Want to secure your WordPress site by blocking specific IP addresses? As experienced WordPress users, we've relied on IP blocking to stop spam, hacking attempts, and DDoS attacks effectively. In this guide, we'll walk you through identifying suspicious IPs and blocking them step by step.

Think of the internet like the physical world: an IP address is your device's unique identifier, much like a house number on a street. In its most common form (IPv4), it's four numbers (0-255) separated by dots.
Every internet-connected device receives an IP address from its Internet Service Provider (ISP).
Your WordPress site's access logs record the IP addresses of every visitor. Websites you visit store your IP too. For privacy, use a reputable VPN to mask your IP and personal details.
Blocking IPs is a reliable defense against unwanted traffic, comment spam, hacking probes, and DDoS attacks that can slow or crash your site.
DDoS signs include frequent downtime or sluggish page loads.
Spam is obvious in comments or contact forms. While we recommend anti-spam plugins first, IP blocking is a powerful last resort.
WordPress logs commenter IPs. Check them in your admin dashboard under Comments.

For DDoS or heavy attacks, review your server's access logs.
Log into cPanel, find the Logs section, and click Raw Access Logs.

Click your domain to download the .gz file. Extract it with 7-Zip or WinZip, then open in Notepad or TextEdit.
Each line starts with the requesting IP.

Avoid blocking legit users or search engines. Use online IP lookup tools to vet suspicious ones. Look for high request volumes from one IP. Tip: We'll cover automation later.
Copy suspect IPs to a text file.
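As an added example (not part of the original guide), this Python script does the per-IP counting described above directly on the downloaded .gz file. It assumes the Apache combined log format; the function names, the `min_requests` threshold, the `allowlist` parameter and the focus on `wp-login.php`/`xmlrpc.php` POSTs are illustrative choices.

```python
import gzip
import ipaddress
import re
from collections import Counter

# Assumed format (Apache combined): IP ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SENSITIVE = ("/wp-login.php", "/xmlrpc.php")  # WordPress login and XML-RPC endpoints


def summarize(lines, allowlist=(), min_requests=5):
    """Return [(ip, total, sensitive_posts)] for IPs at or above min_requests."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    total, sensitive = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        raw_ip, method, path, _status = m.groups()
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue  # first field is not a valid IP address
        if any(ip in net for net in allowed):
            continue  # e.g. verified search-engine or office networks
        total[raw_ip] += 1
        if method == "POST" and path.split("?")[0] in SENSITIVE:
            sensitive[raw_ip] += 1
    rows = [(ip, n, sensitive[ip]) for ip, n in total.items() if n >= min_requests]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


def summarize_gz(path, **kw):
    """Read the .gz file downloaded from cPanel without extracting it first."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return summarize(fh, **kw)


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE = (
    ['203.0.113.7 - - [10/Mar/2024:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "curl/8.0"' % i for i in range(8)]
    + ['198.51.100.20 - - [10/Mar/2024:10:01:%02d +0000] "GET /blog/?p=%d HTTP/1.1" 200 9000 "-" "Mozilla/5.0"' % (i, i) for i in range(6)]
    + ['192.0.2.5 - - [10/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 4000 "-" "Mozilla/5.0"']
    + ["garbage line"]
)

if __name__ == "__main__":
    for ip, n, s in summarize(SAMPLE, allowlist=["198.51.100.0/24"]):
        print(f"{ip}\t{n} requests\t{s} login/xmlrpc POSTs")
```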
To stop specific IPs from commenting (but allow site access):
Go to Settings » Discussion and add IPs to the Comment Blacklist box.

Save changes. Commenters from those IPs will get an error when they try to submit a comment.
For full access denial (ideal for hacks/DDoS):
Log into cPanel, go to Security » IP Blocker (or IP Deny Manager).

Add single IPs or ranges, then click Add.

Return to this page anytime to remove a blocked IP.
Manual blocking works for targeted threats, but sophisticated attacks use rotating global IPs—impossible to track manually.
Enter Web Application Firewalls (WAFs). Sites like WPBeginner trust Sucuri, a proven security service. It routes traffic through protected servers, scanning for threats and auto-blocking bad IPs.
Sucuri blocked 450,000 WordPress attacks for us in just 3 months.
We hope this expert guide helps you block IPs effortlessly in WordPress. Check our beginner's WordPress security guide next.