How to Block IP Addresses
Web servers can host many different domains on one hosting account under Linux/Apache, and public access to each domain and its folders and files can be controlled through the use of a .htaccess file to block a specific IP address, range of IP addresses, or multipleseparate IP addresses. The .htaccess file is typically found in the root folder of your domain (where you would also find the starting page for your web site) and is used for other purposes other than just controlling access to folders and files.
Installing a .htaccess file is not limited to the web site root folder, however. You can install the .htaccess file in any of your sub-folders and the server will apply the rules only to site visitors that attempt to access a file in that folder or any sub-folders below.
Limiting access to certain folders or to entire web sites is sometimes necessary when you find that your web site forms are being abused, your forum or blog is being harassed by spammers, or you want to setup a protected area that only yourself or those you designate will have access. You might need to block a specific IP address, a range of IP addresses, or an entire country from accessing certain folders and files on your site.
A .htaccess file is also used for other purposes as well, such as creating redirect rules for files and folders that have been moved to different locations, or for redirecting an entire web site to a different domain.
The format of a .htaccess file is plain text, and can be created with a simple text editor. The file must be saved as an ASCII text file, so make sure that you use an ASCII text editor such as Notepad or a programmer's text editor. You must also use an FTP tool for uploading the .htaccess file into the right folder within your web site structure.
Many hosting services allow the use of .htaccess files in your web site, and some provide access to the .htaccess file only through a site manager. Some hosting services don't allow access to a .htaccess file at all. Check with your host for specific instructions on how to update the .htaccess file for your site if it isn't obvious from your site manager control panel. Our virtual servers allow you to use a .htaccess file wherever you need it.
Be aware that the file name of .htaccess appears to have only an extension (the part of the file name following the dot). On a UNIX based system, a file name that begins with a period (.) indicates a hidden system file, and as such, may be invisible when viewing the file list on the web server through your FTP program. All FTP programs provide the option to view hidden system files so check the documentation provided with your FTP application.
When a .htaccess is downloaded to a Windows based PC, it can appear to have no file name — only an extension. This is normal for PC based systems and your text editor should not have any problems loading and editing a file with no name and only an extension. If you find yourself having problems, rename the file on your PC to something like text.htaccess or htaccess.txt, make your changes, upload the file to your hosting account, remove the existing .htaccess file, and then rename the edited file to .htaccess using your FTP software.
Allow from All but Deny from a Specific IP Address(es)
The format of the instructions to place into the .htaccess file for blocking access to a protected area is as follows:
order deny,allow deny from 99.999.999.991 deny from 99.999.999.992 deny from 99.999.999.993 allow from all
These instructions tell the web server to deny all requests to the web site protected area from IP addresses 99.999.999.991, 99.999.999.992, and 99.999.999.993, but allow requests from all other IP addresses.
Although it is typical to block access to an entire site from certain IP addresses, it might be necessary to only block access to a particular page or class of pages, i.e., all forms on the site. In order to accomplish this, move your form pages such as a signup page into an isolated directory where you can upload a .htaccess file into the same folder to control access to the critical pages. For instance, if I have a register.html page in my site and I want to block access only to this page, I would first create a new folder such as "/signup" and move my register.html page into this new folder. Then, create and upload a .htaccess file into this new folder. Here is an example of how the folder structure would then look:
root folder (where you store your main site html files) /signup (new signup folder and where I will install the .htaccess file) /signup/register.html (my new signup form) /signup/.htaccess (to block access from specific IP addresses to this folder and still allow access to rest of the web site)
You should also add a new entry into your main site's .htaccess file (the one in your root folder) to redirect traffic from the old form location to the new form location.
redirect 301 /register.html http://www.mydomain.com/signup/register.html
Once you create or update the .htaccess file with these instructions, use your FTP program to upload the file to your web site in the root folder or the sub-folder you want to protect. It is not necessary to reboot the web server software when adding instructions to an .htaccess file because the changes take effect immediately (the .htaccess file is read by the web server on every request for a page).
Deny from All but Allow from a Specific IP Address(es)
You may also want to limit access to a folder only to a specific IP address or range of IP addresses. The format is the same but the contents of the .htaccess is slightly different.
order deny,allow deny from all allow from 99.999.999.991 allow from 99.999.999.992 allow from 99.999.999.993
In this case you are denying access from everyone but allowing access to only specific IP addresses or domain names.