How to Block IP Addresses To Protect Your WordPress Site

Jun 5, 2020

How to Block IP Addresses To Protect Your WordPress Site

Jun 5, 2020

Do you receive a lot of spammy comments on your WordPress website?

One of the biggest drawbacks of popularity is that it draws negative attention.

As a website grows, it starts drawing more and more visitors. Some visitors (or rather hackers) have malicious intent. Hackers often leave malicious comments trying to draw visitors away from your site. Or they plant malicious links which they use to hack your website.

Once a site is hacked, they can use it to execute activities like storing illegal files and folders on your site, stealing sensitive information, sending spam emails, or even launching attacks on other websites.

If you are unlucky, things will snowball further and your site will be blacklisted by Google and your hosting provider will suspend your site.

But don’t worry, you can prevent this catastrophe from occurring. One of the best ways to protect your WordPress site against spammers and hackers is by blocking their IP addresses. In this article, we are going to show you exactly how you can do that.

What is an IP Address?

There are billions of devices connected to the internet and every single device (be it a smartphone or a laptop) can be identified. This means that if a device is used to launch malware attacks then it can be identified.

This is possible because of IP addresses. An IP address is a unique numeric code allotted to a device that is connected to the internet. Even the device you are using to read this article, such as your smartphone, tablet, or laptop, has an IP address.

You can find out your specific IP address by opening Google and typing what is my IP address?


what is my ip address


Your IP address will be a number, like

When you type out the URL (like or in the address bar or you do a Google search, you are requesting the browser to show you a specific website or to search for an inquiry. Your request is tagged with the IP address of the device.

Browsers handle millions of such requests. The IP address helps the browser identify which device to send the response to.

Now that we understand what an IP address is, let’s look at the reasons you might need to implement IP address blocking.

Reasons For Blocking an IP Address

Each visitor coming to your site is using a device, therefore they have an IP address. If you could know the IP addresses of malicious visitors whose intention is to harm your site, then you can block them from accessing your site.

There are two types of harm that visitors could cause to your website. Those are – leaving spam comments and trying to hack your site.

1. Spam Comments

Spam comments are irrelevant comments often posted by bots. They may contain advertisements selling illegal drugs or link to another website which drives away your traffic.

WordPress, as well as almost all comment plugins, offer to manually approve comments before they are posted on the website.

But moderating comments can be tedious and time-consuming hence it’s best to identify malicious IP addresses and block them from accessing your website altogether.

2. Blocking Hack Attacks

One of the most common types of hack attacks made on a WordPress website is called cross-site scripting. In the xss attack, comment areas are used to hack your website or extract sensitive information from your visitors.

Comments can be an intrinsic part of a website hence it is not possible for site owners to retire it. In that case, blocking malicious IP addresses in WordPress is an ideal solution.

How to Block an IP Address in WordPress?

There are two ways to block IP addresses. You can do it manually or using a plugin. Before we show you the steps, you first need to locate the IP addresses.

How to Locate Suspicious IP Addresses?

WordPress records the IP address of everyone who leaves a comment on your website. All you need to do is –

Log into your WordPress dashboard and go to Comments

→ On the next page, you’ll find all the comments and IP addresses of those who’ve left them on your site.


ip address of spam comments


Be sure to note down the IP addresses from the comments that look spammy. For instance comments with suspicious links. Often, they are irrelevant to the topics that you are speaking of in the article.

Look out for comments in foreign languages and also for links embedded inside the text.


spam comments on wordpress


Once you have all the suspicious IP addresses, you can proceed to block them.

Blocking IP Addresses in WordPress

As we said earlier, there are two ways of doing this. You can –

    1. Block IP Addresses With a Plugin (easy way)
    2. Block IP Addresses Manually (hard way)

Blocking IP addresses manually is time-consuming work and the results are not all that effective. But if you want to go ahead with the manual way then jump to this section.


1. Block IP Addresses With a Plugin

A security plugin like MalCare will automate the process. You don’t have to go about seeking spammers and hackers to block them. MalCare will automatically identify and prevent them from accessing the website altogether.

    • Once you activate MalCare, it’ll install a powerful firewall on your site which will investigate everyone who tries to visit it. If it identifies the visitor’s IP address as suspicious, it’ll promptly block it.
    • Moreover, the firewall keeps a log of all the countries whose visitors it is blocking. To protect your website further, make a note of the countries, and then block them using MalCare’s WordPress Geoblocking or country blocking feature.


malcare geoblocking



2. Block IP Addresses Manually

When it comes to manually block IP addresses, there are quite a few ways of doing it. You can:

i. Use WordPress Discussion Option
ii. Use IP Blocker on cPanel
iii. Use .htaccess File

i. Use WordPress Discussion Option

WordPress offers a native comment blacklisting option. You can use it to ban IP addresses sending spammy comments.

Log into your WordPress dashboard

→ Then from the menu, navigate to Settings > Discussions

→ In the Discussions page, scroll down and you should be able to see a section called Comment Blacklist

Paste the IP addresses  in that section

→ Remember to Save Changes


wordpress comment blacklist


This is only going to prevent blacklisted IP addresses from leaving spam comments but they can still access your site and may try to hack it. To block IP addresses from accessing your site, you can follow the method below.

ii. Use IP Blocker on cPanel

Most hosting providers offer an option to block IP addresses in order to protect your site.

Log into your hosting account

→ Navigate to the cPanel and go to the section called Security. In this section, there should be an option that’ll enable you to block IPs. On Bluehost, the option is called IP Blocker. Other hosting providers will call it something similar.


bluehost ip blocker


→ Next, you will need to add the IP addresses one by one and your hosting provider will block them.


bluehost blocked ip address


iii. Use .htaccess File

The last option to block IP addresses manually is to add them to your .htaccess file.

WordPress websites are made of files and folders. The .htaccess is one such file. It is an important configuration file. It contains certain rules that offer instructions to the website server.

You can modify the .htaccess file and add instructions for IP blocking.

IMPORTANT: Before we show you the steps you need to take, we suggest taking a complete website backup. The .htaccess file is an important WordPress file and modifying it is a risky business. Small mistakes can end up breaking your website. If you have a backup you can quickly restore it back to normal.

Log into your WordPress hosting account.

→ Navigate to the cPanel and go Files > File Manager.

→ In the File Manager, you’ll find many files and folders. The .htaccess file will be present in a folder named public_html.


htaccess file in public html


→ When you find the file, right-click on it and choose Edit.


edit htaccess file


→ Then add the following snippet of code at the end of the file –

order allow,deny
deny from
deny from 3.374.983.084
deny from
allow from all

→ Remember to Save Changes


htaccess file block ip address


It tells the host which IP address to deny access to your site and to allow the rest.

The IP address present in the code is for representation purposes. Replace them with your own list of IP addresses that you want to block.

You can add as many IP addresses as you want.

With that, we have come to the end of how to block IP addresses to protect your WordPress site.

Sometimes, the website admin or team members are accidentally prevented from visiting their own site. If this happened, Here is guide for Whitelisting IP addresses that removes the block and allows them to access your WordPress website again

What Next?

We strongly recommend installing a WordPress security plugin to protect your WordPress website.

If you use a security plugin like MalCare there will be no need to manually block IP addresses. It will install a firewall that will automatically block IP addresses of malicious visitors. If they can’t visit your site, they can’t leave spammy comments or try to hack your site.

Besides this, with MalCare you can block an entire country from accessing your website. Not just that, it’ll scan your website on a daily basis, and alert you immediately if it finds any suspicious activity. The plugin will help you implement site hardening measures among other security features.

Sign Up With MalCare Right Now!

Share via
Copy link