If you're using shared website hosting, or just want a quick and easy way to block an IP address from accessing your website, and you're running an Apache web server, you're in luck. It's quick and easy to block an IP using a .htaccess file, which is normally found in your root web folder. Depending on your setup, that folder will be named public_html or httpdocs.
Apache changed how access is granted and denied in version 2.4. If you're running 2.4 or higher, the older method (Order, Allow and Deny rather than Require) is deprecated and only works while the mod_access_compat module is loaded, so you should use the Apache 2.4 and above method listed below instead. If you're running anything below version 2.4, add the following to your .htaccess file.
Prior to Apache 2.4
Order Allow,Deny
Deny from 123.456.789
Allow from all
Apache 2.4 and above
<RequireAll>
Require all granted
Require not ip 123.456.789
</RequireAll>
Where the IP is the address you want to block, in this case the placeholder 123.456.789 (not a valid address; replace it with the real one).
Save your htaccess file and upload it to the root folder of your website, and you're done. No matter what resource the blocked IP tries to access, it'll be shown a 403 Forbidden HTTP status.
You can also add more than one IP address at once, so if you have a batch of IPs you can add them all under one block within your htaccess file.
If you have the luxury of a firewall, or more accurately actually have access to one, whether that's iptables, Plesk's built-in firewall or an enterprise Cisco firewall, you should block the IP there instead of in htaccess. Both IPv4 and IPv6 addresses can be used there, as well as partial IP addresses and ranges in CIDR notation.
How to block multiple IP addresses
If you want to block more than one IP address using htaccess you can do so easily, again depending on your Apache version. In version 2.4 and above, the Require directive is provided by the mod_authz_core module, so that module must be enabled in your Apache configuration for it to work.
# Prior to Apache 2.4
Deny from 123.456.789
Deny from 321.654.987
# Apache 2.4 and above
# A negated Require can only deny, never grant, so it must sit inside <RequireAll> next to a granting rule; on its own it would deny every client
<RequireAll>
Require all granted
Require not ip 123.456.789
Require not ip 321.654.987
</RequireAll>
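As an added example (not code from the original article), a small Python script that validates a batch of addresses and ranges before they go into the file and renders the matching block for either Apache version; the function names and the documentation-range addresses in the sample blocklist are my own choices.

```python
import ipaddress

def normalise_rule(value):
    """Return the canonical form of one address or CIDR range for 'Require ip' / 'Deny from'.

    Raises ValueError for anything that is not a valid IPv4/IPv6 address or network, which
    catches placeholders such as 123.456.789 before Apache rejects them as a configuration
    error. Partial addresses (Apache accepts e.g. 10.1) are not accepted here; write them as
    CIDR instead (10.1.0.0/16).
    """
    net = ipaddress.ip_network(value, strict=False)  # strict=False masks stray host bits in a range
    if net.num_addresses == 1:                       # a /32 or /128 is just one host
        return str(net.network_address)
    return str(net)

def is_valid_rule(value):
    """True if normalise_rule() would accept the value."""
    try:
        normalise_rule(value)
        return True
    except ValueError:
        return False

def htaccess_block(entries, apache24=True):
    """Render deny rules for a list of addresses in the syntax for the given Apache version."""
    rules = [normalise_rule(e) for e in entries]
    if apache24:
        # A negated Require only denies, never grants, so it belongs inside <RequireAll>
        # next to a granting rule; on its own it would deny every client.
        lines = ["<RequireAll>", "Require all granted"]
        lines += [f"Require not ip {r}" for r in rules]
        lines.append("</RequireAll>")
    else:
        # With Order Allow,Deny the Deny lines win over Allow, so listed clients get a 403
        lines = ["Order Allow,Deny"]
        lines += [f"Deny from {r}" for r in rules]
        lines.append("Allow from all")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed blocklist made of documentation addresses: two hosts, a /24 and an IPv6 range
    blocklist = ["203.0.113.7", "198.51.100.5/24", "192.0.2.99", "2001:db8::/32"]
    print(htaccess_block(blocklist))
    print(htaccess_block(blocklist, apache24=False))
```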
How to block an IP address from accessing a particular file
Instead of blocking an IP address from accessing your whole website, you can block it from accessing a single file. All you need to do is wrap the blocking statements in Files tags, with the file you want to protect named in the opening tag. The file is relative to your htaccess location, so if the file is in a subfolder below your htaccess you should include the folder too. That's because the htaccess file must be placed in the directory you want to protect, or in the root as in this example.
# Prior to Apache 2.4
<Files "myfolder/secret-file.ext">
Order Allow,Deny
Deny from 123.456.789
Allow from all
</Files>
# Apache 2.4 and above
<Files "myfolder/secret-file.ext">
<RequireAll>
Require all granted
Require not ip 123.456.789
</RequireAll>
</Files>
How to block an IP address from certain folders
This method of blocking is very common in the industry, particularly if you have sensitive folders that you don't want accessible online. Most commonly you'd block everyone apart from your own IP; that could be because you're building a dev website before production and need access to it, but don't want others to see it just yet even though it's online.
# Prior to Apache 2.4
# <Directory> is only valid in the main server or virtual host configuration, not in .htaccess;
# to do this from .htaccess, put the inner rules (without the Directory wrapper) in a .htaccess inside the folder
<Directory "/var/www/secret-folder">
Order Allow,Deny
Deny from 123.456.789
Allow from all
</Directory>
# Apache 2.4 and above
<Directory "/var/www/secret-folder">
<RequireAll>
Require all granted
Require not ip 123.456.789
</RequireAll>
</Directory>
How to block an IP address for certain HTTP request methods
A less common use of IP blocking is restricting a client by the HTTP request method it uses. This could be useful if, for example, you have a page that never needs the user to post data to it, such as a static page. In that case, blocking POST requests to your website from the IP 123.456.789 would look like the two examples below.
# Prior to Apache 2.4
# Blocks POST from IP address 123.456.789; methods not listed in <Limit> are unaffected
<Limit POST>
Order Allow,Deny
Allow from all
Deny from 123.456.789
</Limit>
# Apache 2.4 and above
# Blocks POST from IP address 123.456.789; methods not listed in <Limit> are unaffected
<Limit POST>
<RequireAll>
Require all granted
Require not ip 123.456.789
</RequireAll>
</Limit>
List of different HTTP request methods
There are many different HTTP request methods. Below are the current valid ones you'll see in your access logs. Many of them you will not see very much, if at all. GET, HEAD and POST are the most common, with PATCH, PUT and DELETE normally used in API calls. It's generally not necessary to block access to the uncommon HTTP verbs, but it is particularly useful if you're building an API service for your application to be used by others. You'll likely notice that your logs mainly contain GET and POST requests. A GET request is someone requesting a resource from your server, such as an image, whilst a POST is someone sending data to your server. GET requests are generally considered safer than POST requests, where a POST could be, for example, someone attempting to SQL inject your web application. Either way, using a WAF (web application firewall) can be a good way to block unwanted traffic, especially bots, from abusing your website.
# Common HTTP request verbs
GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH
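Added example, not part of the original article, tying the 403 check from the first section to the access log discussion here: a Python parser for Apache's combined log format that tallies request methods per client, lists clients using verbs outside GET/HEAD/POST, and confirms a blocked address is only ever answered 403. The log lines are constructed and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat: client identd user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
COMMON_METHODS = {"GET", "HEAD", "POST"}

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def methods_by_client(lines):
    """Count request methods per client IP, skipping lines that do not parse."""
    tally = defaultdict(Counter)
    for rec in map(parse_line, lines):
        if rec:
            tally[rec["ip"]][rec["method"]] += 1
    return tally

def uncommon_method_clients(lines):
    """Clients that used a verb outside GET/HEAD/POST, worth reviewing before writing a <Limit> block."""
    return sorted(ip for ip, c in methods_by_client(lines).items() if set(c) - COMMON_METHODS)

def blocked_everywhere(lines, ip):
    """True if every logged request from ip was answered 403, i.e. the htaccess block took effect."""
    statuses = [r["status"] for r in map(parse_line, lines) if r and r["ip"] == ip]
    return bool(statuses) and all(s == 403 for s in statuses)
# Constructed sample log using documentation addresses, not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /login HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:02:11 +0000] "GET /logo.png HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2024:10:03:00 +0000] "TRACE / HTTP/1.1" 405 0 "-" "-"',
    'this line is not a log entry',
]

if __name__ == "__main__":
    print(dict(methods_by_client(SAMPLE_LOG)))
    print(uncommon_method_clients(SAMPLE_LOG), blocked_everywhere(SAMPLE_LOG, "203.0.113.7"))
```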
Conclusion
Using htaccess is a great way to block unwanted users from accessing your website: it's quick and easy to do and can be modified at any time.
- Remember to check which Apache version you're running before copying the examples in
- You can add as many IPs as you wish
- For added protection, install a WAF to block unwanted traffic from your website