1. IP Deny Tool:
– Log into your hosting control panel.
– Look for the IP Deny tool.
– Enter the IP address you want to block.
– Click “Add” to save the changes.
2. Cloudflare:
– Log into your Cloudflare account.
– Go to the Firewall tab.
– Click on the “IP Firewall” tab.
– Enter the IP address you want to block.
– Click “Add” to save the changes.
3. Nginx:
– Log into your server via SSH.
– Edit the Nginx configuration file.
– Add the following line: deny IP_ADDRESS;
– Save the changes and restart Nginx.
4. Apache:
– Log into your server via SSH.
– Edit the Apache configuration file.
– Add the following line: Deny from IP_ADDRESS
– Save the changes and restart Apache.
Dealing with a bot, spammer, or hacker constantly hitting your site? Depending on the severity it could have a big impact on your visits and bandwidth, in which case you might want to try blocking them.
All Kinsta plans come with a free IP Deny tool which lets you block specific IP addresses and ranges from hitting your site. In this article, we’ll cover several methods you could use for blocking IP addresses.
Ready?
Let’s get started!
How to Identify Troublesome IP Addresses
WordPress is a dynamic CMS, which means uncached pages are generated on demand by PHP workers. Since uncached requests require significantly more CPU and RAM resources to serve (when compared to cached requests), it’s possible for a malicious actor to force a server to stop responding by sending a lot of requests.
If you ever find yourself in this situation, one strategy that can help reduce server load is to block the troublesome IP addresses.
MyKinsta’s analytics dashboard lets you view a list of the top IP addresses that hit your site. To view these IP addresses, go to Analytics > Geo & IP, and scroll down to “Top Client IPs”.
If you see an IP address that is making many more requests than other IPs (e.g. by a factor of 5-10x), you may want to investigate further to determine whether the IP is a bot or spammer. The easiest way to check whether an IP is malicious is to use a reputation checker like CleanTalk or Spamhaus.
If the reputation checker identities the IP address as bot or spammer IP, you can take further action to block the IP. Keep in mind even if the reputation checker does not list the IP as a malicious one, it could simply mean the IP is not yet in their database.
If you see that the IP is causing your server to return an HTTP 502 error or go down completely, it’s worth testing whether blocking the IP address makes things any better.
How to Block IP Addresses Using MyKinsta
The IP Deny tool in the MyKinsta dashboard lets you block both individual IP addresses as well as IP address ranges without having to edit web server configuration files. If you’re hosted on Kinsta, the IP Deny tool is the recommended method for blocking IP addresses.
To block an IP address in MyKinsta, navigate to Sites > Your Site > IP Deny.
Next, click the “Add IP Addresses” button in the top right corner of the page.
In the “Add IP Addresses to Deny” modal, you can add IPV4 addresses, IPV6 addresses, and CIDR (Classless Inter-Domain Routing) IP address ranges to the block list. CIDR ranges are useful for blocking a sequential range of IP addresses (e.g. 127.0.0.1 to 127.0.0.255). To generate a valid CIDR range, we recommend using a tool like this one.
Here are a few examples of IP addresses you can block:
- IPV4 Address – 103.5.140.141
- IPV6 Address – 2001:0db8:0a0b:12f0:0000:0000:0000:0001
- CIDR Range – 128.0.0.1/32
Once you’ve added the IP addresses to block, click the “Add IP Addresses” button.
You should now see the IP addresses added to the block list. On this page, you also have access to two actions (Edit and Delete) in the “Actions” column. The “Edit” action lets you update the IP address or range, while the “Delete” action lets you delete the blocked IP address.
How to Block IP Addresses in Cloudflare
If you’re a Cloudflare user, you can use the “IP Access Rules” tool in the Cloudflare dashboard to block IP addresses and IP ranges.
In the Cloudflare dashboard, navigate to Firewall > Tools.
To create a new IP access rule, add an IP address, select the “Block” action, select “This Website” (or “All Websites in Account” if you want the rule to apply across all your Cloudflare domains), and click “Add”.
After adding the access rule, it’ll appear in the “IP Access Rules” list. Here, you can make changes to the access rule such as changing the action, adding notes, and deleting the rule.
In addition to the “Block” action, Cloudflare also supports “Challenge”, “Allow”, and “JavaScript Challenge”. Depending on what you’re trying to achieve, you may want to use one of these other actions instead of “Block”.
Block IP Range, Country, and ASN in Cloudflare
In addition to single IP addresses, Cloudflare’s IP access rules also support IP ranges, country names, and ASNs (autonomous system numbers).
- To block an IP range, specify a CIDR range for the IP access rule value.
- To block a country, specify it’s Alpha-2 country code.
- To block an ASN (a list of IPs controlled by a single network operator), specify a valid ASN that starts with “AS”.
How to Block IP Addresses in Nginx
If your site is self-hosted with the Nginx web server, you can block IP addresses directly in the web server configuration. While this method is not as user-friendly as blocking IPs with MyKinsta’s IP Deny tool or Cloudflare’s firewall, it may be the only option in certain situations.
To block an IP address in Nginx, SSH into your server and open up your Nginx configuration file with the nano
text editor like so:
nano /etc/nginx/nginx.conf
How to Block a Single IP Address With Nginx
To block a single IP (IPV4 or IPV6) address in Nginx, use the deny
directive like so:
deny 190.60.78.31;
deny 4b73:8cd3:6f7b:8ddc:d2f9:31ca:b6b1:834e;
How to Block a CIDR IP Range With Nginx
To block a CIDR IP range in Nginx, use the following directive:
deny 192.168.0.0/24;
Advanced Nginx IP Blocking Techniques
If you want to block access to a specific directory (e.d. domain.com/secret-directory/), you can use the Nginx directive below:
location /secret-directory/ {
deny 192.168.0.0/24;
}
The deny
directive accepts all
as a value. This is useful for situations where you want to block all IP addresses to your site. The deny all;
directive is often used in conjunction with the allow
– this lets you allow specific IP addresses while blocking everything else.
location /secret-directory/ {
allow 192.168.0.0/16;
deny all;
}
Save Nginx Configuration and Reload Nginx
When you’re finished editing the configuration with nano, be sure to save your changes by pressing Ctrl + O. After saving the file, press Ctrl + X to exit nano.
To activate the new IP block rules, you’ll need to reload the Nginx configuration with the command below as well:
sudo systemctl reload nginx
How to Block IP Addresses in Apache
If your site is self-hosted with the Apache web server, you can block IP addresses directly in the web server configuration. To block an IP address in Apache, you’ll need to use a .htaccess file, which lets you apply unique rules to specific directories. To apply rules across your entire site, the .htaccess file should be placed in your site’s root directory.
To get started, SSH into your server, navigate to your site’s root directory, and create the .htaccess file with the command below:
touch .htaccess
Next, open up the .htaccess file with the nano
text editor like so:
nano .htaccess
The exact rules to block IPs depend on whether you’re using Apache 2.2 or 2.4, so we’ll include rules for both versions. When editing your .htaccess file, use the rules for your Apache version.
How to Block a Single IP Address With Apache
To block a single IP (IPV4 or IPV6) address in Apache, use the rules below:
# Apache 2.2
order allow, deny
allow 192.168.0.0
deny from all
#Apache 2.4
Require all granted
Require not ip 192.168.0.0
How to Block a CIDR IP Range With Apache
# Apache 2.2
order allow, deny
allow 192.168.0.0/16
deny from all
#Apache 2.4
Require all granted
Require not ip 192.168.0.0/16
Summary
Depending on your site configuration, there are different ways to block IP addresses from reaching your site. If you’re a Kinsta user, we recommend using MyKinsta’s built-in IP Deny tool.
If your site is not hosted on Kinsta, we recommend securing it with Cloudflare, which lets you create unique IP access rules to block IP addresses, ranges, and more. Finally, if you’re unable to set up Cloudflare for your site, you can implement IP blocking rules directly in your web server configuration file.
Get all your applications, databases and WordPress sites online and under one roof. Our feature-packed, high-performance cloud platform includes:
- Easy setup and management in the MyKinsta dashboard
- 24/7 expert support
- The best Google Cloud Platform hardware and network, powered by Kubernetes for maximum scalability
- An enterprise-level Cloudflare integration for speed and security
- Global audience reach with up to 35 data centers and 275 PoPs worldwide
Get started with a free trial of our Application Hosting or Database Hosting. Explore our plans or talk to sales to find your best fit.