Overview
If you want to block access to a directory on your website or to all of your website, you can do this via a simple Apache .htaccess file. This file allows you to override some of the default Apache settings, including Apache access control via the Allow / Deny statements.
This can be useful when you need to block access immediately, for example when a plugin and/or part of your website has been compromised.
Block Everyone
To block access, create a .htaccess file in the directory you want to block. If it’s the entire website, this is the “httpdocs” directory. This will apply to all subdirectories as well. Add this to the .htaccess:
Deny from all
Every URL will now return a “403 Forbidden” error message to the browser.
Block Everyone Except your IP
If you want to restrict access to the admin area of your site via IP, this can also be done via the .htaccess file. Examples are the administrator directory for Joomla and the wp-admin directory for WordPress. Create a .htaccess file and add the following:
Order deny,allow
Deny from all
Allow from <YOUR_IP_ADDRESS>
If you don’t have a static IP, you’ll need to update this file every time the IP changes for your Internet connection.
You can read more information on the Apache site.
Block Specific IPs
If you want to restrict certain IP addresses from accessing your site you can create a .htaccess file and add the below code:
Order allow,deny
Allow from all
Deny from <BAD IP HERE>
The above example is very similar to blocking every IP other than your own, just with the allow and deny rules swapped. The Order line is swapped to allow,deny as well: Deny is then evaluated last, so it overrides Allow from all for the listed address. With Order deny,allow the Allow from all line would win and nothing would be blocked.
If you want to block multiple IPs, add another Deny line to the end of the above code block. Example below:
Order allow,deny
Allow from all
Deny from <BAD IP 1 HERE>
Deny from <BAD IP 2 HERE>
When making .htaccess changes you should always check your work via an incognito browser window. Otherwise your changes may not be visible.
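The same three rules in Apache 2.4's Require syntax, as an added example that is not part of the original page. Order, Allow and Deny are the Apache 2.2 directives and on 2.4 work only through mod_access_compat; the addresses below are constructed documentation addresses, and each numbered block is meant as a separate .htaccess file.

```apache
# 1. Block everyone (Apache 2.4 equivalent of "Deny from all")
Require all denied

# 2. Block everyone except your IP
#    203.0.113.10 is a constructed placeholder; use your own address.
Require ip 203.0.113.10

# 3. Block specific IPs, allow everyone else
#    RequireAll: every line inside must pass, so one matching
#    "Require not ip" rejects the request.
<RequireAll>
    Require all granted
    Require not ip 198.51.100.7
    Require not ip 198.51.100.8
</RequireAll>

# 4. Variant of block 2 that works on both 2.2 and 2.4:
#    mod_authz_core exists only on 2.4, so exactly one branch applies
#    and old and new directives are never mixed in one request.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>
```

Require in a .htaccess file needs AllowOverride AuthConfig in the server configuration, while Order, Allow and Deny need AllowOverride Limit. With AllowOverride None the file is ignored, so confirm the 403 after every change.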