New Bookstore! Save 20% on books with discount code: LAUNCH
Web Dev + WordPress + Security

Block Tough Proxies

If you want to block tough proxies like, my previously posted .htaccess methods won’t work. Those methods will block quite a bit of proxy visits to your site, but won’t work on the stealthier proxies. Fortunately, we can use a bit of PHP to keep them out.

Block Tough Proxies with PHP

To stop tough proxy visits from sites like, add the following slice of finely crafted PHP to the top of your header.php file:

<?php if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1))
die("Proxy access not allowed"); ?>

If you’re not using WordPress, just place the code at the top of your web page(s). No editing is necessary, so just add the code, upload the file, and done. You can check that it works by visiting your site via your favorite proxy service. If it works, access will be denied.

This method works for me on a Linux server running Apache 2.2.3, MySQL 5.0, and PHP 5.2.6. It should work on similar setups as well, but your results may vary depending on your server configuration.

Block Other Proxies with .htaccess

If for whatever reason you aren’t using the above PHP method, you can still block a majority of the “lesser” proxies by adding the following block of HTAccess code to your site’s root .htaccess file:

<ifModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{HTTP:VIA}                 !^$ [OR]
 RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
 RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
 RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
 RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
 RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
 RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
 RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$
 RewriteRule .* - [F]

This proxy-blocking technique is less-effective than the PHP method, but should help reduce overall proxy traffic to your site. Using HTAccess to filter proxies requires fewer system resources than the PHP method. So if you get tons of traffic or have lots of pages, you’re better off sticking with the HTAccess technique. It’s sort of a trade-off between effective proxy-blocking and optimum performance, which will vary depending on your needs and server configuration.

My Strategy

On most of my personal sites, I allow proxy access. I understand the need for privacy, but there are situations where denying proxy visits makes sense. Most often, the .htaccess code is a suitable solution. But for sites where anonymity isn’t an option, the PHP method is the way to go.

Jeff Starr
About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.
USP Pro: Unlimited front-end forms for user-submitted posts and more.

10 responses to “Block Tough Proxies”

  1. PhpMyCoder 2011/07/18 2:21 pm


    I agree that your PHP solution is a nice little trick, but I think it is possible it will do more harm than hurt.

    By blocking requests from computers (or servers) that listen to port 80 you would basically be blocking anybody who has a home testing server setup. I have a LAMP and an XAMPP setup (and expose one to the internet) so this PHP would block me and I suspect would block a majority of the web development community. This code could also block Google’s spiders because if you navigate to a Googlebot IP, it redirects you to Google’s homepage (at least it did the last time I checked).

    You also add the overhead of making a request before serving content to the user. Since PHP isn’t non-blocking like Node.JS, the script would have to wait for the request to fail or timeout for computers that don’t listen to port 80.
    Personally I’d stick with the htaccess rules. They won’t block everything, but with them legitimate users won’t be identified as proxies.


    • Jeff Starr
      Jeff Starr 2011/07/18 2:27 pm

      I agree – all good points. I should’ve gone into more detail in the post. The htaccess rules work great at reducing overall proxy visits, but for those (hopefully) rare situations where visitor identity is required, the PHP snippet does the job. Hopefully it well help those who need it, and maybe inspire someone to produce a more widely applicable method. Thanks for the feedback :)

  2. Simon Sigurdhsson 2011/07/18 2:11 pm

    Be aware that the “Tough proxy” block will also block any visitors that have a web server set up on their own network.

  3. Jeff,
    what about who’s using a secure VPN to avoid having their traffic unencrypted on a public WIFI network? Is this script gonna stop that traffic too?

    • Jeff Starr

      I think it should, but don’t have anything like that set up for testing, so can’t say for sure.

      • I understand. I think you might setup something together with Chris Coyer to simulate this situation. You might use this little utility to setup a VPN server; then configure another machine on a different network to use that VPN server as gateway. Don’t know if I’m saying a bunch of crap and there’s actually a faster way (ie a free VPN service) to test this thing.

        Actually the number of people that is getting these VPN services on untrusted WIFI is growing; moreover people living in countries with a government limitation on internet are using these services too.

      • Jeff Starr

        Thanks for the suggestion – sounds like another great idea :)

  4. I tried with my blog in the header.php put it at very beginning. With most
    proxies it works but with it doesnt work.

    Great blog.

    All the best

  5. Fabian Wolf 2011/07/21 9:56 am

    hi there,

    comment via mail cause comments seem to be already closed – OT: definitely
    NOT good (see my comments on your post over there) – so here we go:

    Its plainly said dumb to let a local development server run open to the
    public – thats why my local server is NOT publicy accesible; although I
    sometimes open access to it using a DynDNS provider.

    This also automatically solves problems like being blocked from using a site
    because it “thinks” you’re homing in via proxy ;)

    cu, w0lf.

    ps: another question – does this block access by any proxy? Any mobile phone
    provider I know of (at least in Germany) is using proxy servers – so won’t
    mobile users get blocked, too?

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Digging Into WordPress: Take your WordPress skills to the next level.
Take a screenshot with Firefox (no extension required). Open Developer Tools Settings and enable the “Take a screenshot” button. Then click the button :)
Take a screenshot with Chrome (no extension required). Open DevTools, type Cmd + Shift + P, then type screenshot.
After 10 years working on my 2010 iMac, my upgrade finally arrived. Shiny new iMac shipped from Ireland :)
Too much caffeine weirds me out. But I love the taste of coffee. So once in a while I enjoy a small cup of decaf. Hits the spot.
Chris Coyier is a truly awesome person. One of the finest people I've ever worked with. Just #gottasayit
Excel won't open CSV file because SYLK format? Open it with text editor and add an apostrophe ' at the beginning of the file, save changes, done.
Displaying too many social media buttons and links all over the place imho makes you look desperate and frankly kinda sad.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.