How to block a country's IP ranges in htaccess
The .htaccess file is a hidden text file within your hosting account that can be very powerful. It is designed so that you can modify it to change the behavior of your website that normally would take higher access beyond your account. It acts as a liason between your domain and the server and can perform many functions.
The cpanel has an IP blocking mechanism to help you secure your site from individuals who you deem suspicious or malicious. This works fine for a single IP or even a handful. It is not advisable however, if you want to block an entire country.
Many people want to block certain countries for different reasons. Some coutnries are more notorious for having hackers or spammers. Other people want to block a country simply because they do not do business with them. In any case, you can set the code within the htaccss file to block the IP ranges of certain countries. Follow the instructions below to perform this task.
Blocking a country from accessing your site via htaccess
- First you will need to collect the data. You want to find a reliable list of IPs for the country you want to block. Doing a search, we find that you can get your deny list generated at IP2Location's free visitor-blocker generator. Using this tool will let you download a text file with the code needed to block a country. In our example, we randomly chose Algeria. The output format we chose is the Apache .htaccess deny. Follow the steps to download your file.
- Open your file in the text editor of your choice and highlight and copy the information in the file.
- Next, we will need to log into your cPanel to access the htaccess file.
- Find the Files category and click on the File Manager icon.
- A popup box will appear. For the primary domain, click on the Web Root radio button. For addon domains, click on the dropdown and find your desired addon domain name. Be sure the checkbox next to Show Hidden Files is checked. Click the Go button to enter the File Manager.
- You should now be in the root folder of the domain you chose. Look for the .htaccess file and right click on it. This brings up a menu. Find and click on the Edit option. If you get a popup box, simply find and click the Edit button in the lower right corner to continue to the editor.
- You are now in the htaccess editor. Paste your code into your htaccess so that it forces the visitor to download that type of file.The code should be formatted similar to that below but be much longer. Some countries like China and the US can have thousands of lines in their block code
<Limit GET HEAD POST>
deny from 188.8.131.52/23
deny from 184.108.40.206/32
deny from 220.127.116.11/32
allow from all
- Be sure to hit the Save Changes button in the upper right corner to save your new htaccess configuration. Now any IP from those ranges are now denied access to your site.
We value your feedback!
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
new! - Enter your name and email address above and we will post your feedback in the comments on this page!
2014-03-01 12:17 pm
I am new to this but I think I understand. I have been entering the IP's one by one into the Domain Deny Manager so when I looked a the htaccess file I could see my list. This has been alot of work. Should I delete these and start fresh, or just add the list of IP's to this list which I generated to the ones alreay there.
Before I do this the pop up box advises I sould back up my existing file first. Where should I do this? Should I make a new file on the left side of the screen called BackUp and put the original in there?
Thanks for the help.
2014-03-03 10:43 am
It is always a good idea to back up your files before making any changes. The easiest way to do so would be to copy the file as a different file name such as .htaccess.old.
2014-05-14 3:48 pm
I would like to block all countries except for the US with IP deny in htaccess. Is this file size going to impact my alotted bandwidth and will it impact the wp load times? The file would be huge.
Another approach - Is it worth considering using IP allow for just the U.S. and deny all for anyone else, or may there be a down side to this approach?
2014-05-14 4:26 pm
Hello DS, and thanks for your comment.
Adding a very large list of IP addresses to your .htaccess file can cause overhead on your site's loading time, and it's usually advisable to have a narrow blocking ruleset to start off with.
Same thing for denying all traffic and then only allowing US traffic in. For example the US IP ranges downloaded from IP2Location Block Visitors by Country is about 4.4MB in size and is 167,985 line long.
Every time a request comes into your site the .htaccess rules need to be processed. So keep in mind that a normal good visitor could have to sit and wait while the server is checking to make sure they aren't blocked.
In my experience many times you aren't going to get a lot of bad traffic from a wide array of IPs within a country and need to cast such a large net. Your particular site will probably be hit by a few IP ranges here and there but you might be missing out on some legit traffic from a country you wouldn't expect it.
I'd recommend you use AWStats to review website stats for hosts, see which IP ranges are actually sending decent amounts of traffic to your website and then block users from your website using some .htaccess rules. You can even block by User-Agent or referer with just a few lines of code, and I've found this can sometime be more effective than blocking by IP address alone because if someone is attacking you they can just go through an IP address proxy, but attackers sometimes will keep the same User-Agent even while spoofing their IP address.
Please let us know if you were having any issues with current bad traffic on your website and we'd be glad to take a look. Also let us know if you had any further questions at all!
2014-05-14 6:09 pm
How do I track down the user agents of these offending IPs? I could not find that information in the AWstats. I use a plugin that lists IPs receiving 404 after attempting to login to WP. But I am not finding user agent info.
2014-05-14 6:58 pm
Hello again DS,
You can use the steps from my guide on how to identify and block bad robots from a website if you are on a VPS or dedicated server.
If you have a shared hosting account, I'd recommend you create a PHP script that can run the commands for you to go through and parse User-Agents from archived raw access logs which is much easier to do then simply accessing your raw access logs and having to download them off the server for manual review.
An example PHP script that would look for all the User-Agent strings from the domain example.com for May, which already had cPanel raw access log archiving enabled would look like this:
Please let us know if you had any other questions at all!
2014-06-03 5:33 pm
hi, what does the number after the slash mean?
for example in this case "32"
deny from 18.104.22.168/32
2014-06-03 5:52 pm
The 32 is part of what is called CIDR notation(Classless Inter-Domain Routing). This is used to represent a range of IP addresses. This means that the first 32 bits of the IP address given are considered significant for the network routing. Click on the link I've provided for a more in-depth tutorial about CIDR notation.
If you have any further questions, please let us know.