Are you tired of dealing with spam comments, unwanted traffic, or malicious attacks on your WordPress website? One of the most effective ways to keep your website safe is by blocking IP addresses or even countries.
In this guide, you’ll learn how to track down and block IP addresses on your WordPress website. WordPress makes it easy.
Disclaimer:
Many spammers and hackers use VPN-type services to protect their identities, so blocking an IP address or even a country will not block a persistent criminal from accessing or posting to your website. If they choose to do so, they can simply change the VPN service location to an altogether different IP address or country on the fly through their VPN software. That said, let’s get started.
This article provides a comprehensive guide for blocking IP addresses or entire countries in WordPress. It explains how to identify malicious IP addresses by analyzing website activity logs or monitoring comments, and how to add a “bad IP list” into the WordPress Discussion Settings page. The article also covers the use of Cloudflare to block countries, and a plugin called IQ Block Country for blocking countries and the process for obtaining and uploading the necessary GeoLite2 data file. It also includes notes about the effects of IP address blocking and search engine optimization.
Step 1: How do I Identify Malicious IP Addresses?
The first step in blocking IP addresses is to identify the addresses that need to be blocked. This can be done by analyzing your website’s activity logs or by monitoring comments on your website.
Here is a WordPress bad comments example. Below each of the comments is the IP address of the person who wrote them (picture below).
Most security plugins provide bad login and malicious activity IP address information as well. Below is an example from a website I manage through my service, using the Wordfence plugin for monitoring (picture below).
IP Blocking SEO Trivia:
Blocking IP addresses will not hurt your search engine optimization efforts. Block away my friend.
I do recommend that you copy the offending addresses you wish to block into a separate text file. That will make it easier to identify extra spaces or characters as you build your bad IP addresses list.
Step 2: Where in WordPress Do I Add my Bad IP Addresses List?
With your IP address list in hand, navigate to the Discussion Settings panel in your WordPress dashboard. This can be found by going to Settings > Discussion in the sidebar. In this panel, you’ll find the sections titled Comment Moderation and Disallowed Comment Keys. Paste your bad IP address list into the respective box and click Save Changes.
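Steps 1 and 2 as a script, added here as an illustration and not part of the original article: it counts POSTs to the WordPress login, XML-RPC and comment endpoints per client in an access log, then trims, validates and de-duplicates a hand-copied list so it can be pasted one address per line. The "combined" log format, the sample lines, the threshold of 3 and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" format (assumed format).
# Assumes the first field is the real client address, not a CDN or proxy address.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:02:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:10:02:11 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:10:02:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.50 - - [12/Mar/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:10:03:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

WATCHED = ("/wp-login.php", "/xmlrpc.php", "/wp-comments-post.php")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST (\S+) ')

def noisy_ips(log_text, threshold=3):
    """Count POSTs to the watched endpoints per client; return those at or over threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2).split("?")[0] in WATCHED:
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def clean_ip_list(raw_entries):
    """Trim, validate and de-duplicate hand-copied entries; return (clean, rejected)."""
    clean, rejected = set(), []
    for entry in raw_entries:
        candidate = entry.strip().strip(",;")  # stray spaces and separators
        try:
            clean.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            if candidate:  # blank lines are dropped silently
                rejected.append(entry)
    order = lambda a: (ipaddress.ip_address(a).version, int(ipaddress.ip_address(a)))
    return sorted(clean, key=order), rejected

if __name__ == "__main__":
    flagged = noisy_ips(SAMPLE_LOG)
    pasted = list(flagged) + [" 203.0.113.7 ", "198.51.100.23,", "203.0.113.300", ""]
    block_list, bad = clean_ip_list(pasted)
    print("\n".join(block_list))  # one address per line, ready to paste
    print("rejected:", bad)
```

WordPress matches Disallowed Comment Keys entries inside longer strings, so always paste full addresses: a partial entry such as 203.0.113.7 would also match 203.0.113.70.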
Step 3: Did you know that your WordPress Discussion Settings options page allows for the blocking of words, URLs, and email addresses?
Now if this isn’t worth “buying Jim a cup of coffee” I don’t know what is.
- Use my WordPress Comment Moderation Bad list. This list covers all of the usual suspects (literally).
Step 4: How do I Block Countries from Visiting my WordPress website?
- Through Cloudflare
- Or, by using the Plugin IQ Block Country
4.1: Let’s Start with Cloudflare
Cloudflare provides a free domain name management service and most notably a free Content Delivery Network (CDN) service.
In 2024 Cloudflare updated their Web Application Firewall (WAF) and made it free of charge to all using their service. If you would like to learn more about the Cloudflare WAF options I recommend visiting their online FAQ: Cloudflare Web Application Firewall. Blocking or excluding countries, or connections from TOR, is quite easy with Cloudflare. See my example picture below:
4.2: Using the Plugin IQ Block Country
So you wish to block all IP addresses from a specific country? That’s easy. Begin by installing the plugin IQ Block Country within your WordPress dashboard.
To use the country blocking plugin, go to Plugins and click Add New. Type “IQ Block Country” into the search box. Install and activate the plugin.
You will need to register a free GeoLite2 account to download the tiny GeoLite2 data file.
- Visit the web page at Maxmind, and click Sign Up for GeoLite2
- Once you’re in, look for the “Download Databases” link. Click that link.
- And choose the “GeoLite2 Country” gzip link to download.
- Extract the gzip file on your computer, and look for the “GeoLite2-Country.mmdb” file.
- Upload the GeoLite2-Country.mmdb file to the wp-content/uploads/ directory of your website.
- Yes, the plugin will automatically recognize the file. Installation complete.
Once the plugin has access to the database file (usually automatic if the file is in the /uploads directory), you can then select the countries you wish to block in the IQ Block Country plugin settings page (picture at right).
Seriously, the hardest part of this process is uploading the tiny file to your hosting account. The IQ Block Country plugin’s settings page is nicely self-explanatory. To start, click the Frontend tab in the country blocking plugin’s settings page. Choose your countries from the list and click Save Changes (picture below).
Country Blocking SEO Trivia:
Blocking entire countries will not hurt your search engine optimization efforts. You are optimizing for your service area after all. The only time you may be penalized SEO-wise is if you inadvertently block Googlebot. Watch this deep-dive video on the country blocking subject if you’d like to learn more. If you block a country, the only real trade-off is that you will not receive traffic or inbound links from that blocked country.
That’s all there is to it. From here on out those would-be spammers should no longer be able to openly pollute your post comments or access your page from the IP or country blocked.
As a website security professional, I’ve been providing monitoring and management services to my clients for over 10 years. If you are curious about my low-cost WordPress management service, please see my website, HackGuard.com for more details.