Cantech Knowledge Base

Your Go-To Hosting Resource

  1. cPanel
  2. Steps to block IP address with .htaccess

Steps to block IP address with .htaccess

Whether you have spammy bots giving your site a beating, malicious attacks happening, or you just want to stop certain visitors from accessing your site, blocking IPs with .htaccess is the easiest and best way to do it. In this guide, we will show you how to block IPs with .htaccess in strong language, perfect examples and simple actions. Let’s jump in!

A .htaccess file is a configuration file on the web server running the Apache Web Server software. It allows for configuration changes per-directory without editing the main configuration file. Whether you want to make a redirect or implement some security measures, .htaccess makes managing your own site so easy from the root directory, or any subdirectory.

One of the most potent uses? Blocking IP addresses.

Why Block an IP Address?

There are several reasons you might want to block an IP address:

  • Repeated malicious attempts to access your site
  • Spam comments or fake form submissions
  • Brute-force attacks on login pages
  • Country-based restrictions
  • Reducing server load from unwanted traffic

Whatever the reason, .htaccess gives you a direct way to deal with it.

How to Block a Single IP Address

To block a specific IP, open your .htaccess file (usually located in your website’s root folder) and add:

Order Allow,Deny
Deny from 123.456.789.123
Allow from all

Or, for Apache 2.4+:

<RequireAll>
Require all granted
Require not ip 123.456.789.123
</RequireAll>

Replace 123.456.789.123 with the actual IP you want to block.

Save the file, and you’re done!

How to Block Multiple IP Addresses

Got a few troublemakers? Just stack up the Deny from lines:

Order Allow,Deny
Deny from 123.456.789.123
Deny from 234.567.890.234
Deny from 111.222.333.444
Allow from all

Or, using Apache 2.4 syntax:

<RequireAll>
    Require all granted
    Require not ip 123.456.789.123
    Require not ip 234.567.890.234
    Require not ip 111.222.333.444
</RequireAll>

This will keep multiple IPs out of your website.

How to Block a Range of IP Addresses

To block a subnet or IP range, use this format:

Order Allow,Deny
Deny from 192.168.1.
Allow from all

It blocks every IP that starts with 192.168.1.*
Or, use CIDR notation for precision:

<RequireAll>
    Require all granted
    Require not ip 192.168.1.0/24
</RequireAll>

Be cautious—blocking a range can unintentionally restrict legitimate users.

How to Allow Specific IPs and Block the Rest

If you want to go the other way around and only allow a few specific IPs, try this:

Order Deny,Allow
Deny from all
Allow from 123.456.789.123
Allow from 234.567.890.234

This denies everyone except the IPs you listed. Useful for development or internal tools.

Block Access to WordPress Login Page by IP

Disabling unwanted access to wp-login.php for WordPress users can help lessen brute-force attacks on your site.

<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 123.456.789.123
</Files>

Only your IP will be allowed to reach the login screen.

Important Tips Before You Start

  • Backup First: Always back up your .htaccess file before editing. A small mistake can take down your site.
  • Know Your Server Version: Apache 2.4+ uses Require directives, while older versions use Order and Deny.
  • Be Careful With IP Ranges: Blocking an entire subnet can affect more people than intended.
  • Dynamic IPs: Remember that some users (or even you) may have to change IPs.
  • Test Everything: After changes, test your site in incognito/private mode or from a different IP to confirm everything works.

Conclusion

Blocking IPs with .htaccess is a quick and easy way to help improve your site’s security and performance. Whether you’re stopping bots, a brute-force attack, or blocking unauthorized access to pages, you have the strategy.

And the best part? No plugins or fancy tools are required—just a simple, powerful config file.

Do you have any questions or are you stuck while editing your .htaccess? Reach out to us — we’re here to help!

Frequently Asked Questions (FAQs)

Where is the .htaccess file located?
It is usually located in the root directory of your website (often public_html/). If you don’t see it make sure your file manager or FTP client shows hidden files.

What happens if I block my IP by mistake?
If you block your IP, you could lose access to your website. That is why you should never make any changes without a backup of your .htaccess file. You could also use your hosting control panel or FTP to access the server and fix the file.

Can I block users by country using .htaccess?
Not directly. You’d need to use IP ranges associated with that country or rely on a firewall or third-party service to block entire countries.

Will blocking an IP affect SEO or Googlebot?
Blocking search engine crawlers (such as Googlebot) is not great for SEO if you do so by accident. If you are blocking an IP, you should double-check before acting, especially with known ranges of crawlers IP.

Is this method safe for live websites?
Yes, but only if done carefully. If possible, always back up your .htaccess file and test changes on a staging site.

What if I am working on Nginx instead of Apache?
The .htaccess file works on an Apache server but does not apply to nginx. If you are working on nginx, you will need to block IP’s via the server config file (for example: nginx.conf).

Can I automate IP blocking?
Not with .htaccess alone. For dynamic or automatic blocking, consider exploring firewall tools like Fail2Ban, Cloudflare, or ModSecurity.

June 16, 2025