How to Block IP Addresses with PHP

♦ Posted by Jeff Starr in .htaccess, PHP, Security

Updated January 26, 2020 • 109 comments

[ Image: Skeletor Blocks a Move ] Figuratively speaking, hunting down and killing spammers, scrapers, and other online scum remains one of our favorite pursuits. Once we have determined that a particular IP address is worthy of banishment, we generally invoke the magical powers of htaccess to lock the gates. When htaccess is not available, we may summon the versatile functionality of PHP to get the job done.

This method is straightforward. Simply edit, copy and paste the following code example into the top of any PHP for which you wish to block access:

<?php $deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
   header("location: https://example.com/");
   exit();
} ?>

The code basically creates an array of the IP addresses that you wish to block, and then checks incoming addresses against the array. If the incoming (i.e., remote) address matches against any value in the array, the function will deny access with a redirect header to the specified URL, which in this case is the majestic Google home page. It all happens quickly behind the scenes.

Similar tutorial: Block Multiple IP Addresses with PHP »

Usage

When using this code in your pages, simply replace the “dummy” IP addresses (i.e., "111.111.111", "222.222.222", ...) with those that you wish to block (e.g., "123.456.789", "123.456.*", "123.*", ...). Yes, PHP understands wildcard operators (i.e., *). Also you may want to change the redirect location. Currently it is set to https://example.com/, so feel free to change that to whatever URL is desired.

After making any changes, upload the file to your server. If you would like to verify this method, simply lookup your own IP address, add it to the array, and try loading the target page. That’s all there is to it — “grab, gulp, and go”.

Using this method, you may also wish to create a customized page to which blocked addresses are redirected, perhaps to explain the situation, provide contact information, or display a macro shot of your greasy bum, or perhaps send them to the blackhole.

apache domains ip spam tutorials websites

About the Author

Jeff Starr = Web Developer. Security Specialist. WordPress Buff.

109 responses to “How to Block IP Addresses with PHP”

Cemal 2008/11/17 7:29 am

Jeff, thank you very much for the quick response. I added an htaccess file but it did not have any effect either. It may be because my site is running on Windows IIS platform. I will try your suggestion and let you know.

Thanks agin,

Cemal

Cemal 2008/11/17 6:53 pm

Well, I placed the code snippet into three files:
wp-blog-header.php
wp-comments-post.php
wp-trackback.php

The first one seemed to be the header for all the files, so there it went. The other two by virtue of their names received the same treatment. The code snippet I inserted is below (I hope it does not get gobbled up):

After this, the code that was there starts, again with <?php and so on.

The spammers are still able to post, not visible but they are not blocked. What am I doing wrong? Am I supposed to take the part that begins with $deny and ends with exit(); and place it inside the original code? I know as much about php as I know how to jump over tall buildings!

If this is too much, I certainly can keep deleting the posts. I don’t mean to be bugging you.

Thanks,

Cemal

Jeff Starr 2008/11/18 9:08 am • Post Author

@Cemal: If the goal is to prevent spam from reaching your post comments, there may be no need to fiddle around with PHP, htaccess, and other intrusive methods of protection. Fortunately, there are several excellent WordPress plugins that do an excellent job preventing and eliminating comment spam, among which are Akismet, Bad Behavior, and Spam Karma. Check these out and see if any suit your needs; if not, try searching for alternates on Google — there should be several.
Regards,
Jeff

kristy 2008/11/21 3:01 pm

Hi I want to write a script to block some ip address on my index.php

i have tried the script above.

it only block when i type domain.com as my url
but it will not block when i type in www.domain.com

anyone know why? and how can i rewrite the script to block www.domain.com too?

here is the script i used:

$deny = array("11.111.1.1");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
echo " exit please";
exit();

Jeff Starr 2008/11/24 5:51 pm • Post Author

@kristy: this sounds like a canonicalization issue. Your best bet is to get all URL requests resolving to either www or non-www versions of your pages. This should not only remedy the IP-blocking script, but also improve the overall SEO-quality of your site as well.

Tomi Teirikangas 2008/12/01 5:40 pm

I have a huge problem i have blocked like 40 ip addresses, always who is spamming to my website, is changing ip address, how i make him stop, soon ill go his home and rip his computer out of the wall and throw it out of the window

Greetings from finland, ITS FREEZING HERE

Tomi Teirikangas 2008/12/02 10:20 am

HAAA i god it i make him stop like you Jeff said, got an idea form this sentence “if he is always spamming you using the same keywords or phrases”, now i have blocked 3 links what he pasted to my site, no there hasn’t been any spams, last night was clean :D thanks for all help Jeff.

PHP <3

Jeff Starr 2008/12/02 9:39 am • Post Author

@Tomi Teirikangas: I feel your pain! Unfortunately, if someone wants to spam your site bad enough, there is really no way of stopping them from doing so. You can target different aspects of the spam attacks, however. For example, instead of blocking via IP, you may check to see if he using the same user agent and then block that instead (or in addition to). Likewise, if he is always spamming you using the same keywords or phrases, you could use some regex magic and block them as well. It really all depends on your setup and the nature of the attacks. I recently went into great depth explaining several strategies for preventing spam and malicious activity; you can read through the articles that are summarized here for more information on this topic.

You could also physically destroy his machine, but it sounds like you might prefer to stay indoors where it’s warm ;)

kristy 2008/12/09 2:30 pm

hey jeff,
so where should i start? do you have any link that can show me how to solve the canonicalization issue ?

thanks,

Jeff Starr 2008/12/09 2:39 pm • Post Author

Hi kristy, here is an article I wrote on Universal www-Canonicalization via htaccess. It has everything you need to resolve essential canonicalization issues for your site.

Sandy 2008/12/14 6:49 pm

Jeff,

I am 70 years old and not very computer savvy. I want to thank you for the list of IPs to block when they come up. I was never quite sure when they mention they are trying to connect with remote IP #…..so, I always select “block” to be safe. Thank you for your help and I will keep your site in my “favorites” for reference and to learn.

Sandy

Jeff Starr 2008/12/15 9:08 pm • Post Author

@Sandy: Thank you for the positive feedback — it is my great pleasure to provide assistance to the community! Cheers! :)

Comments are closed for this post. Something to add? Let me know.

Cemal 2008/11/17 7:29 am

Jeff, thank you very much for the quick response. I added an htaccess file but it did not have any effect either. It may be because my site is running on Windows IIS platform. I will try your suggestion and let you know.

Thanks agin,

Cemal
Cemal 2008/11/17 6:53 pm

Well, I placed the code snippet into three files:
wp-blog-header.php
wp-comments-post.php
wp-trackback.php

The first one seemed to be the header for all the files, so there it went. The other two by virtue of their names received the same treatment. The code snippet I inserted is below (I hope it does not get gobbled up):

After this, the code that was there starts, again with <?php and so on.

The spammers are still able to post, not visible but they are not blocked. What am I doing wrong? Am I supposed to take the part that begins with $deny and ends with exit(); and place it inside the original code? I know as much about php as I know how to jump over tall buildings!

If this is too much, I certainly can keep deleting the posts. I don’t mean to be bugging you.

Thanks,

Cemal
Jeff Starr 2008/11/18 9:08 am • Post Author

@Cemal: If the goal is to prevent spam from reaching your post comments, there may be no need to fiddle around with PHP, htaccess, and other intrusive methods of protection. Fortunately, there are several excellent WordPress plugins that do an excellent job preventing and eliminating comment spam, among which are Akismet, Bad Behavior, and Spam Karma. Check these out and see if any suit your needs; if not, try searching for alternates on Google — there should be several.
Regards,
Jeff
kristy 2008/11/21 3:01 pm

Hi I want to write a script to block some ip address on my index.php

i have tried the script above.

it only block when i type domain.com as my url
but it will not block when i type in www.domain.com

anyone know why? and how can i rewrite the script to block www.domain.com too?

here is the script i used:

$deny = array("11.111.1.1");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
echo " exit please";
exit();
Jeff Starr 2008/11/24 5:51 pm • Post Author

@kristy: this sounds like a canonicalization issue. Your best bet is to get all URL requests resolving to either www or non-www versions of your pages. This should not only remedy the IP-blocking script, but also improve the overall SEO-quality of your site as well.
Tomi Teirikangas 2008/12/01 5:40 pm

I have a huge problem i have blocked like 40 ip addresses, always who is spamming to my website, is changing ip address, how i make him stop, soon ill go his home and rip his computer out of the wall and throw it out of the window

Greetings from finland, ITS FREEZING HERE
Tomi Teirikangas 2008/12/02 10:20 am

HAAA i god it i make him stop like you Jeff said, got an idea form this sentence “if he is always spamming you using the same keywords or phrases”, now i have blocked 3 links what he pasted to my site, no there hasn’t been any spams, last night was clean :D thanks for all help Jeff.

PHP <3
Jeff Starr 2008/12/02 9:39 am • Post Author

@Tomi Teirikangas: I feel your pain! Unfortunately, if someone wants to spam your site bad enough, there is really no way of stopping them from doing so. You can target different aspects of the spam attacks, however. For example, instead of blocking via IP, you may check to see if he using the same user agent and then block that instead (or in addition to). Likewise, if he is always spamming you using the same keywords or phrases, you could use some regex magic and block them as well. It really all depends on your setup and the nature of the attacks. I recently went into great depth explaining several strategies for preventing spam and malicious activity; you can read through the articles that are summarized here for more information on this topic.

You could also physically destroy his machine, but it sounds like you might prefer to stay indoors where it’s warm ;)
kristy 2008/12/09 2:30 pm

hey jeff,
so where should i start? do you have any link that can show me how to solve the canonicalization issue ?

thanks,
Jeff Starr 2008/12/09 2:39 pm • Post Author

Hi kristy, here is an article I wrote on Universal www-Canonicalization via htaccess. It has everything you need to resolve essential canonicalization issues for your site.
Sandy 2008/12/14 6:49 pm

Jeff,

I am 70 years old and not very computer savvy. I want to thank you for the list of IPs to block when they come up. I was never quite sure when they mention they are trying to connect with remote IP #…..so, I always select “block” to be safe. Thank you for your help and I will keep your site in my “favorites” for reference and to learn.

Sandy
Jeff Starr 2008/12/15 9:08 pm • Post Author

@Sandy: Thank you for the positive feedback — it is my great pleasure to provide assistance to the community! Cheers! :)

« Previous Comments • 1…45678…10 • Newer Comments »