The Blocked IPs page lets you block specific visitors from accessing your websites. You can block individual IP addresses, IP ranges using CIDR notation, or entire countries. Blocked visitors receive a 403 Forbidden response and never reach your website’s code.
Go to Security > Blocked IPs to get started.
Blocking an IP address or range#
The form at the top of the page has two tabs: IP addresses and Countries.
IP addresses tab
- Select the website you want to protect from the dropdown.
- Enter the IP address or CIDR range you want to block. The field accepts:
- IPv4 addresses (e.g.,
192.168.1.1) - IPv6 addresses (e.g.,
2001:db8::1) - IPv4 CIDR ranges (e.g.,
192.168.0.0/24) - IPv6 CIDR ranges (e.g.,
2001:db8::/32)
- IPv4 addresses (e.g.,
- Click Block IP address.
The block applies to the specific website you selected, not to your entire account. If you want to block the same IP on multiple websites, add it separately for each one.
Countries tab
- Select the website from the dropdown.
- Choose one or more countries from the multi-select dropdown.
- Click Block countries.
Country detection uses GeoIP lookup based on the visitor’s IP address. Keep in mind that visitors using a VPN may bypass country-based restrictions since their traffic appears to come from the VPN server’s location.
Managing blocked entries#
Below the form, two tabs show your active restrictions:
Blocked IPs tab
A table listing every blocked IP or range with:
- Website – Which website the block applies to
- Blocked IP/range – The IP address or CIDR range
Blocked countries tab
A table listing every blocked country with:
- Website – Which website the block applies to
- Country – The country name
- Code – The two-letter country code (e.g., CN, RU)
Both tables are searchable and sortable. The counter in the section header shows how many entries you have.
Removing a block#
Click the dropdown menu on any row and select Delete (for IPs) or Remove block (for countries). You’ll need to type DELETE to confirm.
Removing a block allows that IP or country to access your website again. The change takes 1-2 minutes to apply.
How it works#
IP blocks are enforced at the web server level, before your website’s code runs. On nginx (the default), each blocked IP becomes a
deny
rule. For country blocks, nginx uses GeoIP2 to check the visitor’s country against your blocked list.
Because blocking happens at the server level, blocked visitors consume almost no server resources. They get a 403 response immediately.
All changes take 1-2 minutes to propagate to your server after you add or remove a block.
When to use blocked IPs vs. the firewall#
The Blocked IPs page is for manual, targeted blocking when you know exactly which IPs or countries you want to keep out. Common uses include blocking a specific abusive IP, restricting access from countries you don’t serve, or locking down a staging site.
For automated protection against bots, scanners, and attacks, use the Firewall page instead. The bot detection system scores and blocks threats automatically based on behavior, so you don’t have to track individual IPs yourself.