There are several reasons that might need to block an IP address from accessing the site. I’ve categorized the reasons in no particular order:
- Unnecessary traffic
- Spam
- Brute Force Attack
- DDoS Attack
Unnecessary traffic
Usually, this is traffic generated by bots crawling the site, they might be good or bad bots. A bot is considered good when it would adhere or follow what’s on the robots.txt file, the other one would just ignore the contents. There are also some email harvesters, content scrapers, and web extractors. This adds bandwidth and sometimes hinders the loading of the site.
Spam
Spam is unwanted messages, usually on form submissions like contact forms, registration pages, and comment pages. They sometimes become annoying since the query does not come from legitimate users or customers. On server access logs most of them come with a single IP.
Brute Force Attack
A brute force attack is a series of login attempts trying to guess the password. There are many methods of doing this, one is doing all the combinations to log in, another is using a dictionary of known weak passwords. Access to the wp-admin dashboard is really plenty on server access logs.
DDoS Attack
DDoS is an acronym for Distributed Denial of Service. The DDoS attack utilizes several IP addresses that send multiple requests with the aim to exceed the bandwidth and limit access to a website.
Blocking an IP using a plugin
The most sophisticated plugin for securing a WordPress site is Wordfence. Wordfence features a built-from-the-ground-up endpoint firewall and malware scanner to secure WordPress. Wordfence gets the latest firewall rules, malware signatures, and malicious IP addresses from its Threat Defense Feed, so it can keep the website secure. Wordfence is the most robust WordPress protection system today, with 2FA and a suite of additional tools.
Here are other plugins worth considering in blocking IP:
- All In One WP Security & Firewall
- WP Cerber Security, Antispam & Malware Scan
- Loginizer
- Spam protection, AntiSpam, FireWall by CleanTalk
- iQ Block Country
Blocking an IP in Server Configuration
On Apache servers, this can be done by adding Deny keyword on .htaccess
# Block Single IP
Deny from 192.168.254.1
# Block Entire Subnet
Deny from 192.168
# Block using CIDR
Deny from 192.168.254.0/24
On Nginx servers, add access.conf file on Nginx configuration folder.
location / {
deny 192.168.254.1;
}
After adding, reload the configuration or restart Nginx.
Blocking an IP by using PHP
Use a PHP snippet to block IP, the best way to put the code on wp-config.php, the server would deny the IP before bootstrapping the core, plugins, and themes.
if ($_SERVER['REMOTE_ADDR'] == '192.168.254.1') {
header('HTTP/1.0 403 Forbidden');
exit;
}
Wrapping UP
I think the best method to use is the server configuration and PHP code inclusion. Even if the site is experiencing a DDoS attack, the Server and PHP code can be added instantly.