Block Bad Users From Accessing Your WordPress

Last updated on December 06th, 2014 by Robert Abela. Filed under WordPress Security Hacks

If you want to ban a bad user from accessing your WordPress website or blog and you have the user’s IP address or hostname, you can block that user with an .htaccess file. To ban the IP address from every part of the website, place the .htaccess file in the root of your WordPress or website. To block access only to a specific directory on your website, upload the .htaccess file to that particular directory.

WP White Security Tip: If you already have an .htaccess file in the root of your WordPress, download the existing one and add the rules below to the end of it. It is important to always add content outside the # BEGIN WordPress and # END WordPress lines.


htaccess file to ban bad users

To ban a single IP address from accessing your WordPress, add the following to the .htaccess file in the root of your website.

order allow,deny
deny from 192.168.1.2
allow from all

The above .htaccess sample denies access to WordPress or your website from the IP address 192.168.1.2. To block more IP addresses, add each one on a new line using the syntax deny from [IP ADDRESS], as shown in the example below, which blocks the IP addresses 192.168.1.2, 10.130.130.6 and 172.16.130.106.

order allow,deny
deny from 192.168.1.2
deny from 10.130.130.6
deny from 172.16.130.106
allow from all

htaccess file to ban a range of IP addresses

To ban a whole IP range, such as from 192.168.1.1 to 192.168.1.254, use an .htaccess file as shown in the example below.

order allow,deny
deny from 192.168.1.
allow from all

htaccess file to ban an ISP or hostname

It is also possible to ban a user, a group of users or an ISP by hostname. For example, if an ISP’s hostname is badisp.com, you can use the example below to block that ISP.

order allow,deny
deny from badisp.com
allow from all
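
Added example (not part of the original article): a Python sketch that validates a list of IP addresses and CIDR ranges and appends one deny block after the # END WordPress line, written in both the Order/Deny syntax shown above and the Apache 2.4 Require syntax. The "# BEGIN blocklist" / "# END blocklist" markers and the function names are assumptions made for this example, and ranges must be given in CIDR form such as 192.168.1.0/24.

```python
import ipaddress
import re

WP_BEGIN, WP_END = "# BEGIN WordPress", "# END WordPress"
# Hypothetical marker names chosen for this example; they are not a WordPress feature.
BL_BEGIN, BL_END = "# BEGIN blocklist", "# END blocklist"

def normalise(entries):
    """Validate IPs/CIDR ranges; return de-duplicated strings in input order."""
    seen = []
    for raw in entries:
        # strict=False turns "192.168.1.7/24" into the network 192.168.1.0/24.
        # Anything that is not an address or CIDR range raises ValueError.
        net = ipaddress.ip_network(raw.strip(), strict=False)
        text = str(net.network_address) if net.num_addresses == 1 else str(net)
        if text not in seen:
            seen.append(text)
    return seen

def build_block(entries):
    """Render one block covering Apache 2.4 (Require) and 2.2 (Order/Deny)."""
    ips = normalise(entries)
    lines = [BL_BEGIN, "<IfModule mod_authz_core.c>", "  <RequireAll>",
             "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines += ["  </RequireAll>", "</IfModule>", "<IfModule !mod_authz_core.c>",
              "  Order allow,deny"]
    lines += [f"  Deny from {ip}" for ip in ips]
    lines += ["  Allow from all", "</IfModule>", BL_END]
    return "\n".join(lines) + "\n"

def update_htaccess(existing, entries):
    """Return new .htaccess text with the block appended after the WordPress section."""
    # WordPress rewrites the text between its own markers, so never edit inside them.
    if WP_BEGIN in existing and WP_END not in existing.split(WP_BEGIN, 1)[1]:
        raise ValueError("unterminated WordPress section; refusing to edit")
    # Drop a previously generated block so repeated runs do not stack rules.
    pattern = re.escape(BL_BEGIN) + r".*?" + re.escape(BL_END) + r"\n?"
    cleaned = re.sub(pattern, "", existing, flags=re.S).rstrip("\n")
    return (cleaned + "\n\n" if cleaned else "") + build_block(entries)
```

Keep a copy of the original .htaccess before uploading the generated text, and request a page from a non-blocked address afterwards to confirm the site still loads.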


8 comments

Gourish Yaji 20/11/2012

Hello, Thanks for the information on blocking IP addresses. Recently I have been experiencing lots of hits from the country Ukraine. I am sure all the hits from there are from bots. They are using a significant amount of bandwidth. It will be problematic to me as I am hosted on a shared host. I tried to block it using IP deny manager, but it seems it is not working. When I looked at my root folder I don’t see any .htaccess file. Should I create one to block these IPs from accessing my site? Is it OK if I only define the block IPs in my .htaccess file?

John Bonello 20/11/2012

Hi Gourish,

If you are on shared hosting and you have another place from where to block IPs, then most probably the hosting provider is blocking the IPs at server configuration level and there is no need for you to specify it in an .htaccess file. In such a case, if they are consuming a lot of bandwidth I would recommend you to talk to the hosting provider so maybe they block them at router level from their end and they won’t consume bandwidth from you.

As regards your other query, yes you can block a whole range of IPs as explained in the second section of this article.

I hope the above helps and you solve your issues. Do not hesitate to contact us on help@wpwhitesecurity.com if you need further assistance.

Happy blogging 🙂

Harish 30/03/2013

There is a plugin which I came across – IP Address Blocker from LionScripts – http://wordpress.org/extend/plugins/ip-address-blocker/

Robert Abela 30/03/2013

Hi Harish,

This looks like a very good plugin. Thanks for sharing.

Gutti 22/10/2013

Hi there..
I already have a htaccess file with this code:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

Where do I put the code?:

order allow,deny
deny from 192.168.1.
allow from all

Robert Abela 25/10/2013

Hi Gutti,

You can place the code anywhere in the .htaccess file as long as it is outside the #BEGIN WordPress and #END WordPress tags.

Bradley 10/02/2014

I have a big list of IP addresses I need to block so to test it I used my mobile phone as a guinea pig. If I can block my mobile phone then it’s working, right? But my phone can still access it just fine. WiFi is off; it’s only accessing the site through its 3G and I definitely used its 3G IP, which I’ve shown as *.*.*.*

I was happily blocking these guys in my modem’s firewall until I reached its maximum number of IPs it can block, which was only 32, so I need this to work.

# BEGIN WordPress
# END WordPress

order allow,deny
deny from 27.159.220.44
deny from 27.159.220.169
deny from 27.159.225.152
deny from 115.210.75.128
deny from 119.63.193.130
deny from 119.63.193.132
deny from 119.63.193.196
deny from 119.63.193.195
deny from 119.63.193.131
deny from 125.112.168.82
deny from 125.112.175.207
deny from 125.112.206.216
deny from 125.112.192.236
deny from 125.112.168.65
deny from 125.112.204.199
deny from 125.112.175.239
deny from 125.112.203.4
deny from 222.77.238.62
deny from 117.26.226.247
deny from 66.249.74.90
deny from 222.77.232.197
deny from 59.58.187.209
deny from 59.58.187.118
deny from 59.60.112.145
deny from 117.26.224.127
deny from 220.161.114.237
deny from 59.60.118.194
deny from 222.77.232.147
deny from 117.26.227.99
deny from 117.26.227.132
deny from 220.161.114.32
deny from 59.60.119.82
deny from *.*.*.*
allow from all

Robert Abela 18/02/2014

Hi Bradley,

Thank you for visiting our website.

The .htaccess rules are correct so maybe you are not recording the correct mobile IP address? Could it be the provider has some sort of proxy, hence your IP is being changed? Also the above change should be done in the .htaccess file so I cannot understand how the limitation on your firewall can stop you from blocking more than 32 IPs. Can you please expand more? I would recommend you to get in touch with us via email on support@wpwhitesecurity.com so we can discuss this issue in further detail and assist you.

Looking forward to hearing from you.
