Cyber security threats are getting worse.
That’s why Magento website owners use various methods to protect their stores from spam bots, hackers, spyware and more.
At Bobcares, we often receive requests from Magento shop owners to secure their Magento application as part of our Server Support Services for web hosts.
Blocking IP addresses that look suspicious is one of the steps we take during Magento hardening.
Today, we’ll discuss the 5 different methods to block an IP address in Magento.
Magento: block IP address – 5 easy ways to do it
It’s easy to block IPs; the harder part is identifying which IPs are malicious.
At Bobcares, our Support Engineers monitor website and system log files, connections to ports, server resource usage, etc. to identify suspicious network traffic and block such IPs.
Now, let’s see the different methods to block IPs in Magento.
1) Using .htaccess file
The most basic method to restrict an IP address in Magento is to modify the .htaccess file.
Our Hosting Engineers add deny rules in this file to block suspicious IP addresses.
For instance, to block the IP address 125.xx.10x.11x, we add the following deny rule in the .htaccess file.
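# Apache 2.2-style access control (provided by mod_access_compat on Apache 2.4).
# No <Directory> wrapper: that section is not allowed inside .htaccess,
# and the file already applies to the directory it sits in.
order deny,allow
deny from 125.xx.10x.11x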
Similarly, in situations where we see attacks from a particular country, we block that specific IP range in the .htaccess file.
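For instance, to block the IP address range 125.xx.10x.*, we add the below rule in the .htaccess file.
# With "order allow,deny" the default is deny, so everyone else must be allowed explicitly
order allow,deny
allow from all
deny from 125.xx.10x.0/24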
Extreme care should be given while modifying the .htaccess file, because improperly configured .htaccess rules can take your website down.
That’s why our Support Engineers always take a backup of the .htaccess file before making any changes.
[If you have no experience in dealing with .htaccess rules, don’t go for it. Our Support Experts can help you.]
2) Using index.php
In some cases, Magento owners don’t use .htaccess file on their website.
Therefore, our Support Engineers make IP restrictions at PHP level.
In other words, we add the below code in website’s index.php to block the suspicious IP addresses.
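<?php
// List of blocked client addresses (exact matches only)
$banned = array('129.xxx.1.1');
// REMOTE_ADDR is the address of the connecting client as seen by the web server
if (in_array($_SERVER['REMOTE_ADDR'], $banned)) {
    // Stop here, before Magento is loaded
    exit();
}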
Take a backup of this file first, as misplaced rules can take down your website landing page.
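The in_array() check above matches single addresses only. The following added example (not part of the original post) extends the same index.php check to CIDR ranges and IPv6 and answers with a 403; the addresses are constructed documentation ranges, and $neverBlock is a hypothetical list of addresses that must never be blocked.

```php
<?php
// Added example, not the original post's code. Addresses are constructed
// documentation ranges; $neverBlock is a hypothetical safeguard list.
/** True when $ip is inside $entry: one IPv4/IPv6 address or a CIDR range. */
function ip_in_cidr(string $ip, string $entry): bool
{
    [$net, $len] = array_pad(explode('/', $entry, 2), 2, null);
    // Validate first: inet_pton() raises a warning on malformed input.
    if (!filter_var($ip, FILTER_VALIDATE_IP) || !filter_var($net, FILTER_VALIDATE_IP)) {
        return false;
    }
    $ipBin   = inet_pton($ip);
    $netBin  = inet_pton($net);
    $maxBits = strlen($netBin) * 8;
    $bits    = $len === null ? $maxBits : (ctype_digit($len) ? (int) $len : 0);
    // Skip mixed IPv4/IPv6 pairs and malformed or /0 prefixes instead of over-blocking.
    if (strlen($ipBin) !== strlen($netBin) || $bits < 1 || $bits > $maxBits) {
        return false;
    }
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    $rem  = $bits % 8;
    $mask = (0xFF << (8 - $rem)) & 0xFF; // keeps only the leading $rem bits
    return $rem === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function is_banned(string $ip, array $banned, array $neverBlock): bool
{
    foreach ($neverBlock as $entry) {
        if (ip_in_cidr($ip, $entry)) {
            return false; // a mistyped rule cannot lock out the admin's own address
        }
    }
    foreach ($banned as $entry) {
        if (ip_in_cidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

$banned     = ['203.0.113.7', '198.51.100.0/24', '2001:db8:bad::/48'];
$neverBlock = ['192.0.2.10'];
if (is_banned($_SERVER['REMOTE_ADDR'] ?? '', $banned, $neverBlock)) {
    http_response_code(403);
    exit('Forbidden');
}
```

When the store sits behind a reverse proxy or CDN, REMOTE_ADDR holds the proxy's address, so a check like this only works where the real client address is visible.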
3) Using Magento modules/extensions
Similarly, there are many extensions available in the market that help Magento shop owners restrict IPs.
Some modules allow traffic restrictions from different countries, selected products or CMS pages.
For example, extensions such as Geo-IP Ultimate Lock, Magento Geo Lock, etc. can serve this purpose.
But always make sure you buy the module that matches your requirements (need to block a single IP, need a country-level block, etc.).
[Need help in selecting appropriate modules after assessing your website requirements? Our Magento experts can help you here.]
4) Using firewall
Alternatively, we use software firewalls like iptables, CSF, etc. as an effective method to block IPs in Magento.
On cPanel servers, we use the CSF firewall to enable country-wide blocks, limit the number of connections, etc. at the server level.
For example, to block a country in CSF, we edit the CSF configuration file and add the country code as below.
CC_DENY = "CN,CR"
5) Using Blacklist feature
Sometimes, Magento store owners contact us to blacklist suspicious IPs trying to access the Magento admin page.
In such cases, our Support Engineers blacklist the IPs in the Magento admin panel using the Blacklist option.
Here, we can block a single IP, multiple IPs or various IP ranges.
Magento: block IP address – Common failure points
Blocking an IP address in Magento looks easy, right? But things can go wrong if it’s not done properly.
Based on our experience in managing Magento websites, we’ve seen cases where things don’t work as expected.
1) Messed up .htaccess rules
Recently, we were contacted by a Magento website owner. He had manually blocked IPs in his .htaccess file.
After that, his website started showing a 500 Internal Server Error.
In this case, our Support Engineers analyzed the website error logs and identified a syntax error in the .htaccess rules.
We corrected it immediately, and the website started loading fine.
.htaccess rules are critical for your website. A small typo in this file can take your website down. So, we always recommend taking a backup of this file before making changes.
2) Shop admins locked themselves out
Similarly, we’ve seen cases where Magento shop admins mistype their IP address into the Blacklist field.
As a result, they get locked out of the Magento admin panel.
Here, our Support Engineers use the command line and reset the blacklist rules with the below command.
bin/magento security:reset blacklist
After that, we clear the Magento cache for the changes to take effect.
Then, the shop admin can access the admin panel again, because there are no IP restrictions.
Conclusion
In short, there are different methods to block IP addresses in Magento. Today, we’ve discussed 5 different ways to block IP addresses in Magento. We’ve also discussed 2 common mistakes that can happen while blocking IP addresses and how our Server Support Engineers fix them.
That’s an informative blog. Thanks for sharing.