How to Block IP Addresses with PHP

♦ Posted by Jeff Starr in .htaccess, PHP, Security

Updated January 26, 2020 • 109 comments

[ Image: Skeletor Blocks a Move ] Figuratively speaking, hunting down and killing spammers, scrapers, and other online scum remains one of our favorite pursuits. Once we have determined that a particular IP address is worthy of banishment, we generally invoke the magical powers of htaccess to lock the gates. When htaccess is not available, we may summon the versatile functionality of PHP to get the job done.

This method is straightforward. Simply edit, copy and paste the following code example into the top of any PHP for which you wish to block access:

<?php $deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
   header("location: https://example.com/");
   exit();
} ?>

The code basically creates an array of the IP addresses that you wish to block, and then checks incoming addresses against the array. If the incoming (i.e., remote) address matches against any value in the array, the function will deny access with a redirect header to the specified URL, which in this case is the majestic Google home page. It all happens quickly behind the scenes.

Similar tutorial: Block Multiple IP Addresses with PHP »

Usage

When using this code in your pages, simply replace the “dummy” IP addresses (i.e., "111.111.111", "222.222.222", ...) with those that you wish to block (e.g., "123.456.789", "123.456.*", "123.*", ...). Yes, PHP understands wildcard operators (i.e., *). Also you may want to change the redirect location. Currently it is set to https://example.com/, so feel free to change that to whatever URL is desired.

After making any changes, upload the file to your server. If you would like to verify this method, simply lookup your own IP address, add it to the array, and try loading the target page. That’s all there is to it — “grab, gulp, and go”.

Using this method, you may also wish to create a customized page to which blocked addresses are redirected, perhaps to explain the situation, provide contact information, or display a macro shot of your greasy bum, or perhaps send them to the blackhole.

apache domains ip spam tutorials websites

About the Author

Jeff Starr = Web Developer. Book Author. Secretly Important.

109 responses to “How to Block IP Addresses with PHP”

Scott 2007/07/22 12:06 pm

Many Thanks

we had some problem scrapers that were causing us some bandwidth problems… script did the trick thanks

Perishable 2007/07/22 3:18 pm • Post Author

Glad to help, Scott — thanks for the feedback!

Kym 2007/09/08 7:39 am

We had a customer site DOS attacked by the old webmaster when he was fired. Being able to ban his IP so easily was a god send.

Perishable 2007/09/08 1:06 pm • Post Author

Great, Kym!
That is good news, indeed ;)
Thank you for the feedback!

Trav 2007/09/15 5:38 pm

The full IP address works with this script, but wildcards don’t seem to catch the addresses.

Perishable 2007/09/16 9:30 am • Post Author

Trav,

Try using this format instead:

$deny = array("111.111..*..*", "222.222..*..*");

i.e, using two dots before each wildcard operator should do the trick..

August Klotz 2007/09/16 4:09 pm

You can also use something similar to this:

<? $block = "^123\.123\.";
if (in_array($_SERVER['REMOTE_ADDR'],$block)) {
      header("HTTP/1.1 403 Forbidden");
      exit;
} else {
      echo '<h1>Welcome to the site..</h1>';
} ?>

..which would block any IP addresses beginning with 123.123. This code should also work without the second escaped dot (\.) in the first line. The caret (^) indicates the beginning of the string, while the dots are escaped for clarity.

Trav 2007/09/16 5:18 pm

Thanks to both of you for those snippets. I kow very little php and have a hard time learning it so I appreciate it.

Dead Letter Art 2007/09/17 11:45 am

We use something along these lines to block specifically defined ranges of IP addresses:

$hulkSmash = array ("^123.(12[3-9]|1[3-9][0-9]).","^321.321.(32[1-9]|3[3-9][0-9]).");
foreach($hulkSmash as $smashed) {
   if (ereg($smashed, $_SERVER['REMOTE_ADDR'])) {
      echo "Sorry, but this site is not available..";
      exit();
   } else {
      echo "Welcome to our site, oh special ones..";
      exit();
   }
}

I agree with August that using a caret to denote the beginning of a string is a great approach — prevents false positives, etc.

j 2007/09/19 9:54 am

This PHP code doesn’t work for an array of IP addresses. I tried several times but none of the above techniques work! They only work if you know the complete IP address (i.e. xxx.yyy.zzz.aaa). Any clue on how to get this thing to work on an entire range? Thanks!

Robert 2007/09/26 4:28 am

i like this web because you can discover how to unblock some web. i want to know What is the code 222.22.222.

rick 2007/10/10 11:35 am

Ok, I’m new at PHP and this looks cool but what I want to do is allow all our IP’s access and if they don’t match then no access.
We have a lot of them (large gov’t agency).
So I’d want something like all
123.123.*.*
123.12.*.*
124.13.*.*
and then some
123.123.123.*
321.123.223.*
etc.
to get in ok.

Ideas?

Comments are closed for this post. Something to add? Let me know.

Scott 2007/07/22 12:06 pm

Many Thanks

we had some problem scrapers that were causing us some bandwidth problems… script did the trick thanks
Perishable 2007/07/22 3:18 pm • Post Author

Glad to help, Scott — thanks for the feedback!
Kym 2007/09/08 7:39 am

We had a customer site DOS attacked by the old webmaster when he was fired. Being able to ban his IP so easily was a god send.
Perishable 2007/09/08 1:06 pm • Post Author

Great, Kym!
That is good news, indeed ;)
Thank you for the feedback!
Trav 2007/09/15 5:38 pm

The full IP address works with this script, but wildcards don’t seem to catch the addresses.
Perishable 2007/09/16 9:30 am • Post Author

Trav,

Try using this format instead:

$deny = array("111.111..*..*", "222.222..*..*");

i.e, using two dots before each wildcard operator should do the trick..
August Klotz 2007/09/16 4:09 pm

You can also use something similar to this:

<? $block = "^123\.123\.";
if (in_array($_SERVER['REMOTE_ADDR'],$block)) {
      header("HTTP/1.1 403 Forbidden");
      exit;
} else {
      echo '<h1>Welcome to the site..</h1>';
} ?>

..which would block any IP addresses beginning with 123.123. This code should also work without the second escaped dot (\.) in the first line. The caret (^) indicates the beginning of the string, while the dots are escaped for clarity.
Trav 2007/09/16 5:18 pm

Thanks to both of you for those snippets. I kow very little php and have a hard time learning it so I appreciate it.
Dead Letter Art 2007/09/17 11:45 am

We use something along these lines to block specifically defined ranges of IP addresses:

$hulkSmash = array ("^123.(12[3-9]|1[3-9][0-9]).","^321.321.(32[1-9]|3[3-9][0-9]).");
foreach($hulkSmash as $smashed) {
   if (ereg($smashed, $_SERVER['REMOTE_ADDR'])) {
      echo "Sorry, but this site is not available..";
      exit();
   } else {
      echo "Welcome to our site, oh special ones..";
      exit();
   }
}

I agree with August that using a caret to denote the beginning of a string is a great approach — prevents false positives, etc.
j 2007/09/19 9:54 am

This PHP code doesn’t work for an array of IP addresses. I tried several times but none of the above techniques work! They only work if you know the complete IP address (i.e. xxx.yyy.zzz.aaa). Any clue on how to get this thing to work on an entire range? Thanks!
Robert 2007/09/26 4:28 am

i like this web because you can discover how to unblock some web. i want to know What is the code 222.22.222.
rick 2007/10/10 11:35 am

Ok, I’m new at PHP and this looks cool but what I want to do is allow all our IP’s access and if they don’t match then no access.
We have a lot of them (large gov’t agency).
So I’d want something like all
123.123.*.*
123.12.*.*
124.13.*.*
and then some
123.123.123.*
321.123.223.*
etc.
to get in ok.

Ideas?

123…10 • Newer Comments »