How To Block IP Address in WordPress? (Ban spam and hack attacks)


7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.


Have you noticed a lot of login requests coming in from the same IP addresses?

This is a classic symptom of a brute force attack on your website. As your website grows, it will also bring in its own share of security issues. It could be in the form of brute force attacks or spammy comments. But if not handled properly, these attacks could slow down your website or, in the worst-case scenario, lead to a hack.

Issues like a constant barrage of login requests or spam comments may seem like a minor nuisance but these can actually snowball into bigger problems. If attackers find a way to access your website, they could store unwanted files on your website, steal your information, redirect your visitors, or even deface your website and demand money.

Thankfully, there is an easy way to secure your website from known attackers. An efficient way to protect your website from spammers and attackers is to block IP address in WordPress. Let us discuss the what, why, and how of banning IP addresses on WordPress.

TL;DR: Secure your website with MalCare and automatically block any malicious IP addresses that may visit your website. Read more on how to block IP address in WordPress manually in different ways.

Reasons to block IP addresses in WordPress

Blocking malicious IP addresses in WordPress is a quick and effective method of dealing with spam, unwanted login requests, malware, DDOS attacks, or even hacking attempts. But the most common reasons for blocking IP addresses on WordPress are spam comments and hacking attempts.

Spam comments

Any comments that are irrelevant to your website can be categorized as spam. These are often left by bots and carry random links or advertisements that may be malicious.

While most WordPress owners opt for manual approvals of comments, too many spam comments can make it difficult for website owners to moderate comments.

This is when blocking IP addresses can come in handy. By banning the IP addresses that are sending these spam comments, you can easily block their access to your website.

Hacking attempts

Attackers often make hacking attempts through input fields like the comments section or the contact form. This is known as cross-site scripting and is a serious threat to your website security. This type of attack can lead to the attackers gaining access to your website or extract confidential information.

Blocking suspicious IP addresses in WordPress can help prevent such attacks and enhance the overall WordPress security.

Step 1. Find suspicious IP addresses in WordPress for blacklist

Like we discussed earlier, every website keeps a record of visitors. So it is possible to find out the IP address of anyone who left a comment or visited your website. There are various ways to do this. Let us go through all of them one by one. 

Option 1. Using WordPress comments panel

Your WordPress dashboard can help you find most things on your website. You can also find the IP addresses of spam commenters here.

1. Go to Comments from your WordPress dashboard.

2. On the next page, you’ll find all the comments and IP addresses of those who’ve left them on your site.

3. Note down any IP addresses from comments that seem irrelevant or spammy. These comments may have links or have messages in foreign languages. 

4. Once all the suspicious addresses have been noted, we can proceed to block them.

Option 2. Using raw access log

You can use the WordPress comments for spam commenters, but how do you find IP addresses of attackers who are sending overwhelming amounts of requests to your website server? For this, you can use your website’s access logs.

  1. Go to the cPanel dashboard of your hosting account and look for ‘logs’.
  2. In this section, you will find the ‘raw access logs’

Raw access logs in C-panel

  1. Then click on your domain name, which will download the access logs on your computer in a .gz archive file.
  2. You can extract the logs with a program for archived files like Winzip.
  3. Open the logs in a text editor like notepad.

List of IP addresses that have made request to website

  1. Here, you can see all the IP addresses that have made requests to your website. If an IP address is sending you constant requests, you can note down the address to block.

You need to make sure that you do not accidentally block legit visitors or yourself from your website. To ensure this, you can look up the IP addresses online on IP lookup tools to make sure that these IP addresses are at least suspicious or malicious.

Step 2. Block IP addresses in WordPress successfully

There are two ways to block IP addresses in WordPress. One is through a security plugin like MalCare, which will simplify the process and block IP addresses automatically for you.

If you are someone who knows very little about website security, this is the best option for you. But if you want to do it yourself, there is a manual method of blocking IP addresses in WordPress, which we will discuss in detail.

Option 1. Block IP address in WordPress using security plugin [Recommended]

MalCare is designed specifically to keep out suspicious IP addresses and malware. So blocking IP addresses with MalCare is done automatically.

You do not have to go through the whole process of locating and blocking IP addresses because MalCare does it for you. MalCare’s powerful firewall identifies spam and suspicious visitors and bans them automatically. 

Moreover, in the firewall IP log, you will find the country associated with the IP as well.  

So, if you notice that a lot of IPs from a particular country appear to be malicious, you can block all problematic IP addresses from the country, using MalCare’s geoblocking feature. Of course, you can only do this if you don’t expect legitimate traffic from those countries, so use this feature wisely.

Option 2. Ban IP address in WordPress manually

If you prefer to block IP addresses in WordPress manually, there is more than one way to do it. Depending on your comfort level, choose the one that seems the most suitable for your needs.

Using WordPress comments blacklist to prevent spam comments

Your WordPress dashboard has an option to blacklist certain comments, which prevents the commenter from leaving more comments on your website and stops spam comments.

To use the option, follow the below steps for blocking IP addresses in WordPress:

  1. Log into your WordPress dashboard
  2. Then from the menu, navigate to Settings > Discussion
  3. In the Discussion page, scroll down and you should be able to see a section called Comment Blacklist
  4. Copy and Paste the IP addresses you want to block in that section
  5. Remember to Save Changes
  6. WordPress will successfully block these IP addresses from leaving a spam comment

Doing this will restrict spammers from posting comments, but they will still be able to access your website. This could be a potential security risk as these attackers could hack your website through other means.

Using IP blocker in cPanel

Most hosting providers also offer the option to block suspicious IP addresses in WordPress. If you prefer this method, you can block suspicious IPs from your hosting account by following these steps:

  1. Log into your hosting account
  2. Go to the cPanel and go to the section called Security. 
  3. In this section, there should be an option that allows you to block IPs. On Bluehost, the option is called IP Blocker. Other hosting providers may name it something else.

  1. Now, you need to add all the IP addresses that you have noted down as suspicious, and your hosting provider will lock them.

Block IP address using .htaccess in WordPress

There is another way to block IP addresses in WordPress—you can add these IPs directly to your .htaccess file. 

The .htaccess file is an important configuration file in your WordPress website. It contains certain rules that offer instructions to the website server. 

🚨 While this is a legitimate way to block IP addresses, we do not recommend doing this by yourself unless you are confident in your technical abilities. The .htaccess file is an important WordPress file and modifying it is a risky business. Small mistakes can end up breaking your website. If you must use this method, take a complete backup of your website first, so that if anything goes wrong, you can restore your WordPress website.

  1. Log into your WordPress hosting account.
  2. Navigate to the cPanel and go Files > File Manager.
  3. In the File Manager, the .htaccess file will be present in a folder named public_html.

htaccess file

  1. When you find the file, right-click on it and choose Edit.

edit htaccess

  1. Then add the following snippet of code at the end of the file –
order allow,deny
deny from (the IP address that you have noted)
deny from 3.374.983.084
deny from
allow from all

  1. Save Changes


This code snippet will tell your host which IP addresses to deny access to your site. The IP addresses given in the code are only examples, replace them with the IPs you find suspicious.

Why you should not rely on blocking IP addresses?

Sometimes when you rely on a free or untrustworthy solution to take care of your WordPress security, the result may not be favorable.

For instance, when blocking suspicious IPs from your website, you may also block customers or team members from accessing it. This may prove to be counterproductive for your website security and create more problems than it solves. 

When this happens, you will have to whitelist IP addresses and allow the right traffic back, You can do this through your security plugin or manually, but unless you have very specific access requirements, manually doing this can prove to be tedious. Instead, a good firewall will take care of both blocking malicious traffic and giving access to the right kind.

An intelligent firewall, such as MalCare’s, knows the difference between malicious IP addresses and those that may trigger alarms due to certain factors but are legitimate visitors.

MalCare’s firewall studies over 300,000 websites every day to understand and refine website security nuances so that you don’t have to worry about blocking individual IP addresses.


Blocking IP addresses in WordPress is an extremely effective preventative measure to secure your site. This ensures that attackers do not get any access to your website and they are kept at bay before they can cause any serious harm to our website.

If you would like this process to be automatic, and not concern yourself with security issues, you can opt for a security solution like MalCare which not only identifies suspicious IP addresses, but also blocks them automatically. This way, you don’t have to worry about any attacks and your website remains secure 24/7.


How do I block an IP address from my WordPress website?

There are various ways to block IP address in WordPress website. But the easiest way is to use a WordPress plugin to block IP address such as MalCare. It will automatically identify and block suspicious IPs from your website. Other ways to blacklist IP addresses in WordPress are:

1. Blocking through WordPress dashboard
2. Using IP blocker in cPanel
3. Block specific IP addresses using .htaccess file

Can I ban IP address in WordPress by myself?

Yes, you can block IP addresses in WordPress by yourself. You need to find the said IP address first. Once you do that, use the comments blacklisting option available on your WordPress dashboard.

Alternatively, the IP blocker on cPanel or .htaccess files are some other good options to ban IP addresses in WordPress manually. You can also blacklist IPs manually via your security plugin. 

What kind of IP addresses can I block from accessing my website?

If you find any IP addresses that are sending repeated login requests or leaving spam comments constantly, they are most likely malicious bots. You can block these IP addresses from accessing your WordPress website.

Moreover, if you notice that all these suspicious IP addresses are from a single region, you can ban the entire region from accessing your website. However, use this feature with caution.

Is it possible to block the IP addresses of entire countries?

Yes. You can use the geoblocking tool that MalCare offers in order to block IP addresses in WordPress from entire countries. This may seem like overkill, but malicious requests do come from specific regions, and blocking the regions can give you a lot of peace of mind. But be careful of this feature as it will also block any legitimate traffic from the country.



You may also like

Website logs
What are the Different Types of Website Logs?

Imagine driving a car without knowing your speed, engine temperature, or fuel levels. Sounds terrifying, right? Well, managing a website without understanding website logs is a bit like that. You…

What is Cross-Site Scripting (XSS) and How to Prevent It?

Websites can sometimes act strangely, showing unexpected pop-ups or exposing personal information. This isn’t just a glitch—it’s often due to a sneaky trick called Cross-Site Scripting (XSS). You might be…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.