IP ban using htaccess file

Last updated on December 15, 2009. Tags: htaccess, IP address, IP ban

An IP address is a set of 4 numbers separated by dots, with each number having one to three digits, which acts as a unique address for each computer connected to the internet. Changing ISP changes the IP address. Computers connected in the same network sometime have the same IP address. You can check this Wikipedia article about IP address for more information.

IP ban refers to the process wherein a webmaster bans certain user from accessing his or her website by preventing any access coming from that user IP address. It means the banned user's relatives, house mates or anyone who uses the same computer to access the website are also blocked from accessing that website. Accessing the website from a computer with banned IP address will display a message similar to the one below.

There several possible reasons why you would want to ban certain people (or bots) from accessing your website. One common reason is for forum administrator to permanently ban misbehaving members who keep on returning with a new account to repeat the same misbehavior all over again.

However, with the forums now becoming increasingly complicated, with membership hierarchy determined by the number of posts and with more privelage as you go up the hierarchy, it is now easier to discipline misbehaving members. Even though banned members can still sign up for new username, the possibility of losing the priveleges that they acquired in their original account is already a sufficient deterrent.

Still, why would you want to implement an IP ban? Any websites with existing user interaction if not a full-blown online community will need IP ban in one way or in another. For bloggers, one very good reason is to ban comment spammers from filling your blog with nonsense comments that aims only to build backlinks for their (or their clients') websites.

How to code it?

To implement an IP ban, open the .htaccess file and encode the following codes.

order allow,deny
deny from ___.___.___.___
allow from all

Simply replace the underscores with the numbers of an actual IP address you wish to ban. A real example is shown below. This sample IP address belongs to an evil comment spammers so feel free to IP ban it.

order allow,deny
deny from 194.8.74.220
allow from all

You can ban more than one IP address by using several lines of "deny from".

order allow,deny
deny from 194.8.74.220
deny from 82.194.62.220
deny from 212.116.219.154
allow from all

To ban a range of IP address, use less than four set of numbers and end each line with a dot. For example, in the code below:

order allow,deny
deny from 194.8.74.
deny from 82.194.
deny from 212.
allow from all

The first line of code bans all addresses that begins with 194.8.74, the second line bans all that begins with 82.194 and the third bans all that begins with 212.

IP ban redirect

Instead of providing the banned IP addresses an error message, you can choose to redirect them to another website by inserting the code below immediately below the line allow from all.

ErrorDocument 403 http://www.anotherwebsite.com/

You can simply replace http://www.anotherwebsite.com/ with whatever website you would like to redirect.

If you're using CPanel, you can experiment on this by banning your own IP address. Don't worry because you will still be able access your CPanel.

IP ban and subdomains

Suppose you have a domain name domain.com and it has subdomains such as sub1.domain.com and sub2.domain.com. If you want to ban certain IP address to only one of these subdomains (say sub1.domain.com), you can create .htaccess file in the subfolder of sub1.domain.com and encode the IP ban code discussed above. IP banning this way will still allow the owner of the banned IP address to access sub2.domain.com.

However, if the IP ban code is encoded in the .htaccess of the root directory domain.com, the owner of the IP address will not be able to access all the subdomains within domain.com.

Tip for WordPress users

If you are a blogger who uses WordPress and encounters lots of spam comments, do not IP ban the every IP address that submits spam comment. I suggest that first, you configure the setting of your blog such that the comments appear only once approved. Then, let these comment spams come; you can still read them from your dashboard while they are not visible in the blog.

You will be able to see the IP addresses of these comment spams. In most cases, while there are few unique IP addresses, there are certain IP addresses from where the majority of the spams come from. Ban only the IP addresses that produces the majority of the spams (my limit is usually 3 to 5 comment spams before I consider an IP address for banning; it's up to you to decide your limit).

I am not sure about other blogging platforms. For Blogger users, you cannot see the IP addresses of those who leave comments by default but I read somewhere that you can install pluggins that will enable you to do this.

The reason why I advise against banning all IP address is that some internet users have means to change IP address called dynamic IP address. Aside from that, it is possible for the spammers to install malwares in other computers and send spams from those computers. You might accidentally ban innocent parties if you ban all IP addresses that post comment spams. Banning the IP addresses of repeating comment spammers is usually enough.

Posted by Greten on April 18, 2009 under Server Configuration

Related Posts

• Listing ip addresses of WordPress comment spammers easier and faster
• Dealing with WordPress comment spam
• Redirecting visitors to update page during website maintenance
• Htaccess 301 redirect and subdomains
• Using htaccess 301 redirect in folder or subdirectory

You might also be interested (randomly generated):

• Using 301 redirect in htaccess file
• Hiding certain categories in WordPress navigation
• Displaying e-mail address while avoiding spammers
• How to permanently disable WordPress comment?
• WordPress post excerpt

Post Comments

Comment Rules and Reminders

• The links to the commentator's e-mail do not have nofollow tag. However, I will be very strict in approving comments.
• When you comment, please say something that indicates that you indeed read my post. If your comment is a general statement that can fit to any blog post about any topic, it will be regarded as spam.
• What you write in the name field may include keywords to your website provided that (1) it's only up to four words long and (2) at least one of these four words is your first name or nickname. I rather reply to Bob or to Joe Smith than to Online Marketing Tips.
• Please double check your comment before clicking the "Post" button. Once you clicked it, there will be no way for you to edit your comment.
• Fields marked with asterisks (*) are required. Your email will never be displayed in public.

• Recent Blog Entries

  • Displaying e-mail address while avoiding spammers
  • Javascript random text
  • Javascript-based random web banner
  • Displaying random image with Javascript
  • Generating random numbers using Javascript
  • Animated images using Javascript
  • Reducing image file size without reducing quality using Yahoo! Smush.it
  • Detecting mobile devices for your WordPress website

• Categories

  • Adsense / Ads Embedding Tips
  • Cascading Stylesheet
  • Designing for Mobile Devices
  • Hypertext Mark-up Language
  • JavaScript
  • Search Engine Optimization
  • Server Configuration
  • Webmasters' Tools
  • WordPress
  • Definitions

• RSS Feed

  • New content
  • New comments