This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Advanced Blocking

Revision as of 20:54, 26 January 2017 by WFMattr (Talk | contribs)

Advanced Blocking is located on a tab of the Firewall page.

Before reading about Advanced Blocking, we recommend you read our Whois Lookup article to understand what a Whois lookup is, how you can use it to find out which network an IP address belongs to, and how you can combine Whois with Advanced Blocking to quickly block networks or blocks of IP addresses. The real power of Advanced Blocking is the ability to view Wordfence Live Traffic, do a quick Whois on an IP address to find out which network it belongs to, and then click that network to block it using Advanced Blocking. Live Traffic, Whois and Advanced Blocking work closely together in Wordfence to let you block attacks from entire networks with just three clicks.

Advanced Blocking in Wordfence gives you a way to block:

  • Ranges of IP addresses (which are also called networks).
  • Certain web browsers or web browser patterns (also called user-agents).
  • Certain referers. These are the websites your traffic arrives from, or claims to have arrived from.
  • Any combination of the above. For example, if you specify an IP address range combined with a web browser pattern, then only if BOTH match will the visitor be blocked. (The logic is a boolean 'AND')

How to block a range of IP addresses

To block a range of IP addresses, simply enter the starting IP address followed by a space, a dash, a space and then the ending IP address. For example: -

That will block IP address range to which is 22 addresses and includes the addresses ending in 1 and 22.

Enter a reason you're blocking this IP address range and then hit the Block button. That IP address range will be instantly blocked.

How to block a web browser pattern

The user-agent strings sent by web browsers on Android devices generally contain the keyword 'Android' (without quotes). If you want to block all Android browsers, in other words all user-agents that contain the word 'Android', you can use the following pattern:


The asterisk character acts like a wildcard so the pattern above means: Block all user-agents that contain the word android and that have any text at the start or end.

You can also do this:


Which means: Block all user-agents that start with 'Android' without quotes.



Which means: Block all user-agents that end with 'Android' without quotes.

Hopefully you get the idea of how you can use an asterisk to mean "any text". All patterns are case insensitive.

How to block a referer (or referring website)

This is a really cool feature we added in Wordfence 5.3.2 which lets you block traffic arriving from a certain website. Why would you want to do this? Because many spammers visit your site claiming they arrived from their own website when in fact they didn't. They're sending you a fake "referer" header which they're hoping will appear in your logs and that you might click on. Also if you show referers anywhere on your site this will give them more visibility and more clicks. So this feature gives you a way to block those bad referers. Here's how:

Let's say you have a website called and if you ever get a visitor arriving at your website who claims to have arrived from you want to block them. Simply enter:


as your blocking pattern. Just like in the web browser examples above, referer blocking uses the asterisk (*) as a wildcard to let you specify patterns that either start with, end with or contain your text.

Blocking a combination of IP address range, browser pattern and referring website

If you're being attacked by several hosts on a network and they are all using the same user-agent string to identify themselves, this can be useful. Simply follow the instructions above but enter any combination of IP address range, user-agent and referer pattern that you want to block. Then enter a reason and hit the button to block the combination.
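
The matching rules described above (inclusive IP ranges, case-insensitive asterisk wildcards, and AND logic for combinations) can be modelled in a short script to check a rule against sample requests before relying on it. This is an added example, not Wordfence code: `BlockRule` and the helper names are hypothetical, the addresses and patterns are constructed sample values, and it assumes a pattern with no asterisk must match the whole string.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


def parse_range(text):
    """Parse 'START - END' (space, dash, space) into inclusive integer bounds."""
    start_s, sep, end_s = text.partition(" - ")
    if not sep:
        raise ValueError("expected 'START - END'")
    lo = int(ipaddress.IPv4Address(start_s.strip()))
    hi = int(ipaddress.IPv4Address(end_s.strip()))
    if lo > hi:
        raise ValueError("range start is above range end")
    return lo, hi


def wildcard_to_regex(pattern):
    """'*' means any text; everything else is literal; case-insensitive."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)


@dataclass
class BlockRule:
    # Hypothetical model of one blocking pattern; unset fields are ignored.
    ip_range: Optional[str] = None
    user_agent: Optional[str] = None
    referer: Optional[str] = None

    def matches(self, ip, user_agent="", referer=""):
        checks = []
        if self.ip_range:
            lo, hi = parse_range(self.ip_range)
            checks.append(lo <= int(ipaddress.IPv4Address(ip)) <= hi)
        for pattern, value in ((self.user_agent, user_agent), (self.referer, referer)):
            if pattern:
                checks.append(bool(wildcard_to_regex(pattern).fullmatch(value)))
        # Boolean AND: every criterion that is set must match.
        # A rule with no criteria blocks nothing.
        return bool(checks) and all(checks)


# Constructed sample rule (documentation address space, not from the page).
SAMPLE_RULE = BlockRule(ip_range="192.0.2.1 - 192.0.2.22", user_agent="*android*")
```

With `SAMPLE_RULE`, a request from 192.0.2.5 is blocked only if its user-agent also contains "android"; the same user-agent from 192.0.2.23 passes.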

Removing a block

To remove a block, click the "Delete this blocking pattern" link in the list of current blocking patterns below, and the block will be removed instantly.

Notes on using Falcon Engine with Advanced Blocking

First the good news: Falcon Engine uses your .htaccess to block IP addresses and address ranges. It also uses .htaccess to block web browser patterns. This is VERY fast because a blocked visitor does not get a chance to execute PHP or touch WordPress, and so consumes very few resources on your site when they try to access it after being blocked.

The bad news, and this is a minor issue, is that you cannot use patterns that combine an IP address range, user-agent and referer when Falcon is enabled.

So if you have a blocking pattern that includes both an IP address range and a browser pattern (for example), this pattern will be disabled when Falcon is enabled. We have done this because it's not technically possible to block these combinations using .htaccess rules without your .htaccess becoming very large and potentially unstable.

More good news though: Falcon uses a clever and very efficient algorithm to turn your IP address ranges that have been blocked into CIDR notation networks which are understood by your web server. This keeps things very efficient and fast when you're blocking individual IP addresses or networks. Another reason why Falcon Cache and Wordfence are such a great combination.
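
To show what turning a blocked range into CIDR networks involves, here is an added example using the standard greedy method of taking the largest aligned block at each step. It is not Falcon's own code (the page does not show its algorithm); `range_to_cidrs` is a hypothetical name and the addresses used with it are constructed.

```python
import ipaddress


def range_to_cidrs(start, end):
    """Cover the inclusive IPv4 range start..end with the fewest CIDR networks."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("range start is above range end")
    cidrs = []
    while lo <= hi:
        # A CIDR block of 2**n addresses must start on a multiple of 2**n,
        # so the lowest set bit of lo limits how large the block can be.
        align_bits = (lo & -lo).bit_length() - 1 if lo else 32
        # The block also may not run past the end of the range.
        size_bits = (hi - lo + 1).bit_length() - 1
        bits = min(align_bits, size_bits)
        cidrs.append(f"{ipaddress.IPv4Address(lo)}/{32 - bits}")
        lo += 1 << bits
    return cidrs
```

A range that lines up with a network boundary collapses to a single entry, while an unaligned 22-address range such as 192.0.2.1 to 192.0.2.22 needs seven networks, which is worth knowing when reviewing the rules generated for a block.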