WordPress Security - htaccess for banning IPs

Brute force attacks form a sizeable share of the attacks on the Internet today. In an attempt to crack login credentials, our WordPress sites are endlessly bombarded with login attempts. Your web server logs record details of these failed login attempts, such as the source IP address. The next obvious step is to block these clients from accessing your site, and the htaccess file is one way of achieving it.

Htaccess files are per-directory configuration files that live on your web server. They are used to control access to files at a directory level, or for the entire site when placed in the site root. If you want to block an IP address, say 192.168.20.10, using htaccess, you can do so by adding the following lines –

order allow,deny
deny from 192.168.20.10
allow from all

The above lines block the client with IP address 192.168.20.10. You can add them at site level or at directory level, depending on what you want to protect. You can also block multiple IP addresses by adding one deny line per address.

Attackers often use a network of bots to attack other users. Each bot will have a unique IP address assigned to it from a range of addresses. When your site comes under attack, the range of IP addresses is easy to spot in your logs, and it is easier still to block the whole range in one shot. All you have to do is add the following lines to your htaccess file –

order allow,deny
deny from 192.168.20.
allow from all

It is also possible to ban users, or even an entire ISP, using a hostname. The following is one such example –

order allow,deny
deny from thebadguy.com
allow from all
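Spotting the offending addresses and ranges in the logs, as described above, can be scripted. The following is an added example (not code from the original post): it reads Apache access-log lines, counts failed WordPress logins per client IP (a failed login is a POST to wp-login.php answered with 200, while a successful one redirects with 302), folds offenders that share a /24 into a single range rule like the 192.168.20. example, and prints a deny block. The log lines, the failure threshold of 3 and the /24 grouping are constructed assumptions for the example. By default it emits the Order/Deny syntax used in this post, which Apache 2.2 understands natively and Apache 2.4 only with mod_access_compat loaded; with apache24=True it emits the native 2.4 Require syntax instead. It deliberately emits IP rules only: a deny-by-hostname rule like the one just shown forces Apache to do a reverse DNS lookup on every request, which is slow and worth avoiding on a busy site.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format. They are made up
# for this example and do not come from a real server. A failed WordPress
# login is a POST to wp-login.php answered with 200 (the form is re-rendered
# with an error); a successful login answers with a 302 redirect to wp-admin.
SAMPLE_LOG = """\
192.168.20.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "python-requests/2.31"
192.168.20.10 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "python-requests/2.31"
192.168.20.10 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "python-requests/2.31"
192.168.20.11 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "python-requests/2.31"
192.168.20.11 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "python-requests/2.31"
192.168.20.11 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "python-requests/2.31"
192.168.20.12 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "python-requests/2.31"
192.168.20.12 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "python-requests/2.31"
192.168.20.12 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:02:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, request method, request path and status code from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def failed_logins(lines):
    """Count failed wp-login.php POSTs per client IP; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            counts[ip] += 1
    return counts


def offenders(counts, threshold=3):
    """IPs with at least `threshold` failures (the threshold is an assumed tuning value)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def collapse(ips, min_hosts=3):
    """Fold IPv4 offenders that share a /24 into one range rule (the post's
    192.168.20. style) once at least `min_hosts` of them were seen; the rest stay single."""
    by_prefix = defaultdict(list)
    for ip in ips:
        by_prefix[ip.rsplit(".", 1)[0]].append(ip)
    ranges, singles = [], []
    for prefix, hosts in sorted(by_prefix.items()):
        if len(hosts) >= min_hosts:
            ranges.append(prefix)
        else:
            singles.extend(hosts)
    return singles, ranges


def render_rules(singles, ranges, apache24=False):
    """Emit the deny block. Default is the Order/Deny syntax shown in the post
    (Apache 2.2, or 2.4 with mod_access_compat); apache24=True emits the
    native Apache 2.4 Require syntax with CIDR ranges instead."""
    if apache24:
        lines = ["<RequireAll>", "    Require all granted"]
        lines += [f"    Require not ip {p}.0/24" for p in ranges]
        lines += [f"    Require not ip {ip}" for ip in singles]
        lines.append("</RequireAll>")
    else:
        lines = ["order allow,deny"]
        lines += [f"deny from {p}." for p in ranges]
        lines += [f"deny from {ip}" for ip in singles]
        lines.append("allow from all")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    singles, ranges = collapse(offenders(failed_logins(SAMPLE_LOG.splitlines())))
    print(render_rules(singles, ranges))
```

Run against the sample above, it produces one range line for 192.168.20. (three bots in that /24), one single line for 198.51.100.7, and nothing for 203.0.113.5, whose single mistyped password followed by a successful 302 login is normal user behaviour. Feed it a real access log with something like `failed_logins(open("access.log"))` and review the output before pasting it into htaccess; a shared office or carrier NAT address can put many legitimate users behind one IP.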

The htaccess file is a powerful tool for controlling access to your site. For the same reason, a small typing error can break parts of your site, so always back up your htaccess file before making any changes to it. When WordPress adds configuration to the htaccess file, it always does so between the comment lines #BEGIN WordPress and #END WordPress, so remember to add your custom lines outside of these comments for better tracking.
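The backup-then-edit routine above, and the rule of keeping custom lines outside the WordPress markers, can be made mechanical so that a repeated ban update never duplicates lines or lands inside the block WordPress rewrites. The following is an added example, not code from the original post or from WordPress: it keeps the custom rules between its own marker comments (an assumed convention), places that block before the WordPress block, copies the old file to .htaccess.bak first, and writes the new file atomically. WordPress writes its markers as `# BEGIN WordPress` and `# END WordPress` with a space; the pattern used here accepts the post's `#BEGIN WordPress` spelling as well. The sample htaccess content and the deny rules are constructed for the example.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Our own markers for the custom block (an assumed convention, not WordPress's).
BAN_BEGIN = "# BEGIN custom IP bans"
BAN_END = "# END custom IP bans"
# WordPress writes "# BEGIN WordPress"; the optional whitespace also accepts "#BEGIN WordPress".
WP_BEGIN_RE = re.compile(r"^#\s*BEGIN WordPress[ \t]*$", re.M)
# A previously written custom block, including the newline after its end marker.
BAN_BLOCK_RE = re.compile(re.escape(BAN_BEGIN) + r".*?" + re.escape(BAN_END) + r"\n?", re.S)

# Constructed sample .htaccess, shaped like the rewrite block WordPress generates.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed deny rules, in the syntax used in the post.
DENY_RULES = "order allow,deny\ndeny from 192.168.20.10\nallow from all"


def merge_rules(htaccess_text, rules):
    """Return the htaccess content with `rules` wrapped in our markers and placed
    before the WordPress block (never inside it). Re-running replaces the
    previous custom block instead of appending a second copy."""
    block = f"{BAN_BEGIN}\n{rules.strip()}\n{BAN_END}\n"
    if BAN_BLOCK_RE.search(htaccess_text):
        return BAN_BLOCK_RE.sub(lambda _: block, htaccess_text, count=1)
    m = WP_BEGIN_RE.search(htaccess_text)
    if m:
        return htaccess_text[:m.start()] + block + "\n" + htaccess_text[m.start():]
    if not htaccess_text.strip():
        return block
    return htaccess_text.rstrip("\n") + "\n\n" + block


def update_htaccess(path, rules):
    """Back up the current file to <name>.bak, then replace it atomically with the merged content."""
    path = Path(path)
    current = path.read_text() if path.exists() else ""
    if path.exists():
        shutil.copy2(path, path.with_name(path.name + ".bak"))
    merged = merge_rules(current, rules)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(merged)
    os.replace(tmp, path)  # Apache sees either the old or the new file, never a half-written one
    return merged


def demo():
    """Run the update twice against a scratch copy of the sample file and return
    the new content, the backup taken on the first run, and whether the second run changed anything."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / ".htaccess"
        target.write_text(SAMPLE_HTACCESS)
        first = update_htaccess(target, DENY_RULES)
        backup = (Path(d) / ".htaccess.bak").read_text()
        second = update_htaccess(target, DENY_RULES)
        return {"text": first, "backup": backup, "idempotent": first == second}


if __name__ == "__main__":
    print(demo()["text"])
```

The custom block goes above the WordPress block on purpose: Apache evaluates htaccess directives in file order, and WordPress's rewrite rules route every request through index.php, so the access rules should be decided first. Because the script only ever touches the region between its own markers, a later WordPress permalink change that rewrites the `# BEGIN WordPress` block leaves the bans intact, and a later ban update leaves the WordPress block intact.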