How to Block IP Addresses in WordPress to Stop Attacks

When your server logs show the same IP address hammering your login page hundreds of times an hour, or a scraper bot churning through your site at midnight, the fastest remedy is a direct block. Brute force attacks, comment spam, and aggressive crawlers often come from a small pool of repeat offenders. Cut off those addresses and the noise drops immediately.

WordPress doesn’t have a built-in IP blocking tool, but you have three practical options: a security plugin, your .htaccess file, or your hosting control panel. The right choice depends on how many IPs you need to block and where the attack is coming from.

Quick Answer

The quickest way to block an IP address in WordPress is through a security plugin like Wordfence. Go to Wordfence > Firewall > Blocking, enter the IP address, and click Block. It takes under a minute and applies instantly. For bulk blocking or when you don’t want a plugin involved, editing your .htaccess file or using your host’s IP blocker are both solid alternatives.

Why This Matters

Repeated hits from the same IP addresses add up quickly. A brute force attack testing thousands of password combinations puts constant load on your server and can trigger rate limits on your hosting plan. Scrapers pull bandwidth without contributing anything. And if an attacker finds a vulnerable endpoint, repeated requests from the same source make it easier to spot patterns, but only if you’re already watching. If you’re not yet monitoring WordPress for security threats, setting that up alongside IP blocking gives you a much clearer picture of what’s hitting your site.

Blocking known bad actors is one layer of a broader hardening approach. It won’t stop every attack, but it eliminates the easy repeat offenders and reduces server load at the same time. Think of it as closing a door that keeps swinging open rather than waiting for someone to eventually come through.

How to Identify Which IPs to Block

Before you block anything, you need to know what you’re blocking. There are a few ways to find offending IP addresses:

  • Security plugin reports — Wordfence and similar plugins log failed login attempts and blocked requests, usually with the originating IP clearly visible under Wordfence > Firewall > Blocked Attacks.
  • Server access logs — If you have cPanel access, go to Metrics > Visitors or Logs > Access Log. Look for high-frequency requests from a single IP in a short time window.
  • Comment spam queue — Spam comments that slip through often share the same IP. Check your WordPress spam queue for patterns.

Before blocking any IP, run a quick lookup using a tool like ipinfo.io to confirm it’s not a shared hosting address, a legitimate search engine crawler, or a known CDN node. Blocking a Googlebot IP by mistake will hurt your indexing.
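The access-log check described above can be scripted. This is an added example, not code from the original article: it counts POSTs to the login endpoints per IP inside a sliding time window and then groups the flagged addresses by /24. The combined log format, the 5-hits-per-minute threshold, the inclusion of /xmlrpc.php and the sample lines are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # assumed endpoints to watch

def _line(ip, sec, method, path, status):
    # Helper that builds one constructed "combined" format log line.
    return (f'{ip} - - [12/Mar/2024:03:14:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "constructed-agent"')

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 40, 5)]
    + [_line("203.0.113.9", s, "POST", "/xmlrpc.php", 200) for s in range(1, 37, 6)]
    + [_line("198.51.100.20", s, "POST", "/wp-login.php", 302) for s in (10, 30)]
    + [_line("192.0.2.10", s, "GET", "/", 200) for s in range(0, 50, 5)]
)

def noisy_ips(log_text, threshold=5, window=timedelta(minutes=1), allowlist=()):
    """Map each IP to its peak count of login POSTs inside any one window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, stamp, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS and ip not in allowlist:
            hits[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def subnet_clusters(ips, min_hosts=2):
    """Return /24 networks that contain at least min_hosts flagged IPv4 addresses."""
    v4 = [ip for ip in ips if ipaddress.ip_address(ip).version == 4]
    nets = Counter(ipaddress.ip_network(f"{ip}/24", strict=False) for ip in v4)
    return sorted(str(net) for net, count in nets.items() if count >= min_hosts)

if __name__ == "__main__":
    flagged = noisy_ips(SAMPLE_LOG, allowlist={"192.0.2.10"})
    print(flagged, subnet_clusters(flagged))
```

Pass your own address in `allowlist` so it can never end up in the output, and still run the ipinfo.io lookup on anything the script flags before blocking it.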

Method 1: Block IP Addresses Using Wordfence

Wordfence is the most popular WordPress security plugin and includes IP blocking built into its firewall. It’s also free for the core features you need here. You can find it at wordpress.org/plugins/wordfence.

Block a single IP address

  1. Install and activate Wordfence from Plugins > Add New.
  2. Go to Wordfence > Firewall in the WordPress dashboard.
  3. Click Blocking in the top menu.
  4. Select IP Address from the block type dropdown.
  5. Enter the IP address in the field provided.
  6. Add a reason if you like (for your own records), then click Block.

The block takes effect immediately. Wordfence will return a 403 Forbidden response to any request from that address.

Block an IP range

If attacks are coming from multiple IPs within the same subnet, you can block an entire range using CIDR notation (e.g. 192.168.1.0/24 blocks all 256 addresses in that range). Wordfence’s blocking interface accepts CIDR ranges directly. In my experience, this is worth doing when you see a cluster of IPs all starting with the same first two or three octets.

Method 2: Block IP Addresses via .htaccess

If you’d rather not use a plugin, you can block IP addresses directly in your .htaccess file. This method works at the server level, before WordPress even loads, so it’s slightly faster for high-volume blocking.

  1. Access your .htaccess file via FTP or your hosting file manager (it’s in the root of your WordPress install).
  2. Add the following block before the WordPress rewrite rules:
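## Block bad IPs
# Order/Allow/Deny is Apache 2.2 syntax; Apache 2.4 only honours it when mod_access_compat is loaded.
# Allow is evaluated first, then Deny, so the listed addresses are refused and everyone else gets through.
Order Allow,Deny
Deny from 192.168.1.100
Deny from 10.0.0.50
Allow from all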

Replace the example IPs with the ones you want to block. To block a range, use the partial IP notation: Deny from 192.168.1 blocks all addresses starting with 192.168.1.

Save the file and the block applies immediately — no restart needed. Keep a note of what you added and when, so you can remove blocks later if needed.
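One way to generate the block list with guard rails, as an added example that is not part of the original article: it validates each entry, refuses anything that would cover an address you must keep reachable, merges overlapping ranges, and emits the Apache 2.4 `Require not ip` form rather than the `Order`/`Deny` form shown above. The function name, the `protected` parameter and the sample addresses are hypothetical.

```python
import ipaddress

def build_deny_block(entries, protected):
    """Return (.htaccess text, rejected entries) for a list of IPs or CIDR ranges.

    protected: addresses that must never be blocked (your own IP, a monitoring
    service). This parameter is an assumption made for the example.
    """
    keep = [ipaddress.ip_address(p) for p in protected]
    nets, rejected = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not a valid IP or CIDR"))
            continue
        hit = [str(p) for p in keep if p.version == net.version and p in net]
        if hit:
            rejected.append((raw, f"would block protected address {hit[0]}"))
            continue
        nets.append(net)
    # Merge duplicates and adjacent ranges; IPv4 and IPv6 must be collapsed separately.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    lines = ["## Block bad IPs (Apache 2.4 syntax)", "<RequireAll>",
             "    Require all granted"]
    for net in list(v4) + list(v6):
        # Single hosts are written as a bare address, ranges as CIDR.
        target = str(net.network_address) if net.num_addresses == 1 else str(net)
        lines.append(f"    Require not ip {target}")
    lines.append("</RequireAll>")
    return "\n".join(lines), rejected

if __name__ == "__main__":
    # Constructed input using documentation-range addresses.
    text, rejected = build_deny_block(
        ["203.0.113.7", "198.51.100.0/25", "198.51.100.128/25", "192.0.2.0/24"],
        protected=["192.0.2.44"],
    )
    print(text)
    print(rejected)
```

The rejected list doubles as a record of what was not blocked and why, which fits alongside the note of what you added and when.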

Method 3: Block at Hosting Level

Most shared and managed hosting providers include an IP blocking tool in their control panel. In cPanel, it’s listed under Security > IP Blocker. You enter an IP or range and the host applies the block at the server level, ahead of your WordPress install entirely.

This is the best option when you’re dealing with a high-volume attack that’s already putting load on the server — blocking at the application layer (WordPress or even .htaccess) still involves some server processing per request, whereas hosting-level blocks stop the traffic earlier. It’s also useful if you manage multiple WordPress installs on the same hosting account and want the block to apply across all of them.

Practical Tips

  • Record what you block. Keep a simple log — a text file or a note — with the IP, the date, and the reason. When you revisit your security setup in three months, you’ll thank yourself.
  • Check before blocking shared IPs. Corporate networks, mobile carriers, and some ISPs route many users through a single IP. Blocking a shared address can lock out legitimate visitors. An ipinfo.io lookup will flag this.
  • Combine blocking with broader WordPress hardening. IP blocks deal with known offenders, but hardening your installation closes the vulnerabilities those offenders are trying to exploit.
  • Review blocks periodically. IPs get reassigned. A block that was necessary six months ago may now affect innocent users.

Common Mistakes

  • Blocking your own IP. It sounds obvious, but it happens. Before blocking any address, double-check it isn’t your own. Google “what is my IP” to confirm.
  • Blocking without investigating. Blocking one IP doesn’t mean the attack stops. Most bots rotate through multiple addresses. Use your security logs to look for patterns rather than just reacting to a single address.
  • Using IP blocking as a substitute for a firewall. A good WordPress firewall does the same job as manual IP blocking — and much more — automatically. If you find yourself blocking IPs manually on a regular basis, a firewall plugin or a WAF at the hosting level is the better long-term solution.

IP Blocking vs Alternatives

IP blocking is effective against persistent, known bad actors hitting the same site from the same address. It’s less effective against:

  • Distributed attacks — where traffic comes from thousands of addresses simultaneously. For this, a CDN with DDoS protection or a cloud-based WAF is more appropriate.
  • Comment and form spam — where bots cycle through addresses quickly. A CAPTCHA or honeypot on your forms handles this better than blocking individual IPs.
  • Unknown future threats — a firewall that analyses behaviour patterns will catch new attackers before you’ve even identified their IP.

Use IP blocking for targeted, reactive situations: someone hammering your login page, a scraper you’ve identified, or a source generating repeated 404 errors against known vulnerable paths. For everything else, invest in the preventive layers. If you’re building a WordPress site from scratch and working through your security setup, the step-by-step guide to building a WordPress website covers the security groundwork in the right order.

Conclusion

Blocking a problem IP takes less than two minutes in Wordfence or .htaccess — and it works. Use it when you have a specific, identified source causing trouble, combine it with a firewall for ongoing protection, and keep a record of what you’ve blocked so you can review it later.