We are rarely concerned about WordPress security until WordPress informs us that someone has repeatedly failed to gain access to our site. Sound familiar? It’s called brute force attack – one of the most common tricks in a hacker’s book. What they do is try to crack your WordPress password using a combination of popular credentials. For website owners, brute force attacks have become a part of our daily digital life. This is why we tend to get so immune over the issue and become lenient in our security measures. It’s one of the biggest WordPress security issue website owner’s are facing these days. And one of the easiest ways to defend against or deflect such attacks is by blocking IP addresses trying to access your WordPress site over and over again.
Hackers attack your website by using several IP addresses. An IP is a unique internet ID for a device/system. The device (smartphone or computer) that you are using to read this post has an IP address. If you try to login to someone’s WordPress site using your device, the failed login attempt will be recorded. And your device will be identified using the IP address. This is precisely why hackers don’t stick to one IP address. Because it can be identified and blacklisted. Hence, they often create a cluster of IP addresses using which they launch attacks on targeted websites. Your WordPress site could be one such target.
(Picture credit: hostpapa.blog)
You’d be surprised to know that small to medium-sized websites these days are more likely to be in the line of fire than the big fish in the sea. This is largely because small to medium websites are lenient about the site’s security. It’s the mindset of “what can anyone possible steal for my little site?” that works against small websites. Your website is valuable and an easy fish to fry. Hackers could use your server to store files. They could be targeting your site to execute a political agenda or to bring your site down so that your rival site steps up in search engine ranking. There could be any number of reasons to hack your WordPress site.
The bright side of things is that when someone is repeatedly trying to get access to your website, your server will identify them and suggest blocking those IP addresses. Now that leads us to question number 1: what does blocking IP addresses really mean? What role does it play in WordPress security? And question number 2: How can blocking IP addresses, positively and negatively affect your website? Read our guide and learn how WordPress IP blocking works and all the pros and cons.
What Does Blocking an IP Address Mean?
Earlier we mentioned brute force attacks, but there can be several other kinds of attacks like people leaving comment spams, email spams, DDOS attacks, etc. Blocking the origin of these attacks will help in securing your website. There are a number of ways of going about blocking IP addresses. Some do it manually, and others prefer using plugins.
Most of the popular WordPress security plugins allow the user to block IP addresses. Another way of denying access to your site is by using a .htaccess file which is a very powerful tool and must be carefully handled.
Blocking IP Addresses By Editing .htaccess File
Suppose you want to ban the following bunch of IP addresses from visiting your website:
126.96.36.199 188.8.131.52 184.108.40.206
You can edit WordPress .htaccess file and insert the following code. This will help the system identify that anyone is trying to visit the site from these IPs, need to be turned away.
order allow, deny deny from 220.127.116.11 deny from 18.104.22.168 deny from 22.214.171.124 allow from all
As you can see, the IP addresses we want to ban is present in the code. And that’s not the end of it, and you will need to upload the modified .htaccess file to a specific location with the assistance of FTP and SFTP. The process is complex and risky. One false step can undo your entire website.
Blocking IP Addresses Using a Plugin
If anything, one of the greatest features that draw people to build their websites on WordPress is the vast repository of plugins. Want to collect email ID of visitors? Use a plugin. Want to use a form on a page? Use a plugin. With plugins, it’s easy to design a website. There is a plugin for all your website needs. And you might have guessed it already, there are plugins that’ll help you block malicious IP addresses.
These plugins will allow users to block individual IPs or even a range of IP addresses. Sometimes large-scale malicious activities have a geographical origin. Website owners can opt for country-wise blocking where they basically deny access to people from certain countries.
Some Web Hosts Allows Blocking IP Addresses
Another convenient way of blocking IPs are through the web host. If you log into your web host account, you should be able to locate the IP Address Deny Manager tool under the Security section. Once you click on it, another page will appear where you’ll be asked to add an IP address. Following this, you will be redirected to a different page confirming that your desired IP address has been blocked. And that’s it. In case, you decide to unblock an IP address, you can use the same tool to meet that need.
IP Address Deny Manager can be found under Security
IP Blocking: Pros
Preventing IP addresses from accessing your WordPress site offers several benefits.
First Line of Defence
It could act as your first line of defense. Generally, your web host notifies you when someone is making multiple failed login attempts. A number of attempts made within a short span of time are likely to be identified as brute force attack. Here hackers try to guess your login credential by using a combination of popular passwords and usernames. Identifying these specific troublemakers and blocking them is a stepping stone towards making your website secure.
Readily Available List of Malicious IP Addresses
There is a list of IPs identified for attempting to undermine website security measures. Several organizations maintain and publish these lists of IP addresses. A simple Google search on ‘what are the blacklisted IPs’ or ‘IPs I should block’ should procure you a list of commonly blocked IP addresses. You can ban these IPs from accessing your website to further strengthen your security.
Block Visitors by Country
Sometimes while investigating malicious login attempts, website owners may trace the activities to IP addresses from a specific place or a country. If your target audience does not belong to this country, you can opt for something called country blocking. This would typically mean you are blocking the entire traffic from that particular country. Anyone using the internet from that country and trying to access your website will be turned away. Hence, it will greatly reduce the risk of a compromise.
IP Blocking Reduces the Load on Your Website Server
Blocking bad IPs by using .htaccess file helps reduce the load on your website. Hackers use automated tools to try and break into your website. When you get your hands on the malicious IPs that the hackers are using to hammer at your login page, block them by modifying the WordPress .htaccess file. It will help minimize the impact of these bad users on your web server. And it’ll be a boon to the performance of your website.
IP Blocking: Cons
While there are a lot of advantages of blocking IP addresses, it has its share of disadvantages too.
You Can Make a Mistake
The risk of accidentally banning valid visitors from visiting your site is always there. This can happen if the IP address is incorrect or because of some other human error. Once we had come across a forum where a website owner confessed to accidentally blocking the IP address of an admin of his website.
Your WordPress Site Can Crash
The .htaccess is a complex file. One simple misstep can be catastrophic. It’s usually recommended that people without the required technical know-how shouldn’t edit it. Of course, there are tons of tutorials telling you how to edit a .htaccess file. But if you make the smallest of mistakes like changing the wrong part of the file or giving a wrong command, it could cause your website to misbehave. Your entire site could crash.
Hackers Keep Changing IP Addresses
We’ve discussed it before that hackers can have access to several of IP addresses. They don’t stick to one IP because it’s likely to get caught and blacklisted. Hence, they connect to different IP addresses, building a cluster of IPs they can use. When one of their IP address is recognized for its malicious intention, they shift to using a different IP address. It’s a never-ending game of cat and mouse. Therefore blocking IP addresses can sometimes just be a temporary relief and nothing more.
Search Engine Crawlers Are Sometimes Blocked
In some cases, a misconfiguration can end up blocking search engine crawlers like Google Bots from crawling your website. This could cause you the health of your website. Search engine bots blocked from accessing your website won’t be able to crawl your website or index your new post. Any new modifications that you do to your website will go ignored. This could lead to an SEO catastrophe and you will start losing search engine ranking.
You Miss Out on Potential Audience
Country blocking is an efficient way of keeping your site safe, but it also means that you miss out on the all the potential traffic it could bring to you site. The whole idea of having a presence online is to reach out to an audience residing anywhere on the globe. Most content is valuable to people who use the internet, regardless of their geographical location. By blocking an entire nation, you could be ignoring a legit pool of audience interested in your work.
You May Unwittingly Block Out a Number of Visitors
There could be several individuals using the same IP addresses. Office complex often has the same IP address. At times, an entire country could be using a small range of IP addresses. Trying to lockout one bad IP or a range of IP addresses may lead to locking out a whole bunch of people. This could hamper your reputation and limit your potential.
So, what is to be done? Do you need to lock out those bad users right? Or you’ll risk a security breach soon. One easy solution is to avoid manually blocking IP addresses and automate the process using firewall services like MalCare, Sucuri, etc. They’ll help negate the cons without losing the benefits that come with blocking malicious IP addresses.
Over to You
We hope this article helped you learn how WordPress IP blocking is an important pillar of website security. We welcome questions surrounding the same.