Overview
The cPanel IP Blocker is a built-in security tool that lets you deny access to your website from specific IP addresses or IP ranges. It works by writing rules into your site’s .htaccess file, which Apache reads before serving any content. No firewall configuration, no root access — just a form in your cPanel dashboard.
You’ll typically reach for this tool when you spot suspicious activity in your access logs: a single IP hammering your login page, a known spammer, or a bot that’s burning through your bandwidth. It’s also useful for quickly cutting off an abusive user while you work on a longer-term fix.
This guide covers the full process — from finding the tool to blocking ranges and verifying the block is actually working. If you’re on one of our Shared Hosting plans, this is likely the primary IP-blocking method available to you since you won’t have direct server firewall access.
Prerequisites
- Active cPanel account (cPanel version 98 or later — the UI referenced here matches the Paper Lantern and Jupiter themes)
- The IP address or range you want to block — check your Raw Access Logs or Awstats inside cPanel if you’re not sure what to block
- Basic understanding that blocking an IP affects all websites under your cPanel account unless you target a specific directory
Step-by-Step: Block an IP Address in cPanel
Step 1 — Log in to cPanel
Navigate to your cPanel login URL. This is usually one of the following:
https://yourdomain.com:2083
https://yourserverip:2083
Enter your cPanel username and password. If you’re not sure of the URL, check the welcome email from Host & Tech or contact support.
Step 2 — Open the IP Blocker
In the cPanel dashboard, scroll to the Security section and click IP Blocker. In the Jupiter theme, you can also just type “IP Blocker” into the search bar at the top — it’s faster.
Step 3 — Enter the IP Address or Range to Block
You’ll see a text field labelled Add an IP or Range. cPanel accepts several formats here. Use whichever matches what you’re trying to block:
| Format | Example | What it blocks |
|---|---|---|
| Single IP | 203.0.113.45 | That one address only |
| CIDR range | 203.0.113.0/24 | All 256 IPs in that subnet |
| Implied range | 203.0.113. | All IPs starting with 203.0.113 |
| IP range with dash | 203.0.113.1-203.0.113.50 | That specific range |
📝 Note: cPanel’s IP Blocker doesn’t support IPv6 blocking through the UI as of cPanel version 110. If you need to block an IPv6 address, you’ll have to edit .htaccess manually (covered below).
Step 4 — Click Add
Click the Add button. cPanel writes the block directly to your .htaccess file at the root of your public directory. The change takes effect immediately — there’s no propagation delay.
You’ll see a confirmation screen listing the IP and the domain it’s been blocked from.
Step 5 — Verify the Block is Working
Don’t just trust the confirmation screen. Open your .htaccess file via File Manager and confirm the rules were written correctly. Navigate to public_html/.htaccess and look for something like this:
# BEGIN cPanel-generated handler, do not edit
# End of cPanel-generated handler
Order Deny,Allow
Deny from 203.0.113.45
Deny from 203.0.113.0/24
If you want to test the block externally, use a proxy or a tool like ReqBin to make a request from the blocked IP range and confirm you get a 403 Forbidden response.
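You can also verify the block from your own Raw Access Logs. The script below is an added example, not part of cPanel or the original guide: it expands the four entry formats from Step 3 into networks and reports any request from a blocked address that did not receive a 403. The log lines are constructed samples in Apache's combined format, and the function names are hypothetical.

```python
import ipaddress
import re

# Apache combined/common log: client IP first, status code after the quoted request.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" (\d{3}) ')

def parse_block_entry(entry):
    """Expand one IP Blocker entry (any format from the Step 3 table) to networks."""
    entry = entry.strip()
    if "-" in entry:                       # 203.0.113.1-203.0.113.50
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    if entry.endswith("."):                # implied range such as 203.0.113.
        octets = entry.rstrip(".").split(".")
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        return [ipaddress.ip_network(f"{base}/{8 * len(octets)}")]
    return [ipaddress.ip_network(entry, strict=False)]   # single IP or CIDR

def find_unblocked_hits(entries, log_lines):
    """Return (ip, status) for requests from blocked addresses that did not get a 403."""
    networks = [net for e in entries for net in parse_block_entry(e)]
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                       # hostname instead of an address
        if m.group(2) != "403" and any(ip in net for net in networks):
            leaks.append((str(ip), int(m.group(2))))
    return leaks

# Constructed sample: block list from the .htaccess excerpt, invented log lines.
BLOCKED = ["203.0.113.45", "203.0.113.0/24"]
SAMPLE_LOG = [
    '203.0.113.45 - - [12/Mar/2025:10:01:02 +0000] "POST /login HTTP/1.1" 403 199',
    '203.0.113.77 - - [12/Mar/2025:10:01:05 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2025:10:01:09 +0000] "GET / HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, status in find_unblocked_hits(BLOCKED, SAMPLE_LOG):
        print(f"{ip} is on the block list but received HTTP {status}")
```

Only feed it lines logged after the block was added, since earlier requests from the same address will legitimately show other status codes.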
Step 6 (Optional) — Block an IPv6 Address via .htaccess
If you’re seeing attacks from an IPv6 address and the cPanel UI won’t accept it, add the rule manually. Open public_html/.htaccess in File Manager, click Edit, and add:
<RequireAll>
Require all granted
Require not ip 2001:db8::/32
</RequireAll>
⚠ Warning: If your server is running Apache 2.4 (which is standard on cPanel servers running AlmaLinux 8/9), use the Require directive syntax above. The older Order/Deny syntax still works in compatibility mode, but mixing the two in the same .htaccess file can cause a 500 error. Check your Apache version if you’re unsure:
httpd -v
Step 7 — Removing a Block
Go back to IP Blocker in cPanel. At the bottom of the page, you’ll see a table of currently blocked IPs. Click Delete next to the entry you want to remove. cPanel removes the corresponding Deny from line from .htaccess automatically.
Common Issues & Troubleshooting
The blocked IP can still access the site
Cause: The attacker is using a CDN, proxy, or VPN, so the IP hitting your server is different from what you see in your logs. Alternatively, if your site sits behind Cloudflare, the IP in your logs is Cloudflare’s edge IP, not the real visitor’s IP.
Fix: Check whether Cloudflare or another proxy is in front of your site. If so, use Cloudflare’s firewall rules to block the IP at the edge. For Cloudflare-proxied sites, blocking in cPanel is largely ineffective for this reason — cPanel only sees Cloudflare’s IP.
500 Internal Server Error after adding the block
Cause: A syntax error was introduced in .htaccess, or you mixed Apache 2.2-style Order/Deny directives with Apache 2.4-style Require directives.
Fix: Open public_html/.htaccess in File Manager and look for the lines cPanel added. Remove any duplicate or conflicting directives. You can also check Apache’s error log for the exact line causing the problem:
tail -n 50 /usr/local/apache/logs/error_log
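If you cannot read the server's error log, you can check the file itself for the conflict described above. This linter is an added example, not a cPanel tool or code from the original guide. It flags Order/Allow/Deny rules that share a file with Require rules, and also flags a negated Require outside a `<RequireAll>` block, which Apache 2.4 rejects. The sample file contents are constructed and the function name is hypothetical.

```python
import re

LEGACY = re.compile(r"(order|allow\s+from|deny\s+from)\b", re.I)   # Apache 2.2 style
REQUIRE = re.compile(r"require\s+(not\s+)?\S", re.I)               # Apache 2.4 style
CONTAINER = re.compile(r"<(/?)(RequireAll|RequireAny|RequireNone)\b", re.I)

def lint_htaccess(text):
    """Return sorted (line_number, message) findings for access rules in a .htaccess."""
    findings, legacy, modern, stack = [], [], [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = CONTAINER.match(line)
        if tag:
            if tag.group(1):               # closing tag
                if stack:
                    stack.pop()
            else:                          # opening tag
                stack.append(tag.group(2).lower())
            continue
        if LEGACY.match(line):
            legacy.append(no)
            continue
        req = REQUIRE.match(line)
        if req:
            modern.append(no)
            # A negated Require can only veto, so it must sit directly in <RequireAll>.
            if req.group(1) and (not stack or stack[-1] != "requireall"):
                findings.append((no, "negated Require is not inside <RequireAll>"))
    if legacy and modern:
        findings.append(
            (legacy[0], f"Order/Allow/Deny rules mixed with Require (line {modern[0]})"))
    return sorted(findings)

# Constructed samples: a file that mixes both styles, and a 2.4-only rewrite of it.
MIXED = """\
Order Deny,Allow
Deny from 203.0.113.45
Require all granted
Require not ip 2001:db8::/32
"""
FIXED = """\
<RequireAll>
Require all granted
Require not ip 203.0.113.45
Require not ip 2001:db8::/32
</RequireAll>
"""

if __name__ == "__main__":
    for no, message in lint_htaccess(MIXED):
        print(f"line {no}: {message}")
```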
IP Blocker shows “You cannot block your own IP”
Cause: You’re trying to block the IP address you’re currently using to access cPanel. cPanel prevents this to stop you from locking yourself out.
Fix: This is a valid safety check. If you genuinely need to block that IP range, edit .htaccess directly via File Manager or SSH. I’d recommend double-checking whether you actually need to block it — if it’s your own office IP, you probably got the wrong address from your logs.
The block disappeared after a cPanel update or rebuild
Cause: Some cPanel operations (particularly restoring a backup or running a cPanel account rebuild) can overwrite .htaccess and remove manually added entries. Entries added through the IP Blocker UI are usually preserved, but manual edits to .htaccess are not always preserved.
Fix: Re-add the blocks through the IP Blocker UI rather than directly editing .htaccess. cPanel tracks UI-added blocks separately and can restore them more reliably.
You need to block an entire country, not just a single IP
Cause: The built-in IP Blocker isn’t designed for country-level geo-blocking — you’d need to add thousands of IP ranges manually.
Fix: Use a geo-blocking solution instead. Cloudflare’s free plan includes country-level firewall rules. If you’re on a VPS or dedicated server, mod_geoip or GeoIP2 with Apache, or fail2ban with a GeoIP plugin, are the right tools. The cPanel IP Blocker alone won’t scale to this.
Frequently Asked Questions
Does blocking an IP in cPanel affect all websites on my account?
Yes — by default, the block is written to the .htaccess file in your main public_html directory, which covers all domains and subdomains rooted there. If you only want to block an IP from one addon domain or subdirectory, manually add the Deny from rule to the .htaccess file inside that specific folder instead of using the IP Blocker UI.
How many IP addresses can I block in cPanel?
cPanel doesn’t publish a hard limit, but practically speaking, adding hundreds of individual IP entries to .htaccess will slow down Apache because it checks those rules on every single request. If you’re blocking more than 50-100 individual IPs, I’d recommend switching to CIDR ranges where possible, or moving to a server-level firewall solution like CSF (ConfigServer Security & Firewall) if you have VPS or dedicated server access.
Will blocking an IP in cPanel block them from email too?
No. The cPanel IP Blocker only affects HTTP/HTTPS traffic to your website through Apache. It has no effect on mail traffic (SMTP, IMAP, POP3). If you’re getting spam or brute-force attacks on your mail server, that needs to be handled at the mail server level — typically through cPanel’s Email Deliverability tools or a server-level firewall.
Can I block an IP temporarily and have it automatically removed?
Not through the cPanel UI — blocks added with the IP Blocker are permanent until you manually delete them. If you need time-based blocking, you’d have to set up a cron job to remove the .htaccess entry after a set period, or use a tool like fail2ban on a VPS or dedicated server that supports timed bans natively.
My site is on Cloudflare — should I still use the cPanel IP Blocker?
Probably not for blocking external attackers. When Cloudflare is proxying your traffic, your server only sees Cloudflare’s IP addresses, not the original visitor’s IP. Blocking at the cPanel level won’t stop the attacker — block them in the Cloudflare dashboard under Security > WAF instead. The cPanel IP Blocker is still useful for blocking direct-to-origin requests if your origin IP has been exposed.