Block IP Address Using .htaccess: Websites, Bad Bots, or User Agents

Got a problem maker who constantly shows up as a problematic guy and eating up your server resources? Here you go with Blocking his IP address from accessing your website. Put a full stop to this behavior. The problem may not be a single guy. A bot or website which constantly leeches all your bandwidth is also a problem that needs your action. In this article on How to Block IP Address Using .htaccess, I will show you the method to block them from accessing your website.

Caution: Before making any changes to the .htaccess file, be sure to keep a copy of it. Any misconfigurations could lead to a 500 error while trying to access your website. So, be careful. For backing up the .htaccess file, you could use an FTP software.

Banning An IP Address Using .htaccess

It is very simple to ban an IP address using .htaccess. To do this, just copy-paste this code to your .htaccess file.

order allow,deny
deny from 192.168.44.201
deny from 224.39.163.12
deny from 172.16.7.92
allow from all

The code given above will block those three different IP addresses from accessing your website. Just replace them with the IP address you want to block. You may remove the lines or add them according to the number of IP addresses.

For ex: If you have only 1 IP address to block from the access, Just remove “deny from …………” lines other than the required one. If you have more than 3 IP addresses, just add that line alongside the IP address to block.

If you have a lot of IP addresses to block which come from a specific range as “192.168.xx.xx”, don’t waste your sweat. Just copy the code given below to the .htaccess file.

order allow,deny
deny from 192.168.
deny from 10.0.0.
allow from all

This will block the whole range of IPs that starts as “192.168….” and “10.0.0…..”. Replace them with the IP address range you want to block.

Blocking a Specific ISP Using .htaccess

If you need to block a specific ISP from accessing your website, use this code:

order allow,deny
deny from isp1.com
deny from subdomain.isp1.com
allow from all

This will block the access of the “isp1.com” and “subdomain.isp1.com” Replace them with the specify ISP you want to block from accessing your website.

Blocking Bots with .htaccess

Sometimes, You may have to block some specific bots from access.

# block bad bot
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^HarmfulBot
RewriteRule ^(.*)$ http://go.away/

The above code will tell your web server to check for any bot whose user-agent string starts with “HarmfulBot”. When it finds a bot that matches the string, it redirects them to a non-existing website namely”go.away”. If you want to block multiple bots, use the following code:

# block bad bots
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^HarmfulBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^EvilScraper [OR]
RewriteCond %{HTTP_USER_AGENT} ^FakeUser
RewriteRule ^(.*)$ http://go.away/

This will block 3 different bots namely “HarmfulBot”, “EvilScraper”, “FakeUser”. Replace them with the right ones. Don’t remove the ‘[OR]’ from the list. It tells the server there is more in the list. Add it in every line according to the number of bots you have to add.

Blocking Bandwidth Leeches Using .htaccess

If there is a certain website that eats your bandwidth by showing the content of your websites like images and videos. Blocking them will solve the problem. To block that kind of websites from accessing your content. Just use the code below.

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://.*badwebsite\.com [NC]
RewriteRule .* - [F]

This code will return a 403 Forbidden error to anyone who tries to access your website referred from ‘badwebsite.com’. Replace it with the correct one which you want to block. If you have multiple ones to block, use the code below.

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://.*badwebsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*example\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*anotherexample\.com [NC]
RewriteRule .* - [F]

Replace them with the correct one. If you have only one website to block, remove the other lines alongside with the ‘[OR]’ on the same line of the non-removed website. For ex: If you need to block only ‘badwebsite.com’ The code looks like the previous code. If you have five websites to block, the code will look like below one.

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://.*badwebsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*example\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*example2\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*example3\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*anotherexample\.com [NC]
RewriteRule .* - [F]

The last one shouldn’t have the ‘[OR]’ in it as shown in the above examples.

Additional blocking options

• Block visitors from a certain country in WordPress
• Prevent users from accessing wp-admin

I think you got what you are looking for and were able to block those who were being a threat to your website or consuming your valuable bandwidth.

If, at some point, you mess up, here is the default WordPress .htaccess file that can be used to restore your website.