How to Block IPs Attacking Your WordPress REST API

Last updated: June 2, 2026

Rate limiting slows down attacks. Blocking stops them. When a single IP is repeatedly hitting blocked endpoints, testing routes they have no business accessing, the right response is to remove their access entirely — not throttle it.

Endpoint Manager Pro 1.3 adds a full IP blocklist to the security hardening toolkit: manual blocking, auto-block rules, temporary and permanent bans, and an IP allowlist for trusted sources.

How Attacks Surface in the Security Log

Before you can block an IP, you need to see it. Endpoint Manager Pro’s security log records every request that hits a blocked endpoint: the IP address, the route that was attempted, the user agent, and the timestamp.

In practice, this log is where attacks become visible. A single IP hitting /wp/v2/users once after you’ve blocked it is noise. The same IP hitting eight different blocked endpoints across three namespaces over ten minutes is a reconnaissance pattern. The log gives you the evidence to act.

With the updated IP filter UX in 1.3, clicking any IP address in the log immediately scopes the view to that IP — all their attempts, all the routes they probed, in chronological order. An active filter badge shows the filter is applied, and a single click resets it.

Manual IP Blocking

Once you’ve identified a bad actor in the log, block them with one click directly from the logs screen. No server config, no firewall rules, no leaving the WordPress admin. The block takes effect immediately and is reflected in subsequent log entries.

Blocks can be set as temporary (configurable duration) or permanent. Temporary blocks expire automatically — useful for aggressive crawlers that may not be malicious but are generating noise. Permanent blocks stay in place until you remove them.

Blocked IPs attempting to access any REST API endpoint — blocked or not — receive a 403 Forbidden response (or whichever status code you’ve configured in Custom Error Responses). Their requests never reach the route handler.

Auto-Block: Hands-Off Protection

Manual blocking requires someone to notice the log and act on it. For continuous protection without constant monitoring, auto-block sets a threshold that triggers automatically.

Configure the rule: block any IP that hits N blocked endpoints within M minutes. When the threshold is crossed, the IP is added to the blocklist automatically — temporary or permanent, depending on your settings.

This is particularly effective against scripted enumeration attacks, where a single IP works through a list of common routes looking for exposed endpoints. The attacker hits a few blocked routes, crosses the threshold, and is locked out before they finish their scan.

IP Allowlist

Any IP-based blocking system needs an escape hatch. Auto-block rules are good at catching bad actors but can occasionally catch legitimate traffic — an office IP behind NAT, a monitoring service, a headless integration hitting an endpoint more frequently than expected.

Add any IP to the allowlist to bypass all blocklist rules entirely. Allowlisted IPs are never auto-blocked, and manual blocks can’t be applied to them. Your own infrastructure stays accessible regardless of what the auto-block rules are doing.

Custom Error Responses: Don’t Confirm What You’re Protecting

By default, blocked endpoints and blocked IPs return 403 Forbidden. That’s accurate — the resource exists, access is denied. But it also tells an attacker something useful: you have rules in place, and this route is one of them.

Endpoint Manager Pro 1.3 lets you configure the HTTP status code returned for blocked requests sitewide. The most effective alternative is 404 Not Found. From the requester’s perspective, the endpoint doesn’t exist. There’s no signal that a block is active, no confirmation that a route exists, nothing to probe further.

You can also set a custom error message alongside the status code — a generic “Not found” rather than any WordPress-flavored error text that identifies the platform.

Layered Defense

These features are designed to work together, not in isolation:

  1. Block the endpoints that have no legitimate public use (free)
  2. Rate limit the endpoints that do — slow down abuse before it becomes a problem (Pro, rate limiting)
  3. Watch the security log for IPs that probe blocked routes (Pro, security logs)
  4. Auto-block IPs that exceed your threshold — or block them manually with one click (Pro, IP blocklist)
  5. Return 404 for everything blocked so attackers can’t map your defenses (Pro, custom error responses)

Each layer reduces the information and access available to an attacker. Together, they turn the REST API from a passive data surface into an actively monitored boundary.
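Steps 3 to 5 above, modelled end to end in Python as an added example. This is not Endpoint Manager Pro's code, and it makes a few assumptions the text does not spell out: the auto-block rule counts distinct blocked routes per IP inside a sliding window (the plugin may count requests instead); the client IP arrives already resolved (behind a proxy or CDN that means trusting only the proxy's forwarded header); and the log lines, addresses, thresholds and the third-party namespaces `shop/v1` and `export/v1` are constructed for the demonstration. It shows the per-IP log filter (distinct routes and namespaces probed), the threshold firing and the temporary block lapsing, the allowlist overriding both manual and automatic blocks, and the same generic error body being returned whether a request was rejected for its IP or for the endpoint.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, FrozenSet, List, Optional, Tuple

# Constructed security-log entries: (timestamp, client IP, attempted route). The plugin
# logs only requests that hit a *blocked* endpoint, so every line here is one of those.
# Addresses are documentation ranges; shop/v1 and export/v1 are hypothetical namespaces.
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("2026-06-01T10:00:01", "203.0.113.7", "/wp/v2/users"),
    ("2026-06-01T10:00:02", "198.51.100.9", "/wp/v2/users"),      # one hit: noise
    ("2026-06-01T10:01:10", "203.0.113.7", "/wp/v2/users/1"),
    ("2026-06-01T10:02:30", "203.0.113.7", "/wp/v2/settings"),
    ("2026-06-01T10:03:45", "203.0.113.7", "/shop/v1/customers"),
    ("2026-06-01T10:04:12", "203.0.113.7", "/shop/v1/orders"),
    ("2026-06-01T10:05:00", "192.0.2.20", "/wp/v2/users"),        # allowlisted monitor
    ("2026-06-01T10:05:01", "192.0.2.20", "/wp/v2/settings"),
    ("2026-06-01T10:05:02", "192.0.2.20", "/wp/v2/plugins"),
    ("2026-06-01T10:06:20", "203.0.113.7", "/export/v1/dump"),
    ("2026-06-01T10:07:05", "203.0.113.7", "/wp/v2/plugins"),
    ("2026-06-01T10:08:40", "203.0.113.7", "/wp/v2/themes"),
]


@dataclass(frozen=True)
class Config:
    threshold_routes: int = 5               # "N blocked endpoints ..." (assumed: distinct routes)
    window_minutes: int = 10                # "... within M minutes"
    temp_block_minutes: Optional[int] = 60  # None: auto-blocks are permanent
    blocked_status: int = 404               # custom error response; the default would be 403
    blocked_message: str = "Not found"      # generic text, nothing WordPress-flavoured
    allowlist: FrozenSet[str] = frozenset({"192.0.2.20"})


@dataclass
class Blocklist:
    cfg: Config
    entries: Dict[str, Optional[datetime]] = field(default_factory=dict)  # ip -> expiry (None = permanent)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = field(default_factory=lambda: defaultdict(deque))

    def is_blocked(self, ip: str, now: datetime) -> bool:
        """Allowlisted IPs are never blocked; a lapsed temporary block is dropped lazily."""
        if ip in self.cfg.allowlist or ip not in self.entries:
            return False
        expires = self.entries[ip]
        if expires is not None and now >= expires:
            del self.entries[ip]
            return False
        return True

    def block(self, ip: str, now: datetime, permanent: bool = False) -> bool:
        """Manual or automatic block; returns False for an allowlisted IP."""
        if ip in self.cfg.allowlist:
            return False
        temp = None if permanent else self.cfg.temp_block_minutes
        self.entries[ip] = None if temp is None else now + timedelta(minutes=temp)
        return True

    def note_blocked_endpoint_hit(self, ip: str, route: str, now: datetime) -> bool:
        """Auto-block rule: N distinct blocked routes within a sliding M-minute window."""
        if ip in self.cfg.allowlist:
            return False
        hits = self.recent[ip]
        hits.append((now, route))
        cutoff = now - timedelta(minutes=self.cfg.window_minutes)
        while hits and hits[0][0] < cutoff:
            hits.popleft()
        if len({r for _, r in hits}) >= self.cfg.threshold_routes:
            hits.clear()
            return self.block(ip, now)
        return False


def handle_request(bl: Blocklist, ip: str, route: str, now: datetime,
                   endpoint_is_blocked: bool) -> Tuple[int, dict, str]:
    """Returns (status, body, reason). The IP check runs first, so a blocked IP never
    reaches a route handler, and both rejection reasons share one generic body."""
    rejection = (bl.cfg.blocked_status, {"message": bl.cfg.blocked_message})
    if bl.is_blocked(ip, now):
        return (*rejection, "ip_blocked")
    if endpoint_is_blocked:
        bl.note_blocked_endpoint_hit(ip, route, now)  # the event the security log records
        return (*rejection, "endpoint_blocked")
    return 200, {"route": route}, "allowed"


def namespace(route: str) -> str:
    """'/wp/v2/users/1' -> 'wp/v2': WordPress namespaces routes by vendor/version."""
    return "/".join(route.strip("/").split("/")[:2])


def probe_summary(log, ip: str) -> Tuple[int, int]:
    """What the per-IP log filter shows: distinct blocked routes and namespaces probed."""
    routes = {route for _, who, route in log if who == ip}
    return len(routes), len({namespace(r) for r in routes})


def replay(log, cfg: Config) -> Dict[str, dict]:
    """Feed the log through the rules in order; per IP, rejection reasons and auto-block time."""
    bl = Blocklist(cfg)
    report: Dict[str, dict] = defaultdict(lambda: {"reasons": [], "auto_blocked_at": None})
    for ts, ip, route in log:
        now = datetime.fromisoformat(ts)
        report[ip]["reasons"].append(handle_request(bl, ip, route, now, True)[2])
        if bl.is_blocked(ip, now) and report[ip]["auto_blocked_at"] is None:
            report[ip]["auto_blocked_at"] = ts
    return dict(report)


def manual_block_scenario(cfg: Config) -> Tuple[bool, str, str, bool]:
    """One-click block, the blocked IP on an unblocked route, the same after expiry,
    and an attempt to block an allowlisted IP."""
    bl = Blocklist(cfg)
    t0 = datetime.fromisoformat("2026-06-01T12:00:00")
    blocked = bl.block("203.0.113.7", t0)
    during = handle_request(bl, "203.0.113.7", "/wp/v2/posts", t0, False)[2]
    later = t0 + timedelta(minutes=(cfg.temp_block_minutes or 0) + 1)
    after = handle_request(bl, "203.0.113.7", "/wp/v2/posts", later, False)[2]
    return blocked, during, after, bl.block("192.0.2.20", t0, permanent=True)


if __name__ == "__main__":
    for ip, info in replay(SAMPLE_LOG, Config()).items():
        print(ip, probe_summary(SAMPLE_LOG, ip), info["auto_blocked_at"], info["reasons"])
    print(manual_block_scenario(Config()))
```

Running the file replays the constructed log: 203.0.113.7 shows the reconnaissance shape from the log section (eight distinct blocked routes across three namespaces in under ten minutes), is auto-blocked at its fifth distinct route, and has its remaining probes rejected by the IP check before the endpoint rule is reached; the allowlisted monitor keeps its access and can never be blocked; the single-hit address is left alone. Because `handle_request` builds one rejection body for both cases, switching `blocked_status` to 403 or back to 404 changes what every rejected request looks like without touching any rule.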

Get Started

IP blocklisting, auto-block, and custom error responses are available in Endpoint Manager Pro 1.3. Existing Pro license holders receive the update automatically via the license server.

Not on Pro yet? Start with the free version on WordPress.org — it covers endpoint blocking across all namespaces. Upgrade to Pro when you need rate limiting, IP blocklisting, and security logging.
