WordPress Integration

Protect wp-login and wp-admin from blacklisted IPs. Step-by-step setup guide with code examples.

186,817 IPs 8,269 reports Free API

Quick Install

WordPress 5.0+

WooCommerce

PHP 7.4+

Apache

Nginx

Cloudflare

Install via WordPress Admin (recommended):

Download the ZIP, then go to Plugins → Add New → Upload Plugin in your WordPress admin:

Download Plugin ZIP

Or install via SSH (mu-plugin, no activation needed):

cd /path/to/wordpress && mkdir -p wp-content/mu-plugins
curl -sL https://bl.ipwhois.net/api/wordpress/plugin -o wp-content/mu-plugins/ipwhois-guard.php

Or auto-detect all WordPress sites on server:

No API key needed (500 reports/day):

curl -sL https://bl.ipwhois.net/api/wordpress/install | sudo bash

Blocks blacklisted IPs on wp-login, wp-admin and XML-RPC. Reports brute-force attempts automatically.

Requires: WordPress 5.0+ PHP 7.4+ FTP or SSH access

What does it do?

The IPWhois.net Blacklist Guard is a must-use plugin (mu-plugin) that checks every visitor's IP against the IPWhois.net Blacklist before allowing access to sensitive WordPress pages. It uses WordPress transients for caching, so blocked IPs are only checked once per hour.

Block

Blocks blacklisted IPs on wp-login.php, wp-admin and XML-RPC with 403 response.

Report

Reports IPs to IPWhois.net Blacklist after 3+ failed login attempts or XML-RPC attacks.

Manual Installation

Create wp-content/mu-plugins/ipwhois-guard.php:

wp-content/mu-plugins/ipwhois-guard.php

<?php
/**
 * Plugin Name: IPWhois.net Blacklist Guard
 * Description: Blocks blacklisted IPs on login and admin pages
 */

function ipwhois_is_blocked($ip, $min_confidence = 70) {
    $key = 'ipwhois_' . md5($ip);
    $cached = get_transient($key);

    if ($cached !== false) {
        return $cached === 'blocked';
    }

    $response = wp_remote_get(
        "https://bl.ipwhois.net/api/check?ip=" . urlencode($ip),
        ['timeout' => 3, 'sslverify' => true]
    );

    if (is_wp_error($response)) {
        set_transient($key, 'ok', 300);
        return false;
    }

    $data = json_decode(wp_remote_retrieve_body($response), true);
    $blocked = !empty($data['listed']) && ($data['confidence'] ?? 0) >= $min_confidence;

    set_transient($key, $blocked ? 'blocked' : 'ok', HOUR_IN_SECONDS);
    return $blocked;
}

add_action('login_init', function() {
    if (ipwhois_is_blocked($_SERVER['REMOTE_ADDR'])) {
        wp_die('Access denied.', 'Forbidden', ['response' => 403]);
    }
});

add_action('xmlrpc_call', function() {
    if (ipwhois_is_blocked($_SERVER['REMOTE_ADDR'])) {
        status_header(403); exit('Forbidden');
    }
});

add_action('admin_init', function() {
    if (defined('DOING_AJAX') && DOING_AJAX) return;
    if (ipwhois_is_blocked($_SERVER['REMOTE_ADDR'])) {
        wp_die('Access denied.', 'Forbidden', ['response' => 403]);
    }
});

MU-plugins load automatically. No activation needed. Just upload the file.

Configuration

Adjust $min_confidence: 70 (default), 50 (aggressive), 90 (conservative).

Behind Cloudflare? Change the IP detection:

// Add to wp-config.php (before "That's all, stop editing!")
if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}

Troubleshooting

Plugin not loading: Ensure path is exactly wp-content/mu-plugins/ipwhois-guard.php. Create the mu-plugins directory if needed: mkdir -p wp-content/mu-plugins
Blocking legitimate users: Increase threshold to 90 or whitelist IPs in the plugin.
Behind Cloudflare: Use HTTP_CF_CONNECTING_IP instead of REMOTE_ADDR.
Behind Nginx proxy: Use HTTP_X_REAL_IP or HTTP_X_FORWARDED_FOR.
Clear cache: Run wp transient delete --all via WP-CLI to reset blacklist cache.