How to Blacklist IP Addresses and Users to Protect Your WordPress Site

Posted on May 1, 2018 by 7 Comments Reader Disclosure Disclosure: If you purchase something after clicking links in the post, we may receive a commission. Thank you for the support!

How to Blacklist IP Addresses and Users to Protect Your WordPress Site
Blog / Tips & Tricks / How to Blacklist IP Addresses and Users to Protect Your WordPress Site

No matter how large or small your website is, security is crucial. One of the most effective ways to protect your website is to block IP addresses and harmful users from having access to your website. This is known as blacklisting and it can be done several ways.

By blacklisting IP addresses you can avoid hackers, denial of service (DDOS) and brute force attacks, email spam, comment spam, and even unwanted visitors. In this article we’ll take a look at how to blacklist IP addresses and users to protect your WordPress site both manually and with plugins.

What is an IP Address

In order to know what to block we need to know what we’re looking for. So, what is an IP address and what does it look like?

In order to connect to the Internet, the Internet Service Provider (ISP) assigns each computer or device an IP address. The IP Address is the Internet Protocol portion of TCP/IP – Transmission Control Protocol / Internet Protocol. The simplified answer is it’s string of numbers that tell the browser where to find the website.

There are two types of IP addresses:

IPv4 – the most popular and has been around since the 70’s. It’s a 32 bit address with 4 sets of numbers from 0-255, separated by a dot. An example might look like this:

IPv6 – was developed in the 90’s and is meant to eventually replace IPv4. It was created due to the high amount of traffic on the Internet. It’s a 128 bit address with 8 groups of 4 hexadecimal digits separated by colons. An example might look like this:


There are ways to abbreviate them, such as removing the leading 0’s:


And removing the consecutive 0’s:


Block IP Addresses and Users Manually

If you’re not using plugins there are two locations to find IP addresses. One is the comments area within WordPress. The other is on your host’s dashboard, which includes all IP’s (not just commenters) and can help you find attackers. Both allow you to block or unblock IP’s and are good options to block individual users. With the host dashboard you can and even regions or countries.

Blocking IP Addresses and User’s within WordPress

IP addresses for commenters are displayed within the comments tab in the dashboard menu. All comments display the IP address under the email address.

These are easy to use because you know the users you’re looking for such as spammers or those who refuse to abide by your commenting policy. This is my latest round of spam. Notice the first and second have the same IP address and the third and fourth have the same IP address. These are the IP addresses for spam bots.

Copy and paste the IP addresses that you want to block with the Comment Blacklist field. In the dashboard menu, go to Settings > Discussion and scroll down to Comment Blacklist. Paste in your list of URL’s (one per line) and save. This helps for commenters, but for hacking attempts you’ll need to dig a little deeper.

Blocking IP Addresses and User’s within cPanel

Your host keeps a log of all IP’s that have visited your site. You’ll find this information from your hosts’ cPanel or similar dashboard. If you’re using cPanel, under the section labeled Metrics look for a file called Raw Access (or similar name, depending on your host).

Open the file in a text editor and you’ll see the IP addresses of all the visitors. It’s more difficult to know which IP is the culprit, but you block them the same way as you would users. One problem to this method is it’s too easy to block search engines, other users, or even yourself. It’s a good idea to check suspicious IP addresses with online tools such as IP Address.

Within your cPanel, go to Security > IP Blocker (or IP Address Manager, or similar) and paste the addresses.

In my case I’m pasting them in one at a time. Depending on your host you might have the option to block a range of addresses.

Block IP Address and Users with Plugins

One problem with blocking IP addresses manually is they can be random, meaning that you keep getting attacked by other IP addresses. This is difficult to keep up with. A much better way to know which IP’s to block is by using a plugin. There are several high-quality plugins in all price ranges. Here’s a quick look at the most popular free security plugins with blacklisting capability, many of which topped our list of the best all-around WordPress security plugins.


Wordfence has a firewall where you can create blocking rules and block by IP address, country, and pattern. It also protects from brute forces attacks by limiting login attempts.

You can get the addresses from reports that Wordfence provides about suspicious activity. Here I’m looking at my live visitors. It shows which is human, which are bots, identifies some as a warning, and shows which have been blocked. In this example I have a few bots from Russia that I can block.

Enter the addresses and provide a reason for the block so you’ll remember what the issue was if you decide to reconsider blocking them.

Block a country by selecting it on the map. This requires an upgrade to premium.

You can also block based on a custom pattern. This includes a range of addresses, hostname, browser, and referrer.

See Plugin

iThemes Security

iThemes Security has a featured called Banned Users. It also has local and network brute force protection. You can enable the default blacklist from, enable ban lists, enter hosts to ban, and ban user agents. It has protection so you can’t ban yourself. Enter the list of IP’s and save it. The premium edition includes a user security check feature.

The logs will show important events and provide you with the hosts so you can block them.

See Plugin

All In One WP Security & Firewall

All In One WP Security & Firewall has a blacklist manager where you can enter IP addresses and user agents to block. There’s also a premium addon available that will blacklist a country. A login lockdown feature protects against brute force login attempts.

It includes a Whois lookup tool where you can learn more about who you’re blocking.

A comment spam IP monitoring tool lists the IP addresses of spam comments that you’ve received. You can view them, search them, and block them in bulk.

See Plugin

Ending Thoughts

Blacklisting IP addresses and users is a great way to protect your website from spam and malicious attacks. Blocking unwanted IP’s and users can improve both the quality and security of your website.

There are other ways to handle spam, such as a spam blocking plugin, but blocking the IP address of the spam bot keeps it from getting to your website in the first place, which improves security, the possibility of spam getting through, and saves resources since the spam bot can’t take part of your bandwidth.

It’s easy to blacklist IP’s manually, but plugins offer several advantages such as identifying those with multiple login attempts, blocking known spam and malicious IP’s, providing whois tools, blocking countries, etc., as well as other firewalls and security features.

There are lots of plugins and methods to blacklist IP addresses. Using the methods described here, you can easily blacklist unwanted IP’s and users and protect your WordPress website, making it a better and safer website for your legitimate users.

We want to hear from you. What is your preferred method to block IP addresses and users? Let us know in the comments.

Featured Image via Zeeker2526 /

Disclosure: If you purchase something after clicking links in the post, we may receive a commission. This helps us keep the free content and great resources flowing. Thank you for the support!


Want To Build Better WordPress Websites? Start Here! 👇

Take the first step towards a better website.

Get Started
Premade Layouts

Check Out These Related Posts

Splice Video Editor: An Overview and Review

Splice Video Editor: An Overview and Review

Posted on May 7, 2019 in Tips & Tricks

Video is a valuable form of content for social media. Unfortunately, creating quality videos is usually a long process that involves moving mobile footage to a desktop app for editing. However, mobile editing is on the rise. Apps such as Splice Video Editor make it possible to efficiently create...

View Full Post
How to Use Font Awesome On Your WordPress Website

How to Use Font Awesome On Your WordPress Website

Posted on February 14, 2019 in Tips & Tricks

When given the choice between using a vector icon or a static image, it’s a good idea to go with the vector. They’re small and fast to load, and they can scale to any size without a loss of resolution. Font Awesome is a superb library of vector icons that you can use on your websites,...

View Full Post


  1. That might not be as useful as you think. Wordfence says:

    Blocking IPs manually is generally an ineffective security tactic. Attackers generally cycle through IPs quickly and tend not to reuse them. Attacking IPs often belong to victims, so you risk blocking real users who want to access your website.

    More about that here

  2. Hi There, As i prefere to block some ip in my wp blogs itself. And Askimat blocked all spam comments. So.. yah..

  3. The website secure system is very vital for Business website therefore the presence of block IP addresses in is right to be.

  4. i have been using Wordfence for blocking for a while and it works well for me. …not hard to get around the block tho unfortunately so it’s and ongoing battle!

  5. I use geolocation blocking to block traffic from known dodgy sources, such as China and certain eastern European locations.
    It should be mentioned that doing this also results in ElegantThemes Support being unable to access your site, since it seems that a lot of them are based in these commonly blacklisted eastern european locations.

  6. I would definitely recommend using the limit access system.

Leave A Reply

Comments are reviewed and must adhere to our comments policy.

Get Started With Divi