🇺🇸 4th of July DISCOUNT!

How to Block IP Address in WordPress

How to Block IP Address in WordPress

88 / 100

Are you worried about unwanted visitors to your WordPress site?

Whether it’s spam comments, malicious bots, or even determined hackers, unwanted traffic can disrupt your site’s performance and peace of mind. 

But fear not! You can block IP addresses in WordPress, a simple yet powerful method to create a secure environment for your content and community.

In this post, we’ll show you how to identify malicious IPs and methods to block the IP addresses.

Ready to secure your WordPress site? Let’s get started.

1 What is an IP Address?

An IP address, or Internet Protocol address, serves as a unique identifier for every internet-connected device, facilitating communication between devices online.

Your computer, smartphone, tablet, and other internet-enabled devices each possess an IP address, facilitating communication with other devices on the internet.

Think of the internet as a vast telephone network, with IP addresses functioning like phone numbers that allow devices to connect and communicate.

Typically expressed in numerical form (e.g.,, these addresses serve two primary functions: identifying network interfaces and specifying locations.

Every visitor to a WordPress website has their IP address stored in the website’s access log files, and the same goes for when you visit other websites.

Now, why will you block specific IP addresses from accessing your website when they’re essential for site access? We’ll explore it in the next section.

2 Reasons to Block IP Addresses in Your WordPress Website

Blocking IP addresses is a common practice for various purposes. Now, let’s consider when and why you must block some IP addresses from accessing your website.

2.1 Preventing Malicious Activity

When you notice recurring malicious actions, like brute force attacks, hacking attempts, or suspicious conduct from particular IP addresses attempting to access your server or website, blocking these IPs should be the next action. 

This step helps safeguard your website from potential security breaches and unauthorized entry. 

2.2 Preventing Spam and Unwanted Emails and Comments

At times, you may encounter spam comments on your website’s pages/posts, often accompanied by unwanted links leading to insecure sources. 

The same applies when you have a contact form or any other form on your website, leading to spam emails in your inbox that are irrelevant or lack meaningful content.

To address these issues and maintain a cleaner inbox and a more user-friendly website environment, you can block IP addresses responsible for generating spam comments and emails becomes an effective measure.

2.3 Managing Unwanted Traffic

Blocking IP addresses can help manage and reduce unwanted traffic, especially when experiencing high requests from specific IPs or address ranges. These unwanted traffic can be bots or crawlers.

Additionally, it addresses the menace of DDoS (Distributed Denial of Service) attacks, which can render your website consistently inaccessible or cause prolonged page loading times.

The primary goal of blocking these IP addresses is to mitigate server load and elevate the overall performance of your system.

2.4 Restricting Access to Content or Company Policies

The practice of blocking IP addresses limits access to particular content or services. For example, in subscription-based services, blocking the IP addresses of non-subscribers ensures exclusive access for paying users.

This also applies to organizations that may choose to block IP addresses to enforce company policies, restricting employee access to certain websites or services. This is important for businesses handling sensitive information or proprietary data.

2.5 Geographical Restrictions

If you want to limit access to your website from specific regions or countries, blocking their IP addresses is a straightforward method to implement geographical restrictions.

3 Identifying the IP Addresses to Block in WordPress

If you’re dealing with spam comments on your posts or pages, it’s essential to note that WordPress stores the IP addresses of your website commenters.

To locate this information, simply navigate to the Comments page from your WordPress admin area.

locate the IP address in WordPress

However, in the case of a severe attack impeding access to your admin area, it’s important to examine your server’s access log. Access this log through your hosting provider’s cPanel tools.

Navigate to the Metrics section and select the Raw Access option, as shown below.

Raw Access

This action will lead you to the Raw Access Log page, where you’ll find the raw access log for your domain. Click on the domain to download the access logs file.

Download Current Raw Access Logs

By clicking on your domain, you’ll download your server’s log file in .gz archive format. Proceed to extract the file.

If you’re having trouble opening this file format on your computer, try converting it to DOC or PDF using online tools. You can then download the converted file to view your raw access logs.

The access log file comprises raw data of all requests made to your website, with each line starting with the IP address responsible for that particular request.

Log file

It’s a good idea to keep an eye out for any suspicious IP addresses in the access log, particularly if you notice a certain IP address showing up frequently.

Be careful not to block yourself accidentally, genuine audience, or search engines from accessing your website.

If needed, use an online IP lookup tool to get more information about a suspicious IP address before making any decisions.

Now that you know how to identify suspicious IPs on your website, let’s discuss how to block these IPs from accessing your site.

4 Methods to Block IP Addresses in WordPress

Let’s discuss five methods to block IP addresses from accessing your WordPress website.

4.1 Block IP Addresses of Commenters 

This method allows you to block the IPs from commenting on your WordPress posts or pages.

To implement this, navigate to Settings → Discussion from your WordPress dashboard and scroll down to the Disallowed Comment Keys section.

Ensure that you enter the IP addresses one per line, as shown below.

Block IP address of commenters

Once you’ve entered the IP addresses, scroll down to the bottom of the page and click on the Save Changes button.

WordPress will now automatically prevent users with these IP addresses from posting comments on your website. While these users can still visit your site, they’ll encounter an error message if they attempt to submit a comment.

4.2 Block IP Addresses Using cPanel

This method enables you to block an IP address entirely, providing a robust measure to protect your WordPress site from potential hacking attempts and DDoS attacks.

Log in to your hosting account’s cPanel dashboard and navigate to the Security section. Choose the IP Blocker icon, as shown below.

IP Blocker

This will direct you to the IP Blocker page, where you can precisely specify the IP address you wish to block from accessing your website. 

You can add a single IP address or an IP range and click the Add button.

Add IP address

After that, scroll down to view the list of IP addresses you have restricted from visiting your website. You can come back anytime you want to delete or unblock any IPs by clicking the Delete option.

List of IP address

4.3 Block IP Addresses Using a Security Plugin

Blocking IP addresses using a security plugin is the easiest method to enhance the protection of your website against potential threats and unauthorized access.

Security plugins like Sucuri Security help protect your website from malicious attacks. Refer to our tutorial on installing a WordPress plugin on your website.

The process typically involves the use of a Web Application Firewall (WAF) integrated into the security plugin. This firewall acts as a barrier between your website and incoming traffic, analyzing each request for potential threats. Suspicious IP addresses, known for malicious activities like hacking attempts, are automatically detected and blocked by the security plugin.

Moreover, you can still block the IP addresses manually using the Sucuri plugin.

Sucuri WP plugin

4.4 Block IP Addresses by Editing the .htaccess File

You can block suspicious IP addresses from accessing your website by adding a few lines of code to your website’s .htaccess file

However, if you lack coding knowledge, we recommend using the previously mentioned methods.

Note: It’s important to back up your website before adding any code so that you can restore your site if anything goes wrong.

Log in to your FTP client or cPanel and locate the File Manager within your public_html or site directory. Choose to edit the .htaccess file.

In the .htaccess file, paste the following code at the bottom of the file:

deny from [IP Address You Want To Block]

Replace the IP Address You Want To Block with the actual IP address you wish to block, as shown below.

replace IP address

If you have multiple IPs to block, continue adding the code with each IP address.

4.5  Block IP Addresses Using the WordPress functions.php File

This method requires adding a custom code into the functions.php file of your active WordPress theme.

Below is a code snippet that demonstrates how to block an IP address using functions.php. The code utilizes an array to keep track of blocked IP addresses. It checks whether the visitor’s IP is in the array before granting access.

function block_ip_addresses() {
    $blocked_ips = array(

    if (in_array($_SERVER['REMOTE_ADDR'], $blocked_ips)) {
        wp_die('Access Denied');
add_action('init', 'block_ip_addresses');

Add as many IP addresses as needed using the style from the $blocked_ips array. If you have only a few, delete the other IPs and input the IPs you want to block.

Access your active theme’s functions.php at Appearance → Theme File Editor. Choose functions.php, scroll to the bottom, and paste the code as shown.

Add code in functions.php file

Once you’ve added all the IPs you want to block, simply click the Update File button to save your changes.

After successfully applying this code, the specified IP addresses will be denied access. The code utilizes the wp_die function displaying the message “Access Denied” to the blocked user, as shown below.

Access Denied message

5 Conclusion

Securing your WordPress website against malicious attacks, spam, and unwanted traffic is necessary for a secure online presence.

Whether you opt for plugins, edit .htaccess files, or set up a firewall, use these features wisely.

Blocking legitimate IP addresses can have drawbacks, potentially excluding potential customers. Therefore, carefully assess each IP address before taking action.

With the right approach, blocking IP addresses can significantly enhance the security and performance of your WordPress website, protecting it against cyber threats and ensuring a safe and enjoyable user experience for visitors.

If you like this post, let us know by Tweeting @rankmathseo.

Email Icon

Don’t Miss Any Future Post!

Sign up today for Exclusive SEO Articles