
How to block an IP address from visiting a website

There are many reasons you may need to block an IP address from visiting your website, for example to stop particular users from doing malicious things with it, such as spamming your web forms or trying to hack your shopping cart. Using PHP, you can easily find your site visitors' IP addresses and, based on these addresses, redirect them to specific places on your site. If you use such IP ban protection on your website, you will need to list not only individual addresses to be blocked but also IP masks and IP ranges.

Let's start! First, we will create an array to list all the IP addresses that we want to block. Besides single IP addresses, we will also use IP ranges such as 216.58.197.101-216.58.197.200 and IP masks such as 100.88.*.*. Here is the array:

<?php
$ip_block = array(
    '111.65.248.132',
    '216.58.197.119',
    '192.168.1.100',
    '192.168.1.105',
    '100.88.*.*',
    '122.25.100.*',
    '216.58.197.101-216.58.197.200',
    '98.255.255.100-98.255.255.150'
);

When a visitor comes to your website you will need to find their IP address and store it in a variable. You can find out the IP address using this piece of code:

// REMOTE_ADDR is the address of the connection as seen by the web server.
// Every other variable below is filled from a header sent with the request,
// so it is only reliable when a proxy you control sets or overwrites it.
if (isset($_SERVER['HTTP_CLIENT_IP']))
{
    $client_ip = $_SERVER['HTTP_CLIENT_IP'];
} else if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else if(isset($_SERVER['HTTP_X_FORWARDED'])) {
    $client_ip = $_SERVER['HTTP_X_FORWARDED'];
} else if(isset($_SERVER['HTTP_FORWARDED_FOR'])) {
    $client_ip = $_SERVER['HTTP_FORWARDED_FOR'];
} else if(isset($_SERVER['HTTP_FORWARDED'])) {
    $client_ip = $_SERVER['HTTP_FORWARDED'];
} else if(isset($_SERVER['REMOTE_ADDR'])) {
    $client_ip = $_SERVER['REMOTE_ADDR'];
}

The code above will check every possible variable which may hold information about the visitor's IP address. Once it has run, you will have the visitor's IP address stored in the $client_ip variable. Now we have to create a loop and match the visitor's IP address against each entry that we have in our $ip_block array. In the code below there are 3 IF cases:

1) if($client_ip == $ip) - the visitor's IP address exactly matches an IP address defined in the $ip_block array. In this case we set the variable $blocked to true and exit the loop.

2) if(strpos($ip, '*') !== false) - the blocked entry contains *, in other words we use a mask to define the IP addresses that we need to block. If, for example, you define
100.100.100.*
this will block all visitors with IP addresses 100.100.100.1, 100.100.100.2, 100.100.100.3, ... 100.100.100.255. To check the visitor's IP address against such a mask, we split the IP addresses by . and match each of the 4 parts of the IP address. If there is a match, we consider the IP address to be blocked and exit the loop.

3) if(strpos($ip, "-") !== false) - with the last IF case we check whether the visitor's IP address should be checked against an IP range. In that case we convert the IP address to an integer using the ip2long() function and compare that integer with the start and end IP addresses of the range.

$blocked = false;
// Integer form of the visitor's address for the range check below
// (ip2long() returns false when $client_ip is not a valid IPv4 address).
$client_ip_long = ip2long($client_ip);
foreach($ip_block as $ip)
{
    if($client_ip == $ip)
    {
        // 1) exact match
        $blocked = true;
        break;
    }else if(strpos($ip, '*') !== false){
        // 2) mask: compare the parts that come before the first *
        $digits = explode(".", $ip);
        $client_ip_digits = explode(".", $client_ip);
        if($digits[1] == '*' && $digits[0] == $client_ip_digits[0])
        {
            $blocked = true;
            break;
        }else if($digits[2] == '*' && $digits[0] == $client_ip_digits[0] && $digits[1] == $client_ip_digits[1]){
            $blocked = true;
            break;
        }else if($digits[3] == '*' && $digits[0] == $client_ip_digits[0] && $digits[1] == $client_ip_digits[1] && $digits[2] == $client_ip_digits[2]){
            $blocked = true;
            break;
        }
    }else if(strpos($ip, "-") !== false){
        // 3) range: compare the addresses as integers
        list($start_ip, $end_ip) = explode("-", $ip);
        $start_ip = preg_replace('/\s+/', '', $start_ip);
        $end_ip = preg_replace('/\s+/', '', $end_ip);

        $start_ip_long = ip2long($start_ip);
        $end_ip_long = ip2long($end_ip);

        if($client_ip_long !== false && $client_ip_long >= $start_ip_long && $client_ip_long <= $end_ip_long)
        {
            $blocked = true;
            break;
        }
    }
}

At the end we will have a variable $blocked which, if set to true, means that the visitor's IP address was found in our list of blocked IP addresses and we should block it.

if($blocked == true)
{
    header('Location: blocked-page.html');
    // Stop here so the rest of the page is not executed and sent along with the redirect.
    exit;
}

You can redirect the user to another page or just print some message.

The above code is also useful if you want to redirect different website visitors to different pages on your website. Using a third-party service, you can find out the country for an IP address and, knowing the visitor's country, redirect them to a specific language version of your website.
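
The address lookup above takes the first forwarded-style header it finds, and those values come from the request itself, so a ban keyed on them holds only if a proxy you control sets them. The following added example (not part of the original article) resolves the address from REMOTE_ADDR and honours X-Forwarded-For only when the connection comes from a listed proxy; the function name, $trusted_proxies, the proxy address 203.0.113.10 and the sample requests are assumptions made up for illustration.

```php
<?php
// Added example, not the article's code. client_ip_for_blocking() and $trusted_proxies
// are hypothetical names; 203.0.113.10 is a constructed reverse-proxy address.
$trusted_proxies = array('203.0.113.10');

// Returns the IPv4 address to test against $ip_block, or false if none can be trusted.
function client_ip_for_blocking(array $server, array $trusted_proxies)
{
    // REMOTE_ADDR is the TCP peer seen by the web server, not a request header.
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false; // the article's mask and ip2long() checks are IPv4-only
    }
    // Forwarded headers count only when the request arrived through our own proxy.
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Assumption: each proxy appends the peer it saw, so the header reads
    // "client, proxy1, proxy2". Walk it right to left; the first hop that is
    // not one of our proxies is the address our infrastructure actually saw.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return false; // malformed entry: refuse rather than guess
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $remote; // header listed only our own proxies
}

// Constructed $_SERVER-style samples, not real traffic.
$samples = array(
    'direct visit, header ignored' => array(
        'REMOTE_ADDR' => '111.65.248.132', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'),
    'via trusted proxy' => array(
        'REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 216.58.197.119'),
    'via trusted proxy, malformed header' => array(
        'REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => 'unknown'),
);
foreach ($samples as $label => $server) {
    $ip = client_ip_for_blocking($server, $trusted_proxies);
    // Treat false as blocked: an address that cannot be established should not pass the ban.
    echo $label, ': ', ($ip === false ? 'no trusted address (block)' : $ip), "\n";
}
```

To use it with the loop above, assign $client_ip = client_ip_for_blocking($_SERVER, $trusted_proxies) and set $blocked to true when it returns false.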

5 Comments to "How to block an IP address from visiting a website"

  • John Doe

    October 2, 2017 at 02:34 am

    What if we want the users with blocked IPs to stay on the same page, but anyone without their IP in the list will be redirected elsewhere, do we just do the following then by replacing 'true' with 'false'?

    if($blocked == false)
    {
    header('Location: new-page.html');
    }

  • Doc Palmere

    September 25, 2017 at 16:41 pm

    Two questions;
    Q1- how would I include the IP block code on my login.php page?

    Q2- If I created a redirect.php page with the blocking IP code in it, what is in the line of code I add to each page (i.e. login.php) to include this file?

    Q3- Can I use simple cms script to manage the IP addresses to be blocked?

    Q4-Is there a benefit to using the above solution over blocking IP at the cPanel level?

    Thanks,
    Doc

    • Sasho Valkanov

      September 26, 2017 at 08:44 am

      Hi Doc,

      the best would be for you to create a function which can be called on each page that you need. So you can create a blockip.php file and make a function

      function blockip() {
      // the php code
      }


      then each page that you need to protect should include this


      <?php
      include("blockip.php");
      blockip();
      ?>


      It's not possible to use Simple CMS script to edit this code, as IP addresses need to be added in the PHP code - blockip.php file.

      Cpanel IP protection will block users from visiting your entire website, and with this IP protection you can block specific users from visiting specific pages.

  • Rick

    November 28, 2016 at 02:16 am

    Where should this code be placed on a website or on a server? I already know the IP address I need to block also.

    • Sasho Valkanov

      November 28, 2016 at 18:31 pm

      You can put this code in a separate .php file and include that .php file in all your web pages (again .php pages).
