How to Block IP Addresses with PHP

♦ Posted by Jeff Starr in .htaccess, PHP, Security

Updated January 26, 2020 • 109 comments

[ Image: Skeletor Blocks a Move ] Figuratively speaking, hunting down and killing spammers, scrapers, and other online scum remains one of our favorite pursuits. Once we have determined that a particular IP address is worthy of banishment, we generally invoke the magical powers of htaccess to lock the gates. When htaccess is not available, we may summon the versatile functionality of PHP to get the job done.

This method is straightforward. Simply edit, copy and paste the following code example into the top of any PHP for which you wish to block access:

<?php $deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
   header("location: https://example.com/");
   exit();
} ?>

The code basically creates an array of the IP addresses that you wish to block, and then checks incoming addresses against the array. If the incoming (i.e., remote) address matches against any value in the array, the function will deny access with a redirect header to the specified URL, which in this case is the majestic Google home page. It all happens quickly behind the scenes.

Similar tutorial: Block Multiple IP Addresses with PHP »

Usage

When using this code in your pages, simply replace the “dummy” IP addresses (i.e., "111.111.111", "222.222.222", ...) with those that you wish to block (e.g., "123.456.789", "123.456.*", "123.*", ...). Yes, PHP understands wildcard operators (i.e., *). Also you may want to change the redirect location. Currently it is set to https://example.com/, so feel free to change that to whatever URL is desired.

After making any changes, upload the file to your server. If you would like to verify this method, simply lookup your own IP address, add it to the array, and try loading the target page. That’s all there is to it — “grab, gulp, and go”.

Using this method, you may also wish to create a customized page to which blocked addresses are redirected, perhaps to explain the situation, provide contact information, or display a macro shot of your greasy bum, or perhaps send them to the blackhole.

apache domains ip spam tutorials websites

About the Author

Jeff Starr = Web Developer. Book Author. Secretly Important.

109 responses to “How to Block IP Addresses with PHP”

Jeff Starr 2008/09/01 12:00 pm • Post Author

Sounds good, Jen. Glad to hear everything is back on track with your new blog. Hopefully your stalker will give up looking for you and move on with her life. Best of luck to you; let me know if I may be of any help in the future. :)
Cheers,
Jeff

use to be 'just jen'...shsh..stealth mode 2008/09/01 4:39 pm

Thanks for the well wishes :)
you can stop by and visit my blog any time you want but don’t expect anything too exciting…LOL
Keep me posted on that toolator :)

David 2008/09/10 1:31 pm

Hi Jeff, Could you help me out with some code that will block an IP on a Craigslist ad? Please? Someone is deleting my ad every day. I have their IP address, but can’t find a code that will work. Please help if you can. Thanks, David

Jeff Starr 2008/09/14 8:41 am • Post Author

Hi David, I feel your pain, but unfortunately blocking someone from accessing the Craigslist site requires access to the Craigslist server, unless I am missing something here..

David 2008/09/15 11:24 am

Thanks Jeff. I was ready for that answer. Do you, or does anyone have any neat little tricks that I can add to the html of the ad to get a little pay back?

Jeff Starr 2008/09/17 8:39 am • Post Author

Unfortunately, all of the fun stuff requires access to the server.. And even then, getting involved with “pay back”-type behavior may be risky, especially if you aren’t really familiar with what you are doing. The person whom you are targeting might be some deadly hacker ninja who could ruin your life. Not worth it, in my opinion.

Szektor 2008/09/30 6:47 pm

Hi,
this is a nice code.
Do you know about a free hacker/spammer ip database?
That is the only thing I miss now. ;)

Jeff Starr 2008/10/05 10:40 am • Post Author

Yes, that would be nice, eh! ;)

John Boyd 2008/11/02 11:03 am

Thanks for the post. Do you know how to deny a submission if keywords and .com etc. are in the message field?

John Boyd 2008/11/02 11:28 am

P.S.

Here’s a cool link to redirect them to rather than google: http://www.ftc.gov/bcp/conline/edcams/spam/report.html

: )

Cemal 2008/11/16 8:04 pm

I am trying to prevent a spam source from leaving comments or pingbacks. Although spam is caught by Akismet it clutters my mind more than anything else. I placed this snippet at the very top of the header.php file with no effect what so ever. Am I supposed to place it after the DTD declaration or HTML or any other part?

Thank you.

Cemal

Jeff Starr 2008/11/16 9:37 pm • Post Author

Hi Cemal, the problem is that comments and pingbacks are processed by a file other than those found in your WordPress theme files. The theme files display information from the database, but they aren’t generally involved in putting it there. Instead, look for a file called wp-comments.php (or something similar, depending on your particular WP version), and try adding the code to that file. The wp-comments.php is the actual file that must be accessed by commentators (or spammers, etc.) to leave comments. Placing the PHP block script at the very beginning of that file should do the trick, although I have not tested it because I prefer to block via htaccess instead.
Regards,
Jeff

Comments are closed for this post. Something to add? Let me know.

Jeff Starr 2008/09/01 12:00 pm • Post Author

Sounds good, Jen. Glad to hear everything is back on track with your new blog. Hopefully your stalker will give up looking for you and move on with her life. Best of luck to you; let me know if I may be of any help in the future. :)
Cheers,
Jeff
use to be 'just jen'...shsh..stealth mode 2008/09/01 4:39 pm

Thanks for the well wishes :)
you can stop by and visit my blog any time you want but don’t expect anything too exciting…LOL
Keep me posted on that toolator :)
David 2008/09/10 1:31 pm

Hi Jeff, Could you help me out with some code that will block an IP on a Craigslist ad? Please? Someone is deleting my ad every day. I have their IP address, but can’t find a code that will work. Please help if you can. Thanks, David
Jeff Starr 2008/09/14 8:41 am • Post Author

Hi David, I feel your pain, but unfortunately blocking someone from accessing the Craigslist site requires access to the Craigslist server, unless I am missing something here..
David 2008/09/15 11:24 am

Thanks Jeff. I was ready for that answer. Do you, or does anyone have any neat little tricks that I can add to the html of the ad to get a little pay back?
Jeff Starr 2008/09/17 8:39 am • Post Author

Unfortunately, all of the fun stuff requires access to the server.. And even then, getting involved with “pay back”-type behavior may be risky, especially if you aren’t really familiar with what you are doing. The person whom you are targeting might be some deadly hacker ninja who could ruin your life. Not worth it, in my opinion.
Szektor 2008/09/30 6:47 pm

Hi,
this is a nice code.
Do you know about a free hacker/spammer ip database?
That is the only thing I miss now. ;)
Jeff Starr 2008/10/05 10:40 am • Post Author

Yes, that would be nice, eh! ;)
John Boyd 2008/11/02 11:03 am

Thanks for the post. Do you know how to deny a submission if keywords and .com etc. are in the message field?
John Boyd 2008/11/02 11:28 am

P.S.

Here’s a cool link to redirect them to rather than google: http://www.ftc.gov/bcp/conline/edcams/spam/report.html

: )
Cemal 2008/11/16 8:04 pm

I am trying to prevent a spam source from leaving comments or pingbacks. Although spam is caught by Akismet it clutters my mind more than anything else. I placed this snippet at the very top of the header.php file with no effect what so ever. Am I supposed to place it after the DTD declaration or HTML or any other part?

Thank you.

Cemal
Jeff Starr 2008/11/16 9:37 pm • Post Author

Hi Cemal, the problem is that comments and pingbacks are processed by a file other than those found in your WordPress theme files. The theme files display information from the database, but they aren’t generally involved in putting it there. Instead, look for a file called wp-comments.php (or something similar, depending on your particular WP version), and try adding the code to that file. The wp-comments.php is the actual file that must be accessed by commentators (or spammers, etc.) to leave comments. Placing the PHP block script at the very beginning of that file should do the trick, although I have not tested it because I prefer to block via htaccess instead.
Regards,
Jeff

« Previous Comments • 1…34567…10 • Newer Comments »