If you want to ban a bad user from accessing your WordPress website or blog and you have the user’s IP address, or hostname, you can block such users by using an htaccess file. If you want to ban the IP address from accessing any part of the website then the htaccess file should be placed in the root of your WordPress or website. If you would like to block access only to a specific directory on your website, then upload the .htaccess file to that particular directory.
WP White Security Tip: If you already have an .htaccess file in the root of your WordPress, download the existing one and add the below at the end of the .htaccess file. It is important to always add content outside the # BEGIN WordPress and # END WordPress lines.
htaccess file to ban bad users
To ban a single IP address from accessing your WordPress, add the below to the htaccess file in the root of your website.
<RequireAll>
Require all granted
Require not ip 192.168.1.2
</RequireAll>
The above .htaccess sample denies access to WordPress or your website from the IP address 192.168.1.2. To block more IP addresses, add each one on a new line using the syntax Require not ip [IP ADDRESS], as shown in the example below, which blocks 192.168.1.2, 10.130.130.6 and 172.16.130.106.
<RequireAll>
Require all granted
Require not ip 192.168.1.2
Require not ip 10.130.130.6
Require not ip 172.16.130.106
</RequireAll>
htaccess file to ban a range of IP addresses
To ban a whole IP range, such as from 192.168.1.1 to 192.168.1.254, you can also do so by using an .htaccess file as seen in the below example.
<RequireAll>
Require all granted
Require not ip 192.168.1
</RequireAll>
htaccess file to ban an ISP or hostname
It is also possible to ban a user, a group of users or an ISP by using hostnames. For example if an ISP’s hostname is badisp.com, you can use the below example to block such ISP.
<RequireAll>
Require all granted
Require not host badisp.com
</RequireAll>
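When the list of addresses grows long, the block can be generated rather than typed. The following is an added example, not code from the original article or from WordPress: it validates entries with Python's ipaddress module, collapses duplicates and overlapping ranges (IPv4 and IPv6), and places the rules after the # END WordPress line. The "# BEGIN IP blocklist" / "# END IP blocklist" markers, the function names and the sample data are assumptions made for this example.

```python
import ipaddress

# Hypothetical section markers, modelled on WordPress's own BEGIN/END comments.
BEGIN, END = "# BEGIN IP blocklist", "# END IP blocklist"

def build_block(entries):
    """Return (Apache 2.4 deny block, rejected entries) for a list of IPs/CIDRs."""
    nets, rejected = {4: [], 6: []}, []
    for raw in entries:
        try:
            # strict=False accepts host bits, e.g. 192.168.1.5/24 -> 192.168.1.0/24
            net = ipaddress.ip_network(raw.strip(), strict=False)
            nets[net.version].append(net)
        except ValueError:
            rejected.append(raw)  # wildcards, hostnames, typos: never written out
    lines = [BEGIN, "<RequireAll>", "Require all granted"]
    for version in (4, 6):
        # collapse_addresses drops duplicates and entries covered by a wider range
        for net in ipaddress.collapse_addresses(nets[version]):
            target = net.network_address if net.num_addresses == 1 else net
            lines.append(f"Require not ip {target}")
    lines += ["</RequireAll>", END]
    return "\n".join(lines), rejected

def merge(htaccess, block):
    """Replace the existing blocklist section, or append one after everything else."""
    lines = htaccess.splitlines()
    if BEGIN in lines and END in lines:
        start, end = lines.index(BEGIN), lines.index(END)
        lines[start:end + 1] = block.splitlines()
    else:
        if lines:
            lines.append("")
        lines += block.splitlines()
    return "\n".join(lines) + "\n"

# Constructed sample input: the article's example addresses, the /24 equivalent
# of its range example, an IPv6 documentation prefix and one invalid wildcard.
SAMPLE_IPS = ["192.168.1.2", "10.130.130.6", "172.16.130.106",
              "192.168.1.0/24", "2001:db8::/32", "*.*.*.*"]
SAMPLE_HTACCESS = "# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\n# END WordPress\n"

if __name__ == "__main__":
    block, rejected = build_block(SAMPLE_IPS)
    print(merge(SAMPLE_HTACCESS, block), end="")
    print("rejected:", rejected)
```

Entries that end up in the rejected list, such as hostnames, need a Require not host line or a corrected address and should be reviewed by hand.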
16 comments
Hello, Thanks for the information on blocking IP addresses. Recently I have been experiencing lots of hits from the country Ukraine. I am sure all the hits from there are from bots. They are using a significant amount of bandwidth. It will be problematic to me as I am hosted on a shared host. I tried to block it using IP deny manager, but it seems it is not working. When I looked at my root folder I don’t see any .htaccess file. Should I create one to block these IPs from accessing my site? Is it OK if I have only defined the blocked IPs in my .htaccess file?
Hi Gourish,
If you are on a shared hosting and you have another place from where to block IPs, then most probably the hosting provider is blocking the IPs at server configuration level and there is no need for you to specify it in an .htaccess file. In such case, if they are consuming a lot of bandwidth I would recommend you to talk to the hosting provider so maybe they block them at router level from their end and they won’t consume bandwidth from you.
As regards your other query, yes you can block a whole range of IPs as explained in the second section of this article.
I hope the above helps and you solve your issues. Do not hesitate to contact us on help@wpwhitesecurity.com if you need further assistance.
Happy blogging 🙂
There is a plugin which I came across – IP Address Blocker from LionScripts – http://wordpress.org/extend/plugins/ip-address-blocker/
Hi Harish,
This looks like a very good plugin. Thanks for sharing.
Plugins introduce possible security vulnerabilities for your site. Why use one when you’ve been provided an appropriate method of dealing with the issue here?
Sometimes it is easier for users to use a plugin than to update .htaccess files. Also, some users might not have access to their .htaccess files. So it is always good to have an option.
Hi there..
I already have a htaccess file with this code:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Where do I put the code?:
order allow,deny
deny from 192.168.1.
allow from all
Hi Gutti,
You can place the code anywhere in the .htaccess file as long as it is outside the #BEGIN WordPress and #END WordPress tags.
I have a big list of IP addresses I need to block so to test it I used my mobile phone as a guinea pig. If I can block my mobile phone then it’s working right? But my phone can still access it just fine. WiFi is off, it’s only accessing the site through its 3G and I definitely used its 3G IP which I’ve shown as *.*.*.*
I was happily blocking these guys in my modem’s firewall until I reached its maximum number of IPs it can block which was only 32 so I need this to work.
# BEGIN WordPress
# END WordPress
order allow,deny
deny from 27.159.220.44
deny from 27.159.220.169
deny from 27.159.225.152
deny from 115.210.75.128
deny from 119.63.193.130
deny from 119.63.193.132
deny from 119.63.193.196
deny from 119.63.193.195
deny from 119.63.193.131
deny from 125.112.168.82
deny from 125.112.175.207
deny from 125.112.206.216
deny from 125.112.192.236
deny from 125.112.168.65
deny from 125.112.204.199
deny from 125.112.175.239
deny from 125.112.203.4
deny from 222.77.238.62
deny from 117.26.226.247
deny from 66.249.74.90
deny from 222.77.232.197
deny from 59.58.187.209
deny from 59.58.187.118
deny from 59.60.112.145
deny from 117.26.224.127
deny from 220.161.114.237
deny from 59.60.118.194
deny from 222.77.232.147
deny from 117.26.227.99
deny from 117.26.227.132
deny from 220.161.114.32
deny from 59.60.119.82
deny from *.*.*.*
allow from all
Hi Bradley,
Thank you for visiting our website.
The .htaccess rules are correct so maybe you are not recording the correct mobile IP address? Could it be the provider has some sort of proxy, hence your IP is being changed? Also the above change should be done in the .htaccess file so I cannot understand how the limitation on your firewall can stop you from blocking more than 32 IPs. Can you please expand more? I would recommend you to get in touch with us via email on support@wpwhitesecurity.com so we can discuss this issue in further detail and assist you.
Looking forward to hearing from you.
Does anyone’s hosting provider still use Apache 2.2? In 2019?
Because in Apache 2.4.x
It’s like this
require all granted
require not ip xxx.xxx.xxx.xxx
Thank you for your comment Dimiter. Apache 2.4 still supports the old directives, however, it is recommended to switch them to the new Require directive. In fact we just updated these in our article. Thank you for pointing this out.
Great Post!
I didn’t really understand…
How can I block for example all IPs starting like 2a01:598:xxxxxx
Is this possible?
Does it also work with mobile IP addresses?
Greetings from Germany
According to the Apache documentation you can block both IP v4 and v6. Refer to these examples for more information.
In regard to your mobile IP addresses question: all IP addresses are the same, regardless of whether they are assigned to mobile devices, PCs or network attached devices.