In this tutorial, we show you how to block bad visitors by their IP addresses using only Apache .htaccess file. No WordPress plugin required.

Your public website is on the internet for anyone, including bad visitors like bad bots, spammers, hackers, malicious users. They are annoying, taking up your web server resources, and potential security risk.
The good news is that you can “blacklist” them by blocking their IP address. An IP address is a string of 4 numbers separated by a single dot (IPv4) or 8 groups of 4 hexadecimal digits (IPv6). Each device on the internet is identified by an unique IP address.

At RunCloud, we support 4 different web server stack:

If you are using NGINX+Apache2 Hybrid web server stack, then you can easily block IP address using the .htaccess file in your WordPress root folder.

What is .htaccess file

.htaccess is a configuration file for Apache web server. You can create and edit an .htaccess file using any plain text editor.

When the Apache server loads a web folder, it detects and execute the .htaccess file. .htaccess file can be used to modify Apache server configuration, enable or disable functionality and features — including blocking visitors by IP address.
One of the advantages of using .htaccess is that it is executed before website is loaded. It also does not take up system resources like PHP & MySQL.

Identify bad IP addresses

We need to identify a bad IP address before we can block it. Here we show two ways to find bad IP addresses that visit your WordPress site.

1. Find IP address of spammers

WordPress dashboard comments IP address

Login your WordPress dashboard then goto Comments. Click on “Spam” to list all the spam comments. The spammer’s IP address is displayed in the “Author” column. Identify the repeating spammers then copy their IP addresses. We will block them later.

2. Find IP address of brute force attacks or login attempts

We can find all visitors IP addresses in the web server access log file. It is a bit tricky and takes some experiences to identify a bad visitor.

Apache access log file path on RunCloud is:

  • runcloud is the RunCloud default system user name. Replace it with your own system user name.
  • Replace app-name with your web application name.

Check the Apache server log file and identify IP addresses that repeatedly visit (flooding) your website pages in a short period (every few seconds).

RunCLoud Log file

Who is the IP address?
Write down the suspicious IP addresses. It is a good idea to check who owns the IP addresses before blocking them. You do not want to mistakenly blocking a genuine visitor like Google bots, right? Simply visit to check the owner of an IP address.

Block IP address using WordPress .htaccess file

Warning: Your website may not be accessible if you mess up the .htaccess file. Please make sure you backup your .htaccess file before edit it.

Now you have a list of bad IP addresses you want to ban them from visiting your website. You can easily block the IP addresses using .htaccess file.

Please note that .htaccess file only works if you are using Apache or NGINX+Apache2 Hybrid web server stack.
A default WordPress .htaccess file will look like the below:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Depends on your site configuration, your .htaccess file may look different. It is fine. Make sure you make a backup copy of the .htaccess file.

Edit your WordPress .htaccess file using any plain text editor (or RunCloud web based file editor) and add the following lines to the top of the file:

        Order Allow,Deny
        Allow from All
        # add new line to block eacg IP address

Add each IP address that you want to block as a new line below the above lines. Save the .htaccess file and any visitors with the IP addresses are unable to access your site.

Tip: You can temporary unblock an IP address by comment it — add a “#” at the beginning of the line.

Bonus: 6G Firewall

Now that you know how to block an IP address using WordPress .htaccess file. It is a small step to fight malicious visitors.

Blocking visitor by IP address is a temporary solution because IP addresses change constantly. It is best for quickly blocking certain visitors.

Check out the 6G Firewall by Jeff Starr, if you are looking for more complete WordPress security protection using only .htaccess file. It is free and open source.

Fine-tuned to minimize false positives, the 6G Firewall protects your site against a wide variety of malicious URI requests, bad bots, spam referrers, and other attacks.

Hope this article is helpful to you fighting annoying malicious visitors to your WordPress site. Please share with us about how do you ban bad website visitors in the comment.

Wrapping Up

RunCloud is a powerful and easy-to-use platform that helps you manage your websites on any cloud server. With RunCloud, you don’t need to be a Linux expert to set up, secure, and optimize your web applications. You can do everything from a simple and intuitive dashboard, saving you time and hassle.

RunCloud supports various web servers, PHP versions, databases, and frameworks. You can also monitor your server performance, back up your data, and automate your tasks with RunCloud. Whether you are a developer, a freelancer, or a business owner, RunCloud can help you run your websites faster and smoother.

What are you waiting for? Join RunCloud today and enjoy the best web hosting solution for your websites. It’s free for 7 days, no strings attached!