Block unwanted users from your web site using Apache .htaccess

If you run a website, then by default it is accessible to the whole planet internet.

If your web statistics are showing that most of your traffic is not your intended target you may not want to let any foreign countries index or waste bandwidth on your server.

You can block unwanted users or bots from accessing your website via .htaccess rules. The .htaccess file is a hidden file on the server that can be used to control access to your website among other features.

Following the steps below we'll walk through several different ways in which you can block unwanted users from being able to access your website.
Edit your .htaccess file

To use any of the forms of blocking an unwanted user from your website, you'll need to edit your .htaccess file.

  • Login to your Plesk Panel.
  • Under the Files tab, click on File Manager.
  • Select the Document Root (/httpdocs) for: option, and choose your domain from the drop-down.
  • Ensure that Show Hidden Files is selected.
  • Then click Go.
    Then:
    • Right-click on the .htaccess file and select Edit or if your .htaccess file doesn't exist already, click on New File at the top-left, name the file .htaccess, and finally set the directory for the file to be created to /httpdocs/ or the document root of your site.
    • You might have a text editor encoding dialog box pop-up, you can simply click on Edit in Text Editor.

Block by IP address

You might have one particular IP address, or multiple IP addresses that are causing a problem on your website. In this event, you can simply outright block these problematic IP addresses from accessing your site.
Block a single IP address

If you just need to block a single IP address, or multiple IPs not in the same range, you can do so with this rule:

deny from 123.123.123.123

Block a range of IP addresses

To block an IP range, such as 123.123.123.1 - 123.123.123.255, you can leave off the last octet:

deny from 123.123.123

You can also use CIDR (Classless Inter-Domain Routing) notation for blocking IPs:

To block the range 123.123.123.1 - 123.123.123.255, use 123.123.123.0/24
To block the range 123.123.64.1 - 123.123.127.255, use 123.123.123.0/18

deny from 123.123.123.0/24

Block bad users based on their User-Agent string

Some malicious users will send requests from different IP addresses, but still using the same User-Agent for sending all of the requests. In these events you can also block users by their User-Agent strings.
Block a single bad User-Agent

If you just wanted to block one particular User-Agent string, you could use this RewriteRule:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Baiduspider [NC]
RewriteRule .* - [F,L]

Alternatively, you can also use the BrowserMatchNoCase Apache directive like this:

BrowserMatchNoCase "Baiduspider" bots

Order Allow,Deny
Allow from ALL
Deny from env=bots

Block multiple bad User-Agents

If you wanted to block multiple User-Agent strings at once, you could do it like this:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.(Baiduspider|HTTrack|Yandex).$ [NC]
RewriteRule .* - [F,L]

Or you can also use the BrowserMatchNoCase directive like this:

BrowserMatchNoCase "Baiduspider" bots
BrowserMatchNoCase "HTTrack" bots
BrowserMatchNoCase "Yandex" bots

Order Allow,Deny
Allow from ALL
Deny from env=bots

Block by referer

Block a single bad referer

If you just wanted to block a single bad referer like example.com you could use this RewriteRule:

RewriteEngine On
RewriteCond %{HTTP_REFERER} domain.com [NC]
RewriteRule .* - [F]

Alternatively, you could also use the SetEnvIfNoCase Apache directive like this:

SetEnvIfNoCase Referer "domain.com" bad_referer

Order Allow,Deny
Allow from ALL
Deny from env=bad_referer

Block multiple bad referers

If you just wanted to block multiple referers like example.com and example.net you could use:

RewriteEngine On
RewriteCond %{HTTP_REFERER} domain.com [NC,OR]
RewriteCond %{HTTP_REFERER} domain.net
RewriteRule .* - [F]

Or you can also use the SetEnvIfNoCase Apache directive like this:

SetEnvIfNoCase Referer "domain.com" bad_referer
SetEnvIfNoCase Referer "domain.net" bad_referer

Order Allow,Deny
Allow from ALL
Deny from env=bad_referer


Properties ID: 000432   Views: 5566   Updated: 9 years ago