
Worst IPs: 2016 Edition

A little late this year, but following tradition here is my list of the absolute worst IP addresses from 2016. All in nice numerical order for easy crunching. These IPs are associated with all sorts of malicious activity, including exploit scanning, email harvesting, brute-force login attacks, referrer spam, and everything in between. Really obnoxious stuff that degrades your site’s performance and potentially threatens security.

Word to the wise..

Blocking by IP address is not recommended unless you know what you are doing. I have explained numerous times the reasoning behind this, so I won’t waste our collective time repeating it all here. If you are new to the game, you can visit those links to learn more about when, where, and why to block IP addresses.

How I collect this information

Securing sites is a big part of what I do professionally. I’ve been researching web security for over 10 years. This ongoing research provides an abundance of useful data, including IP information associated with malicious requests. I use this data when writing tutorials and books, and when developing WordPress plugins. This article provides a snapshot of this research: a list of the top worst IPs of the previous year.

Please also read the notes following the next section.

The worst IP addresses from 2016

So without further ado, here is my collected list of really nasty IPs from last year:


The lists provided here at Perishable Press are for informational purposes only. I am not responsible for anything that happens once the code leaves this site. That said, this 2016 Bad-IP List is entirely open source and you can republish or use however you want for any purpose. Credit links and shouts out are appreciated, but not required.


It is important to understand that just because an IP address is associated with bad activity, it doesn’t imply that the owner or primary user of the IP has done anything wrong. In many cases, bad actors use hacked machines and devices to scan sites remotely, so the victim’s IP is associated with the activity instead of the perpetrator’s actual address.

So if you find a familiar IP on this list, don’t panic; but do investigate your machine (site, server, local device, whatever) for any security breaches. Chances are high that the machine using the IP is compromised. If this sounds like you, let me know and I’ll do my best to help out however possible.

(Dis)Honorable mention

Out of all the hundreds of bad IPs I encountered in 2016, there is a handful of especially horrible IPs that are absolutely worth blocking on any site:


Whoever/whatever is behind these four IPs are real scumbags, making endless requests for the stupidest resources imaginable in the entire history of exploit scanning. Who knows how much memory and bandwidth these idiots cumulatively have wasted in their vain pursuit of pointless vulnerabilities. Seriously, learn how to log your scans to avoid wasting everyone’s time and resources, including your own.

So to protect your site against these four losers (or maybe the same loser, I have no idea), convert the previous list of IPs into the following .htaccess snippet:

# block worst ips
	Order Allow,Deny
	Allow from All
	Deny from
	Deny from
	Deny from
	Deny from

Then add to your site’s .htaccess file, upload, and done. Moving on with my life..

How to block by IP address

If and when you need to block someone or something based on their IP address, .htaccess can do the job quite nicely. Here is an example:

# block some IPs
	Order Allow,Deny
	Allow from All
	Deny from
	Deny from 111.222.333.44
	Deny from 555.444.333.22

So to implement, you would paste that code into your site’s root .htaccess file. Then you would replace each of the three example IP addresses with real ones. Or remove whatever is not needed if you only want to block one or two. Or you can add more IPs by replicating the pattern, etc.

To add massive numbers of IPs to the list, you can use any good code/text editor and simply prepend “Deny from ” to each line in your list of bad IPs. Automation really is the only way to go for this sort of work; check out the useful online tools linked up in the next section.
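
The prepend-and-sort step described above, as an added example (not code from the original post): a Python script that validates, de-duplicates and numerically sorts a list of IPs, merges neighbours into CIDR blocks (a step beyond what the post describes), and builds the block in both the Order/Deny form used here and Apache 2.4's Require form. The sample addresses are constructed from documentation ranges, and the function names are illustrative.

```python
import ipaddress

# Constructed sample list (RFC 5737 documentation ranges) with a duplicate,
# a comment, and the page's deliberately invalid example 111.222.333.44.
SAMPLE = """\
203.0.113.7
198.51.100.23
# seen in auth logs
203.0.113.7
111.222.333.44
198.51.100.22
192.0.2.10
"""

def parse_ips(text):
    """Return (unique valid IPv4 addresses in numerical order, rejected lines)."""
    good, bad = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            good.add(ipaddress.IPv4Address(line))
        except ValueError:
            bad.append(line)  # never emit a directive for a malformed entry
    return sorted(good), bad

def collapse(addrs):
    """Merge adjacent addresses into CIDR blocks so fewer directives are needed."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(str(a)) for a in addrs)
    return [str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets]

def htaccess_22(entries):
    """Order/Allow/Deny form shown on this page (Apache 2.2; mod_access_compat on 2.4)."""
    head = ["# block bad IPs", "Order Allow,Deny", "Allow from All"]
    return "\n".join(head + [f"Deny from {e}" for e in entries])

def htaccess_24(entries):
    """Equivalent using Apache 2.4's native Require directives."""
    body = [f"\tRequire not ip {e}" for e in entries]
    return "\n".join(["# block bad IPs", "<RequireAll>", "\tRequire all granted"]
                     + body + ["</RequireAll>"])

if __name__ == "__main__":
    addrs, rejected = parse_ips(SAMPLE)
    entries = collapse(addrs)
    print(htaccess_22(entries), htaccess_24(entries), sep="\n\n")
    print("\nrejected:", rejected)
```

Review the rejected list before deploying: a malformed line usually means the source list was damaged in copying, and the entry it was meant to block is not covered.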

Essential Tools

By the way, here are some essential online tools for sorting massive lists of IP addresses:

Completely awesome that these time-saving tools are available for free online :)

About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

2 responses to “Worst IPs: 2016 Edition”

  1. Glad to see all the new posts, Jeff! Although I use CloudFlare to (hopefully) block some of the “bad traffic” out there on the net, I’ve also been refining my .htaccess for maximum security and spam request reduction. Do you feel like there’s a point where listing TOO many IPs in a site’s root .htaccess will affect performance? I’d imagine it takes the web server some time to cross check that list on every page load.

    Just wanted to know your thoughts. :-)

    • Jeff Starr 2017/04/12 8:34 am

      Great question, but keep in mind that Apache is just checking the IP headers; it’s not “cross-checking” or anything like that. So blocking by IP is just as fast as any other technique, but you’re correct in thinking that too many directives can have an impact on performance. My own strategy is always to keep the content of .htaccess down to an absolute minimum.

Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »