
IP blocking and rate limiting

Updated May 11, 2026

Beyond brute-force protection, PowerSEC lets you block specific IPs or IP ranges, pull in IP reputation feeds, and set per-endpoint rate limits for your site.

Manual IP blocking

To block a specific IP (or range):

  1. PowerSEC → Firewall → IP Blocklist
  2. Click Add rule
  3. Enter:
    • IP or CIDR range (e.g., 203.0.113.0/24)
    • Reason (for your records)
    • Expires (permanent or temporary)
  4. Save

The IP is blocked at the WAF — it never reaches WordPress.

Automatic IP reputation

PowerSEC subscribes to threat intel feeds:

  • Project Honey Pot — known spam IPs
  • Spamhaus DROP — known botnet IPs
  • AbuseIPDB — community-reported abuse
  • PowerSEC threat intel — IPs we've seen attacking other PowerSEC sites

You can toggle each feed on/off. The combined list is updated every 4 hours.

Geo-blocking (Pro)

Block all traffic from selected countries:

  1. Firewall → Geo Blocking
  2. Select countries to block
  3. Optionally allow specific IPs from blocked countries (e.g., your VPN)
  4. Save

Use cases:

  • E-commerce restricted to US/EU shipping zones
  • Government sites compliant with regional rules
  • Reducing bot traffic from common attack origins

Rate limiting

For requests that aren't outright blocked, you can rate-limit:

  • Login endpoint (/wp-login.php) — covered by brute-force protection
  • WP REST API (/wp-json/*) — N requests per minute per IP
  • Comments endpoint — N comments per hour per IP
  • Search endpoint — N searches per minute per IP
  • Custom URLs — define your own (e.g., contact form)
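The following is an added example of how per-endpoint, per-IP rate limiting of the kind listed above can be implemented; it is not PowerSEC's code and does not reflect its internals. The endpoints use WordPress's standard paths (/wp-json/ for the REST API, wp-comments-post.php for comments, ?s= for search); the /contact/ path for the custom URL, the limits and the sliding-window algorithm are this example's own assumptions. The sample traffic is constructed.

```python
"""Per-endpoint, per-IP rate limiting with a sliding-window log.

Added example, not PowerSEC's own code. Paths follow WordPress
conventions; the /contact/ custom URL and all limits are assumed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Limit:
    name: str
    matches: Callable[[str], bool]   # applied to the request path + query string
    max_requests: int
    window_seconds: float


def _path(url: str) -> str:
    return urlsplit(url).path


def _is_search(url: str) -> bool:
    # WordPress search is the front page with an "s" query parameter.
    parts = urlsplit(url)
    return parts.path == "/" and "s" in parse_qs(parts.query, keep_blank_values=True)


LIMITS = [
    Limit("rest-api", lambda u: _path(u).startswith("/wp-json/"), 60, 60),
    Limit("comments", lambda u: _path(u) == "/wp-comments-post.php", 5, 3600),
    Limit("search", _is_search, 10, 60),
    Limit("contact-form", lambda u: _path(u) == "/contact/", 3, 60),  # assumed custom URL
]


class RateLimiter:
    """Remember each request timestamp per (limit, ip); count only those
    still inside the window. Exact, at the cost of one deque per key."""

    def __init__(self, limits: list[Limit], allowlist: frozenset[str] = frozenset()):
        self.limits = limits
        self.allowlist = allowlist
        self._hits: dict[tuple[str, str], deque] = defaultdict(deque)

    def check(self, ip: str, url: str, now: float) -> tuple[bool, Optional[str]]:
        """Return (allowed, limit_name). Allowlisted IPs are never limited and
        URLs that match no rule are not counted at all."""
        if ip in self.allowlist:
            return True, None
        for limit in self.limits:
            if not limit.matches(url):
                continue
            window = self._hits[(limit.name, ip)]
            cutoff = now - limit.window_seconds
            while window and window[0] <= cutoff:
                window.popleft()                   # forget hits that left the window
            if len(window) >= limit.max_requests:
                return False, limit.name           # rejected requests are not recorded
            window.append(now)
            return True, limit.name
        return True, None


def simulate_burst(limiter: RateLimiter, ip: str, url: str, count: int,
                   start: float = 0.0, spacing: float = 1.0) -> int:
    """Send `count` requests `spacing` seconds apart; return how many got through."""
    return sum(1 for i in range(count) if limiter.check(ip, url, start + i * spacing)[0])


if __name__ == "__main__":
    limiter = RateLimiter(LIMITS, allowlist=frozenset({"198.51.100.100"}))
    print("contact form, 5 requests:", simulate_burst(limiter, "203.0.113.9", "/contact/", 5))
    print("REST API, 70 requests in 7s:", simulate_burst(limiter, "203.0.113.9", "/wp-json/wp/v2/posts", 70, 0, 0.1))
    print("allowlisted:", limiter.check("198.51.100.100", "/wp-json/wp/v2/users", 0.0))
```

Rejected requests are deliberately not added to the window, so a client that keeps hammering still gets exactly max_requests per window rather than being locked out indefinitely; if you want the lockout to extend while the abuse continues, record the rejected hits too.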

Allowlist (whitelist)

Some IPs should never be blocked or rate-limited:

  • Your office IP
  • Monitoring tools (Pingdom, UptimeRobot)
  • Payment processor webhooks (Stripe, PayPal)

Add these to the Allowlist first: allowlisted IPs bypass the manual blocklist, the reputation feeds and every rate limit, so a burst of webhook deliveries or monitor checks is never turned away.
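The following is an added example, not PowerSEC's own code, that puts the three mechanisms above together: manual rules with an IP or CIDR target, a reason and an optional expiry; feed entries that expire at the next refresh; and an allowlist that is checked before any block rule. The feed parser reads the Spamhaus DROP text format (one "CIDR ; SBLnnn" entry per line, ";" starts a comment); whether PowerSEC stores feeds this way is not known. All addresses are documentation ranges constructed for the example.

```python
"""Blocklist, feed and allowlist evaluation with CIDR rules and expiry.

Added example, not PowerSEC's own code. Rule shapes follow the article;
the DROP-format feed parser and the sample data are this example's own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class BlockRule:
    network: IPNetwork
    reason: str
    expires: Optional[datetime] = None  # None means permanent

    def active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires


def parse_network(text: str) -> IPNetwork:
    """Accept a bare IP ("203.0.113.7") or a CIDR range ("203.0.113.0/24").
    strict=False normalises host bits, so "203.0.113.9/24" becomes
    203.0.113.0/24 instead of raising."""
    return ipaddress.ip_network(text.strip(), strict=False)


def normalise(ip: IPAddress) -> IPAddress:
    """Map IPv4-mapped IPv6 (::ffff:198.51.100.23) back to IPv4 so an IPv4
    rule still matches a client that arrived over a dual-stack socket."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def parse_drop_feed(text: str, fetched_at: datetime, ttl: timedelta, name: str) -> list[BlockRule]:
    """Turn a DROP-format feed into rules that expire at the next refresh."""
    rules = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()   # drop the "; SBLnnn" comment
        if entry:
            rules.append(BlockRule(parse_network(entry), f"feed:{name}", fetched_at + ttl))
    return rules


class Firewall:
    def __init__(self, allowlist: list[str], rules: list[BlockRule]):
        self.allowlist = [parse_network(a) for a in allowlist]
        self.rules = rules

    def decide(self, client_ip: str, now: datetime) -> tuple[str, str]:
        """Return (action, trigger). The allowlist wins over every block rule;
        a v4 address never matches a v6 network and vice versa."""
        ip = normalise(ipaddress.ip_address(client_ip))
        for net in self.allowlist:
            if ip in net:
                return "allowed", f"allowlist {net}"
        for rule in self.rules:
            if rule.active(now) and ip in rule.network:
                return "blocked", rule.reason
        return "allowed", "no rule"


# Constructed sample data (documentation prefixes, not real attackers).
NOW = datetime(2026, 5, 11, 12, 0, tzinfo=timezone.utc)
FEED_TEXT = """; DROP list (constructed sample)
203.0.113.0/24 ; SBL000001
2001:db8:bad::/48 ; SBL000002
"""
MANUAL_RULES = [
    BlockRule(parse_network("198.51.100.23"), "manual: credential stuffing", NOW + timedelta(days=1)),
    BlockRule(parse_network("198.51.100.0/25"), "manual: scanner subnet"),
]
FIREWALL = Firewall(
    allowlist=["198.51.100.100", "203.0.113.200"],   # office IP and monitoring probe
    rules=MANUAL_RULES + parse_drop_feed(FEED_TEXT, NOW, timedelta(hours=4), "drop"),
)

if __name__ == "__main__":
    for ip in ["203.0.113.5", "203.0.113.200", "198.51.100.23", "::ffff:198.51.100.23", "198.51.100.130"]:
        print(ip, FIREWALL.decide(ip, NOW))
```

Note that 198.51.100.100 sits inside the blocked 198.51.100.0/25 subnet and 203.0.113.200 inside a feed range, yet both are allowed because the allowlist is consulted first; the same precedence is what lets you keep an office IP reachable after blocking its provider's range.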

Reading firewall logs

Firewall → Logs shows the last 1000 firewall events:

  • Action — Blocked, Rate-limited, Allowed, Logged-only
  • IP + Country
  • URL
  • Trigger — which rule fired
  • User-Agent
  • Timestamp

Filter by action / IP / time range to investigate patterns.
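When the built-in filters are not enough, export the events and look for patterns across them. The script below is an added example, not PowerSEC's code or its export format: it uses the event fields the article lists (action, IP, country, URL, trigger, user-agent, timestamp) laid out as constructed CSV lines, and shows three questions worth asking of any firewall log: which IPs are blocked most, which rules fire most, and which IPs are touching many different URLs (a scanner signature that a per-rule view hides).

```python
"""Pattern hunting over firewall log events.

Added example, not PowerSEC's own code. Field names follow the article;
the CSV layout and every log line are constructed for the example.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict
from datetime import datetime
from typing import Optional, Union

SAMPLE_LOG = """timestamp,action,ip,country,url,trigger,user_agent
2026-05-11T09:00:01Z,Blocked,203.0.113.5,NL,/wp-login.php,brute-force,python-requests/2.31
2026-05-11T09:00:02Z,Blocked,203.0.113.5,NL,/xmlrpc.php,manual-blocklist,python-requests/2.31
2026-05-11T09:00:03Z,Blocked,203.0.113.5,NL,/wp-json/wp/v2/users,rest-api-rate-limit,python-requests/2.31
2026-05-11T09:00:04Z,Blocked,203.0.113.5,NL,/?author=1,manual-blocklist,python-requests/2.31
2026-05-11T09:00:09Z,Rate-limited,198.51.100.7,US,/wp-json/wp/v2/posts,rest-api-rate-limit,Mozilla/5.0
2026-05-11T09:00:10Z,Rate-limited,198.51.100.7,US,/wp-json/wp/v2/posts,rest-api-rate-limit,Mozilla/5.0
2026-05-11T09:00:12Z,Allowed,198.51.100.100,US,/,allowlist,UptimeRobot/2.0
2026-05-11T09:01:00Z,Logged-only,192.0.2.44,DE,/wp-login.php,geo-block,Mozilla/5.0
2026-05-11T09:01:30Z,Blocked,192.0.2.44,DE,/wp-login.php,brute-force,Mozilla/5.0
"""


def parse_timestamp(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text: str) -> list[dict]:
    """One dict per event, with the timestamp converted to a datetime."""
    events = list(csv.DictReader(io.StringIO(text)))
    for event in events:
        event["timestamp"] = parse_timestamp(event["timestamp"])
    return events


def filter_events(events: list[dict], action: Optional[str] = None, ip: Optional[str] = None,
                  since: Union[str, datetime, None] = None,
                  until: Union[str, datetime, None] = None) -> list[dict]:
    """The same filters the Logs screen offers: action, IP, time range."""
    since = parse_timestamp(since) if isinstance(since, str) else since
    until = parse_timestamp(until) if isinstance(until, str) else until
    out = []
    for e in events:
        if action and e["action"] != action:
            continue
        if ip and e["ip"] != ip:
            continue
        if since and e["timestamp"] < since:
            continue
        if until and e["timestamp"] > until:
            continue
        out.append(e)
    return out


def top_blocked_ips(events: list[dict], n: int = 5) -> list[tuple[str, int]]:
    return Counter(e["ip"] for e in events if e["action"] == "Blocked").most_common(n)


def trigger_counts(events: list[dict]) -> Counter:
    """Which rules do the work; a rule that never fires may be misconfigured,
    one that fires constantly may be too broad."""
    return Counter(e["trigger"] for e in events)


def scanners(events: list[dict], min_distinct_urls: int = 3) -> dict[str, int]:
    """IPs that touched at least min_distinct_urls different URLs."""
    urls = defaultdict(set)
    for e in events:
        urls[e["ip"]].add(e["url"])
    return {ip: len(u) for ip, u in urls.items() if len(u) >= min_distinct_urls}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("top blocked:", top_blocked_ips(events, 3))
    print("triggers:", trigger_counts(events))
    print("scanners:", scanners(events))
    print("rate-limited:", [e["ip"] for e in filter_events(events, action="Rate-limited")])
```

In the sample, 203.0.113.5 is caught by three different rules across four URLs in four seconds: a scanner working through the usual WordPress targets, and a candidate for a permanent manual rule rather than repeated per-request blocks.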

Trust your CDN

If you use Cloudflare, AWS CloudFront, or a similar proxy, every connection reaches your server from the CDN's edge addresses, and the real client IP arrives in an HTTP header (CF-Connecting-IP for Cloudflare, X-Forwarded-For for most others). Configure PowerSEC's Trust Proxy to read the right header; otherwise every block and rate limit is applied to the CDN's own IPs, which can lock out all of your visitors at once. The header should only be trusted on connections that actually come from the CDN's address ranges: anyone who can reach the origin directly can set X-Forwarded-For themselves and impersonate an allowlisted IP.

See Cloudflare integration setup for details.
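The following is an added example of how a firewall can resolve the client IP behind a trusted proxy; it is not PowerSEC's Trust Proxy implementation. The trusted range 192.0.2.0/24 is a constructed placeholder standing in for your CDN's published address list, and the other addresses are documentation ranges. It shows the two failure modes from the text: with no trusted proxy configured the edge IP is what gets blocked, and a direct client who sets the header is ignored.

```python
"""Resolving the real client IP behind a CDN or reverse proxy.

Added example, not PowerSEC's own code. Trusted ranges and all sample
addresses are constructed documentation prefixes.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse(value: str) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(peer_ip: str, headers: dict[str, str], trusted_proxies: Iterable[str],
              header: str = "CF-Connecting-IP") -> str:
    """Return the address firewall rules should be applied to.

    The header is believed only when the TCP peer is a trusted proxy; a
    direct client can write any value, so for them the peer is the client.
    X-Forwarded-For is a comma-separated chain that each proxy appends to:
    walk it from the right, skip trusted proxies, and the first untrusted
    hop is the client. Everything left of that hop was supplied by the
    client and is ignored. Any malformed value falls back to the peer."""
    peer = ipaddress.ip_address(peer_ip)
    ranges = [ipaddress.ip_network(r, strict=False) for r in trusted_proxies]
    if not any(peer in n for n in ranges):
        return str(peer)                         # direct connection: headers are untrusted

    hdrs = {k.lower(): v for k, v in headers.items()}
    value = hdrs.get(header.lower(), "")
    if not value:
        return str(peer)

    if header.lower() == "x-forwarded-for":
        for hop in reversed(value.split(",")):
            addr = _parse(hop)
            if addr is None:
                return str(peer)                 # garbage in the chain: do not guess
            if not any(addr in n for n in ranges):
                return str(addr)
        return str(peer)                         # only proxies in the chain

    addr = _parse(value)                         # single-valued header set by the proxy
    return str(addr) if addr is not None else str(peer)


def decision(peer_ip: str, headers: dict[str, str], trusted_proxies: Iterable[str],
             blocked: Iterable[str], header: str = "CF-Connecting-IP") -> tuple[str, str]:
    """Apply a plain IP blocklist to the resolved client address."""
    ip = client_ip(peer_ip, headers, trusted_proxies, header)
    addr = ipaddress.ip_address(ip)
    for b in blocked:
        if addr in ipaddress.ip_network(b, strict=False):
            return "blocked", ip
    return "allowed", ip


if __name__ == "__main__":
    CDN = ["192.0.2.0/24"]                       # assumed CDN edge range
    bad = ["203.0.113.0/24"]
    # Correctly configured: the attacker behind the CDN is blocked.
    print(decision("192.0.2.10", {"CF-Connecting-IP": "203.0.113.5"}, CDN, bad))
    # Trust Proxy not configured: the edge IP is what the rule sees.
    print(decision("192.0.2.10", {"CF-Connecting-IP": "203.0.113.5"}, [], bad))
    # Direct client forging the header to look like someone else.
    print(decision("203.0.113.5", {"CF-Connecting-IP": "198.51.100.100"}, CDN, bad))
```

If you block the edge IP the misconfigured case returns, every visitor arriving through that edge is blocked with it; that is the "all blocks affect your CDN's IP" failure described above. The reverse mistake, trusting the header from any peer, is how a direct client gets to pick which IP your rules judge them by.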
