Allow or deny requests based upon the requesting IP address. Useful when a site is under development or maintenance (whitelisting) or to deal with repeat offenders (blacklisting).
Whitelist IP Addresses
To restrict allowed requests to a specific set of whitelisted IPs, add the following to .htaccess or your virtual host config:
<Limit GET POST PUT> Order deny,allow Deny from all Allow from 172.16.1.2 Allow from 22.214.171.124 </Limit>
The directive above would prevent access from any IP address except 172.16.1.2 and 126.96.36.199 when the HTTP request method is GET, POST, or PUT.
You may omit the <Limit> </Limit> nodes and leave just the inner directives if you want the restriction applied to all request methods.
Blacklist IP Addresses
To prevent requests from a set of blacklisted IPs, add the following to .htaccess or your virtual host config:
<Limit GET POST PUT> Order Allow,Deny Allow from all Deny from 188.8.131.52 Deny from 184.108.40.206 </Limit>
The rule above would allow access from any IP address except 220.127.116.11 and 18.104.22.168 when the HTTP request method is GET, POST, or PUT.
You may omit the <Limit> </Limit> nodes and leave just the inner directives if you need the restriction applied to all request methods.
In More Detail
Preventing access by IP is probably the oldest way to blacklist, and works very well for denying access to site scrapers, trolls, and other malicious visitors.
Note that while blacklisting by IP can be circumvented by using a different computer with a different IP address, a tunneling VPN service, or a proxy server or network, it is still a very effective way to deal with a large volume of malicious requests made by ‘script kiddies’ or unsophisticated ‘hackers’ that use off-the-shelf exploits, since these relatively uninformed individuals often use the same machine and have little sophistication in how they operate.