Wordpress

Block IP Addresses in WordPress

There are several reasons you might need to block an IP address from accessing the site. I’ve categorized the reasons in no particular order:

  • Unnecessary traffic
  • Spam
  • Brute Force Attack
  • DDoS Attack

Unnecessary traffic

Usually, this is traffic generated by bots crawling the site, and they can be good or bad bots. A bot is considered good when it follows the rules in the robots.txt file; a bad bot simply ignores them. There are also email harvesters, content scrapers, and web extractors. This traffic consumes bandwidth and sometimes slows down the loading of the site.

Spam

Spam is unwanted messages, usually sent through form submissions such as contact forms, registration pages, and comment pages. They become annoying because the submissions do not come from legitimate users or customers. In server access logs, most of them come from a single IP.

Brute Force Attack

A brute force attack is a series of login attempts trying to guess the password. There are many methods of doing this: one is trying all possible combinations, another is using a dictionary of known weak passwords. Attempts to reach the wp-admin dashboard are plentiful in server access logs.

DDoS Attack

DDoS is an acronym for Distributed Denial of Service. The DDoS attack utilizes several IP addresses that send multiple requests with the aim to exceed the bandwidth and limit access to a website.

Blocking an IP using a plugin

The most sophisticated plugin for securing a WordPress site is Wordfence. Wordfence features a built-from-the-ground-up endpoint firewall and malware scanner to secure WordPress. Wordfence gets the latest firewall rules, malware signatures, and malicious IP addresses from its Threat Defense Feed, so it can keep the website secure. Wordfence is the most robust WordPress protection system today, with 2FA and a suite of additional tools.

Here are other plugins worth considering in blocking IP:

Blocking an IP in Server Configuration

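On Apache servers, this can be done by adding the Deny directive to the .htaccess file. Deny is the Apache 2.2 access-control syntax; on Apache 2.4 it is provided by mod_access_compat.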

# Block Single IP
Deny from 192.168.254.1

# Block Entire Subnet
Deny from 192.168

# Block using CIDR
Deny from 192.168.254.0/24

On Nginx servers, add an access.conf file to the Nginx configuration folder.

location / {
    deny 192.168.254.1;
}

After adding, reload the configuration or restart Nginx.

Blocking an IP by using PHP

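Use a PHP snippet to block an IP. The best place to put the code is wp-config.php, so the request is denied before WordPress bootstraps the core, plugins, and themes.

// Deny the request before WordPress loads. isset() avoids a warning when PHP
// runs without a client address, such as from the command line.
if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] === '192.168.254.1') {
  header('HTTP/1.0 403 Forbidden');
  exit;
}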
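
The single-address check above, extended to the subnet and CIDR forms shown for Apache, as an added example that is not the original author's code. The function names ip_in_range and is_blocked and the sample ranges are hypothetical, and it assumes REMOTE_ADDR holds the real client address, which is not the case behind a reverse proxy or CDN.

```php
<?php
// Added example (not the original author's code). The ranges below are
// constructed sample values; use addresses taken from your own access logs.
$blocked = ['192.168.254.1', '192.168.254.0/24', '2001:db8::/32'];

// True when $ip equals $range (single address) or lies inside it (CIDR).
// Handles IPv4 and IPv6; malformed input never matches.
function ip_in_range(string $ip, string $range): bool
{
    [$net, $bits] = array_pad(explode('/', $range, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                       // unparseable or mixed IPv4/IPv6
    }
    $max = strlen($ipBin) * 8;              // 32 for IPv4, 128 for IPv6
    if ($bits === null) {
        $bits = $max;                       // bare address: compare every bit
    } elseif (!preg_match('/^\d{1,3}\z/', $bits) || (int) $bits > $max) {
        return false;                       // invalid prefix length
    }
    $bits  = (int) $bits;
    $bytes = intdiv($bits, 8);              // whole bytes covered by the prefix
    $rem   = $bits % 8;                     // leftover bits in the next byte
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;    // high $rem bits of the next byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function is_blocked(string $ip, array $ranges): bool
{
    foreach ($ranges as $range) {
        if (ip_in_range($ip, $range)) {
            return true;
        }
    }
    return false;
}

// In wp-config.php: refuse the request before WordPress loads.
// isset() leaves command-line runs without a client address unaffected.
if (isset($_SERVER['REMOTE_ADDR']) && is_blocked($_SERVER['REMOTE_ADDR'], $blocked)) {
    http_response_code(403);
    exit;
}
```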

Wrapping Up

I think the best methods to use are the server configuration and the PHP code inclusion. Even if the site is experiencing a DDoS attack, the server rule and the PHP code can be added instantly.

Installing WP Rocket on Pantheon Platform

Some people have a hard time installing WP Rocket on Pantheon because it creates files in a folder that the Pantheon Platform write-protects.

The solution is to create symlinks that point into the write-permitted folder, which is the wp-content/uploads folder.

Please note that this step is not recommended with any SFTP app, only with the SFTP command line, since creating symlinks over SFTP is inconsistent between clients. The process below was tested using a MacBook Pro (Mojave), Ubuntu 18.04.4 LTS, and Windows 10 (Release 1909).

  • Create the folders cache and wp-rocket-config in the wp-content/uploads folder on DEV first (TEST and LIVE come later).
  • Remove the wp-content/cache folder. If there is a wp-content/wp-rocket-config folder, remove it also.
  • Create a symlink via the terminal command line.

Note: Be sure that you are in the wp-content folder.

$ ln -s ./uploads/cache cache
$ ln -s ./uploads/wp-rocket-config wp-rocket-config

  • Commit and push the symlink via git.
  • Create the folder cache and wp-rocket-config in wp-content/uploads for TEST and LIVE.
  • Commit and deploy code to TEST and LIVE.
  • Activate the WP-Rocket plugin and apply the license code.

Hopefully, this will help users install the WP-Rocket Plugin on the Pantheon Platform.

Happy Coding.