Last week, we wrote about one feature of the Wordfence Security plugin that doesn’t actually provide the protection that Wordfence has been able to convince people otherwise. Another feature that was brought up to us by the same person asking about the other feature was country blocking. That blocks requests based on the IP addresses of the request seemingly coming from a certain country. Interestingly, Wordfence’s own documentation for that feature can’t even muster an explanation for how that is supposed to protect websites. That isn’t surprising if you look at real world attacker activity.

What looked to be one recent attack on our own website involved a hacker trying to log in to our website seven times. They used a different IP address each time. Here are the locations of the IP addresses:

• Spain
• France
• United States
• United States
• Vietnam
• Nepal
• Singapore

A lot of the IP addresses clearly belonged to web hosting providers. That could be explained by the requests coming from websites that have already been hacked.

A hacker using numerous IP addresses is very common both with hacking attempts and also for requests after a website has been hacked.

While blocking countries could stop some attack attempts, it won’t stop others.

Country blocking might make sense for other purposes, but from a security perspective, having better protection against threats, no matter the IP address, makes more sense. When it comes to that, Wordfence Security provides significantly less protection than better free and paid options.

---

Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025

See issues causing the plugin to get less than A+ grade