There may be many reasons why you would want to block a specific IP address from accessing your WordPress site or any PHP-based website. There are of course, similar methods to block IP addresses in any language-based based web development but WordPress is written in PHP, so that’s what I’m focusing on here. The main reason you would want to block access, particularly with WordPress, is to stop comment spam, or the uninvited access of an ex-employer and/or general troublemaker. If it’s your website and your content, then it’s your appanage to allow or block people from accessing it as you see fit.

As a quick disclaimer: regardless of how you try and block someone, there are always ways around it and if Google is caching your site, they may well be able to see (an admittedly usually out-of-date) version of the content just by finding you on Google and clicking on the cache link – there are ways around that too but I cover that in another post.

tmb-ip
First things first, you need to get hold of the offender’s IP address (this is four groups of numbers that identify the user’s internet connection). This fortunately isn’t usually all that difficult although you must realise that a lot of people don’t always have the same IP address (called dynamic IP addresses) so this isn’t a totally fail-safe way of blocking regular individuals, but those using static IP addresses (which is most companies and regular automated spammers) don’t change IP unless they change service provider.

comment-ip
Identify your offender either through your server or statistics logs (for this I recommend a combination of Google Analytics and StatCounter although there are many good services out there), or in the case of comment spam, check out your WordPress Dashboard and look in the comments section, their IP address is shown against their comment. See the two images to the right for screenshots.

Now, armed with your IP addresses, open up the header.php file from wp-content/themes/your-theme/ in your favourite editor and add these lines of PHP into the very top of the page:

< ?php
$deny = array("82.109.236.62", "62.172.184.2", "86.0.74.19");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
   header("location: http://www.google.com");
   exit();
}
?>

Change the IP addresses in the array to your offenders (you can add as many as you like and you can also use wild cards, so to block an entire chunk of IP addresses starting with 82.109.236.xxx just put 82.109.236.*). Once you’re done, decide where you want to redirect the users (Rick Astley’s Never Gonna Give You Up on YouTube is a personal favourite of mine), and up the file back onto your server. That’s it! Never be bothered again.

For other PHP-based websites, you have to make sure that you include the code at the top of every page you’re serving, otherwise they may still be able to access certain pages. With WordPress this is less of a problem because the contents of the header.php file will always be included when a (non-admin) page on your site is accessed.

Just as quick final words: be careful who’s website you redirect to, some webmasters may not appreciate the visitors any more than you do; and it’s best practice not to redirect anywhere too offensive: remember that much as you don’t want their visitors, you don’t have to offend them at the same time. This will also only block access to your pages, they may still be able to get to your images if they know the right path.

My thanks to Perishable Press who taught me this little trick. If you want to thank someone, they’re the guys you should be sending your praises to!