Blocking in Wordfence gives you a way to block an IP address, specific countries, and custom patterns.
An IP address is a numerical representation of a computer or server connected to the Internet. To block an IP address open the “Blocking” tab at the top of the “Firewall” page and then use the “Block Type” button that says “IP Address”. Simply enter the IP address, include a reason and click “Block this IP address.” Make sure that you know that the IP address is malicious before you block it. You can find more information about examining IP addresses in the section about Whois Lookup. When you block an IP address as outlined above it is a permanent block.
You can also block an IP address on the Live Traffic tool page, with instructions on that documentation page.
In the “Current blocks” section there are also IP address blocks with an expiration time. IP blocks with an expiration time were either blocked by breaking certain rules on the “Firewall” > “All Firewall Options” page, or blocked manually on the “Live Traffic” tool page. IP addresses blocked with an expiration time are temporary blocks controlled by the option “How long is an IP address blocked when it breaks a rule”. You can find this option in the “Rate Limiting” section on the “Firewall Options” page or on the “All Options” page.
If you want to permanently block an IP address that is listed with an expiration time in the “Current blocks” section then you can select that block using the checkbox and then use the “Make Permanent” button.
If you are considering manually blocking many IP addresses then this is not always the best solution. See details from our research in the post Ask Wordfence: Should I Permanently Block IPs That I See Wordfence Blocking?
Wordfence country blocking is an effective way to stop an attack, content theft or other malicious activity that originates from a geographic region. Wordfence country-blocking uses a commercial IP-to-country database that we have licensed to determine which country an IP address is in. The database is installed on your WordPress server along with the Wordfence plugin, which means that the IP-to-country lookup happens extremely quickly (it takes approximately 1/300,000th of a second) and it has no performance impact.
Learn more about Country Blocking
A custom block pattern allows you to block based on these criteria:
- Ranges of IP addresses (which are also called networks).
- Certain web browsers or web browser patterns (also called user agents)
- Certain referers. These are the websites your traffic arrives from, or claims to have arrived from.
- Any combination of the above. For example, if you specify an IP address range combined with a web browser pattern, then only if BOTH match will the visitor be blocked. (The logic is a boolean ‘AND’)
Before you start creating custom block patterns, we recommend you read our Whois Lookup article to understand what Whois lookup is, how you can use it to find out which network an IP address belongs to, and how you can use Whois combined with Blocking to quickly block networks or blocks of IP addresses. The real power of blocking is the ability to view Wordfence Live Traffic, do a quick Whois on an IP address to find out which network it belongs to and then click that network to block it. Live Traffic, Whois, and Blocking work closely together in Wordfence to let you block attacks from entire networks with just three clicks.
How to block a range of IP addresses
To block a range of IP addresses, simply enter the starting IP address followed by a space, a dash, a space and then the ending IP address. For example:
10.1.0.1 - 10.1.0.22
That will block IP address range 10.1.0.1 to 10.1.0.22 which is 22 addresses and includes the addresses ending in 1 and 22.
Enter a reason you’re blocking this IP address range and then hit the Block button. That IP address range will be instantly blocked.
How to block a web browser pattern
Web browsers from Android devices generally contain the keyword ‘Android’ without quotes. If you want to block all Android browsers, in other words all user agents that contain the word ‘Android,’ you can use the following pattern:
The asterisk character acts like a wildcard so the pattern above means: Block all user-agents that contain the word android and that have any text at the start or end.
You can also do this:
Which means: Block all user agents that start with ‘Android’ without quotes. Or
Which means: Block all user agents that end with ‘Android’ without quotes.
Hopefully you get the idea of how you can use an asterisk to mean “any text.” All patterns are case insensitive.
How to block a referer (or referring website)
This feature lets you block traffic arriving from any individual website. Why would you want to do this? Because many spammers visit your site claiming they arrived from their own website, when in fact they didn’t. They’re sending you a fake “referer” header which they’re hoping will appear in your logs so that you might click on them. Also, if you show referers anywhere on your public-facing site, this will give the spammers’ links more visibility and more clicks. So this feature gives you a way to block those bad referers. Here’s how:
Let’s say there’s a website called www.example.com that you know is spam. If you ever get a visitor arriving at your website who claims to have arrived from www.example.com you may want to block them. Simply enter:
as your blocking pattern. Just like in the web browser examples above, referer blocking uses the asterisk (*) as a wildcard to let you specify patterns that either start with, end with or contain your text.
Blocking a combination of IP address range, browser pattern and referring website
If you’re being attacked by several hosts on a network and they are all using the same user-agent string to identify themselves, this can be useful. Simply follow the instructions in the section above, but enter any combination of IP address ranges, user agents and referer patterns that you want to block. Then enter a reason and hit the button to block the combination.
Remove a block
To remove a block, just select the corresponding rule in the list on the Block page, then click the “Unblock” button.
Filter the block list
To view a smaller portion of your block list, you can filter the list of blocks by the columns labeled Block Type, Detail, or Reason. Just type in the “Filter by …” text box, and click the Filter button.
For the Block Type column, you can search for words “Lockout”, “IP Block”, or “Advanced Block” to show only those types of blocks.
When searching for an IP address, typing the entire address will show you whether that address is individually blocked or locked out, or whether it appears within an IP range that you have blocked.
You can also search for partial IP addresses, by typing at least the first two “octets”, or the numbers between the dots. For example, if you wanted to find an address like 10.2.3.4, you can search for “10.2.” to find IP addresses beginning with those numbers. Partial wildcard support is included for IP addresses, but it only matches an entire octet. Referring to the example address above, you will find 10.2.3.4 if you search for *.2.3.4, but searching for 1*.2.3.4 will not work. Similar searches also work for IPv6 addresses.
In the Detail and Reason columns, you can also search for any text that you entered when the block record was originally added, as well as the text of automatic blocks.
If you have blocked any IP address ranges, searching for any part of an IP address will match the text of the range displayed. Partial IP addresses will not be matched against the contents of the range between the first and last displayed IP.
Sort the block list
You can sort the block list by any column by clicking on the column name. After sorting, clicking the column name a second time will sort it in the opposite direction. This is the best way to find recent automatic blocks that have not yet expired.