How to use a CIDR netmask to block an IP address range in .htaccess
This article explains what CIDR netmask notation is, why it is sometimes necessary to use it when banning an IP address
in Apache .htaccess, and how to do it. It is intended to supplement the basic
Apache information about mod_access in the documentation at
An IP address is a 32-bit binary number that uniquely identifies a computer on the internet
32-bit binary is hard to remember :
Decimal notation isn't much easier: 3225419776
So it is usually written like this :
You calculate this "dotted-quad notation" by breaking the 32 bits into 4 groups of 8 and then converting
each group to decimal:
That makes it easier to remember, but it can cause problems when you try to use it for
An IP address contains two pieces of information:
- The leftmost binary digits are the unique numeric ID of the network (usually your Internet Service Provider,
ISP) through which you are connected to the internet.
- The remaining binary digits are your computer's unique numeric ID on that network.
The number of leftmost digits used for the network ID is not the same
for every network. In CIDR notation, the /nn part says how many of the leftmost
bits indicate the network.
If the network uses exactly the leftmost 8, 16, or 24 bits for its ID, then
the dividing line between network and user falls on one of the period boundaries
of the dotted-quad notation, and one of the partial IP notations will work:
|.htaccess partial IP address
|deny from 192
||deny from 192.0.0.0/8
|deny from 192.64
||deny from 220.127.116.11/16
|deny from 192.64.0
||deny from 18.104.22.168/24
Each quad that you don't specify is treated as a wildcard that can take any
value from 0 to 255. The first example above bans any IP address that starts with
When to use CIDR notation
If the network does not use exactly 8, 16, or 24 bits for the network part of
the IP address,
the dividing line between network and user does not fall on a period
boundary of dotted-quad notation, and you need to use a CIDR netmask.
This says the base address of the network is 22.214.171.124 and
the first 10 bits are the network:
192 64 0 0 = 11000000 01000000 00000000 00000000
192 is the first 8 bits, but two more bits are part of the network
ID, too. The 9th bit is 0 and the 10th is 1, and that is where the 64 for the 2nd quad
The full range of this network in quad notation is 126.96.36.199 -
188.8.131.52. Notice that the 64 in the second quad doesn't remain
constant. The first 2 bits are always the same, but the righthand 6 will be
different for different users.
In this case, the simple notations for an .htaccess ban won't work. Why not?
- deny from 192 would ban the range
192.0.0.0 - 184.108.40.206, which will
ban some users that are not coming from this network.
- deny from 192.64 would ban the
range 220.127.116.11 - 18.104.22.168, which is
insufficient to ban all the users that are coming from this network.
So the answer is CIDR notation, and an .htaccess line that says:
deny from 22.214.171.124/10
This says the base address is 126.96.36.199, and the first 10 bits identify the
network (those are always the same for all users who are on that network).
To ban a specific IP range in htaccess
- Figure out, from your website access logs or elsewhere, the IP addresses you want to ban. Look
them up in a WhoIs database such as
- Determine whether you need to use a CIDR netmask. If the IP address range in the report
looks like one of these, with each quad after the leading one(s) showing the maximum possible range of 0-255, then you can use one of the
192.0.0.0 - 188.8.131.52
-- Use deny from 192
184.108.40.206 - 220.127.116.11 -- Use deny from
18.104.22.168 - 22.214.171.124 -- Use deny from 192.64.128
- For anything else, you need CIDR. At Domain Tools, the CIDR netmask is sometimes shown in the report for that
IP address, several lines down. However, also look farther down the page for additional CIDRs.
Sometimes the one shown at the top is a very broad range assigned to a large network, and
entries farther down the page show its successively smaller subdivisions or subnets. In this case, you
probably want the CIDR that is closest to the bottom of the page, to avoid banning more
visitors than you intend to. If you can find the correct CIDR, you're ready to create the line in your .htaccess file.
Go to Step 5.
- If the CIDR wasn't given, you can calculate it yourself with a netmask
calculator such as
a) Enter the base (lowest) address.
b) You can simply determine the netmask (the /nn part) by trial and error,
or you can calculate the minimum size to start with: take the rightmost
nonzero quad of the base address and convert it to binary in your
head or in Windows Calculator. Find the rightmost "1". The netmask will have
to be sufficient to include all of the previous quads (at 8 bits each), plus
all the digits in this quad up to its rightmost "1". That's the minimum. But
it might include some of the trailing zeroes, too.
c) Keep using trial and
error for the netmask until HostMin and HostMax match the IP address range in the Domain Tools report.
Note that final quads of 0 and 255 are reserved, so:
calculated HostMin will actually be nnn.nnn.nnn.1,
The calculated HostMax will actually be nnn.nnn.nnn.254 not
The Hosts/Net line tells you how many users this network might have,
which can help decide whether you really want to ban the entire range.
- Edit your public_html/.htaccess file to add the "deny from" line:
- Go to cPanel > File Manager.
- Navigate to the file
- Click on its file name.
- At the top of the screen (or wherever the menu item is), click Edit File.
- Make a backup copy: Copy all the text in the file, and save it into a
file on your local computer so you can put it back into .htaccess if
something goes wrong.
- Backup made?
Ok, now you can edit the file. On a blank line in a part of the file that is
HTML-style tags like <tag></tag>, type the line:
Replace the nnn's with the IP/netmask you calculated for this range.
Further explanation: some lines of your .htaccess file might be
contained between tags that look like HTML tags where the opening tag looks
like <tag> and the closing tag looks like </tag>. Insert this new
line in a part of the file that is not between any of these pairs of tags.
Depending on what is in your .htaccess, you might need to use your judgment whether to use the order and allow
directives that are also provided by mod_access. See the link to Apache at the top of this
article for more information. That is beyond the scope of this article, and it will
require your judgment. I'd suggest adding only the "deny from" line at first and seeing if
it works as expected.
- Click Save.
If you change your mind and don't want to save, close the web page in
your browser without clicking the Save button.
- Test your site by visiting some pages. Make sure you can access them. If you get a
"500 - Internal Server Error" message, there is an error in .htaccess. Check your work and
try again, or put back your saved copy of the old .htaccess to give yourself some time to
work on it.
- The expected result: you can access your website; most other people can, too; when the
denied party tries, your logs (or cPanel > Latest Visitors) will show a result code of
Forbidden", which indicates that the server rejected their request.
If you are working your way through
By Step Repair After A Website Hack and How to Prevent It",
click the link to return to the article.
Comments and questions are welcome in the