How to Block IP Addresses with PHP
Figuratively speaking, hunting down and killing spammers, scrapers, and other online scum remains one of our favorite pursuits. Once we have determined that a particular IP address is worthy of banishment, we generally invoke the magical powers of htaccess to lock the gates. When htaccess is not available, we may summon the versatile functionality of PHP to get the job done.
This method is straightforward. Simply edit, copy and paste the following code example into the top of any PHP file for which you wish to block access:
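<?php
// IP addresses to block (placeholder values; replace with real addresses)
$deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
    // Redirect the blocked visitor and stop processing the page
    header("Location: https://example.com/");
    exit();
}
?>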
The code basically creates an array of the IP addresses that you wish to block, and then checks incoming addresses against the array. If the incoming (i.e., remote) address matches any value in the array, the script denies access with a redirect header to the specified URL, which in this case is https://example.com/. It all happens quickly behind the scenes.
Usage
When using this code in your pages, simply replace the “dummy” IP addresses (i.e., "111.111.111", "222.222.222", ...) with those that you wish to block (e.g., "123.456.789", "123.456.*", "123.*", ...). Yes, PHP understands wildcard operators (i.e., *). Also, you may want to change the redirect location. Currently it is set to https://example.com/, so feel free to change that to whatever URL is desired.
After making any changes, upload the file to your server. If you would like to verify this method, simply look up your own IP address, add it to the array, and try loading the target page. That’s all there is to it — “grab, gulp, and go”.
Using this method, you may also wish to create a customized page to which blocked addresses are redirected, perhaps to explain the situation, provide contact information, or display a macro shot of your greasy bum, or perhaps send them to the blackhole.
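Note that in_array() compares whole strings, so a list entry such as "123.*" only matches a client whose address is literally that string. The following added example (not the article's code) is one way to match exact addresses, trailing-wildcard entries and CIDR ranges; the function name ip_is_blocked and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not the article's code. IPv4 only; assumes 64-bit PHP.
// Addresses are constructed values from the RFC 5737 documentation ranges.

function ip_is_blocked(string $ip, array $deny): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false; // not a dotted-quad IPv4 address
    }
    foreach ($deny as $rule) {
        if (strpos($rule, '/') !== false) {
            // CIDR rule such as "203.0.113.0/24": compare the network bits.
            [$net, $bits] = explode('/', $rule, 2);
            $netLong = ip2long($net);
            if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
                continue; // malformed rule: skip it rather than match by accident
            }
            $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
            if (($addr & $mask) === ($netLong & $mask)) {
                return true;
            }
        } elseif (substr($rule, -2) === '.*') {
            // Wildcard rule such as "198.51.100.*": match on whole octets only,
            // so "198.51.1.*" cannot match 198.51.100.7.
            if (strpos($ip, substr($rule, 0, -1)) === 0) {
                return true;
            }
        } elseif ($rule === $ip) {
            return true; // exact address
        }
    }
    return false;
}

$deny = ['192.0.2.10', '198.51.100.*', '203.0.113.0/24'];

// REMOTE_ADDR is the address of the connecting peer; behind a reverse proxy
// or CDN that is the proxy, not the visitor.
if (ip_is_blocked($_SERVER['REMOTE_ADDR'] ?? '', $deny)) {
    header('Location: https://example.com/');
    exit();
}
```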
109 responses to “How to Block IP Addresses with PHP”
Jeff, thank you very much for the quick response. I added an htaccess file but it did not have any effect either. It may be because my site is running on Windows IIS platform. I will try your suggestion and let you know.
Thanks again,
Cemal
Well, I placed the code snippet into three files:
wp-blog-header.php
wp-comments-post.php
wp-trackback.php
The first one seemed to be the header for all the files, so there it went. The other two by virtue of their names received the same treatment. The code snippet I inserted is below (I hope it does not get gobbled up):
After this, the code that was there starts, again with <?php and so on.
The spammers are still able to post, not visible but they are not blocked. What am I doing wrong? Am I supposed to take the part that begins with $deny and ends with exit(); and place it inside the original code? I know as much about php as I know how to jump over tall buildings!
If this is too much, I certainly can keep deleting the posts. I don’t mean to be bugging you.
Thanks,
Cemal
@Cemal: If the goal is to prevent spam from reaching your post comments, there may be no need to fiddle around with PHP, htaccess, and other intrusive methods of protection. Fortunately, there are several excellent WordPress plugins that do an excellent job preventing and eliminating comment spam, among which are Akismet, Bad Behavior, and Spam Karma. Check these out and see if any suit your needs; if not, try searching for alternates on Google — there should be several.
Regards,
Jeff
Hi, I want to write a script to block some IP addresses on my index.php. I have tried the script above. It only blocks when I type domain.com as my URL, but it will not block when I type in www.domain.com. Anyone know why? And how can I rewrite the script to block www.domain.com too? Here is the script I used:
$deny = array("11.111.1.1");
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
    echo " exit please";
    exit();
}
@kristy: this sounds like a canonicalization issue. Your best bet is to get all URL requests resolving to either www or non-www versions of your pages. This should not only remedy the IP-blocking script, but also improve the overall SEO-quality of your site as well.
I have a huge problem: I have blocked like 40 IP addresses, but whoever is spamming my website is always changing IP address. How do I make him stop? Soon I'll go to his home and rip his computer out of the wall and throw it out of the window.
Greetings from Finland, ITS FREEZING HERE
HAAA, I got it, I made him stop like you said, Jeff. I got an idea from this sentence: “if he is always spamming you using the same keywords or phrases”. Now I have blocked 3 links that he pasted to my site, and now there hasn’t been any spam, last night was clean :D Thanks for all the help, Jeff.
PHP <3
@Tomi Teirikangas: I feel your pain! Unfortunately, if someone wants to spam your site bad enough, there is really no way of stopping them from doing so. You can target different aspects of the spam attacks, however. For example, instead of blocking via IP, you may check to see if he is using the same user agent and then block that instead (or in addition). Likewise, if he is always spamming you using the same keywords or phrases, you could use some regex magic and block them as well. It really all depends on your setup and the nature of the attacks. I recently went into great depth explaining several strategies for preventing spam and malicious activity; you can read through the articles that are summarized here for more information on this topic.
You could also physically destroy his machine, but it sounds like you might prefer to stay indoors where it’s warm ;)
hey jeff,
so where should i start? do you have any link that can show me how to solve the canonicalization issue ?
thanks,
Hi kristy, here is an article I wrote on Universal www-Canonicalization via htaccess. It has everything you need to resolve essential canonicalization issues for your site.
Jeff,
I am 70 years old and not very computer savvy. I want to thank you for the list of IPs to block when they come up. I was never quite sure when they mention they are trying to connect with remote IP #…..so, I always select “block” to be safe. Thank you for your help and I will keep your site in my “favorites” for reference and to learn.
Sandy
@Sandy: Thank you for the positive feedback — it is my great pleasure to provide assistance to the community! Cheers! :)