Block IP Address
There may be times when you need to block an IP address (or addresses) to prevent malicious behavior from bots, spammers, or others. All Kinsta plans include a free IP Deny tool, which lets you block specific IP addresses and ranges from hitting your site.
Identifying IP addresses to block in MyKinsta
One example of an IP address you may need to block is one that’s making a lot of uncached requests to your site in a short amount of time. Uncached requests can lead to excessive resource usage and cause issues for your site.
To view the top IP addresses that are visiting your site, you can use MyKinsta’s analytics dashboard. Log in to MyKinsta and go to WordPress Sites > sitename > Analytics > Geo & IP. Under the Top client IPs section, look for any IP addresses that are making more requests than other IPs by a factor of 5-10x or more. These are usually the IP addresses you want to investigate further.
You can use a reputation checker like CleanTalk or Spamhaus to see if the IP address has been identified as a bot, spammer, or other malicious IP address. Even if the IP address isn’t listed, it isn’t a guarantee that it’s legitimate. The IP address may not yet be identified and listed in their database as malicious. If the IP address is making a request that is causing your site to return an error or go down, blocking the IP address as a troubleshooting step is worth a try.
Blocking an IP address in MyKinsta
To block an IP address or range of IP addresses in MyKinsta, you can use the IP Deny tool.
The IP Deny tool is a powerful feature and, if used incorrectly, could block a legitimate service or individual. If you have questions about a certain IP address, please open a chat with our Support team.
In MyKinsta, go to WordPressSites > Your Site > IP Deny and click Add IP Addresses.
In the Add IP Addresses to Deny modal/pop-up that appears, you can add IPV4 addresses, IPV6 addresses, and CIDR (Classless Inter-Domain Routing) IP address ranges to the block list. With CIDR ranges, you can block a sequential range of IP addresses (e.g. 127.0.0.1 to 127.0.0.255). To generate a valid CIDR range, we recommend using a tool like IPAddressGuide.com.
Here are a few examples of IP addresses you can block:
- IPV4 Address – 103.5.140.141
- IPV6 Address – 2001:0db8:0a0b:12f0:0000:0000:0000:0001
- CIDR Range – 128.0.0.1/32
Once you’ve added the IP address(es) to block, click the Add IP Addresses button.
The IP address and any others you’ve added will now be shown on the IP deny list. On this same page, you can Edit (edit/pencil icon) or Delete (delete/trash can icon) any IP address or range.
Block IP addresses in Cloudflare
If you’re a Cloudflare user, you can use the IP Access Rules tool in the Cloudflare dashboard to block IP addresses and IP ranges.
In the Cloudflare dashboard, navigate to Firewall > Tools.
To create a new IP access rule, add an IP address, select the Block action, select This Website (or All Websites in Account if you want the rule to apply across all your Cloudflare domains), and click Add.
After adding the access rule, it appears in the IP Access Rules list. Here, you can make changes to the access rule, such as changing the action, adding notes, and deleting the rule.
In addition to the Block action, Cloudflare supports Challenge, Allow, and JavaScript Challenge. Depending on your goal, you may want to use one of these other actions instead of Block.
Block IP range, country, and ASN in Cloudflare
In addition to single IP addresses, Cloudflare’s IP access rules also support IP ranges, country names, and ASNs (autonomous system numbers).
- To block an IP range, specify a CIDR range for the IP access rule value.
- To block a country, specify it’s Alpha-2 country code.
- To block an ASN (a list of IPs controlled by a single network operator), specify a valid ASN that starts with “AS”.
Block IP addresses in Nginx
If your site is self-hosted with the Nginx web server, you can block IP addresses directly in the web server configuration. While this method is not as user-friendly as blocking IPs with MyKinsta’s IP Deny tool or Cloudflare’s firewall, it may be the only option in certain situations.
To block an IP address in Nginx, SSH into your server and open up your Nginx configuration file with the nano
text editor like so:
nano /etc/nginx/nginx.conf
Block a single IP address with Nginx
To block a single IP (IPV4 or IPV6) address in Nginx, use the deny
directive like so:
deny 190.60.78.31;
deny 4b73:8cd3:6f7b:8ddc:d2f9:31ca:b6b1:834e;
Block a CIDR IP range with Nginx
To block a CIDR IP range in Nginx, use the following directive:
deny 192.168.0.0/24;
Advanced Nginx IP blocking techniques
If you want to block access to a specific directory (e.d. domain.com/secret-directory/), you can use the Nginx directive below:
location /secret-directory/ {
deny 192.168.0.0/24;
}
The deny
directive accepts all
as a value. This is useful when blocking all IP addresses to your site. The deny all;
directive is often used in conjunction with the allow
– this lets you allow specific IP addresses while blocking everything else.
location /secret-directory/ {
allow 192.168.0.0/16;
deny all;
}
Save Nginx configuration and reload Nginx
When you’re finished editing the configuration with nano, save your changes by pressing Ctrl + O. After saving the file, press Ctrl + X to exit nano.
To activate the new IP block rules, you’ll need to reload the Nginx configuration with the command below as well:
sudo systemctl reload nginx
Block IP addresses in Apache
If your site is self-hosted with the Apache web server, you can block IP addresses directly in the web server configuration. To block an IP address in Apache, you’ll need to use a .htaccess file, which lets you apply unique rules to specific directories. To apply rules across your entire site, the .htaccess file should be placed in your site’s root directory.
To get started, SSH into your server, navigate to your site’s root directory, and create the .htaccess file with the command below:
touch .htaccess
Next, open up the .htaccess file with the nano
text editor like so:
nano .htaccess
The exact rules to block IPs depend on whether you’re using Apache 2.2 or 2.4, so we’ll include rules for both versions. When editing your .htaccess file, use the rules for your Apache version.
Block a single IP address with Apache
To block a single IP (IPV4 or IPV6) address in Apache, use the rules below:
# Apache 2.2
order allow, deny
allow 192.168.0.0
deny from all
#Apache 2.4
Require all granted
Require not ip 192.168.0.0
Block a CIDR IP range with Apache
# Apache 2.2
order allow, deny
allow 192.168.0.0/16
deny from all
#Apache 2.4
Require all granted
Require not ip 192.168.0.0/16
Summary
Depending on your site configuration, there are different ways to block IP addresses from reaching your site. If you’re a Kinsta user, we recommend using MyKinsta’s built-in IP Deny tool.
If your site is not hosted on Kinsta, we recommend securing it with Cloudflare, which lets you create unique IP access rules to block IP addresses, ranges, and more. Finally, if you’re unable to set up Cloudflare for your site, you can implement IP-blocking rules directly in your web server configuration file.