Beyond brute-force protection, PowerSEC lets you block specific IPs or IP ranges and set general rate limits for your site.
Manual IP blocking
- PowerSEC → Firewall → IP Blocklist
- Click Add rule
- Enter IP or CIDR range, reason, and expiry
- Save — the IP is blocked at the WAF
Automatic IP reputation
PowerSEC subscribes to threat intel feeds:
- Project Honey Pot — known spam IPs
- Spamhaus DROP — known botnet IPs
- AbuseIPDB — community-reported abuse
- PowerSEC threat intel — IPs attacking other PowerSEC sites
The combined list is updated every 4 hours.
Geo-blocking (Pro)
Block all traffic from selected countries:
- Firewall → Geo Blocking
- Select countries to block
- Optionally allow specific IPs from blocked countries (e.g., your VPN)
Rate limiting
- Login endpoint (/wp-login.php) — covered by brute-force protection
- WP REST API (/wp-json/*) — N requests per minute per IP
- Comments endpoint — N comments per hour per IP
- Search endpoint — N searches per minute per IP
- Custom URLs — define your own
Allowlist (whitelist)
Some IPs should never be blocked:
- Your office IP
- Monitoring tools (Pingdom, UptimeRobot)
- Payment processor webhooks (Stripe, PayPal)
Add these to the Allowlist before any rate limit takes effect.
Trust your CDN
If you use Cloudflare, configure PowerSEC's Trust Proxy to read the CF-Connecting-IP header — otherwise all blocks affect your CDN's IP, not the actual attacker.
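The sketch below is an added example, not PowerSEC's own code. It shows why the Trust Proxy setting matters and how it interacts with the blocklist and allowlist: CF-Connecting-IP is honoured only when the connection comes from a trusted proxy range, because from any other peer the header is client-supplied. The function names, the sample ranges (documentation addresses standing in for your CDN's published ranges) and the rule that the allowlist wins over the blocklist are assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample data using documentation ranges; not real CDN or PowerSEC values.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]  # stand-in for the CDN's ranges
ALLOWLIST = [ipaddress.ip_network("198.51.100.10/32")]    # e.g. the office IP
BLOCKLIST = [  # (network, reason, expiry or None for no expiry)
    (ipaddress.ip_network("203.0.113.0/24"), "scanner",
     datetime(2030, 1, 1, tzinfo=timezone.utc)),
    (ipaddress.ip_network("198.51.100.0/24"), "abuse", None),
]

def _in_any(ip, networks):
    return any(ip in net for net in networks)

def client_ip(peer_addr, headers):
    """Return the address that rules should be evaluated against.

    The header is used only when the TCP peer is a trusted proxy. A direct
    client can send any CF-Connecting-IP value, so it is ignored there.
    `headers` is assumed to be a dict keyed by the exact header name.
    """
    peer = ipaddress.ip_address(peer_addr)
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded and _in_any(peer, TRUSTED_PROXIES):
        try:
            return ipaddress.ip_address(forwarded.strip())
        except ValueError:
            return peer  # malformed header: fall back to the peer address
    return peer

def decide(peer_addr, headers, now):
    """Return (action, reason). Assumption: allowlist is checked first."""
    ip = client_ip(peer_addr, headers)
    if _in_any(ip, ALLOWLIST):
        return ("allow", "allowlist")
    for net, reason, expiry in BLOCKLIST:
        # Expired rules no longer match.
        if ip in net and (expiry is None or now < expiry):
            return ("block", reason)
    return ("allow", "default")
```

With an empty trusted-proxy list, every request arriving through the CDN is evaluated as the CDN's own address, which is the failure the Trust Proxy setting avoids.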