Deny from <address> rules into your .htaccess for you. The block applies to HTTP and HTTPS traffic for every domain on the account.
Open it from cPanel home → Security → IP Blocker.
What you can put in the box
The form accepts a few notations. Mix and match as needed.| Format | Example | Meaning |
|---|---|---|
| Single IPv4 | 203.0.113.5 | One address |
| Single IPv6 | 2001:db8::1 | One IPv6 address |
| Range (dash) | 203.0.113.5-203.0.113.50 | All addresses in that range |
| Range (implied) | 203.0.113.5-50 | Same range, shorthand |
| CIDR | 203.0.113.0/24 | A whole /24 (256 addresses) |
| Implied IP | 203.0.113. | Every address starting with 203.0.113. |
| Hostname | bot.example.com | Resolved to an IP at block time, blocked once. If the hostname’s IP changes, the block does not follow. |
Block an IP
Type the IP, range, or CIDR
Use any of the formats above. cPanel validates the format before accepting it.
Remove a block
The list at the bottom of the page shows every active block with a Delete action. Click it. The matchingDeny line is stripped from .htaccess and the block lifts within seconds.
Block a country
The IP Blocker doesn’t have a country picker. Two ways to do it anyway:- Cloudflare WAF. If your domain runs through Cloudflare proxy (orange cloud), use Security → WAF → Custom rules with
ip.src.country eq "RU"(replace as needed). Far less invasive than blocking thousands of IPs at the origin. - Pre-computed CIDR list. Fetch the country’s IP ranges from a list like ipdeny.com or ipinfo.io. Paste them one CIDR at a time, or open a ticket and we’ll script the bulk add for you.
What the IP Blocker does not do
- It doesn’t stop SSH or FTP. Those run on their own ports and the
.htaccessdeny rules don’t apply. Block at the firewall via Imunify360 or open a ticket for an iptables rule. - It doesn’t stop a determined attacker rotating IPs. A single attacker on a botnet can use thousands of addresses. Layered defense (ModSecurity, Imunify360, Cloudflare) catches the pattern instead.
- It doesn’t auto-unblock. There’s no time limit. If you blocked your office’s IP by mistake, log in to cPanel from elsewhere and remove it.
Common issues
I blocked my own IP
I blocked my own IP
Log in to cPanel from a different network (4G hotspot, public Wi-Fi, a VPN to a different country). Remove the block. Or open a support ticket; we can lift it server-side.
The block is in the list but the visitor still gets through
The block is in the list but the visitor still gets through
Cloudflare proxy hides the visitor’s real IP, your origin sees Cloudflare’s edge IP instead. Either disable proxy on the domain, or block the visitor at Cloudflare’s WAF where the real IP is visible.
I need to block a moving target (botnet, scraper)
I need to block a moving target (botnet, scraper)
The IP Blocker is the wrong tool. Imunify360 catches and bans patterns automatically; ModSecurity rules can match on User-Agent or path. For an active attack, open a ticket.
A range I added doesn't seem to work
A range I added doesn't seem to work
cPanel writes the rule with
Deny from <range> syntax that Apache understands. If the range is huge (a /8 or larger), Apache can be slow or refuse to parse it. Stick to /16 or smaller; for bigger blocks, use Cloudflare or a firewall rule.