Blocking

Aside from the Firewall rules that protect against SQL-injection, XSS and more, Wordfence also has custom features for additional blocking.

Blocking in Wordfence gives you a way to block an IP address, specific countries, and custom patterns.

IP Address

An IP address is a numerical representation of a computer or server connected to the Internet. To block an IP address, simply enter the IP address and a reason and click “Block this IP address.” Make sure that you know that the IP address is malicious before you block it. You can find more information about examining IP addresses in the section about Whois Lookup.

Country Blocking

Wordfence country blocking is an effective way to stop an attack, content theft or other malicious activity that originates from a geographic region. Wordfence country-blocking uses a commercial IP-to-country database that we have licensed to determine which country an IP address is in. The database is installed on your WordPress server along with the Wordfence plugin, which means that the IP-to-country lookup happens extremely quickly (it takes approximately 1/300,000th of a second) and it has no performance impact.

Learn more about Country Blocking

Custom Pattern

A custom block pattern allows you to block based on these criteria:

  • Ranges of IP addresses (which are also called networks).
  • Certain web browsers or web browser patterns (also called user agents).
  • Certain referers. These are the websites your traffic arrives from, or claims to have arrived from.
  • Any combination of the above. For example, if you specify an IP address range combined with a web browser pattern, then only if BOTH match will the visitor be blocked. (The logic is a boolean ‘AND’.)

Before you start creating custom block patterns, we recommend you read our Whois Lookup article to understand what Whois lookup is, how you can use it to find out which network an IP address belongs to, and how you can use Whois combined with Blocking to quickly block networks or blocks of IP addresses. The real power of blocking is the ability to view Wordfence Live Traffic, do a quick Whois on an IP address to find out which network it belongs to and then click that network to block it. Live Traffic, Whois, and Blocking work closely together in Wordfence to let you block attacks from entire networks with just three clicks.

How to block a range of IP addresses

To block a range of IP addresses, simply enter the starting IP address followed by a space, a dash, a space and then the ending IP address. For example:

10.1.0.1 - 10.1.0.22

That will block IP address range 10.1.0.1 to 10.1.0.22 which is 22 addresses and includes the addresses ending in 1 and 22.

Enter a reason you’re blocking this IP address range and then hit the Block button. That IP address range will be instantly blocked.

How to block a web browser pattern

Web browsers from Android devices generally contain the keyword ‘Android’ without quotes. If you want to block all Android browsers, in other words all user agents that contain the word ‘Android,’ you can use the following pattern:

*Android*

The asterisk character acts as a wildcard, so the pattern above means: block all user agents that contain the word ‘Android’, with any text before or after it.

You can also do this:

Android*

Which means: Block all user agents that start with ‘Android’ without quotes. Or:

*Android

Which means: Block all user agents that end with ‘Android’ without quotes.

Hopefully you get the idea of how you can use an asterisk to mean “any text.” All patterns are case insensitive.

How to block a referer (or referring website)

This feature lets you block traffic arriving from any individual website. Why would you want to do this? Because many spammers visit your site claiming they arrived from their own website, when in fact they didn’t. They’re sending you a fake “referer” header, hoping it will appear in your logs so that you might click on the link. Also, if you show referers anywhere on your public-facing site, this will give the spammers’ links more visibility and more clicks. So this feature gives you a way to block those bad referers. Here’s how:

Let’s say there’s a website called www.example.com that you know is spam. If you ever get a visitor arriving at your website who claims to have arrived from www.example.com you may want to block them. Simply enter:

*example.com

as your blocking pattern. Just like in the web browser examples above, referer blocking uses the asterisk (*) as a wildcard to let you specify patterns that either start with, end with or contain your text.

Blocking a combination of IP address range, browser pattern and referring website

If you’re being attacked by several hosts on a network and they are all using the same user-agent string to identify themselves, this can be useful. Simply follow the instructions in the section above, but enter any combination of IP address ranges, user agents and referer patterns that you want to block. Then enter a reason and hit the button to block the combination.
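The matching rules described in the sections above (inclusive IP range, asterisk wildcards, case-insensitive comparison, boolean AND across criteria) can be modelled in a few lines to dry-run a rule against sample requests before saving it. This is an added example, not Wordfence's own code; the rule dictionary, the function names and the sample requests are constructed for illustration.

```python
import ipaddress
import re

def wildcard_to_regex(pattern):
    """Turn an asterisk pattern into an anchored, case-insensitive regex."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)

def parse_range(text):
    """Parse 'start - end' (or one address) into an inclusive (lo, hi) pair."""
    start, _, end = text.partition("-")
    lo = ipaddress.ip_address(start.strip())
    hi = ipaddress.ip_address(end.strip()) if end.strip() else lo
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid range: {text!r}")
    return lo, hi

def is_blocked(rule, ip, user_agent="", referer=""):
    """True only if every criterion present in the rule matches (boolean AND)."""
    if not any(rule.get(k) for k in ("ip_range", "user_agent", "referer")):
        return False  # a rule with no criteria blocks nothing
    if rule.get("ip_range"):
        lo, hi = parse_range(rule["ip_range"])
        addr = ipaddress.ip_address(ip)
        if addr.version != lo.version or not lo <= addr <= hi:
            return False
    for key, value in (("user_agent", user_agent), ("referer", referer)):
        if rule.get(key) and not wildcard_to_regex(rule[key]).fullmatch(value):
            return False
    return True

# Hypothetical rule format and constructed requests: (ip, user agent, referer).
RULE = {"ip_range": "10.1.0.1 - 10.1.0.22", "user_agent": "*Android*"}
SAMPLE = [
    ("10.1.0.22", "Mozilla/5.0 (Linux; Android 14) Mobile", ""),    # both match
    ("10.1.0.23", "Mozilla/5.0 (Linux; Android 14) Mobile", ""),    # outside range
    ("10.1.0.5", "Mozilla/5.0 (Windows NT 10.0) Firefox/126.0", ""),  # agent differs
]

def dry_run(rule, requests):
    """Return the sample requests that the rule would block."""
    return [r for r in requests if is_blocked(rule, *r)]

if __name__ == "__main__":
    for hit in dry_run(RULE, SAMPLE):
        print("would block:", hit)
```

In this model `*example.com` matches a referer only when the value ends in example.com, so it also matches a constructed host such as notexample.com and misses a referer URL that carries a path; `*example.com*` covers the latter.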

Removing a block

To remove a block, just select the corresponding rule in the list on the Block page, then click the “Unblock” button.

Frequently Asked Questions

  • I am locked out of my site

    Make sure that it’s Wordfence that is locking you out of your site. If you have been locked out by Wordfence, the block page will mention “Wordfence” and state a reason for the block. If you contact Wordfence support, include that reason in your message for faster assistance.

    If you have accidentally locked yourself out of your site, enter your admin email on the block page to receive an email that will allow you to unlock yourself. If that doesn’t work, please log in to your website using FTP/SSH or any file manager your web host may be providing via their administration panel and rename the wordfence plugin directory located in wp-content/plugins/. You can name it wordfence_. When the Wordfence folder has been renamed you should be able to log in. If you are still seeing a block page at this point, clear any cache you have in WordPress or on the server.

    Once logged in, reactivate Wordfence by renaming the wordfence_ folder back to wordfence. If you then get locked out again, it likely means your IP address has ended up on your list of blocked IPs. Disable Wordfence again by renaming the wordfence folder. Then install the Wordfence Assistant plugin and use it to either:

    • Disable the Wordfence Firewall. You can now enable Wordfence and examine Wordfence blocks to determine which one locked you out.
    • Clear all currently active blocks in Wordfence. This is an easier method.

    If you have access to WordPress admin and someone else is locked out, you can use the Wordfence Assistant to clear all currently active blocks in Wordfence.

  • Extracting blocked IPs from the database

    If you want to extract blocked IPs from the database so that you can process them with other software, you can run a MySQL query like this:

    Please note that MySQL >= 5.6 is required.

    SELECT INET6_NTOA(IP) FROM wp_wfBlocks;

    If you want to output the results to a file, you can do that with this code:

    SELECT INET6_NTOA(IP) FROM wp_wfBlocks
    INTO OUTFILE '/writable_directory_by_mysql/blocked_IPs.csv'
    LINES TERMINATED BY '\n';
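One way to process the exported file with other software is to normalise and deduplicate the addresses and merge adjacent ones into CIDR networks, for example before loading them into a firewall list. This is an added example, not part of Wordfence; it assumes one address per line, that IPv4 entries may appear in IPv4-mapped form (`::ffff:a.b.c.d`, which is how `INET6_NTOA` prints a mapped 16-byte value) and that NULL rows are written as `\N`. The sample export is constructed.

```python
import ipaddress

def normalise(line):
    """Parse one exported line; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    text = line.strip()
    if not text or text.upper() in ("NULL", "\\N"):
        return None  # INET6_NTOA returns NULL for values it cannot convert
    addr = ipaddress.ip_address(text)  # raises ValueError on a malformed line
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped or addr

def collapse(lines):
    """Deduplicate addresses and merge adjacent ones into CIDR networks."""
    v4, v6 = set(), set()
    for line in lines:
        addr = normalise(line)
        if addr is None:
            continue
        (v4 if addr.version == 4 else v6).add(addr)
    nets = []
    for group in (v4, v6):  # collapse_addresses needs a single IP version
        nets += ipaddress.collapse_addresses(
            ipaddress.ip_network(str(a)) for a in sorted(group))
    return [str(n) for n in nets]

# Constructed sample of what blocked_IPs.csv might contain.
EXPORT = """\
::ffff:10.1.0.4
::ffff:10.1.0.5
::ffff:10.1.0.6
::ffff:10.1.0.7
::ffff:10.1.0.5
2001:db8::1
\\N
"""

if __name__ == "__main__":
    for net in collapse(EXPORT.splitlines()):
        print(net)
```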