Stop malicious traffic: Block IP address in WordPress

How to Automatically Block IP Address in WordPress (2023)

WordPress has long been a popular platform for businesses and individuals to create websites, but one of the most common threats these sites face is malicious visitors. Protecting your WordPress site from malicious visitors is critical to ensure the safety of your data and maintain a positive user experience.

According to Wordfence’s report, in 2020 alone, there were 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses. This highlights the importance of taking proactive measures to enhance website security.

One effective method for enhancing website security is to block IP addresses in WordPress. By blocking suspicious IP addresses, you can prevent unauthorized access to sensitive or restricted information, reduce the risk of brute force attacks, and minimize spam comments.

In this blog, we will cover everything you need to know about how to block IP address in WordPress. It includes identifying problematic IP addresses, various methods of blocking IP addresses, popular WordPress plugins for IP blocking, additional security tips, and potential drawbacks of IP blocking.

Types Of Malicious Visitors

Bots and Spammers

These malicious visitors are automated programs that leave spam threads and comments on WordPress sites. They can also slow website performance by overloading resources, enabling malware injection, or compromising security protocols.


These malicious visitors attempt to gain access to a site’s data or take control of it for their own purposes. Examples include Denial-of-Service (DDoS) attacks and Brute Force Attacks, which try thousands of combinations quickly in order to guess username/password pairs.


These malicious programs are designed to harvest content from websites, such as images or text, by automatically accessing them thousands of times, slowing down the performance of the website they’re targeting in the process.

Tracking Software & Passwords Stealers

Malicious software like keyloggers collects personal information through your WordPress site’s login page, making it easy for hackers to get hold of passwords and confidential details stored inside your database tables.

Impact Of Malicious Visitors On Website Security And Performance

The malicious activities can lead to security breaches such as sensitive data theft, unauthorized access to admin areas of the website, or the distribution of malware across the entire site.

Not only do attackers cause direct harm with their actions, but they also slow down the performance of websites by flooding them with fake page requests and other resources, such as large images.

Furthermore, hacked WordPress sites may become blacklisted by Google and other search engines since they’re no longer seen as secure by potential customers.

How To Block IP Address in WordPress

Identifying suspicious IP addresses, manually blacklisting them, automating specific IP address blocking with security plugins, or enhancing security with firewall protection are just some of the ways to effectively block malicious WordPress visitors by IP address.

Identifying Malicious IP Addresses

Here are some telltale signs that an IP address might be suspicious:

  1.   Multiple failed login attempts: Unknown users repeatedly try to access your WordPress dashboard.
  2.   Unusual traffic patterns: An IP address generating excessive or unusual traffic, potentially indicating DDoS attacks or other hacking attempts.
  3.   Spam comments: Excessive spam comments originating from the same IP address.

Tools and methods for finding malicious IP addresses

There are several tools and methods to help you identify suspicious IP addresses:

  •   Raw Access log: Analyze your raw access logs in your hosting account to find IP addresses responsible for suspicious activities.
  •  WordPress plugins: Plugins like Wordfence and Sucuri can help monitor and identify malicious IP addresses.
  •  Third-party tools: Services like Cloudflare and IPVoid can provide additional insights into IP address reputation.

Block Users By IP Addresses in WordPress

WordPress Dashboard

You can block IP addresses directly from your WordPress dashboard using the following methods:

Blocking IP addresses in the comments section

Navigate to the “Comments” tab and block the user’s IP address by clicking “Block” next to the comment.

Block IP addresses from commenting in WordPress
Using the comment moderation box

To block comments in the Comment Moderation box, follow these steps:

Access the Comment Moderation settings in the WordPress dashboard by navigating to Setting > Discussions.

Navigating to the Discussion in WordPress settings to customize different settings for comments.
  1. Enable the “Hold a comment in the queue if it contains 2 or more links” option to prevent comments with excessive links from appearing.
  2. Create a list of words or IP addresses that you want to block from appearing in comments. Enter them in the appropriate field in the Comment Moderation settings.
  3. Enable the “Comment must be manually approved” option to ensure that all comments are reviewed and approved before they are published.
  4. If desired, you can also require commenters to fill out their name and email, and/or be registered and logged in to comment.
  5. Save your settings to implement these changes.

By following these steps, you can effectively block unwanted or spam comments from appearing on your WordPress site, and ensure that all comments are reviewed and approved before being published.

WordPress discussion settings: comments moderation IP blocking
Disallowed comment keys

Add specific keywords or phrases associated with spam comments to the “Disallowed Comment Keys” box to automatically block comments containing those terms.

Prevent comment spam: Disallow IPs in WordPress discussion settings

.htaccess file

The .htaccess file allows you to block IP addresses at the server level. It is recommended that you create a backup of your website and .htaccess file. This will allow you to restore your website to a previous stable version in case anything goes wrong.

How to edit the .htaccess files

Access the .htaccess file using your hosting account’s File Manager or an FTP client.

Code snippets for blocking IP addresses

Add the following code snippet to block a single IP address or multiple IP addresses:

Block a single IP address

If is a spam IP, then add this code at the end of the .htaccess file:

Order Allow,Deny
Deny from
Allow from all

Block multiple IP addresses

If and are unwanted IP addresses, then add this code at the end of the .htaccess file:

Order Allow,Deny
Deny from
Deny from
Allow from all

Hosting account

Some hosting providers offer tools for blocking IP addresses:

IP Address Deny Manager

In your cPanel dashboard, use the IP Address Deny Manager tool to block specific IP addresses.

cPanel dashboard

You can manually block IP addresses in the IP blocker option through the cPanel. This can be done through the following steps:

1. Check your web access logs to identify any suspicious IP addresses that have been accessing your website.

2. Login to your cPanel dashboard and navigate to the “IP Blocker” tool.

3. Enter the IP address you want to block in the “Add an IP or Range” field and click on “Add“.

4. The specified IP address will now be blocked from accessing your website.

5. You can also blacklist multiple IP addresses or a range of IP addresses using this tool.

It is important to note that manually blacklisting IP addresses may not be efficient for blocking dynamic IP addresses that change frequently. For more effective blocking, it is recommended to use security plugins or firewall protection to automate the process of blocking malicious visitors by their IP address.

How to automatically block IP addresses in WordPress? (WordPress Plugins)

Several WordPress plugins can help you automatically block malicious IP addresses. Some popular options include:

  1. Wordfence
  2. Sucuri
  3. iThemes Security
  4. All-In-One Security & Firewall

These plugins offer various features to enhance website security:

Real-time IP address blocking – Automatically block IP addresses involved in hacking attempts or brute force attacks.

Blacklist monitoring – Continuously check your website against known IP blacklists.

Login protection – Limit login attempts and enforce strong passwords.

How to install and configure the plugins

You can install and configure these plugins in your WordPress website by following these steps:

  1. Go to your WordPress dashboard and navigate to “Plugins” > “Add New“.
  2. Search for the desired plugin and click “Install Now“.
  3. Activate the plugin and follow the on-screen instructions to configure the settings.

Additional Tips for Enhanced WordPress Security

Limiting login attempts

Limit the number of login attempts to reduce the risk of brute force attacks. You can achieve this by using a plugin like Login LockDown or configuring the settings in your security plugin.

Implementing Two-Factor Authentication (2FA)

Enable 2FA to add an extra layer of security to your WordPress login process. This can be done using plugins like Google Authenticator or Duo Two-Factor Authentication.

Regularly updating plugins and themes

Keep your plugins and themes up-to-date to ensure they remain secure against known vulnerabilities.

Monitoring website traffic

Regularly monitor your website traffic to detect any unusual patterns or spikes in traffic that may indicate a security issue.

Working with a reliable hosting provider

Choose a hosting provider with a strong reputation for security and support, as they can help protect your website from malicious attacks and provide assistance when needed.

Also, Read Common WordPress Security Mistakes to Avoid

Potential Drawbacks of IP Blocking

Blocking legitimate users

IP blocking can sometimes lead to false positives, accidentally blocking legitimate users. Regularly review your blocked IP addresses to minimize the impact on genuine visitors.

Temporary IP addresses

Some users may have dynamic IP addresses that change frequently. Blocking a temporary IP address may not be effective in the long run.


Blocking malicious IP addresses is a crucial aspect of maintaining a secure WordPress website. By identifying and blocking problematic IP addresses, you can prevent unauthorized access, reduce spam comments, and minimize hacking attempts.

IP blocking is just one of the many security measures that can help protect your WordPress site. By combining IP blocking with other security practices, such as limiting login attempts, implementing 2FA, and working with a reliable hosting provider, you can significantly enhance your website’s security.

Don’t wait until it’s too late. Be proactive in implementing IP blocking and other security measures to safeguard your WordPress website, protect your data, and ensure a positive user experience for your visitors.


How do I find suspicious IP addresses?

You can use tools such as Wordfence or access logs to identify suspicious IP addresses.

Can I block entire countries from accessing my WordPress site?

Yes, you can use security plugins such as Shield Security or Cloudflare to block traffic from specific countries.

What if a legitimate user gets blocked by mistake?

You can whitelist their IP address in the security plugin settings or firewall rules to ensure they have access to your site.

How often should I update my IP blocks?

We recommend regularly reviewing and updating your IP blocks on a weekly or monthly basis.

Can I use a VPN for added security when accessing my WordPress site?

Yes, using a VPN can provide an extra layer of security and help protect your sensitive information.

Dany Mirza

Dany is a full-time writer at Host Duplex, with a talent for breaking down complex ideas into easy-to-digest, engaging and informative articles. When not tapping away at the keyboard, you can find Dany exploring new coffee shops and reading works from favorite authors.

Post navigation

Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *