If you manage a website with cPanel, keeping unwanted traffic out is just as important as letting legitimate visitors in. Whether you are dealing with a malicious bot scraping your content, a brute-force attack on your login page, or just need to restrict admin access to specific IP addresses, cPanel’s IP Blocker tool gives you direct control over who can and cannot reach your site.
This guide walks through everything you need to know about blocking and allowing IP addresses in cPanel — from the basics of the IP Blocker interface to advanced use cases like blocking entire CIDR ranges and diagnosing false positives.
What Is cPanel’s IP Blocker?
The IP Blocker (also referred to as the IP Deny Manager) is a built-in cPanel security tool that lets you block specific IP addresses, entire IP ranges, or domain names from accessing your website. When a request originates from a blocked address, cPanel returns a 403 Forbidden response before the request ever reaches your application.
This happens at the Apache httpd.conf level, which means it stops traffic early — before PHP, WordPress, or any scripts execute. That makes it more efficient than application-level blocking plugins, especially under heavy load.
What IP Blocker Does
- Rejects connections at the web server level before content is served
- Works across all domains on your cPanel account (not just one site)
- Logs blocked requests so you can audit who is hitting your server
- Supports individual IPs, CIDR ranges, and wildcard patterns
When Should You Use IP Blocking?
IP blocking is a blunt but effective tool. Use it in these specific scenarios:
Brute-Force Login Attacks
If your WordPress login page or SSH port is under a sustained brute-force attack from a known IP range, blocking those addresses at the server level stops the attack dead. The requests never reach WordPress, which saves CPU cycles and prevents lockout plugins from filling up your database with failed login records.
Bad Bots and Scrapers
Not all bots are good bots. Some scrapers ignore robots.txt, eat up your bandwidth, and steal content. If you identify a scraper by its IP or user agent pattern, add it to the IP Blocker. Unlike .htaccess-based blocks, cPanel’s IP Blocker persists across updates and theme changes.
Restricting Admin Access
If your team works from a static IP or a corporate VPN, you can block all /wp-admin traffic except those known addresses. This is one of the most effective security measures you can take for WordPress, but it does require that your IP stays stable.
How to Block IP Addresses in cPanel (Step by Step)
Blocking an IP through cPanel takes about 30 seconds. Here is the exact procedure:
- Log into cPanel — Go to
https://yourdomain.com/cpaneland enter your credentials. - Find IP Blocker — In the Security section, click the IP Blocker icon. If you cannot see it, type “IP Blocker” into the search bar at the top of the page.
- Enter the IP or range — In the text field labeled IP or Domain, enter the address you want to block. You can use several formats:
- A single IP:
192.168.1.100 - A CIDR range:
192.168.1.0/24(blocks 192.168.1.0 through 192.168.1.255) - A wildcard range:
192.168.1.*(equivalent to the CIDR above) - A domain name:
example.com(cPanel resolves this to its IP and blocks that address)
- A single IP:
- Add the rule — Click Add. The rule takes effect immediately — no Apache restart required.
- Verify — Try accessing your site from the blocked IP. You should receive a
403 Forbiddenpage.
Adding Multiple IPs at Once
cPanel adds one rule at a time via the interface. For bulk blocking, enter each IP and click Add. cPanel stores each rule separately in /etc/apache2/conf.d/deny.conf (or your distribution’s equivalent). You can also use the WHM “IP Address Deny Manager” if you have reseller or root access — that tool supports bulk imports.
How to Allow (Whitelist) IP Addresses
Whitelisting is the opposite of blocking. You allow only specific IPs and deny everything else. cPanel does not have a dedicated “Allow” button in the IP Blocker, but you can achieve the same result with .htaccess rules:
- Open the File Manager in cPanel and navigate to your document root (usually
public_html). - Open or create the
.htaccessfile. - Add the following rules at the top of the file:
<RequireAny> Require ip 203.0.113.50 Require ip 198.51.100.0/24 Require ip 10.0.0.0/8 </RequireAny> - Save the file. Only the IPs and ranges listed will be able to access your site.
This approach is ideal for staging sites, internal tools, or membership portals where you control the audience. Be careful — if your own IP changes while whitelist rules are active, you will lock yourself out. Always keep a second access method (like WHM or SSH) available.
How to Remove a Blocked IP
Removing a rule is just as fast as adding one:
- Go to IP Blocker in cPanel.
- Scroll down to the list under Blocked IP Addresses.
- Find the IP you want to unblock and click Delete.
- Confirm the deletion. The rule is removed immediately and traffic from that IP is restored.
If you mistakenly block your own IP, use WHM (if available) or log in via SSH and edit /etc/apache2/conf.d/deny.conf to remove the rule, then run service httpd reload or systemctl reload httpd.
Common Issues and Troubleshooting
Blocking Your Own IP
This is the most common mistake. Before adding a block rule, check your current IP by visiting a service like whatismyip.com. If you block your own address, you will see a 403 error on your next page load. Recover by using WHM, SSH, or ask your hosting provider to remove the rule.
Blocking an IP That Keeps Changing
Attackers often rotate through hundreds of IPs using botnets. Blocking them one at a time is a losing game. For these situations, use a Web Application Firewall (WAF) like ModSecurity or Cloudflare instead of manual IP blocking. cPanel integrates easily with both.
False Positives — Blocking Legitimate Visitors
A shared hosting IP that someone else abused might land on your blocklist. If you see a spike in support tickets about 403 errors, review your IP Blocker list. Use the Raw Access Log in cPanel’s Metrics section to identify which IPs are hitting 403s and whether they look legitimate.
Blocking by Domain Doesn’t Work as Expected
When you block a domain name, cPanel resolves it to its current IP address at the moment you add the rule. If the target domain changes IPs (e.g., a CDN or cloud-hosted service), the block no longer applies. For reliable blocking, use IP addresses or CIDR ranges directly.
IP Blocker vs. .htaccess — Which Should You Use?
| Feature | cPanel IP Blocker | .htaccess |
|---|---|---|
| Persistence | Survives updates, theme changes | Lost if .htaccess is overwritten |
| Ease of Use | GUI, no coding required | Requires editing text files |
| Scope | All domains on account | Per-directory |
| Performance | Applied at Apache config level | Re-parsed on every request |
| Whitelisting | Not supported directly | Full Require directives |
For most users, the IP Blocker is the better choice for blocking specific addresses because of its simple interface and system-wide scope. Use .htaccess when you need whitelist-style rules or directory-specific access control.
Key Takeaways
- cPanel’s IP Blocker blocks traffic at the Apache config level, making it faster and more reliable than plugin-based solutions.
- You can block individual IPs, CIDR ranges (
/24,/16), or wildcard patterns directly in the GUI. - There is no built-in whitelist feature — use
.htaccesswithRequire ipdirectives for allow-only scenarios. - Always check your own IP before adding a block rule to avoid locking yourself out.
- Blocking by domain name is unreliable because IPs can change; prefer static IPs or CIDR ranges.
- For botnet-scale attacks, combine IP blocking with a WAF or CDN rather than adding hundreds of manual rules.