See How Much Ad Spend You’re Losing to Invalid Traffic

Run our IVT Calculator, backed by 10,000 advertisers, to uncover wasted spend.

How to Exclude IP Addresses in Google Ads

Share with your network:
exclude ip address in google ads
Competitors, bots and click farms drain Google Ads budgets by clicking ads that will never convert. The fastest manual fix is to add the offending IP addresses to your exclusion list, but Google caps you at 500 IPs per campaign and that list goes stale quickly. This blog covers how to exclude IPs at account and campaign level, how to work around the 500-IP limit, and when to switch to automated, real-time protection that maintains the list for you.

Competitors clicking your ads, bot traffic and click farms are three of the most common ways click fraud quietly drains a Google Ads budget. Blocking that traffic protects your spend and pushes more of your budget towards people who might convert. The simplest manual lever is the IP exclusion list, which stops chosen IP addresses from seeing your ads. It works, but it has limits worth understanding before you rely on it.

Action Why it matters
Exclude IPs at account or campaign level Stops known bad actors from seeing your ads and burning budget
Remove and rotate IPs regularly IPs are rarely fixed to one user, so stale entries block real customers
Work around the 500-IP cap Segmentation and geo-blocking extend coverage beyond the hard limit
Automate exclusion management Real-time updates close the gap manual lists leave open

What Are IP Exclusions in Google Ads?

IP exclusions let you name specific IP addresses that should not see your ads. Google allows up to 500 IP addresses per campaign, entered either individually or as blocks of addresses using an asterisk to wildcard the final part of the address. You can apply exclusions at account level, which covers every campaign, or at campaign level for more granular control.

One important caveat: campaign-level IP exclusions are not available for Performance Max, video, app, hotel or smart display campaigns. If a growing share of your spend sits in Performance Max, the manual IP exclusion list simply does not reach it, which is one reason advertisers eventually outgrow the manual approach.

How to Manually Exclude IP Addresses in Google Ads

Google makes it straightforward to apply IP exclusions at both account and campaign level.

Account level

This excludes the listed IP addresses from every campaign in your account.

  1. Log in to your Google Ads account and navigate to Settings.
  2. Click Account settings and find the IP exclusions section.
  3. Enter the IP addresses you want to block from seeing your ads, then click Save.

Campaign level

This gives you the flexibility to block invalid traffic on an individual campaign.

  1. Log in to your Google Ads account and click the Campaigns icon.
  2. Select the campaign you want to exclude IP addresses from.
  3. Click the settings icon, then on the settings page click Additional settings.
  4. Expand the IP exclusions section.
  5. Enter the IP addresses you want to exclude from the campaign and click Save.

To block a range rather than single addresses, replace the final part of the IP with an asterisk. This is useful when fraudulent clicks cluster within one network, but use it carefully, since broad ranges can catch genuine customers who share that block.

How to Remove IP Addresses From the Exclusion List

Removing IPs matters as much as adding them. IP addresses are rarely fixed to a single user, so an exclusion that stops a bad actor today may block a real customer next month. Apply each exclusion only for as long as it is needed, then review it.

There is a practical reason too. With Google’s 500-IP cap per campaign, you will eventually need to remove older entries to make room for new threats. To remove an exclusion, follow the same account or campaign steps above, delete the addresses you no longer want to block, and click Save.

Which IP Addresses Should You Exclude?

This is where manual exclusion gets difficult. Without a dedicated tool, it is hard to know which IP addresses are actually sources of invalid traffic, and neither Google Ads nor Google Analytics gives you that visibility.

The first step is to set up a way of seeing the IP addresses behind your ad engagement, either through a third-party tool or by checking your web server logs. For a full walkthrough of identifying which addresses are worth blocking, see our blog on finding the IP addresses worth excluding. The goal is to base exclusions on evidence of invalid traffic rather than guesswork, so you block the sources doing real damage and leave genuine customers untouched.

Working Around the 500-IP Exclusion Limit

The 500-IP cap is the constraint advertisers run into most. In a campaign under sustained or targeted click fraud, 500 slots fill fast, and once the list is full every new bad IP either pushes out an older one or goes unblocked. The cap is not a dead end, but it does demand a more strategic approach.

It helps to understand why the limit exists. Google’s own automated systems filter a large share of invalid clicks before they reach you, so it treats the IP exclusion list as a supplementary control rather than the primary defence. The 500 cap also keeps exclusion lists from placing excessive strain on Google’s infrastructure across millions of advertisers. The practical effect is the same: you have to be selective about which 500 addresses earn a place.

The stakes are real. TrafficGuard data shows 44% of tier-1 sports betting operators’ ad spend is lost to invalid traffic, and the same fraud patterns hit high-value Search campaigns across every vertical. When that much budget is exposed, 500 static entries are not enough. These tactics stretch your coverage further:

  1. Segment campaigns to multiply your coverage. Each campaign gets its own 500-IP allowance, so splitting a campaign by region, audience or objective effectively raises your total ceiling. Segment around where fraud actually concentrates, not arbitrarily.
  2. Exclude high-risk regions, not just individual IPs. Some geographies are persistent fraud hotspots. Blocking them at the campaign level, or applying geo controls, removes large volumes of invalid traffic without spending a single one of your 500 IP slots.
  3. Clear out low-value IPs to free slots. Not every flagged address is worth a permanent block. Addresses that generate no engagement or conversions can be removed to make room for the IPs causing measurable damage.
  4. Rotate exclusions as fraud shifts. Static lists go stale because fraud patterns move. Reviewing and refreshing your exclusions on a regular cadence keeps the 500 slots working on current threats rather than last quarter’s.
  5. Adjust bids in high-risk segments. Lowering bids where invalid traffic concentrates, while investing more in proven segments, reduces your exposure even before an IP is added to the list.

These tactics buy you headroom, but they all share the same weakness: they depend on someone spotting the threat and acting on it manually. That is the gap automation closes.

The Limitations of Manual IP Exclusion

Manual IP exclusion gives your Google Ads budget a basic layer of protection, but it has structural limits.

  • Timing. If you review traffic quality daily or weekly, you are almost certainly paying for invalid clicks in between checks.
  • Labour. Maintaining blacklists across every campaign is tedious work that pulls you away from higher-value tasks.
  • List size. The 500-IP cap forces constant pruning to keep the most dangerous addresses in the list at any given time.

Each of these gaps is widest at exactly the moment you can least afford it, when a coordinated attack drives a sudden spike in fraudulent clicks faster than a person can react.

How Automated IP Exclusion Works

Rather than relying on you to spot bad IPs and update the list, automated protection identifies and blocks fraudulent addresses in real time. TrafficGuard’s machine learning draws on data from billions of advertising engagements every day, processing more than 3 trillion data points monthly to determine which IPs to block, and which to release, without catching genuine traffic in the crossfire.

The difference shows up in three ways. Protection is real-time, so exclusions are applied the moment a threat is identified rather than weeks later. Prevention is reliable, because decisions are driven by data at a scale no manual review can match. And it removes the maintenance burden entirely, including the constant rotation the 500-IP limit demands. It also extends to campaign types where manual IP exclusion is not even available, so your Performance Max spend is not left unprotected.

What to Do Before You Commit to Anything

You can start tightening your defences today, even before adopting a tool. Get visibility on your traffic quality first, either through server logs or a free traffic audit, so any exclusions you add are evidence-based. Segment your most valuable campaigns now so each one carries its own 500-IP allowance. Set a recurring date to review and rotate exclusions so the list never goes stale. And quantify what is actually at stake by running the TrafficGuard IVT Calculator to see how much of your spend is exposed to invalid traffic.

The Bottom Line

Excluding IP addresses in Google Ads is a sound first move against click fraud, but the 500-IP cap, the maintenance burden and the lag between checks mean manual lists only ever deliver partial protection. Segmentation, geo-blocking and disciplined rotation extend your coverage, and real-time automation closes the gap for good. To protect every click across your Search campaigns without managing a list by hand, explore TrafficGuard’s real-time protection for Google Search or set up a free account in minutes.

Frequently Asked Questions

How many IP addresses can you exclude in Google Ads?

Google Ads lets you exclude up to 500 IP addresses per campaign. You can add them individually or as blocks using an asterisk to wildcard the final octet, and you can apply them at account level (across all campaigns) or campaign level. Because the 500-IP cap is per campaign, advertisers running large or fraud-heavy accounts quickly hit the ceiling, which is why many move to automated exclusion management with a tool like TrafficGuard.

Why does Google Ads cap IP exclusions at 500 per campaign?

Google caps the list at 500 because it treats IP exclusions as a supplementary control, not the primary defence, since its own systems already filter many invalid clicks. The limit also protects Google's infrastructure across millions of advertisers. The practical effect is that you must be selective about which 500 addresses earn a slot, and rotate them as fraud patterns shift.

How do I exclude a range or block of IP addresses in Google Ads?

Replace the final part of the IP address with an asterisk to block a whole range in a single entry, for example 203.0.113.*. This is efficient when fraudulent clicks come from one network, but use it carefully, because a broad range can also block genuine customers who share that block. Evidence-based blocking, informed by traffic-quality data, avoids cutting off real buyers.

What is the difference between account-level and campaign-level IP exclusions?

Account-level exclusions apply to every campaign in your account, which suits known internal IPs or persistent offenders, while campaign-level exclusions apply to one campaign and carry their own 500-IP allowance. Splitting spend across campaigns therefore multiplies your total exclusion coverage, a common workaround for the 500-IP limit.

Can you exclude IP addresses in Performance Max campaigns?

No. Campaign-level IP exclusions are not available for Performance Max, video, app, hotel or smart display campaigns. If a growing share of your budget sits in Performance Max, the manual exclusion list cannot protect it at all, so automated, real-time fraud prevention such as TrafficGuard is the only way to defend that spend.

How often should I update my Google Ads IP exclusion list?

You should review it on a regular cadence rather than setting it once, because IP addresses are rarely tied to one user and fraud sources move constantly. A stale list both misses new threats and risks blocking real customers on recycled addresses. TrafficGuard removes this burden by rotating thousands of IP exclusions automatically based on live threat analysis.

Will excluding IP addresses accidentally block real customers?

Yes, it can. Because IP addresses are often dynamic and shared, an address linked to fraud today may belong to a genuine customer next month, especially when you exclude broad ranges. This is why exclusions should be evidence-based, time-limited and reviewed often, and why behavioural detection that distinguishes bots from real users is more reliable than a static blocklist.

Is manually excluding IP addresses enough to stop click fraud, or do I need a tool?

Manual IP exclusion gives basic protection but is rarely enough on its own, because of the 500-IP cap, the lag between manual reviews, and gaps like Performance Max. TrafficGuard analyses more than 3 trillion data points monthly from billions of ad engagements to block invalid traffic in real time, which matters when TrafficGuard data shows up to 44% of tier-1 sports betting operators' ad spend is lost to invalid traffic.

Get started - it's free

You can set up a TrafficGuard account in minutes, so we’ll be protecting your campaigns before you can say ‘sky-high ROI’.

Share with your network:
Written By
TrafficGuard
At TrafficGuard, we’re committed to providing full visibility, real-time protection, and control over every click before it costs you. Our team of experts leads the way in ad fraud prevention, offering in-depth insights and innovative solutions to ensure your advertising spend delivers genuine value. We’re dedicated to helping you optimise ad performance, safeguard your ROI, and navigate the complexities of the digital advertising landscape.
Our Resources

Explore More Blogs

Subscribe

Subscribe now to get all the latest news and insights on digital advertising, machine learning and ad fraud.