How to Block IP Addresses in WordPress using PHP

There may be times when you need to block certain IP addresses from accessing your WordPress site, whether due to malicious activity, repeated login attempts, or other security concerns. While there are plugins available to manage this, you can achieve the same result with a simple custom code snippet.

In this post, we'll show you how to block specific IP addresses in WordPress using a PHP function. By adding the code below to your theme’s functions.php file, you can prevent users from accessing your site based on their IP addresses and display a custom message to them.

function themesdna_block_ip_address() {
    // List of blocked IP addresses
    $blocked_ips = array( 
        '123.45.67.89', 
        '98.76.54.32'
    );

    // Get the user's real IP address, accounting for proxies
    $user_ip = '';
    if ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
        $user_ip = $_SERVER['HTTP_CLIENT_IP']; // IP from shared internet
    } elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $user_ip = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] )[0]; // IP passed from proxy
    } else {
        $user_ip = $_SERVER['REMOTE_ADDR']; // Direct IP
    }

    // Ensure IP is sanitized
    $user_ip = filter_var( $user_ip, FILTER_VALIDATE_IP );

    // Check if the user's IP is in the blocked list
    if ( $user_ip && in_array( $user_ip, $blocked_ips ) ) {
        wp_die(
            wp_kses_post( '<h1>Access Blocked</h1><p>Your IP address (' . esc_html( $user_ip ) . ') has been blocked from accessing this site. Please contact the administrator if you believe this is a mistake.</p>' ),
            esc_html__( 'Access Blocked', 'themesdna' ),
            array( 'response' => 403 ) // Send a 403 Forbidden HTTP response
        );
    }
}
add_action( 'init', 'themesdna_block_ip_address' );

Important Notes:

• The $blocked_ips array contains the IP addresses you want to block. The values "123.45.67.89" and "98.76.54.32" are sample addresses; be sure to replace them with the specific IPs you wish to block. You can easily add or remove IP addresses from this list as needed.
• You can also customize the message that’s displayed to blocked users by modifying the text in the wp_die() function.
• Regularly update the $blocked_ips array as needed and keep an eye on any suspicious activity on your site.

This solution gives you flexibility and control over which IP addresses are blocked without needing to install additional plugins.