Your site is designed to attract visitors, create interest, and ultimately drive engagement. In most cases, this leads to a predictable pattern: Better content creates better SEO, which increases traffic and improves overall sales conversions.
In many cases, it also means increased interaction with your site itself — from comments on new posts to email inquiries and social media mentions.
But what happens when this attention isn’t advantageous? What steps can you take if visitors are leaving rude or aggressive comments, spamming your inbox with emails, or slowing down your site with unwanted traffic?
While it’s possible to resolve some issues with polite requests and reasonable restrictions, there are times when you’re best-served by blocking specific Internet protocol (IP) addresses to frustrate offensive commenters, stop spammers, and avoid ongoing attacks. Let’s dive into details of why, when, and how to block an IP address.
What is an IP Address used for?
IP addresses are much like physical addresses — they provide information about both the device and network being used to connect.
Unlike physical addresses, however, they’re not static; while you’ll generally have the same IP address when connecting devices through your home network, this address changes if you’re using another network outside your home and can also change if you reboot your router or switch Internet providers.
The most common type of IP addresses, known as IPv4 addresses, use four sets of up to three numbers each separated by dots, like this:
This address is known as the “loopback address”, which all devices use to identify themselves on any network. They are then assigned a specific IP address to connect to the Internet at large.
Anyone who connects to your site with any device does so using an IP address, which is recorded by your content management system (CMS). Let's say you're using WordPress. If users leave a comment, their IP address can be found in the “Comments” section of your WordPress admin page.
You can also find a list of all the IP addresses that have visited your site using your WordPress hosting provider’s cPanel dashboard. Find the “Logs” section and then click on “Raw Access Logs”. Once you’ve downloaded the raw access data file you’ll need to decompress it and open it using a text editor to see a list of all the IP addresses that have recently visited your site.
Why Block an IP Address
If visitors leave a negative comment on your site, it’s often possible to reach out and resolve the problem without any further issues. In some cases, however, this isn’t effective, resulting in post comments sections that quickly descend into mean-spirited and unproductive debate.
It’s also possible that your website may be targeted by malicious actors looking to compromise administrative logins or carry out distributed denial of service (DDoS) attacks which can significantly reduce site performance or take your site offline entirely.
While it’s always preferable to resolve issues without blocking users or their devices, the scenarios listed above call for more drastic action: Blocking IP addresses.
How to Block an IP Address
So how do you block an IP address?
Blocking a single address is possible using your WordPress administrator page. Head to the “Comments” section and click on a specific comment to see the user’s IP address. Then, go to “Settings”, click on the “Discussion” submenu and scroll down to “Comment Blacklist”. This brings up a text box that allows you to block specific IP addresses. Enter one IP address per line and click the “Save Changes” button — now, users with these specific IP addresses won’t be able to comment on any posts.
It’s worth noting, however, that this method only stops users from commenting on your posts, but won’t stop them from accessing your site or spamming it with malicious data traffic to slow down performance. In this case, you’ll need to completely block the offending IP address using the administrative options in your WordPress hosting providers’ cPanel dashboard.
Head to the “Security” section and find the “IP Address Deny Manager”, then enter a specific IP address or range of addresses to block. Here, the result is more substantive: Anyone trying to access your site from these addresses will get an error message instead of seeing your page.
The Obfuscation Issue
As noted above, IP addresses aren’t permanent. Instead, they’re assigned based on factors including current location, device, and network type. They can also be deliberately replaced with different IP addresses by using what’s known as a virtual private network (VPN).
VPN services have a host of legitimate uses. For example, they’re often used by businesses to obfuscate user locations and encrypt data traffic, in turn making it much more difficult for hackers to compromise key functions. But VPNs can also be used by malicious actors to generate massive amounts of website traffic — traffic that seemingly originates from multiple devices and locations worldwide. In this case, blocking specific IP addresses and even address ranges through WordPress or hosting cPanels won’t help, since attackers will simply use a different set of addresses for their next attack.
Solving for IP Overload
Thankfully, site owners have several options when it comes to handling IP address overload.
First up are WordPress plugins that allow administrators to block traffic from specific geographic locations in addition to IP ranges. Consider the case of a DDoS attack on your site: If your examination of server logs shows that the bulk of malicious access requests are coming from a certain country or region, WordPress plugins such as IP2 Location Country Blocker let you actively block access from this geographic area to limit the risk of site compromise.
It’s also worth considering more active security options for your WordPress site, such as web application firewalls (WAFs) offered by reputable security providers. These solutions help reduce malicious site traffic by routing all access requests through their own servers and scanning them for suspicious activity or IP addresses. If these tools discover a large volume of traffic coming from the same geographic area or detect suspicious activity — such as rapid-fire requests or the use of proxy servers to reroute and obfuscate these requests — they will automatically deny access to protect your site.
Building Better Blocks
In most cases, blocking an IP address isn’t necessary — one-off comments and occasional site security issues can be mitigated by responsive administrators and robust security solutions. In the event that commenters refuse to respect community guidelines or large-scale DDoS attacks on WordPress websites become a reality, however, it’s worth considering more drastic action with IP address blocking.
For single, specific blocks or small-scale address ranges it’s easy enough for site admins to use built-in comment moderation or cPanel hosting management tools. In the case of targeted attacks using VPN or proxy processes, meanwhile, consider building better blocks with location-blocking WordPress plugins or advanced IP address detection and rejection tools.
Originally published Dec 30, 2020 7:00:00 AM, updated June 22 2022