Blog > Cyber Security / Guides / Security Plugins > Block Logins By Country In WordPress [How To Do It]

Block Logins By Country In WordPress [How To Do It]

Enhance your WordPress website’s security with our guide on how to block logins by country

| December 1, 2023 | 7 Min Read

In the world of cybersecurity, protecting your WordPress website is paramount to safeguarding sensitive information. One often-overlooked yet critical aspect of your defense is the implementation of country-based login restrictions. As the digital landscape evolves, so do the sophisticated methods employed by malicious actors seeking unauthorized access to websites. By adopting such measures, website administrators can mitigate the risks associated with unauthorized access and protect against brute force attacks. In this article, we'll explain how to block logins by country in WordPress, and why it's essential for your website's login security.

Importance of Blocking Countries from your Login Page

Implementing block by country in WordPress is crucial for keeping your login page protected from unauthorized logins.

Enhance login security

Restricting access based on geographical origin acts as an initial line of defense against potential threats. By blocking IPs by country that are known for high cybercrime activities, website administrators can reduce the risk of unauthorized access.

image by CyberProof. 2021 data.
Countries with highest number of Cyber Attacks - 2021 data by CyberProof

Mitigate the impact of brute force attacks

Brute force attacks, where attackers systematically try various username and password combinations to gain unauthorized entry, can be orchestrated from specific regions. Implementing country-based IP blocks acts as a proactive measure against such attacks, preventing malicious actors from repeatedly attempting logins. This not only strengthens the overall security, but also helps conserve server resources that would otherwise be consumed by handling malicious login attempts.

Align with regulatory requirements and compliance standards

Many data protection laws and regulations necessitate a responsible and region-specific approach to managing user data. By restricting access from certain countries, website owners can demonstrate compliance with these regulations, ensuring that user information is handled in accordance with legal requirements.

Understanding IP Geolocation

IP geolocation, the process of determining the physical location of an IP address, plays a crucial role in various applications, from targeted advertising to enhancing cybersecurity measures. In this section, we delve into the intricacies of IP geolocation, shedding light on how it works, its level of accuracy, and the inherent limitations of this technology.

How geolocation works

At the heart of IP geolocation is the meticulous process of mapping an IP address to a physical location on Earth. This involves a complex interplay of databases, algorithms, and network infrastructure. IP geolocation works by analyzing various data points associated with an IP address, such as the registration details provided by Internet Service Providers (ISPs), the routing information within the internet's infrastructure, and in some cases, leveraging Global Positioning System (GPS) data. Through triangulation and cross-referencing, geolocation databases can pinpoint the geographic coordinates of an IP address, providing valuable insights into the location of devices accessing a network or website.

Accuracy and limitations

While the concept of IP geolocation is powerful, it's essential to recognize the nuances of its accuracy and limitations. The accuracy of IP geolocation can vary based on several factors, including the type of IP address (static or dynamic), the availability of precise location data from ISPs, and the sophistication of the geolocation service used. Additionally, certain limitations, such as the use of virtual private networks (VPNs) and proxy servers, can introduce challenges to accurate geolocation. Acknowledging these nuances is crucial for informed decision-making when implementing security measures that rely on IP geolocation data.

How To Block Logins By Country In WordPress

In this segment, we'll guide you through the process of restricting logins by country utilizing the Limit Login Attempts Reloaded plugin. Regarded as the forefront in login security plugins, Limit Login Attempts Reloaded boasts an impressive user base of over 2.5 million active installations. This plugin, available in both free and premium versions, empowers you to implement country-based login restrictions in both versions. Whether you opt for the free functionalities or explore the enhanced features in the paid version, this powerful tool equips you with the capability to fortify your website's security by blocking access from specific countries.

The team at LLAR has made blocking (and allowing) specific countries very easy. The IP databases are maintained and updated frequently, and support IPV6. It only takes minutes to block countries using this feature.

Step 1: Install and activate the Limit Login Attempts Reloaded Premium Plugin on your WordPress website.

Step 2: Purchase a premium + license that includes Deny By Country.

Step 3: Go to the LLAR dashboard inside the WordPress admin dashboard. Then go to the Login Firewall tab, and scroll down to Country Access Rules.

country access rules limit login attempts.

Step 4: Decide whether to allow specific countries, or choose all the ones you want to deny.

Blocking countries using the free version (manual)

We highly recommend using the paid version to block login by country because the manual method is a very time-consuming process. You would need to add hundreds if not thousands lines of IPs to block individual suspicious IP addresses and ranges. IP ranges are dynamic, and require frequent updates to the ranges. If you still want to go ahead and implement country blocking manually, here is our step by step guide. IPV6 ranges are not supported with this method.

Step 1: Install and activate the free LLAR plugin on your WordPress website.

Step 2: Go to the LLAR dashboard inside the WordPress admin dashboard. Then go to the Logs tab, and scroll down to the Denylist field.

Step 3: Create an access control list with the IP ranges of the specific countries you want to block. You can use services, such as ip2location and countryipblocks to do this.

Step 4: Copy and paste the IP ranges into the Denylist field.

limit login attempts reloaded denylist.


Implementing country-based login restrictions is a critical defense mechanism for enhancing the security of your WordPress site. Throughout this article, we discussed why it stands as a pivotal safeguard against potential threats. Whether you opt for the free version or premium, the capability to block entire countries provides a robust layer of protection.

Frequently Asked Questions

Can I block logins by country in WordPress?

Yes, you can block logins by country in WordPress. There are several plugins and manual tools that allow you to do this. Limit Login Attempts Reloaded is the most widely used plugin to deny logins by country effortlessly. Otherwise, you will have to manually maintain a list of IP ranges by country which is time consuming and inefficient.

Will blocking IP addresses by country prevent brute force attacks?

Yes, blocking IP addresses by country will prevent brute force attacks. Countries that are known for high rates of cybercrime will no longer be a threat, and greatly reduce the amount of failed login attempts. However, it will not eliminate the problem completely and additional security measures are needed.

Which WordPress plugins block countries from logging in?

Limit Login Attempts Reloaded is the most popular WordPress plugin for blocking countries from logging into your website. You also have the ability to allow certain countries to login.

About the Author

Greg Fisher is the CMO and co-founder of Limit Login Attempts Reloaded, spearheading the company’s content and user acquisition.