Fall Sale! Code FALL2024 takes 25% OFF our Pro Plugins & Books »
Web Dev + WordPress + Security

How to Block IP Addresses with PHP

[ Image: Skeletor Blocks a Move ] Figuratively speaking, hunting down and killing spammers, scrapers, and other online scum remains one of our favorite pursuits. Once we have determined that a particular IP address is worthy of banishment, we generally invoke the magical powers of htaccess to lock the gates. When htaccess is not available, we may summon the versatile functionality of PHP to get the job done.

This method is straightforward. Simply edit, copy and paste the following code example into the top of any PHP for which you wish to block access:

<?php $deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
   header("location: https://example.com/");
   exit();
} ?>

The code basically creates an array of the IP addresses that you wish to block, and then checks incoming addresses against the array. If the incoming (i.e., remote) address matches against any value in the array, the function will deny access with a redirect header to the specified URL, which in this case is the majestic Google home page. It all happens quickly behind the scenes.

Usage

When using this code in your pages, simply replace the “dummy” IP addresses (i.e., "111.111.111", "222.222.222", ...) with those that you wish to block (e.g., "123.456.789", "123.456.*", "123.*", ...). Yes, PHP understands wildcard operators (i.e., *). Also you may want to change the redirect location. Currently it is set to https://example.com/, so feel free to change that to whatever URL is desired.

After making any changes, upload the file to your server. If you would like to verify this method, simply lookup your own IP address, add it to the array, and try loading the target page. That’s all there is to it — “grab, gulp, and go”.

Using this method, you may also wish to create a customized page to which blocked addresses are redirected, perhaps to explain the situation, provide contact information, or display a macro shot of your greasy bum, or perhaps send them to the blackhole.

About the Author
Jeff Starr = Creative thinker. Passionate about free and open Web.
.htaccess made easy: Improve site performance and security.

109 responses to “How to Block IP Addresses with PHP”

  1. Jeff, thank you very much for the quick response. I added an htaccess file but it did not have any effect either. It may be because my site is running on Windows IIS platform. I will try your suggestion and let you know.

    Thanks agin,

    Cemal

  2. Well, I placed the code snippet into three files:
    wp-blog-header.php
    wp-comments-post.php
    wp-trackback.php

    The first one seemed to be the header for all the files, so there it went. The other two by virtue of their names received the same treatment. The code snippet I inserted is below (I hope it does not get gobbled up):

    After this, the code that was there starts, again with <?php and so on.

    The spammers are still able to post, not visible but they are not blocked. What am I doing wrong? Am I supposed to take the part that begins with $deny and ends with exit(); and place it inside the original code? I know as much about php as I know how to jump over tall buildings!

    If this is too much, I certainly can keep deleting the posts. I don’t mean to be bugging you.

    Thanks,

    Cemal

  3. Jeff Starr 2008/11/18 9:08 am

    @Cemal: If the goal is to prevent spam from reaching your post comments, there may be no need to fiddle around with PHP, htaccess, and other intrusive methods of protection. Fortunately, there are several excellent WordPress plugins that do an excellent job preventing and eliminating comment spam, among which are Akismet, Bad Behavior, and Spam Karma. Check these out and see if any suit your needs; if not, try searching for alternates on Google — there should be several.
    Regards,
    Jeff

  4. Hi I want to write a script to block some ip address on my index.php

    i have tried the script above.

    it only block when i type domain.com as my url
    but it will not block when i type in www.domain.com

    anyone know why? and how can i rewrite the script to block www.domain.com too?

    here is the script i used:

    $deny = array("11.111.1.1");
    if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
    echo " exit please";
         exit();

  5. Jeff Starr 2008/11/24 5:51 pm

    @kristy: this sounds like a canonicalization issue. Your best bet is to get all URL requests resolving to either www or non-www versions of your pages. This should not only remedy the IP-blocking script, but also improve the overall SEO-quality of your site as well.

  6. Tomi Teirikangas 2008/12/01 5:40 pm

    I have a huge problem i have blocked like 40 ip addresses, always who is spamming to my website, is changing ip address, how i make him stop, soon ill go his home and rip his computer out of the wall and throw it out of the window

    Greetings from finland, ITS FREEZING HERE

  7. Tomi Teirikangas 2008/12/02 10:20 am

    HAAA i god it i make him stop like you Jeff said, got an idea form this sentence “if he is always spamming you using the same keywords or phrases”, now i have blocked 3 links what he pasted to my site, no there hasn’t been any spams, last night was clean :D thanks for all help Jeff.

    PHP <3

  8. Jeff Starr 2008/12/02 9:39 am

    @Tomi Teirikangas: I feel your pain! Unfortunately, if someone wants to spam your site bad enough, there is really no way of stopping them from doing so. You can target different aspects of the spam attacks, however. For example, instead of blocking via IP, you may check to see if he using the same user agent and then block that instead (or in addition to). Likewise, if he is always spamming you using the same keywords or phrases, you could use some regex magic and block them as well. It really all depends on your setup and the nature of the attacks. I recently went into great depth explaining several strategies for preventing spam and malicious activity; you can read through the articles that are summarized here for more information on this topic.

    You could also physically destroy his machine, but it sounds like you might prefer to stay indoors where it’s warm ;)

  9. hey jeff,
    so where should i start? do you have any link that can show me how to solve the canonicalization issue ?

    thanks,

  10. Jeff Starr 2008/12/09 2:39 pm

    Hi kristy, here is an article I wrote on Universal www-Canonicalization via htaccess. It has everything you need to resolve essential canonicalization issues for your site.

  11. Jeff,

    I am 70 years old and not very computer savvy. I want to thank you for the list of IPs to block when they come up. I was never quite sure when they mention they are trying to connect with remote IP #…..so, I always select “block” to be safe. Thank you for your help and I will keep your site in my “favorites” for reference and to learn.

    Sandy

  12. Jeff Starr 2008/12/15 9:08 pm

    @Sandy: Thank you for the positive feedback — it is my great pleasure to provide assistance to the community! Cheers! :)

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Banhammer: Protect your WordPress site against threats.
Thoughts
I disabled AI in Google search results. It was making me lazy.
Went out walking today and soaked up some sunshine. It felt good.
I have an original box/packaging for 2010 iMac if anyone wants it free let me know.
Always ask AI to cite its sources. Also: “The Web” is not a valid answer.
All free plugins updated and ready for WP 6.6 dropping next week. Pro plugin updates in the works also complete :)
99% of video thumbnail/previews are pure cringe. Goofy faces = Clickbait.
RIP ICQ
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.