Contents In Page
What is .htaccess?
Before we get into the details of how to block an IP address using the .htaccess method, let’s first start by defining what .htaccess is and what it can do.
The ‘ht’ in .htaccess stands for HyperText. It is the name of a file used to specify access to the contents of a file directory from the Internet or intranet.
Several web servers support .htaccess, including the Apache HTTP server, which was launched in 1995 and is used by most commercial web hosting providers.
In addition, many content management systems rely on these files to configure our sites because they allow the administrators to specify options for individual directories.
Therefore, they can be used to enable or disable certain functionalities and features.
Where is it located?
The .htaccess configuration file should be in our web root folder (the folder that holds all our website content).
It will probably be labeled ‘Public_HTML’ or ‘www.’ Also, if we have multiple website subdirectories, then there should be a .htaccess file in the main root directory (Public_HTML) and one in each subdirectory (/sitename).
Why can’t I find it?
File names that begin with a dot (.) are hidden and are consequently not visible by default.
Usually, all we’d have to do is change the settings. Our FTP (File Transfer Protocol) client or File Manager usually has a setting that enables the visibility of any hidden files.
We can try ‘Preferences,’ ‘Settings,’ ‘Folder Options’ or ‘View.’
Can I create one?
Yes, you can. Here’s how:
- First, you will need a text editing program like Notepad’ or ‘TextEdit.’ It should be capable of producing plain text files.
- Don’t forget to select ‘Plain Text’ in the ‘Preferences’ menu if that’s available.
- Next, save your document and name it ‘.htaccess.txt’ or something similar. Note that without the ‘.txt,’ your computer will automatically hide the file.
- Open your website’s FTP utility or File Manager.
- Upload your file to the exact directory you want to modify.
- Finally, once uploaded, rename it to ‘.htaccess.’
What can a .htaccess file do?
Knowing how to correctly utilize a .htaccess file can give us control over a variety of features.
Here are just a few examples:
- Generate an error code (i.e., 400 – Bad request, 401 – Authorization Required, 403 – Forbidden, 404 – File Not Found, 500 – Internal Server Error, etc.)
- Restrict access to certain directories with password protection
- Block web traffic from a particular country
- Block users from a specific IP address (blacklisting)
- Set server time zones
- Block everyone except visitors from a specific IP address (whitelisting)
- Block users by referrer
- Enable SSI (Server Side Includes)
- Block offline browsers and bad bots
- Block Hotlinking
- Change a server signature
- Specify a default file or a specific directory
- URL redirects and rewriting
Why would I use .htaccess to block an IP Address?
First, let’s discuss what an IP Address is. An IP address is, essentially, the Internet address of every connected device. ‘IP’ stands for Internet Protocol.
It is a string of four numbers separated by a single dot or eight groups of four hexadecimal digits.
Every device using the Internet has its own unique IP address, and it is used for location addressing and network interface identification.
Blocking an IP Address from our website can be incredibly useful because sometimes, we just want to get rid of annoying visitors, malicious users, website scrapers, and/or spammers.
The only real way to do that is by blocking their IP addresses from accessing our site.
So how do I do it?
The first step would be to identify the IP addresses we would like to block.
Once identified, the next and easiest way to go about it is to just add this to the .htaccess file in our Public_HTML directory:
Deny from 123.123.123.123
We would, of course, replace the example IP addresses with the actual IP addresses we wish to block.
Now, let’s say we want to block out a specific domain. We could add this to the .htaccess file in our Public_HTML directory (simply replace the IP address and netmask values to match the domain that you wish to block):
Deny from 123.456.789.123/124.124.124.0
To block out more than one IP address (here, we are blocking three specific IPs), we can add this:
Deny from 111.111.111.111 222.222.222.222 333.333.333.333
Similarly, we could also opt to block out an entire range of IPs. Here we are blocking every IP that begins with 123.456:
Deny from 123.456
To block out more than one specific range, we can do this:
Deny from 111 222.222 333.333.444
Want to be more accurate?
It is important to note that while all of the above should work, there is a more accurate syntax like this one:
order allow,deny
deny from 123.45.67.89
deny from 98.76.543.21
allow from all
We can add as many IP addresses as we want, as long as we have a separate ‘deny from…’ line for each one.
This method is more accurate than the previous ones because it provides a specific ‘order’ directive. However, we could also go for this one:
order deny,allow
deny from all
allow from 123.456.789.123
Notice that the ‘order’ directive first denies access to everyone and then allows only the specified address; hence the ‘order deny, allow.’
More options
In contrast, another option is to redirect those particular IPs. This means that if they try to access our website, they will instead be redirected to a URL we have previously specified.
Here’s what we would need to add to the .htaccess file in our Public_HTML directory to make that happen:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^123.45.67.8
RewriteCond %{HTTP_HOST} !^$
RewriteRule /* http://www.goaway.com/ [R,L]
Goaway.com is an actual domain, but we can also opt to use a non-existent or ‘dead’ URL. By doing that, our unwanted visitor will get a “The page cannot be displayed” message. It would be as though our site was offline. Well, for them at least.
Let’s take this a tad bit further; let’s say we want to block a certain visitor from posting content on our website.
We could use this syntax:
<Limit POST>
Order Allow,Deny
Allow from all
Deny from 123.123.123.123
</Limit>
We also don’t necessarily need numbers to block out unwanted visitors; we have this option too:
order allow,deny
deny from bad-abc-company.com
allow from all
In the above syntax, bad-abc-company.com would be replaced with a domain name or sub-domain name. This means that we could potentially block all users from a particular Internet service provider.
Keep in mind, though, that blocking out an entire range of ‘visitors’ could also block out innocent users.
Things to consider
If you’ve never done this before, know that messing around with the .htaccess file can basically result in a server seizure and a ton of Internal Error Server messages.
To err on the side of caution, you could take on the services of a professional web developer who has the experience and knowledge needed to configure all of this.
Otherwise, remember to go one step at a time. That way, if something goes wrong, you’ll know exactly which directive is causing the problem.
Do it all at once without testing, and it’ll be a guessing game you won’t win.
Also, (and we can’t stress this enough) — back up, back up, back up! Save your files in restorable saved archives.
In case things don’t work out as planned, you should always have the ability to revert to the latest working version. Remember that even the slightest typo can have disastrous results, so you really can’t be too careful.
Other potential issues
There are also speed and security concerns when it comes to utilizing .htaccess. We should really only use it if the main server configuration file cannot be accessed.
Speed is affected because of the processing that occurs each time a directive is made.
Thus, the speed of our website can be negatively affected because our directives need to be applied to all the files and folders affected by the file.
Evidently, this can depend on whether we are on a high-speed dedicated server (in which case, we might not even notice the time increase) or on a slower shared hosting solution where the effects are more obvious.
Security is another concern because a malicious user or hacker can take advantage of an unsecured .htaccess file configuration.
If a malicious user gains unauthorized access to our website, that can result in irreparable damage. Therefore, we ought to be very careful about how we use directives and configuration settings.
Also, it’s a good idea to consider our hosting environment and how it can affect the impact of our .htaccess directives.
Final thoughts
So there you go. You’ve learned the basics of what the .htaccess file is and how you can use this method to block an IP address from visiting your site. In fact, you now know that there are so many other options available too. You can opt to block just one particular IP address, or block a whole range of IP addresses.
Still, while it does seem like the possibilities of .htaccess are endless, taking the necessary precautions should help prevent any disastrous results. And like we said earlier, ensuring you have that backup will most certainly serve you well.
