Need to block malicious visits to your WordPress site?
Putting the word malicious into any statement related to your WordPress website is obviously not a good thing. The internet is the Wild Wild West and it is full of many bank robbers and train hijackers.
A malicious visit to a WordPress website is intended to do one of the two things below or sometimes both.
- The first and most common intention is to share spammy content that includes click-bait.
- The second intention which is the worst of the two is to infect and harm your website.
Now before we dive in deep about how to block malicious visits to your WordPress website, it is important to first understand that these visits are not being brought upon because of something that you are not doing.
Hackers and spam bot programs alike are constantly on the hunt for websites that they can inject their malicious activity into your website. You could be one of those targeted locations that is being hit with malicious activity and you are not even aware of it.
This malicious activity that may be happening on your website might never lead to anything that causes worry but it can affect the overall performance of your website.
You see every visit to your website triggers resources on your server that need to run in order for that visit to take place. If these resources are being used by malicious activity, it is pulling away server power that can be used for the visits that are not malicious.
In this article we are going to identify any malicious visits to your WordPress website and then show you exactly how to block malicious visits to your WordPress website.
1. How to Identify Malicious Visits to Your WordPress Site
In order for us to take action to block malicious visits to your WordPress site, we need to identify which visits are malicious and where they are coming from.
Every visit to your website has a unique IP address which is the address of the visitor’s origin device. We need to find this information and there are a few plugins that are free to use which will be our visitor detectives.
They are going to be a few ingredients that we will need on our website in way of plugins to identify and block malicious visits to your WordPress site.
😎 THE INGREDIENTS:
1. Akismet Spam Protection Plugin
Akismet checks your comments and contact form submissions against our global database of spam to prevent your site from publishing malicious content. You can review the comment spam it catches on your blog’s “Comments” admin screen.
The main reason for this plug-in is to take a proactive approach in isolating malicious or spam focused comments on your WordPress website. If you are running a WordPress website that does not allow the ability to comment on content you can ignore the use of this plugin. It is only used to filter and target comments that are visitor generated.
There definitely are other spam fighting plugins available and you are welcome to use another one versus what we are recommending here as long as it will be a plugin that takes action in the background to isolate spam generated comments on your WordPress website.
Once you have this plugin installed and set up it will add a category under the comments section in your administrative area called “Spam“. This plugin will automatically identify the spam comments on your WordPress website using dynamic spam filters.
We will now have a place where we can look at the malicious visits that are happening in the comments section of our WordPress website and identify the IP address in which these visits are coming from. Please take a look at the image below.
The main reason we will be using this plugin is for the feature included which is the Activity Log.
With this feature, you can monitor in detail the activity of registered, unknown and blocked visitors. If your site is being hacked, a user or a plugin was compromised, you can always use the quick tools to block their future actions.
The Activity Log feature of this plugin will give you a snapshot of each visit to your website in regards to what URL is being visited and from what unique IP address.
Take a look at the image below on how you can use the Activity Log in this plugin to view the visits to your website and know instantly the URL that is being visited and the IP address that is generating the visit.
2. Auto Trash Spam to Block Malicious Visits to Your WordPress Site
There is a power move that you can do in order to auto trash the majority of spam comments that are created on your WordPress website. This is an important step as well to block malicious visits to your WordPress website.
What this means is that you can set up certain words that will trigger an automatic response from your WordPress website to not approve the submitted comment and directly move it to the trash bin.
Check out the image below to see an example of comments that were submitted to a site which contained trigger words and were automatically put into the trash bin in the Comments area.
We have compiled a detailed post on how you can set up these trigger words which you can read all about at the link below.
https://www.wpfixit.com/stop-wordpress-spam/
3. How to Block Malicious Visits to Your WordPress Site
Let’s now move on to the next phase in order to block malicious visits to your WordPress website.
In the first phase we talked about using some free WordPress plugins in order to identify the malicious visits and gather some information on where those visitors are coming from.
The information that we gathered is the unique IP address that the visitor was using to deliver their malicious visit.
Now simply put, we are going to take action and block that IP address from visiting your website.
Doing this will make sure that if another visit is delivered from that IP address, that visit will not be completed.
Ban IP Addresses From Commenting on Your Site
If you just want to stop users with a specific IP address from leaving a comment on your site, then you can do that inside your WordPress admin area.
You would use the information that you gathered earlier in this post which is the IP addresses of these malicious visits that we tracked down.
Head over to Settings » Discussion page and scroll down to ‘Comment Blacklist’ text box.
Copy and paste the IP addresses that you want to block and then click on the save changes button.
WordPress will now block users with these IP addresses from leaving a comment on your website. These users will still be able to visit your website, but they will see an error message when they try to submit a comment.
Ban IP Addresses From Your Site Completely
Of course, you may also want to block users with a pattern of suspicious activity from accessing your site altogether. To do that, you can make a simple addition to one of your WordPress files. Make sure you have a recent backup in place first, as a security precaution.
This is a much better approach because while you may identify that these malicious visits are generating spammy comments, they also may be trying to infiltrate and attack the integrity of your website through infectious processes.
It is better just to block the entire IP address altogether.
You will need to log into your site directly using File Transfer Protocol (FTP). If you’ve never done this before, you can check out a beginner’s guide to FTP.
With your FTP client open and running, look for your website’s root folder. This is often named after your domain, but might also be called www or root. With this folder highlighted, find the .htaccess file:
Right-click on this file, and select View/Edit. This will open the file in your default text editor, enabling you to make changes.
On a new line at the bottom of the file, paste in the following snippet:
Order Allow,Deny
Allow from all
Deny from 111.222.333.444
You will want to replace the string of numbers in the final line with the first IP address you want to block.
Then you can add additional Deny lines, each with a new IP. Save the file, and users from those IP addresses will no longer be able to access your site.
If you don’t like editing your .htaccess file directly, you can also use the free IP2Location Country Blocker:
This plugin enables user to block unwanted traffic from accessing your front end (blog pages) or back end (admin area) by countries or proxy servers. It helps to reduce spam and unwanted sign ups easily by preventing unwanted visitors from browsing a particular page or entire website.
Conclusion – Block Malicious Visits to Your WordPress
Blacklisting might initially sound like a bad thing, but it’s actually a very useful method for protecting your website.
By learning how to block IP addresses in WordPress, you can keep hackers and spammers at bay without inconveniencing your legitimate users.