How to Block an IP Address (IP Deny Tool, Cloudflare, Nginx, Apache)

Dealing with a bot, spammer, or hacker constantly hitting your site? Depending on the severity it could have a big impact on your visits and bandwidth, in which case you might want to try blocking them.

All Kinsta plans come with a free IP Deny tool which lets you block specific IP addresses and ranges from hitting your site. In this article, we’ll cover several methods you could use for blocking IP addresses.

Ready?

Let’s get started!

How to Identify Troublesome IP Addresses

WordPress is a dynamic CMS, which means uncached pages are generated on demand by PHP workers. Since uncached requests require significantly more CPU and RAM resources to serve (when compared to cached requests), it’s possible for a malicious actor to force a server to stop responding by sending a lot of requests.

If you ever find yourself in this situation, one strategy that can help reduce server load is to block the troublesome IP addresses.

MyKinsta’s analytics dashboard lets you view a list of the top IP addresses that hit your site. To view these IP addresses, go to Analytics > Geo & IP, and scroll down to “Top Client IPs”.

If you see an IP address that is making many more requests than other IPs (e.g. by a factor of 5-10x), you may want to investigate further to determine whether the IP is a bot or spammer. The easiest way to check whether an IP is malicious is to use a reputation checker like CleanTalk or Spamhaus.

If the reputation checker identities the IP address as bot or spammer IP, you can take further action to block the IP. Keep in mind even if the reputation checker does not list the IP as a malicious one, it could simply mean the IP is not yet in their database.

If you see that the IP is causing your server to return an HTTP 502 error or go down completely, it’s worth testing whether blocking the IP address makes things any better.

How to Block IP Addresses Using MyKinsta

The IP Deny tool in the MyKinsta dashboard lets you block both individual IP addresses as well as IP address ranges without having to edit web server configuration files. If you’re hosted on Kinsta, the IP Deny tool is the recommended method for blocking IP addresses.

To block an IP address in MyKinsta, navigate to Sites > Your Site > IP Deny.

Next, click the “Add IP Addresses” button in the top right corner of the page.

In the “Add IP Addresses to Deny” modal, you can add IPV4 addresses, IPV6 addresses, and CIDR (Classless Inter-Domain Routing) IP address ranges to the block list. CIDR ranges are useful for blocking a sequential range of IP addresses (e.g. 127.0.0.1 to 127.0.0.255). To generate a valid CIDR range, we recommend using a tool like this one.

Here are a few examples of IP addresses you can block:

• IPV4 Address – 103.5.140.141
• IPV6 Address – 2001:0db8:0a0b:12f0:0000:0000:0000:0001
• CIDR Range – 128.0.0.1/32

Once you’ve added the IP addresses to block, click the “Add IP Addresses” button.

You should now see the IP addresses added to the block list. On this page, you also have access to two actions (Edit and Delete) in the “Actions” column. The “Edit” action lets you update the IP address or range, while the “Delete” action lets you delete the blocked IP address.

How to Block IP Addresses in Cloudflare

If you’re a Cloudflare user, you can use the “IP Access Rules” tool in the Cloudflare dashboard to block IP addresses and IP ranges.

In the Cloudflare dashboard, navigate to Firewall > Tools.

To create a new IP access rule, add an IP address, select the “Block” action, select “This Website” (or “All Websites in Account” if you want the rule to apply across all your Cloudflare domains), and click “Add”.

After adding the access rule, it’ll appear in the “IP Access Rules” list. Here, you can make changes to the access rule such as changing the action, adding notes, and deleting the rule.

In addition to the “Block” action, Cloudflare also supports “Challenge”, “Allow”, and “JavaScript Challenge”. Depending on what you’re trying to achieve, you may want to use one of these other actions instead of “Block”.

Block IP Range, Country, and ASN in Cloudflare

In addition to single IP addresses, Cloudflare’s IP access rules also support IP ranges, country names, and ASNs (autonomous system numbers).

• To block an IP range, specify a CIDR range for the IP access rule value.
• To block a country, specify it’s Alpha-2 country code.
• To block an ASN (a list of IPs controlled by a single network operator), specify a valid ASN that starts with “AS”.

How to Block IP Addresses in Nginx

If your site is self-hosted with the Nginx web server, you can block IP addresses directly in the web server configuration. While this method is not as user-friendly as blocking IPs with MyKinsta’s IP Deny tool or Cloudflare’s firewall, it may be the only option in certain situations.

To block an IP address in Nginx, SSH into your server and open up your Nginx configuration file with the nano text editor like so:

nano /etc/nginx/nginx.conf

How to Block a Single IP Address With Nginx

To block a single IP (IPV4 or IPV6) address in Nginx, use the deny directive like so:

deny 190.60.78.31;
deny 4b73:8cd3:6f7b:8ddc:d2f9:31ca:b6b1:834e;

How to Block a CIDR IP Range With Nginx

To block a CIDR IP range in Nginx, use the following directive:

deny 192.168.0.0/24;

Advanced Nginx IP Blocking Techniques

If you want to block access to a specific directory (e.d. domain.com/secret-directory/), you can use the Nginx directive below:

location /secret-directory/ {
        deny 192.168.0.0/24;
}

The deny directive accepts all as a value. This is useful for situations where you want to block all IP addresses to your site. The deny all; directive is often used in conjunction with the allow – this lets you allow specific IP addresses while blocking everything else.

location /secret-directory/ {
        allow 192.168.0.0/16;
        deny all;
}

Save Nginx Configuration and Reload Nginx

When you’re finished editing the configuration with nano, be sure to save your changes by pressing Ctrl + O. After saving the file, press Ctrl + X to exit nano.

To activate the new IP block rules, you’ll need to reload the Nginx configuration with the command below as well:

sudo systemctl reload nginx

How to Block IP Addresses in Apache

If your site is self-hosted with the Apache web server, you can block IP addresses directly in the web server configuration. To block an IP address in Apache, you’ll need to use a .htaccess file, which lets you apply unique rules to specific directories. To apply rules across your entire site, the .htaccess file should be placed in your site’s root directory.

To get started, SSH into your server, navigate to your site’s root directory, and create the .htaccess file with the command below:

touch .htaccess

Next, open up the .htaccess file with the nano text editor like so:

nano .htaccess

The exact rules to block IPs depend on whether you’re using Apache 2.2 or 2.4, so we’ll include rules for both versions. When editing your .htaccess file, use the rules for your Apache version.

How to Block a Single IP Address With Apache

To block a single IP (IPV4 or IPV6) address in Apache, use the rules below:

# Apache 2.2
order allow, deny
allow 192.168.0.0
deny from all

#Apache 2.4
Require all granted
Require not ip 192.168.0.0

How to Block a CIDR IP Range With Apache

# Apache 2.2
order allow, deny
allow 192.168.0.0/16
deny from all

#Apache 2.4
Require all granted
Require not ip 192.168.0.0/16

Summary

Depending on your site configuration, there are different ways to block IP addresses from reaching your site. If you’re a Kinsta user, we recommend using MyKinsta’s built-in IP Deny tool.

If your site is not hosted on Kinsta, we recommend securing it with Cloudflare, which lets you create unique IP access rules to block IP addresses, ranges, and more. Finally, if you’re unable to set up Cloudflare for your site, you can implement IP blocking rules directly in your web server configuration file.