How to block a country in WordPress?

Listen to this article

How to Block a Country in WordPress? (Geoblocking in WordPress) If your website is not related to people in certain countries, you would expect little or no traffic from those places. Then you see a sudden spike, your server resources are depleted and your site suffers. It turns out that traffic is created by hackers and bots.

Many website administrators then block countries in WordPress by IP to protect their website and its visitors from harm. In this article, I will introduce you to the different ways to implement geoblocking on your WordPress website.

The content of the article:

• What does geoblocking mean in WordPress?
• How to determine the IP address of which country to block in WordPress?
• How to block country IP addresses from accessing your WordPress site?
• Why Block a Country IP Address in WordPress?
• Why blocking IP addresses by country is not a good idea?
• Other Options for Country Blocking in WordPress
• Conclusion

What does geoblocking mean in WordPress?

Before we get started, let's talk a little about what geoblocking is in WordPress. If you've heard the term before, it essentially means that you can block visitors or traffic from other countries from accessing your website.

Blocking by country occurs by IP addresses, individual device identifiers. Countries often have IP ranges, so if you want to block China, for example, you need to have that IP range.

Website owners and administrators often see geo-blocking as a solution to the bot problem. However, each administrator determines the source of bot traffic based on their own websites. Opinions are often mixed, but you'll see some recurring ones, like the US and the EU, on almost every list.

How to determine the IP address of which country to block in WordPress?

If you don't yet know for which countries you want to block access to your WordPress website, but still want to stop unwanted traffic, there are several ways to find out.

Use a security plugin with a firewall

The benefits of having a firewall on your website are manifold, and one of the great features is logging. Firewalls log every request your site receives and analyze them based on parameters. Here is an example of the log output by the security plugin on my site:

As you will see, each request to your site is logged in detail. You can see which country has the most requests coming from and determine if those requests are legitimate users. These logs record all suspicious traffic towards your website. They can immediately identify unwanted bots.

Using Google Analytics

On the Google Analytics Dashboard, go to the section Sessions by Country > Location Overviewto find information about your users. Here you will see a visual representation of your world traffic.

Google Analytics will only list the source of the traffic, not the type of traffic you are receiving. Based on your website content and audience profile, you will be able to determine if any country's traffic is harmful to your website.

How to block country IP addresses from accessing your WordPress site?

There are two ways to implement geoblocking on your WordPress site: manually or with a plugin. I must say right away that the manual method is tedious and time-consuming. I strongly recommend that you use the plugin method to block country IP addresses in WordPress.

Using a WordPress Plugin to Block a Country

Easily block the countries you want to use with the plugin. The manual method requires editing core WordPress files, adding thousands of lines of repetitive code, and updating the code regularly. This is a significant investment of your time, which you could spend on something much more valuable. Here are plugins to help you with this:

MalCare allows you to block country IP addresses in WordPress with a few clicks right from your control panel. The big benefit here is that you can access other diagnostic tools like login and traffic logs to help you determine which countries need blocking.

The process is simple and fast. In addition, the plugin uses smart signals to analyze the behavior of an IP address. Therefore, if someone tries to use a VPN or proxy server, MalCare will analyze if this IP address is indeed malicious and then block it. This way, blocked country IP addresses on your WordPress are effectively blocked and you don't have to worry about your site being hacked!

Wordfence is a popular WordPress security plugin with built-in geoblocking. Again, we recommend using a WordPress security plugin instead of a dedicated geo-blocking plugin. Wordfence offers two options for country blocking in WordPress. If you want to block access to the entire website, select both options: " Login with " And "Block access to the rest of the site". Wordfence recommends that Google Ads users only block access to their login form.

iQ Block Country is a plugin with one task - geo-blocking. There are a few more options available with this plugin, and it's free to use. You can also block access to the backend of your website, posts, pages, categories. You can also prevent search engines from visiting your site if you need to.

I have listed several plugin options here for your convenience.

Blocking country IP addresses with .htaccess file (manual method)

I highly recommend using one of the plugins I suggested above. The manual method of blocking country IP addresses in WordPress is time consuming. You will need to access your WordPress files and then add thousands of lines of code to block individual suspicious IP addresses and ranges.

Also, every time you tamper with the internal files of a WordPress site, such as the .htaccess file, you run the risk of breaking your site. This is due to the fact that even the slightest mistake made in coding can lead to malfunctions of the entire device.

If you still want to implement country blocking manually, make a new backup of your website. This step will save you grief if something goes wrong.

Step 1: Create an access control list with IP address ranges of certain countries that you want to block. To do this, you can use services such as ip2location and countryipblocks.

Step 2: Select the country you want to block from the dropdown list and create a list of IP addresses.

Step 3: Select the .htaccess option for the output format. The service will create a text file with IP addresses.

Step 4: Then, to paste the list into your .htaccess file, open the .htaccess file from the public_html directory, either via cPanel or VestaCP, or via FTP.

Step 5: Copy the contents of the text file to an .htaccess file and save it.

Remember to update this list every month or so to make sure the information is up to date as IP addresses can change.

Why Block a Country IP Address in WordPress?

There are several reasons why you would like to block access to your website for certain countries.

Malicious traffic

Unfortunately, every website owner has to deal with malware attacks sooner or later. Since malware is universal, the attacks themselves can take many forms.

You may be seeing a spike in failed login attempts (perhaps brute force attacks) or your server is being overwhelmed with requests, causing your site to go down. If these attacks originate from one location, you should block all access from that country, especially if there is no good reason to allow traffic from there.

Your business site may not serve certain regions: for example, your online store does not ship to the United States. So if you're seeing a lot of malicious traffic from the US and Americans don't have a compelling business reason to visit your site, you might think it's a safe idea to completely ban traffic from the US.

Signs that you may be experiencing increased bot traffic

Bad bots are incredibly harmful to your site and can result in huge losses. It's always best to have a security plugin installed, however there are other ways to determine if your site is receiving bot traffic:

• Your website monitoring services will show spikes in CPU and network usage.
• A good web host will send you a warning if your site is consuming excessive server resources.
• Login logs will show multiple failed login attempts in a short period if your website is under attack to crack passwords.
• Your website can go completely down if the bots are consuming all available resources.

If you see any or all of these signs, you are experiencing bot traffic. While blocking country IP addresses can be a temporary solution, installing a firewall is the best way to protect your site from more threats in the long run.

Only local audience

If your website is only relevant to one country, you may want to prevent visitors from other countries from visiting it altogether.

Apart from the lack of relevance, if you follow the security news regularly, some countries are mentioned quite often when it comes to hackers and bots. You can stop this early, especially if you have a small site with limited server resources.

Distorted Analytics

In your analytics, you may see a high percentage of traffic coming from certain countries. If there is no interaction on your site with this segment of traffic, such as shopping, then this traffic is useless for you and wastes site resources pointlessly.

In addition, spam traffic and bots distort important metrics such as conversion rates. For this reason, you may get a completely inaccurate picture from your analytics. This will affect your marketing decisions and for this reason, you will end up wasting resources.

Premium Content

Geoblocks are also used on sites that restrict access to premium media such as movies and TV shows. This is done to comply with copyright and licensing terms. You will see this on streaming services like Netflix or Amazon Prime.

Legal obligations

In “grey” industries such as online gambling, laws differ not only by country, but often also by region. In these cases, websites will need to restrict access and enforce laws applicable to the specific regions they wish to serve and block everyone else.

Why blocking IP addresses by country is not a good idea?

Depending on your reasons for implementing geo-blocking, there are usually better and more robust solutions that serve this purpose.

I don't recommend using geo-blocking on your WordPress site for several reasons. If your primary goal is to block threats, install a security plugin on your website and avoid all that hassle.

IP resolution is not ideal

There are two consequences of incorrect resolution of IP addresses:

• firstly, you can inadvertently block the users you need from another country;
• secondly, the block may not work completely. In any case, the solution is not ideal.

There are servers all over the world

If you ban traffic from the whole country, it's like throwing the baby out with the water. There may be legitimate traffic from these countries, and you will lose their visits altogether.

For example, one user saw a large number of phishing messages from Germany on his website. He wanted to block traffic from Germany as well, but he couldn't. Services that his website used on servers located in Germany, such as health monitoring and backup.

The other user has US suppliers and therefore needs to keep the US unlocked for these reasons.

You can block Google

This is a serious entry on the list. Blocking countries by IP address can affect Google rankings because blocking can inadvertently prevent Google bots from crawling your website. This is especially true if you want to block countries in North America and Europe where Google bots are located. Depending on the method you use, country blocking may or may not make an exception for friendly site crawlers.

In some cases it is possible to whitelist googlebot, but some bots masquerade as googlebot, so doing this is risky and without good results.

You can block yourself

It sounds absurd, but it happens quite often. There have been instances where website owners have been blocked from their own websites due to the inaccurate nature of geo-blocking. Then it is a difficult task to reverse an unintentional block.

Malware is universal

Country blocking does not guarantee that your website is protected from malware and phishing attacks. In order to have a multi-sided and more successful attack, malware can be hidden on devices around the world and possibly in whitelisted countries. Compromised hosts often do not pay attention to the infection of their devices and, for example, unwittingly become part of botnets.

In my opinion, this is a poor substitute for a good firewall.

Needs constant updates

If your geoblocking relies on a database for searches, a database error could result in something being blocked unintentionally or not being blocked when it should be.

This is especially true as IP addresses, and therefore IP address ranges, are constantly changing. If you have used one of the manual methods with ACLs to block countries, you will need to refresh the list periodically to make sure it still works.

Not bulletproof

More experienced attackers will use proxies or VPNs to get around the blocking country's rules. You may actually succeed in blocking direct traffic, but then a percentage of the bad ones will find a way around it.

Google Ads may not work

There is some evidence that Google Ads penalizes sites with geo-blocking. Many users report that their ads were disapproved after restricting traffic from other countries.

As I said earlier, to prevent bad traffic, use a firewall that has automatic protection against bad requests. A firewall is better than a WordPress geo-blocking plugin because it will stop bad traffic before it reaches your site. Most firewalls also log request data so you can use it to better analyze your website traffic.

Other Options for Country Blocking in WordPress

When you think about blocking a country, you usually want to block traffic from multiple countries. However, there are other ways to implement blocks:

• Block everyone and whitelist certain IP addresses as needed: This is obviously a very drastic measure, so it depends heavily on the use case of the website. Often this method is used when the site has a small and specific audience or may contain confidential information.
• Block access to the login page only: as opposed to the entire website interface. This method is often suggested as a workaround for the Google Ads issue I described in the previous section.

Conclusion

In my opinion, blocking countries by IP - or in any other way - is not a good solution. As I listed above, there are several disadvantages and ways to get around the lock, so the benefits are greatly reduced as a result.

If you want to protect your website from malicious bots and hackers, which is the main reason a website administrator considers geoblocking in the first place, then a firewall is the best option.

Reading this article:

• 16 WordPress security issues (vulnerabilities)
• How to protect your site from WordPress brute force attacks?

Thanks for reading: SEO HELPER | NICOLA.TOP