In the previous article, I showed you how to block bots by user agent through the .htaccess file. This technique can be used by any site – whether it’s powered by WordPress or not. But sometimes, it’s not a specific bot that hammers your site with requests. There could be thousands of login attempts and IP addresses that access your wp-login.php page in an attempt to DDoS your site.
The difference is that bots – even bad ones – generally give their name and it’s easy to identify them. IP addresses on the other hand are a little more complicated. In this tutorial, I’ll show you several methods to block IP addresses, including solutions you might not have thought you needed!
Solution 1: Most Common – Block from Comments
A very common problem is comment spam that somehow slips through your filters. I sometimes wake up to find my blog flooded with dozens of spam messages. It’s not necessarily a strain on my server, but it’s annoying to have to delete them over and over manually, and it creates a bad impression to visitors to the site who see the spam comments.
We can block these comments via IP. First, go to your comments section and see the IP address of the commenter like this:
Next, go to Settings -> Discussion:
Here, scroll down to the section labeled “Comment Blacklist” and add the IP address to the box as shown here:
Save your changes and you’re done! Now all comments originating from that IP address will go straight to the trash can. It’s a simple solution and it works great for most people.
Solution 2: Block IP Addresses in .htaccess
This is a bit more serious. Use this solution when it’s more than just a dozen comments or hits on your site. This is for an IP address that actively tries to DDoS your site – whether accidentally, or on purpose.
Open the “.htaccess” file at the root of your site directory and paste in the following lines:
Order Allow,Deny
Deny from [IP Address]
Allow from all
Here, replace [IP Address] with the IP address you need to block. Requests that originate from that IP address will now get a 403 error as shown here:
This solution also puts the least strain on your server. Since no PHP files are being executed, there’s barely any CPU or script usage.
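An added example (not from the original article): a short Python script that counts POST requests to wp-login.php per client IP in an Apache access log and builds the deny block in the syntax shown above. The sample log lines, the threshold and the allowlist parameter are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2024:06:25:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2024:06:25:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2024:06:25:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:06:26:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:06:26:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:06:27:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
not a log line
"""

# Client address, then the method and path from the quoted request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*"')

def login_posts_per_ip(log_text):
    """Count POST requests to /wp-login.php per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        client, method, path = m.groups()
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            continue  # hostname or garbage in the client field
        if method == "POST" and path.split("?", 1)[0] == "/wp-login.php":
            counts[str(ip)] += 1
    return counts

def htaccess_block(counts, threshold, allowlist=()):
    """Build the deny block for IPs at or above threshold, skipping allowlisted IPs."""
    offenders = sorted(ip for ip, n in counts.items()
                       if n >= threshold and ip not in allowlist)
    if not offenders:
        return ""
    lines = ["Order Allow,Deny"]
    lines += [f"Deny from {ip}" for ip in offenders]
    lines.append("Allow from all")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(htaccess_block(login_posts_per_ip(SAMPLE_LOG), threshold=3))
```

Put your own address in the allowlist so a few mistyped passwords never lock you out. On Apache 2.4, the Order/Deny/Allow directives are provided by mod_access_compat.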
Solution 3: Using a Plugin for IP Lists
The solution above with .htaccess is great for one-off IP address bans. But if you find yourself doing it more often, then a better solution is to use a plugin. I personally use the iThemes Security plugin. The free version is pretty good by itself and it comes with a bunch of other useful security tweaks. Once installed, navigate to the section on “Banned Users”, and click “Enable Ban Lists”:
Now enter the IP addresses you want to ban in the box below – one on each line. Save your changes and you’re done!
Solution 4: Banning by Country with Cloudflare
If you notice a lot of spam coming from a specific country, you might want to consider a country-specific IP ban list. However, this is far from trivial. IP block rules for countries can number hundreds of lines that change all the time. It’s practically impossible to manually maintain a list of IP addresses by country. People have tried, and it usually turns out to be a mess. Don’t do it.
A far better solution is to use a reverse proxy like Cloudflare that does the heavy work for you. If you’re already using Cloudflare, then navigate to the “Firewall” section and scroll down to “Access Rules” as shown here:
Now just enter the country name you want to ban. You can create more than one blocking rule and block several countries if you want. It’s much more efficient and effective than trying to do it by yourself.
So there you have it. A number of methods to implement IP bans on your site – from the simple comment moderation, to a full-blown country-level IP ban. I hope some of the information here helps keep you safe, and your site accessible!