Blocking
Aside from the firewall rules that protect against various attacks, Wordfence also has custom features for additional blocking.
Blocking in Wordfence gives you a way to block an IP address, specific countries, and custom patterns.
IP Address
An IP address is a numerical representation of a computer or server connected to the Internet. To block an IP address open the “Blocking” tab at the top of the “Firewall” page and then use the “Block Type” button that says “IP Address”. Simply enter the IP address, include a reason, and click on “Block this IP address”. Make sure that you know that the IP address is malicious before you block it. You can find more information about examining IP addresses in the section about WHOIS Lookup. When you block an IP address as outlined above it is a permanent block.
You can also block an IP address on the Live Traffic tool page, with instructions on that documentation page.
In the “Current blocks” section there are also IP address blocks with an expiration time. IP address blocks with an expiration time were either blocked by breaking certain rules on the “Firewall” > “Firewall Options” page or blocked manually on the “Live Traffic” tool page. IP addresses blocked with an expiration time are temporary blocks controlled by the option “How long is an IP address blocked when it breaks a rule”. You can find this option in the “Rate Limiting” section on the “Firewall” > “Firewall Options” page.
If you want to permanently block an IP address that is listed with an expiration time in the “Current blocks” section then you can select that block using the checkbox and then use the “Make Permanent” button.
If you are considering manually blocking many IP addresses then this is not always the best solution. See details from our research in the post Ask Wordfence: Should I Permanently Block IPs That I See Wordfence Blocking?
Country Blocking
Wordfence country blocking is an effective way to stop an attack, content theft, or other malicious activity that originates from a geographic region. Wordfence country blocking uses a commercial geolocation database that we have licensed to determine which country an IP address is located in. The database is installed on your WordPress server along with the Wordfence plugin, which means that the IP address lookup happens extremely quickly (it takes approximately 1/300,000th of a second) and it has no performance impact.
Learn more about Country Blocking
Custom Pattern
A custom block pattern allows you to block based on these criteria:
- Ranges of IP addresses (which are also called networks).
- Hostname.
- Certain web browsers or web browser patterns (also called Browser User-Agents).
- Certain Referers. These are the websites your traffic arrives from or claims to have arrived from.
- Any combination of the above. For example, if you specify an IP address range combined with a web browser pattern, then only if both conditions match will the visitor be blocked (the logic is a boolean ‘AND’).
The Custom Pattern blocking feature is found under the “Blocking” tab on the “Firewall” page.
Before you start creating custom block patterns, we recommend you read our WHOIS Lookup article to understand what WHOIS lookup is, how you can use it to find out which network an IP address belongs to, and how you can use WHOIS combined with blocking to quickly block networks or ranges of IP addresses. The real power of blocking is the ability to view the Wordfence “Tools” > “Live Traffic” page to do a quick WHOIS search of an IP address to find out which network it belongs to. You can then choose to block that network if you want to.
How to block a range of IP addresses
To block a range of IP addresses, simply enter the starting IP address followed by a space, a dash, a space, and then the ending IP address. For example:
10.1.0.1 - 10.1.0.22
That will block IP address range 10.1.0.1 to 10.1.0.22 which is 22 IP addresses and includes the addresses ending in 1 and 22.
Enter a reason for why you are blocking this IP address range and then hit the “Block” button. That IP address range will be instantly blocked.
How to block a hostname
To block all requests from a particular hostname you can use the example wildcards below as a guide:
*.amazonaws.com
*.linode.com
The asterisk character acts as a wildcard, so the patterns above equate to blocks for all subdomains for these hostnames. Be careful that you do not block hostnames used by internet service providers as you will block any legitimate visitors that use those internet service providers. Also, make sure that any plugins you use do not need to send incoming requests to your site from an external server with a hostname that you have blocked, as this might cause certain plugin functionality to malfunction.
How to block a browser User-Agent
Web browsers from Android devices generally contain the keyword ‘Android’ (without quotes). If you want to block all Android browsers with a User-Agent that contains the word ‘android’, you can use the following pattern:
*Android*
The asterisk character acts as a wildcard so the pattern above translates to block all User-Agents that contain the word android and that have any text at the start or end.
You can also do this:
Android*
This means blocking all User-Agents that start with the word ‘Android’.
*Android
This means blocking all User-Agents that end with the word ‘Android’.
Hopefully, you understand the principle of how you can use an asterisk to mean any text. All patterns are case insensitive.
Note that you can only block one User-Agent at a time and this blocking option does not support comma separated values for multiple User-Agents.
How to block a Referer (or referring website)
This option lets you block traffic arriving from any individual site. Why would you want to do this? Because many spammers visit your site claiming they arrived from their own website, when in fact they did not. They are sending you a fake “Referer” header which they are hoping will appear in your logs so that you might click on them. Also, if you show Referers anywhere on your public-facing site, this will give the spammers’ links more visibility and more clicks. So this feature gives you a way to block those bad Referers.
For example, there is a site called www.example.com that you know is spam. If you ever get a visitor arriving at your site who claims to have arrived from www.example.com you may want to block them and you can use the following pattern:
*example.com
Just like in the web browser examples above, referer blocking uses the asterisk as a wildcard to let you specify patterns that either start with, end with or contain your text.
Blocking a combination of IP address range, browser pattern, and referring website
If you are being attacked by several hosts on a network and they are all using the same User-Agent string to identify themselves, this can be useful. Simply follow the instructions in the section above, but enter any combination of IP address ranges, User-Agents, and Referer patterns that you want to block. Then enter a reason for the blocking rule and hit the button to block the combination.
Remove a block
To remove a block, just select the corresponding rule in the list and then click the “Unblock” button.
Filter the block list
To view a smaller portion of your block list, you can filter the list of blocks by the columns labeled “Block Type”, “Detail”, or “Reason”. Just type in the “Filter by Type, Detail, or Reason…” text input field and click the “Filter” button.
For the “Block Type” column, you can search for words “Lockout”, “IP Block”, or “Advanced Block” to show only those types of blocks.
When searching for an IP address, typing the entire address will show you whether that IP address is individually blocked or locked out, or whether it appears within an IP range that you have blocked.
You can also search for partial IP addresses, by typing at least the first two “octets”, or the numbers between the dots. For example, if you wanted to find an address like 10.2.3.4, you can search for “10.2.” to find IP addresses beginning with those numbers. Partial wildcard support is included for IP addresses, but it only matches an entire octet. Referring to the example address above, you will find 10.2.3.4 if you search for *.2.3.4, but searching for 1*.2.3.4 will not work. Similar searches also work for IPv6 addresses.
In the “Detail” and “Reason” columns, you can also search for any text that you entered when the block record was originally added, as well as the text of automatic blocks.
If you have blocked any IP address ranges, searching for any part of an IP address will match the text of the range displayed. Partial IP addresses will not be matched against the contents of the range between the first and last displayed IP.
Sort the block list
You can sort the block list by any column by clicking on the column name. After sorting, clicking the column name a second time will sort it in the opposite direction. This is the best way to find recent automatic blocks that have not yet expired.
Frequently Asked Questions
- I am locked out of my site
Make sure that it’s Wordfence that is locking you out of your site. If you have been locked out by Wordfence, the block page will mention “Wordfence” and state a reason for the block. If you contact Wordfence support, include that reason in your message for faster assistance.
For detailed instructions on determining the cause of a block and how to fix unintended blocking, see the Blocking Troubleshooting page here.
- Extracting blocked IPs from the database
If you want to extract blocked IPs from the database so that you can process them with other software then you can run a MySQL query like this below. Read the additional notes prior to running the query to prevent the query from failing.
SELECT INET6_NTOA(IP) FROM wp_wfBlocks7
If you want to output the results to a file, you can do that with this code:
SELECT INET6_NTOA(IP) FROM wp_wfBlocks7
INTO OUTFILE '/writable_directory_by_mysql/blocked_IPs.csv'
LINES TERMINATED BY '\n';Notes:
1) Please note that MySQL >= 5.6 is required.
2) Don’t forget to update the prefix before running your query if you have changed the default WordPress database table prefix.
3) You will need to change the table name to all lowercase letters if you installed version 7.1.12 or greater when you first installed Wordfence on your site:
wfblocks7
4) If you are running a version of Wordfence prior to version 7.3.1 and you first installed Wordfence prior to version 7.1.12 being released then the table name is:
wfBlocks