Using .htaccess to block IP

What is the proper script in .htaccess for blocking an IP from visiting the site

         

lzr0

8:18 pm on Mar 17, 2014 (gmt 0)

10+ Year Member



Hi,
I am trying to block certain IPs from visiting my site by using .htaccess script like this:
Order Deny,Allow
Deny from xx.xxx.xxx.xx
Allow from all

but it does not work (I checked it by entering my own IP).

The .htaccess file is in my root directory. Should the Deny, Allow directives be placed within some container such as <Directory></Directory>, or can they be "stand-alone" directives?
Does it matter in which part of .htaccess it's placed? (In my case there is a preceding WordPress script like <IfModule mod_rewrite.c>....</IfModule>.)

My site is hosted on an Apache server with Linux hosting, and GoDaddy tech support told me .htaccess should work there, although they can't provide scripting help.
Thanks

lucy24

10:09 pm on Mar 17, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Order Deny,Allow


That's backward. Ordering means that if a request matches both* sides-- like "deny from this IP" and "allow from all" --the second one prevails. Here that would be Allow; you want Deny.

This has nothing to do with the physical sequence of your respective "Allow" and "Deny" directives.


* Or, theoretically, neither side. But this is rare, because most sites will have a "from all" on one side or the other.
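
The Order behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of how Apache 2.2 evaluates Order/Allow/Deny, run over the original rules and a corrected set. The address 203.0.113.7, the function names, and the restriction to full addresses, CIDR blocks and `all` are assumptions of this example.

```python
import ipaddress

# Constructed samples; 203.0.113.7 is a documentation address, not from the thread.
ORIGINAL = "Order Deny,Allow\nDeny from 203.0.113.7\nAllow from all\n"
FIXED = "Order Allow,Deny\nDeny from 203.0.113.7\nAllow from all\n"

def parse(htaccess):
    """Return (order, {"allow": [...], "deny": [...]}) from .htaccess text."""
    order, rules = "deny,allow", {"allow": [], "deny": []}  # 2.2 default Order
    for line in htaccess.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in rules and len(words) >= 3 and words[1].lower() == "from":
            rules[key] += words[2:]
    return order, rules

def matches(specs, client):
    """True if client matches 'all' or any listed address/CIDR block."""
    ip = ipaddress.ip_address(client)
    return any(s.lower() == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)

def is_allowed(htaccess, client):
    """Apply the Order rule: the side named second is evaluated last and wins."""
    order, rules = parse(htaccess)
    allow = matches(rules["allow"], client)
    deny = matches(rules["deny"], client)
    if order == "deny,allow":
        return allow or not deny    # matching neither side: allowed
    if order == "allow,deny":
        return allow and not deny   # matching neither side: denied
    raise ValueError("unsupported Order: " + order)

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        for client in ("203.0.113.7", "198.51.100.20"):
            verdict = "allowed" if is_allowed(conf, client) else "denied"
            print(name, client, verdict)
```

The corrected rules keep Deny and Allow in the same physical sequence as the original; only the Order line changes the outcome for the listed address.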

lzr0

12:10 am on Mar 18, 2014 (gmt 0)

10+ Year Member



lucy24,

Thanks, it works!

lzr0

7:38 pm on Mar 18, 2014 (gmt 0)

10+ Year Member



Hi,
I saw some webmasters put Allow, Deny directives inside <Limit GET>...</Limit> brackets. Is it desired/necessary? In my case it works without <Limit GET>...</Limit> (after I fixed the order per Lucy's explanation).

lucy24

10:05 pm on Mar 18, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There's no reason for <Limit> envelopes unless you're making different rules for different types of requests. In practice, you'll only see GET, HEAD and POST, and generally those are treated the same for everyone. (There's also PUT, but your host has probably got those blocked already.)

I honestly can't think of a rule that you would constrain only to GET requests. I mean, if they're not allowed to see the page, you're not going to let them POST-- let alone PUT-- either.