Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

How to Block IP Addresses in WordPress (& Why)

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Do you want to block specific IP addresses from accessing your WordPress site?

Blocking IP addresses is used as a solution to block spam and hacking attacks on your website.

In this article, we will show you how to block IP addresses in WordPress, and we will also show you how to find out which IP addresses need to be blocked.

How to Block IP Addresses in WordPress

What Is an IP Address?

Each computer connected to the internet has an IP address assigned to them by their internet service provider.

If the internet was a physical world, then think of IP addresses as country, street, and house numbers. They are 4 sets of numbers from 0-255 separated by dots and look like this:

All visitors to your WordPress website have an IP address that is stored in your website’s access log files. This means that all websites that you visit also store your IP address.

If you want to hide your real IP address and other personal information when using the internet, then you can use a VPN service.

Why & When Do You Need to Block IP Addresses?

Blocking an IP address from accessing your website is an effective way to deal with unwanted visitors, comment spam, email spam, hacking attempts, and DDoS (denial of service) attacks.

The most common sign that your website is under a DDoS attack is that your website will frequently become inaccessible or your pages will take forever to load.

The other attacks are more obvious such as when you start getting spam comments or a lot of spam emails from your contact form. We have a list of ways to fight spam comments, but the last solution is to block IP addresses.

Finding Out IP Addresses You Want to Block in WordPress

WordPress stores IP addresses for users that leave a comment on your website. You can see their IP address by visiting the Comments page in your WordPress admin area.

IP addresses stored in WordPress comments

If your website is under a DDoS attack, then the best way to locate the IP addresses is by checking your server’s access log.

To see those logs, you will need to log in to the cPanel dashboard of your WordPress hosting account. Next, locate the ‘Logs’ section and click on the ‘Raw Access Logs’ icon.

Raw access logs

This will take you to the access logs page.

You will need to click on your domain name to download the access logs file.

Download access log file

Your access log file will be inside a .gz archive file. Go ahead and extract the file by clicking on it.

If your computer does not have a program to handle .gz archive files, then you will need to install one. Winzip and 7-zip are two popular choices among Windows users.

Inside the archive, you will see your access log file, which you can open in a plain text editor like Notepad or TextEdit.

The access log file contains raw data of all requests made to your website. Each line begins with the IP address making that request.

IP addresses in access log file

You need to make sure that you don’t end up blocking yourself, legit users, or search engines from accessing your website. Copy a suspicious-looking IP address and use online IP lookup tools to find out more about it.

You will have to carefully look at your access logs for an unusually high number of requests from a particular IP address. We share a way to automate this at the bottom of this article.

Once you have located those IP addresses, you need to copy and paste them into a separate text file.

Blocking IP Addresses in WordPress

If you just want to stop users with a specific IP address from leaving a comment on your site, then you can do that inside your WordPress admin area.

Head over to Settings » Discussion page and scroll down to the ‘Comment Blacklist’ text box.

Blacklist IP addresses in WordPress comments

You need to copy and paste the IP addresses that you want to block and then click on the ‘Save Changes’ button.

WordPress will now block users with these IP addresses from leaving a comment on your website. These users will still be able to visit your website, but they will see an error message when they try to submit a comment.

Blocking an IP Address Using cPanel

This method completely blocks an IP address from accessing or viewing your website. You should use this method when you want to protect your WordPress site from hacking attempts and DDoS attacks.

First, you need to log in to the cPanel dashboard of your hosting account. Now scroll down to the Security section and click on the ‘IP Blocker’ icon.

The cPanel IP Blocker Tool

This will take you to the IP Blocker tool.

Here, you can add the IP addresses you want to block. You can add a single IP address or an IP range and then click the ‘Add’ button.

Blocking IP addresses in cPanel

You can come back to the same page again if you ever need to unblock those IP addresses.

When IP Address Blocking Doesn’t Work – Automate It!

Blocking an IP address will work if you are just blocking some basic hacking attempts, specific users, or users from specific regions or countries.

However, many hacking attempts and attacks are made using a wide range of random IP addresses from all over the world. It is impossible for you to keep up with all those random IP addresses.

That’s when you need a Web Application Firewall (WAF) such as Sucuri our Cloudflare. These website security services protect your website against such attacks using a website application firewall.

Basically, all your website traffic goes through their servers, where it is examined for suspicious activity. It automatically blocks suspicious IP addresses from reaching your website altogether. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

We hope this article helped you learn how to easily block IP addresses in WordPress. You may also want to see our ultimate WordPress security guide for beginners or our expert pick of the best WordPress landing page plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

31 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Dayo Olobayo says

    I have been using the first method on my WordPress admin dashboard and it worked at reducing the spam comments. But how do we deal with those who use VPN to change their IP addresses? If I were to keep adding such IPs to my blacklist, won’t I lock out legitimate visitors from commenting on my posts?

    • WPBeginner Support says

      If your hackers are determined enough to use multiple IP addresses then you can normally block the IP addresses temporarily and then remove them after a time as that would require many resources to change the IP constantly.


      • Dayo Olobayo says

        That sounds logical. Blocking IP addresses temporarily and then removing them later can be effective, as constantly changing IPs requires significant resources from the hackers.

  3. ed thoma says

    there is no ‘Comment Blacklist’ text box.

    if word press removed this feature, then the the part where you direct/suggest the so called option should be removed.

  4. Borundebnath says

    My Wifi IP address is block in my own site for my mistake but I can log in my site by using another wifi, how to unblock my IP address with WordPress?

  5. Gbengard says

    Hi there,

    I blocked an IP Address from visiting my blog, the visitor still finds a way to visit my blog with the same IP Address.

    What would you advise?

    • WPBeginner Support says

      In these situations, we would recommend checking with your hosting provider to ensure there are no conflicts on their end.


    • WPBeginner Support says

      You would want to look for Disallowed Comment Keys on the discussion page due to a more recent update for where to add the IPs :)


    • zanuda says

      From left menu (rather then comments) choose Settings -> Disussions and scroll down until you see line “Disallowed Comment Keys” and the box under. IP to blocked goes in the box, one per line.

  6. Azra Noir says

    Thanks ^^ This helped me find what I was looking for to block an ip address from commenting on my articles.

  7. Gaurav Ramani says

    One website is copying my whole content without leaving any comment .
    What can I do. help me please

  8. zanuda says

    How do I block a range of IPs (subnet)? I’m getting spam from the same subnet, let.s say ABC.CDE.*.* First part is the same, the last varies. At the moment I wrote in the blacklist section that way: ABC.CDE , but I’m not sure it’s the right way. I’ve seen this as an advice somewhere ages ago. Now one of the anti-spam plugin died out and I started to look, I’ve got another info. like this: ABC.CDE.* or like this ABC.CDE.*.* So are all those ways are Ok or only one of them? And which one?

    • WPBeginner Support says

      It would depend on what method you are using to block the IPs but normally you would want to use the second option with two *s


      • zanuda says

        Method – the same as in the article above, going to Discussion settings and putting IP address over there. It’s just there are no way to double check which one is working because I don’t have access to different IP…

        Thanks, I’ll change everything to ABC.CDE.*.*

  9. iptv says

    I have recently started a blog, the information you offer on this web site has helped me tremendously. Thank you for all of your time & work.

  10. Leon Mufaya says

    Thanks a lot for the information, ever since I came across WPBeginner, my WordPress life has been extremely easy and stress-free and I hope you guys keep up the great work.

  11. dorian says

    I was looking to this answer since my site was getting so much hits and spam from particular IP addresses. I am disabling that now. Thanks!

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.