Blocking

Aside from the Firewall rules that protect against SQL-injection, XSS and more, Wordfence also has custom features for additional blocking.

Blocking in Wordfence gives you a way to block an IP address, specific countries, and custom patterns.

IP Address

An IP address is a numerical representation of a computer or server connected to the Internet. To block an IP address, simply enter the IP address and a reason and click “Block this IP address.” Make sure that you know that the IP address is malicious before you block it. You can find more information about examining IP addresses in the section about Whois Lookup.

Country Blocking

Wordfence country blocking is an effective way to stop an attack, content theft or other malicious activity that originates from a geographic region. Wordfence country-blocking uses a commercial IP-to-country database that we have licensed to determine which country an IP address is in. The database is installed on your WordPress server along with the Wordfence plugin, which means that the IP-to-country lookup happens extremely quickly (it takes approximately 1/300,000th of a second) and it has no performance impact.

Learn more about Country Blocking

Custom Pattern

A custom block pattern allows you to block based on these criteria:

  • Ranges of IP addresses (which are also called networks).
  • Certain web browsers or web browser patterns (also called user agents).
  • Certain referers. These are the websites your traffic arrives from, or claims to have arrived from.
  • Any combination of the above. For example, if you specify an IP address range combined with a web browser pattern, then only if BOTH match will the visitor be blocked. (The logic is a boolean ‘AND’)

Before you start creating custom block patterns, we recommend you read our Whois Lookup article to understand what Whois lookup is, how you can use it to find out which network an IP address belongs to, and how you can use Whois combined with Blocking to quickly block networks or blocks of IP addresses. The real power of blocking is the ability to view Wordfence Live Traffic, do a quick Whois on an IP address to find out which network it belongs to and then click that network to block it. Live Traffic, Whois, and Blocking work closely together in Wordfence to let you block attacks from entire networks with just three clicks.

How to block a range of IP addresses

To block a range of IP addresses, simply enter the starting IP address followed by a space, a dash, a space and then the ending IP address. For example:

10.1.0.1 - 10.1.0.22

That will block IP address range 10.1.0.1 to 10.1.0.22 which is 22 addresses and includes the addresses ending in 1 and 22.

Enter a reason you’re blocking this IP address range and then hit the Block button. That IP address range will be instantly blocked.

How to block a web browser pattern

Web browsers from Android devices generally contain the keyword ‘Android’ without quotes. If you want to block all Android browsers, in other words all user agents that contain the word ‘Android,’ you can use the following pattern:

*Android*

The asterisk character acts like a wildcard so the pattern above means: Block all user-agents that contain the word android and that have any text at the start or end.

You can also do this:

Android*

This blocks all user agents that start with ‘Android’ (without quotes). Or:

*Android

This blocks all user agents that end with ‘Android’ (without quotes).

Hopefully you get the idea of how you can use an asterisk to mean “any text.” All patterns are case insensitive.

How to block a referer (or referring website)

This feature lets you block traffic arriving from any individual website. Why would you want to do this? Because many spammers visit your site claiming they arrived from their own website, when in fact they didn’t. They’re sending you a fake “referer” header which they’re hoping will appear in your logs so that you might click on them. Also, if you show referers anywhere on your public-facing site, this will give the spammers’ links more visibility and more clicks. So this feature gives you a way to block those bad referers. Here’s how:

Let’s say there’s a website called www.example.com that you know is spam. If you ever get a visitor arriving at your website who claims to have arrived from www.example.com you may want to block them. Simply enter:

*example.com

as your blocking pattern. Just like in the web browser examples above, referer blocking uses the asterisk (*) as a wildcard to let you specify patterns that either start with, end with or contain your text.

Blocking a combination of IP address range, browser pattern and referring website

If you’re being attacked by several hosts on a network and they are all using the same user-agent string to identify themselves, this can be useful. Simply follow the instructions in the section above, but enter any combination of IP address ranges, user agents and referer patterns that you want to block. Then enter a reason and hit the button to block the combination.
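
Before saving a combined rule, it helps to dry-run it against a sample of your own traffic to confirm it blocks only what you intend. The sketch below is an added example, not Wordfence's code: it models the semantics described above (inclusive "start - end" ranges, asterisk as "any text", case-insensitive matching, boolean AND across the criteria you fill in). The function names, the rule dictionary layout and the sample requests are assumptions made for illustration.

```python
import ipaddress
import re

def wildcard_match(pattern, text):
    """Case-insensitive match where '*' means 'any text' and all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None

def ip_in_range(range_spec, ip):
    """range_spec is 'start - end' (inclusive), as typed into the block form."""
    start, end = (ipaddress.ip_address(p.strip()) for p in range_spec.split(" - "))
    addr = ipaddress.ip_address(ip)
    return addr.version == start.version and start <= addr <= end

def rule_matches(rule, ip, user_agent, referer):
    """A rule blocks only if every criterion it specifies matches (boolean AND)."""
    checks = []
    if rule.get("ip_range"):
        checks.append(ip_in_range(rule["ip_range"], ip))
    if rule.get("user_agent"):
        checks.append(wildcard_match(rule["user_agent"], user_agent))
    if rule.get("referer"):
        checks.append(wildcard_match(rule["referer"], referer))
    return bool(checks) and all(checks)

def dry_run(rule, requests):
    """Return the IPs of the sample requests that the rule would block."""
    return [r["ip"] for r in requests if rule_matches(rule, r["ip"], r["ua"], r["ref"])]

# Constructed sample traffic for illustration (not real log data).
SAMPLE = [
    {"ip": "10.1.0.5", "ua": "Mozilla/5.0 (Linux; Android 13) Mobile",
     "ref": "http://www.example.com"},
    {"ip": "10.1.0.22", "ua": "Mozilla/5.0 (Linux; ANDROID 12)", "ref": ""},
    {"ip": "10.1.0.23", "ua": "Mozilla/5.0 (Linux; Android 13)", "ref": ""},
    {"ip": "10.1.0.7", "ua": "Mozilla/5.0 (Windows NT 10.0)",
     "ref": "http://www.example.com/page"},
]

if __name__ == "__main__":
    combo = {"ip_range": "10.1.0.1 - 10.1.0.22", "user_agent": "*Android*"}
    print(dry_run(combo, SAMPLE))                        # range AND user agent
    print(dry_run({"referer": "*example.com"}, SAMPLE))  # "ends with" pattern
```

In this model the "ends with" referer pattern does not match a referer that carries a path after the host name, so the last sample request is only caught by a "contains" pattern such as *example.com*.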

Remove a block

To remove a block, just select the corresponding rule in the list on the Block page, then click the “Unblock” button.

Filter the block list

To view a smaller portion of your block list, you can filter the list of blocks by the columns labeled Block Type, Detail, or Reason. Just type in the “Filter by …” text box, and click the Filter button.

For the Block Type column, you can search for the words “Lockout”, “IP Block”, or “Advanced Block” to show only those types of blocks.

When searching for an IP address, typing the entire address will show you whether that address is individually blocked or locked out, or whether it appears within an IP range that you have blocked.

You can also search for partial IP addresses, by typing at least the first two “octets”, or the numbers between the dots. For example, if you wanted to find an address like 10.2.3.4, you can search for “10.2.” to find IP addresses beginning with those numbers. Partial wildcard support is included for IP addresses, but it only matches an entire octet. Referring to the example address above, you will find 10.2.3.4 if you search for *.2.3.4, but searching for 1*.2.3.4 will not work. Similar searches also work for IPv6 addresses.

In the Detail and Reason columns, you can also search for any text that you entered when the block record was originally added, as well as the text of automatic blocks.

If you have blocked any IP address ranges, searching for any part of an IP address will match the text of the range displayed. Partial IP addresses will not be matched against the contents of the range between the first and last displayed IP.

Sort the block list

You can sort the block list by any column by clicking on the column name. After sorting, clicking the column name a second time will sort it in the opposite direction. This is the best way to find recent automatic blocks that have not yet expired.

Frequently Asked Questions

  • I am locked out of my site

    Make sure that it’s Wordfence that is locking you out of your site. If you have been locked out by Wordfence, the block page will mention “Wordfence” and state a reason for the block. If you contact Wordfence support, include that reason in your message for faster assistance.

    If you have accidentally locked yourself out of your site, enter your admin email on the block page to receive an email that will allow you to unlock yourself. If that doesn’t work, please log in to your website using FTP/SSH or any file manager your web host may be providing via their administration panel and rename the wordfence plugin directory located in wp-content/plugins/. You can name it wordfence_. When the Wordfence folder has been renamed you should be able to log in. If you are still seeing a block page at this point, clear any cache you have in WordPress or on the server.

    Once logged in, reactivate Wordfence by renaming the wordfence_ folder back to wordfence. If you then get locked out again, it likely means your IP address has ended up on your list of blocked IPs. Disable Wordfence again by renaming the wordfence folder. Then install the Wordfence Assistant plugin and use it to either:

    • Disable the Wordfence Firewall. You can now enable Wordfence and examine Wordfence blocks to determine which one locked you out.
    • Clear all currently active blocks in Wordfence. This is an easier method.

    If you are able to access WordPress admin but have problems using normal methods of unblocking in Wordfence or can’t find the IP address of the user you are trying to unblock you can use the Wordfence Assistant to clear all currently active blocks in Wordfence.

  • Extracting blocked IPs from the database

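    If you want to extract blocked IPs from the database so that you can process them with other software, you can run a MySQL query like the one below. Please note that MySQL >= 5.6 is required. The table name assumes the default wp_ table prefix; adjust it if your site uses a different prefix.

    SELECT INET6_NTOA(IP) FROM wp_wfBlocks;

    If you want to output the results to a file, you can do that with this code:

    SELECT INET6_NTOA(IP) FROM wp_wfBlocks
    INTO OUTFILE '/writable_directory_by_mysql/blocked_IPs.csv'
    LINES TERMINATED BY '\n';

    INTO OUTFILE writes the file on the database server, requires the FILE privilege, and is restricted to the directory set in secure_file_priv when that option is configured.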