If your website is not relevant to people in certain countries, you expect to see little or no traffic from those places. Then you see a sudden surge, your server resources get exhausted and your site is affected.
Turns out, the traffic is caused by hackers and bots.
Many website administrators then turn to block countries in WordPress by IP, so that they can safeguard their website and its visitors from harm.
In this article, we will take you through the various means you can implement geoblocking on your WordPress website.
TL;DR: Block country IPs from your WordPress website easily with MalCare. Select the countries you want to restrict access from, and in a few clicks, traffic is blocked. It’s that simple.
What does Geoblocking in WordPress mean?
Before we begin, let’s talk a little bit about what geoblocking in WordPress is exactly. If you have heard the term before, it essentially means that you can block visitors—or traffic—from other countries from accessing your website.
Blocking by country happens via IP addresses, individual identifiers for devices. Countries often have ranges of IP addresses, so if you want to block China, for example, you need to have that range of IP addresses.
Website owners and administrators often look to geoblocking as a solution to a bot problem. However, each admin identifies the source of the bot traffic depending on their own websites. Opinions are often mixed, but you will see some recurring ones like Russia and China on mostly everyone’s list.
How to identify which country IP address to block in WordPress?
If you don’t already know which countries you want to block from accessing your WordPress website, but still want to stop bad traffic in its tracks, there are a few ways to find out.
Use a security plugin with a firewall
The advantages of having a firewall from your website are manifold, and one of the great features is logging. Firewalls log every request that your website receives, and analyse them based on parameters.
MalCare, our best-in-class security plugin, does exactly that. In fact, MalCare’s firewall does such a good job of blocking malicious traffic, you don’t actually need to implement geoblocking. The firewall will take care of the bad requests.
In any case, to find the source of bad requests, install the MalCare plugin, log into the dashboard, and navigate to Security > Traffic Logs.
As you will see, every single request to your website is logged in detail. You can see which country the maximum requests are coming in from, and determine whether these requests are legitimate users.
Additionally, if you suspect there is unusual login activity, check Security > Login Logs. There too, you will see login requests in detail. If a large number of requests is coming in, and yet failing to log in, this is a good sign of bot traffic.
Using Google Analytics
On your Google Analytics dashboard, navigate to Sessions by country > Location overview to find details about your users. Here, you will see a visual representation of your worldwide traffic.
Google Analytics will only indicate where the traffic is coming from, not the kind of traffic that you are receiving. Based on your website contents and audience profile, you would be able to determine whether any country’s traffic is detrimental to your website.
How to block country IP addresses from accessing your WordPress site?
There are two ways you can implement geoblocking on your WordPress site: manually or using a plugin. We’re going to say that the manual method is tedious and time-consuming right off the bat. We strongly recommend you use the plugin method to block country IP addresses in WordPress.
Using WordPress plugin to block country [RECOMMENDED]
Easily block countries you want to using a plugin. The manual method requires editing core WordPress files, adding thousands of lines of repetitive code, and updating the code on a regular basis. It is a significant investment of your time that you could spend doing something far more valuable.
We’ve listed a few plugin options here for your convenience. Our recommendation is MalCare, because it is an all-in-one security solution with WordPress geoblocking as a feature. There is no need to install a specialist plugin just for this reason.
MalCare allows you to block countries’ IP addresses in WordPress with a few clicks, right from your dashboard. The big advantage here is that you can access the other diagnostic tools like login and traffic logs to help you determine which countries need blocking.
The process is simple and fast. Plus, the plugin uses intelligent signals to analyse the behaviour of the IP address. So if someone tries to use a VPN or proxy server, MalCare will analyse if this IP address is actually malicious and then block it.
So, blocked country IP addresses on your WordPress are actually blocked, and you don’t have to worry about breaking your site! Let’s take a look at how you can implement geoblocking on your WordPress using MalCare.
- Install and activate the plugin. Then go to the MalCare dashboard from the left sidebar on your wp-admin dashboard.
- Go to the Sites screen, and use the checkbox to select the site you want to modify.
3. Then, click on Manage to open a dropdown with options. Select GeoBlocking to proceed.
4. From the dropdown menu, select the countries you want to block. You can select as many countries as you want to, and each one will appear at the bottom of the screen.
5. Click on Block countries to complete the process.
The advantage of geoblocking in WordPress this way is that you don’t have to input country IP addresses manually, or jump through a lot of hoops to implement. To reverse blocking, go back to the geoblocking screen, and remove the countries from your block list.
Wordfence is a popular WordPress security plugin and has geoblocking built into its features. Again, we recommend using a WordPress security plugin instead of a dedicated geoblocking plugin.
1. Install and activate the plugin, and go to WordPress admin dashboard to set up geoblocking.
2. From the sidebar, select Wordfence and navigate to Firewall.
3. At the top of the screen, there are two tabs. Select the Blocking tab.
4. On the next screen, click on the Country tab to continue.
5. Wordfence gives you two options for country blocking in WordPress. If you want to block access to your complete website, select both options: Login from and Block access to the rest of the site. Wordfence recommends that Google Ads users only block access to their login form.
6. Select the countries you want to block using the textbox, or pick them from a list.
7. Click on Block selected countries to complete the process.
iQ Block Country is a plugin with one job, and that is geoblocking. For the purposes of this article, we installed it and tested it out.
1. Before you begin, you will need to download and unzip the MaxMind GeoIP database, and upload it to your wp-uploads/content folder via cPanel or FTP.
2. Install and activate the plugin, and go to the WordPress admin dashboard to start the process.
3. Navigate to the plugin from Settings.
4. Next, you choose the Block type: show a customisable forbidden message, redirect to an internal page, or redirect to an external URL.
5. Next, go into the Frontend tab to set up which countries you want to block from accessing your website. This is similar to the geoblocking done by the other plugins on this list.
There are several more options available with this plugin, and it is free to use. You can also block access to the backend of your Website, posts, pages, categories, just as well. You can also prevent search engines from visiting your site, should that be a feature you require.
There is also a tab for logging, and the requisite settings are on the first tab. We are huge advocates of logs, because logs are excellent diagnostic tools for when things go pear-shaped.
iQ Block Country does one job really well, however in our experiments we rarely felt the need to have such granular control over access. We recommend this plugin for highly specific use cases.
Blocking country IPs using .htaccess file [Manual Method]
We highly recommend going in for one of the plugins we suggested above. The manual method for blocking country IP addresses in WordPress is a time-consuming process. You would need to access your WordPress files and then add thousands of lines of code to block individual suspicious IP addresses and ranges.
Plus, any time you tamper with the backend files of a WordPress site like the .htaccess file, you risk breaking your website. This is because even the slightest error introduced in the coding can cause the whole thing to malfunction.
If you still want to go ahead and implement country blocking manually, please do take a fresh backup of your website. This step will save you a ton of grief should anything go wrong.
Step 2: Choose the country you want to block from dropdown list, and generate an IP list.
Step 3: Choose the .htaccess deny option for the output format. The service will generate a text file with the IP addresses.
Step 4: Next, to insert the list into your .htaccess file, open the .htaccess file from the public_html directory, either through cPanel or using FTP.
Step 5: Copy paste the contents of the text file into your .htaccess file, and save it.
Remember to update this list every month or so, to make sure the information is up to date, as IP addresses can change.
Why block country IP address in WordPress?
There are several reasons why you would want to block certain countries from accessing your website.
Unfortunately, every website owner has to deal with malware attacks at some point. Because malware is versatile, the attacks themselves can take many forms.
Maybe you are seeing a spike in failed logins (potentially a brute force attack) or your server is overloaded with requests, causing your site to go down. If these attacks are coming in from one location, then you would want to block all access from that country, especially if there is no good reason to allow traffic from there.
Perhaps your business website doesn’t service certain locations: your ecommerce store doesn’t ship to Russia for instance. So if you are seeing a lot of malicious traffic from Russia, and there is no good business reason for Russians to visit your website, you may feel that it is a no-risk idea to ban traffic from Russia altogether.
Signs you may be experiencing increased bot traffic
Bad bots are incredibly harmful for your website and can cause tremendous losses. It is always best to have a security plugin installed, however there are other ways to determine if your website is experiencing bot traffic:
- Monitoring services for your website will show spikes in CPU and network usage
- A good web host will send you an alert if your website is consuming excessive server resources
- Login logs will show multiple failed login attempts in a short period if your website is experiencing password-cracking attacks
- Your website could go down entirely if bots consume all its available resources
If you are seeing any or all of these signs, you are experiencing bot traffic. While blocking country IPs might be a temporary solution, installing a firewall is the best way to protect your website in the long term and more threats.
Local audience only
If your website is relevant to one country only, then you might want to stop visitors from other countries visiting altogether.
Apart from the lack of relevance, if you follow security news regularly, certain countries come up quite often when speaking of hackers and bots. You might want to stop this preemptively, especially if yours is a smaller site with limited server resources.
In your analytics, you might see a high percentage of traffic from certain countries. If there is no engagement on your website from this segment of traffic, like purchases for instance, then this traffic is useless to you, and is consuming site resources pointlessly.
Additionally, spam traffic and bots mess up important metrics like conversion rates for instance. You might be getting a completely inaccurate picture from your analytics, because of this reason. Your marketing decisions are then affected, and you will end up wasting resources because of this reason.
Geo blocks are also implemented on sites that restrict access to premium media, like films and television shows. This is done to adhere to copyright and licensing terms. You would see this on streaming services like Netflix or Amazon Prime.
Within grey area industries, like online gambling, laws vary not just by country, but often by region as well. In these cases, websites would need to restrict access and ensure they adhere to the laws that apply to the particular regions they want to service, and block everyone else out.
Why blocking IPs by country is not a good idea?
Depending on your reasons for implementing geoblocking, there are usually better and more robust solutions that serve the purpose.
We do not recommend geoblocking on your WordPress site, as a rule of thumb because of several reasons. If your primary reason is to block threats, install a security plugin on your website, and avoid all this hassle.
IP resolution is not perfect
There are two implications of not resolving IPs correctly: one, you can inadvertently block out users you want from another country; two, the block may not work completely. Either way, the solution is not perfect.
Servers exist all over the world
If you ban traffic from an entire country, it is like throwing the baby out with the bathwater. There may be legitimate traffic from those countries, and you will lose their visits altogether.
For instance, one user saw a great deal of phishing scams on their website originating from Germany. He was tempted to block traffic from Germany too, but couldn’t. Services that his website used servers that are located in Germany, like uptime monitoring and backup services.
Another user has vendors from China, and therefore has to keep China unblocked for those reasons.
You might block Google
This is a serious entry on the list. Blocking countries by IP can affect Google rankings because blocking can inadvertently block Google bots from crawling your website. This is especially true if you want to block countries in North America and Europe, where Google bots are located. Depending on the method you use, country blocking may or may not be able to make an exception for friendly site crawler bots.
In some cases, it might be possible to whitelist googlebot, but several bots masquerade as googlebot, so this is risky to do, without a good outcome.
You might block yourself
It sounds absurd, but happens quite often. There have been cases where website owners have been blocked from their own websites because of the imprecise nature of geoblocking. It is then a complicated task to reverse the inadvertent block.
Malware is universal
Blocking a country doesn’t guarantee that your website is safe from malware and phishing scams. In order to have a multi-pronged and more successful attack, malware can be stashed on devices across the world—and potentially countries that are whitelisted. The compromised hosts are often oblivious to the infection on their devices, and so unwittingly form part of botnets, for instance.
In our opinion, it is a poor substitute for a good firewall.
Constant updates are necessary
If your geoblocking is relying on a database for lookups, an error in the database could result in something getting blocked inadvertently, or not getting blocked when it should be.
This is especially the case because IP addresses, and by extension IP address ranges, keep changing. If you have used one of the manual methods with an ACL to block countries, you will have to periodically update the list to make sure it still works.
Savvier malicious actors will use proxies or VPNs to bypass block country rules. You may actually succeed at blocking direct traffic, but then a percentage of the bad will find a way to circumvent.
Google Ads might not work
There is some evidence that shows that Google Ads penalize sites with geoblocking. Many users have reported seeing their ads disapproved after restricting traffic from other countries.
As we have said before, to prevent bad traffic, use a firewall like MalCare, which has automated protection against bad requests. A firewall is better than a geoblocking WordPress plugin because it will stop the bad traffic before it hits the website. Most firewalls will also log request data, so you can use that to analyse your website’s traffic better.
Other variants of country blocking in WordPress
When you think of country blocking, you usually want to block traffic from a few countries. However, there are other ways of implementing blocks as well:
- Block everyone, and whitelist specific ip addresses as required: This is obviously a very drastic measure, so it is highly dependent on the use case of the website. Often this method is used when the site has a miniscule and specific audience or may contain sensitive information.
- Only block access to the login page: As opposed to the entire frontend of the website. This method is often suggested as a workaround to the Google Ads issue we described in the previous section.
In our opinion, blocking countries by IP—or any other way for that matter—is not a good solution. As we have listed above, there are several downsides and ways to circumvent the block, so the benefits are significantly reduced as a result.
If you want to protect your website from malicious bots and hackers, which is the primary reason website admin consider geoblocking in the first place, then a firewall is the best option.
MalCare’s firewall intelligently blocks all bad requests before they even hit your website, therefore preventing many of the issues of bot traffic.
Have thoughts to share, or more questions? Drop us an email or reach out to Twitter or Facebook.
Q1: How to block countries from accessing my website?
There are several ways to block countries from accessing your website, and all of them involve using IP addresses and ranges to zero in on location. We recommend using a wp security plugin like MalCare or Wordfence, or even a plugin dedicated to geoblocking, like iQ Country Blocker.
We do not recommend modifying the .htaccess file of your WordPress website, although this is also feasible. You would end up writing hundreds of lines of code, and then have to update it every month to make sure the blocks are still in place.
Recommended read: block ip address in WordPress
Q2: How to block access to my website based on country with .htaccess?
1. Firstly, you need to get a list of IP address ranges for the countries you want to block.
2. Next, open up your .htaccess file via cPanel or FTP in edit mode.
3. Then, paste the code with the blocked country IPs into the .htaccess file and save it.
Use a service to generate the IP address list, so that you don’t have to use a lookup tool to determine which countries map to which IPs.
Q3: What happens when a user from the blocked country tries to access your website?
Blocked visitors are redirected to an Access Denied 403 page. Most blocking plugins will allow you to set up a custom page for blocked traffic to be redirected to, and the page doesn’t have to be on your domain.