Allow or deny requests based upon the requesting IP address. Useful when a site is under development or maintenance (whitelisting) or to deal with repeat offenders (blacklisting).

Whitelist IP Addresses

To restrict allowed requests to a specific set of whitelisted IPs, add the following to .htaccess or your virtual host config:

<Limit GET POST PUT>
	Order deny,allow
	Deny from all
	Allow from 172.16.1.2
	Allow from 215.200.33.1
</Limit>

The directive above would prevent access from any IP address except 172.16.1.2 and 215.200.33.1 when the HTTP request method is GET, POST, or PUT.

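You may omit the <Limit> and </Limit> lines and leave just the inner directives if you want the restriction applied to all request methods. While the <Limit> wrapper is in place, requests that use a method not listed in it (DELETE, for example) are not covered by the restriction.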

Blacklist IP Addresses

To prevent requests from a set of blacklisted IPs, add the following to .htaccess or your virtual host config:

<Limit GET POST PUT>
	Order Allow,Deny
	Allow from all
	Deny from 123.55.16.2
	Deny from 235.88.112.10
</Limit>

The rule above would allow access from any IP address except 123.55.16.2 and 235.88.112.10 when the HTTP request method is GET, POST, or PUT.

You may omit the <Limit> and </Limit> lines and leave just the inner directives if you need the restriction applied to all request methods.
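
The Order, Allow and Deny directives used in the whitelist and blacklist sections above are the Apache 2.2 access-control syntax, which Apache 2.4 supports only through mod_access_compat. The following is an added example, not part of the original page, showing the same two rule sets written with the 2.4 Require directives and applied to all request methods; it assumes mod_authz_core and mod_authz_host are loaded and reuses the sample addresses from above.

```apache
# Added example: Apache 2.4 equivalents of the two rule sets above.
# Assumes mod_authz_core and mod_authz_host are loaded.
# No <Limit> wrapper is used, so every request method is covered.
# In .htaccess, Require needs "AllowOverride AuthConfig" in the server config
# (the older Order/Allow/Deny directives need "AllowOverride Limit").
# Use ONE of the two blocks below in a given .htaccess or <Directory> section.

# --- Whitelist: only these addresses are allowed ---
# Several Require lines at the same level are ORed together
# (an implicit <RequireAny>), so a match on either address grants access.
Require ip 172.16.1.2
Require ip 215.200.33.1

# --- Blacklist: everyone except these addresses is allowed ---
# A negated Require cannot grant access by itself, so it sits inside
# <RequireAll> next to "Require all granted", which supplies the default allow.
<RequireAll>
	Require all granted
	Require not ip 123.55.16.2
	Require not ip 235.88.112.10
</RequireAll>
```

The Apache upgrade documentation discourages mixing the old and new directives in the same configuration, so convert a given site to one syntax rather than combining them.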

In More Detail

Preventing access by IP is probably the oldest way to blacklist, and works very well for denying access to site scrapers, trolls, and other malicious visitors.

Note that blacklisting by IP can be circumvented by using a different computer with a different IP address, a tunneling VPN service, or a proxy server or network. It is still a very effective way to deal with a large volume of malicious requests made by ‘script kiddies’ or unsophisticated ‘hackers’ who use off-the-shelf exploits, since these relatively uninformed individuals often use the same machine and have little sophistication in how they operate.