How to Block IP Address Using WordPress .htaccess File to Stop Bad Visitors

In this tutorial, we show you how to block bad visitors by their IP addresses using only the Apache .htaccess file. No WordPress plugin is required.

Your public website is on the internet for anyone to visit, including bad visitors such as bad bots, spammers, hackers and malicious users. They are annoying, take up your web server resources, and are a potential security risk.
The good news is that you can “blacklist” them by blocking their IP address. An IP address is a string of four numbers separated by dots (IPv4) or eight groups of four hexadecimal digits (IPv6). Each device on the internet is identified by a unique IP address.

At RunCloud, we support two different web server stacks: NGINX+Apache2 Hybrid and Native NGINX. If you are using the NGINX+Apache2 Hybrid web server stack, you can easily block IP addresses using the .htaccess file in your WordPress root folder.

What is an .htaccess file?

.htaccess is a configuration file for Apache web server. You can create and edit an .htaccess file using any plain text editor.

When the Apache server serves a web folder, it detects and applies the .htaccess file in it. An .htaccess file can be used to modify the Apache server configuration and to enable or disable functionality and features, including blocking visitors by IP address.
One of the advantages of using .htaccess is that it is processed before the website is loaded. It also does not take up system resources the way PHP and MySQL do.

Identify bad IP addresses

We need to identify a bad IP address before we can block it. Here we show two ways to find bad IP addresses that visit your WordPress site.

1. Find IP address of spammers

Log in to your WordPress dashboard, then go to Comments. Click on “Spam” to list all the spam comments. The spammer’s IP address is displayed in the “Author” column. Identify the repeat spammers, then copy their IP addresses. We will block them later.

2. Find IP address of brute force attacks or login attempts

We can find all visitors’ IP addresses in the web server access log file. It is a bit tricky and takes some experience to identify a bad visitor.

Apache access log file path on RunCloud is:

/home/runcloud/logs/apache/app-name_access.log
  • runcloud is the RunCloud default system user name. Replace it with your own system user name.
  • Replace app-name with your web application name.

Check the Apache server log file and identify IP addresses that repeatedly request (flood) your website pages in a short period, for example every few seconds.

Who is the IP address?
Write down the suspicious IP addresses. It is a good idea to check who owns the IP addresses before blocking them. You do not want to mistakenly block a genuine visitor like Google bots, right? Simply visit https://who.is/ to check the owner of an IP address.

Block IP address using WordPress .htaccess file

Warning: Your website may become inaccessible if you mess up the .htaccess file. Please make sure you back up your .htaccess file before editing it.

Now that you have a list of bad IP addresses, you want to ban them from visiting your website. You can easily block the IP addresses using the .htaccess file.

Please note that the .htaccess file only works if you are using the Apache or NGINX+Apache2 Hybrid web server stack.
A default WordPress .htaccess file looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Depending on your site configuration, your .htaccess file may look different. That is fine. Make sure you make a backup copy of the .htaccess file.

Edit your WordPress .htaccess file using any plain text editor (or the RunCloud web-based file editor) and add the following lines to the top of the file:

        Order Allow,Deny
        Allow from All
        # add a new line to block each IP address, for example:
        # Deny from 192.168.8.1

Add each IP address that you want to block as a new "Deny from" line below the above lines. Save the .htaccess file, and visitors from those IP addresses will no longer be able to access your site.

Tip: You can temporarily unblock an IP address by commenting it out: add a “#” at the beginning of the line.
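
The log review and block list steps above, as an added example that is not RunCloud's own code: it counts requests per IP inside a sliding time window and turns the flagged addresses into "Deny from" lines. The sample lines are constructed, and the combined log layout, the thresholds and the names find_flooders and deny_lines are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic); Apache "combined" layout is assumed.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1523'
    for s in range(8)
] + [
    '198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.20 - - [10/Mar/2024:10:05:40 +0000] "GET /about/ HTTP/1.1" 200 4210',
    'truncated line that is not a log entry',
]

# Client address, then the bracketed timestamp.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def find_flooders(lines, max_hits=5, window=timedelta(seconds=10)):
    """Return {ip: peak} for IPs with more than max_hits requests inside any window."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not look like log entries
        try:
            ip = str(ipaddress.ip_address(m.group(1)))  # accepts IPv4 and IPv6
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of an IP, or an unparsable timestamp
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop hits older than the window
        if len(q) > max_hits:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def deny_lines(ips, allowlist=()):
    """Build one 'Deny from' line per IP, skipping owners already verified as genuine."""
    return [f"Deny from {ip}" for ip in sorted(ips) if ip not in allowlist]


if __name__ == "__main__":
    flagged = find_flooders(SAMPLE_LOG)
    print(flagged)
    print("\n".join(deny_lines(flagged)))
```

Pass the addresses you confirmed as genuine in the ownership check as allowlist so they never reach the block list.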

Bonus: 6G Firewall

Now you know how to block an IP address using the WordPress .htaccess file. It is a small step in fighting malicious visitors.

Blocking visitors by IP address is a temporary solution because IP addresses change constantly. It is best for quickly blocking certain visitors.

Check out the 6G Firewall by Jeff Starr if you are looking for more complete WordPress security protection using only the .htaccess file. It is free and open source.

Fine-tuned to minimize false positives, the 6G Firewall protects your site against a wide variety of malicious URI requests, bad bots, spam referrers, and other attacks.

We hope this article helps you fight annoying malicious visitors to your WordPress site. Please share how you ban bad website visitors in the comments.


3 thoughts on “How to Block IP Address Using WordPress .htaccess File to Stop Bad Visitors”

  1. I like to use the plugin NinjaFirewall and it is a very good tool to ban bad guys.
    For me it is a must-have in my list of security plugins for WordPress.
    With the pro version of the plugin you have a place to insert the IPs you want to ban. Also it has a powerful engine that blocks all bad traffic and a very detailed log file that helps you much.
    Regards.

  2. Would be cool if we could whitelist an IP range as CIDR in your firewall, useful when you have your site behind a proxy.

  3. Good article. If any user follows these steps to block the IPs that come to spam a site, then he will be 99% safe from those users, who produce a bad traffic rate and want to increase your site’s spam rate.
