Every day, automated bots, brute-force attackers, and malicious scanners probe cPanel servers looking for vulnerabilities. Without proper IP blocking, your site wastes resources handling unwanted traffic and risks unauthorized access. cPanel provides built-in tools to block specific IP addresses or entire ranges at the server level \u2014 stopping threats before they ever reach your applications.<\/p>\n
Whether you’re dealing with a single persistent attacker or a distributed botnet, cPanel’s IP Blocker and firewall integration give you granular control over who can connect to your server. This guide walks through the practical methods for blocking IPs in cPanel, from the easy point-and-click interface to command-line firewall rules for power users.<\/p>\n
<\/p>\n
The simplest way to block an IP address is through the IP Blocker<\/strong> tool in cPanel. This feature adds rules to your server’s firewall (typically CSF or iptables) behind the scenes, so you don’t need to touch the command line.<\/p>\n In the Add an IP or IP Range<\/strong> field, you can enter:<\/p>\n After entering the address, click Add<\/strong>. The block takes effect immediately. You’ll see the new rule appear in the list below with a timestamp. To remove a block later, click the Delete<\/strong> link next to the IP entry.<\/p>\n Note:<\/strong> Be careful with broad ranges. Blocking a large ISP range like cPanel also integrates with ModSecurity<\/strong>, a web application firewall that can block IPs based on attack patterns. When combined with the cPanel ModSecurity Rule Editor<\/strong>, you can create custom rules that block specific IPs from accessing your web applications while still allowing other services like email or FTP.<\/p>\n To create a ModSecurity IP block:<\/p>\n This blocks the specified IP at the web application layer, returning a 403 Forbidden response. The advantage over the IP Blocker is that ModSecurity rules can be more specific \u2014 for example, blocking an IP only for certain URLs or during certain hours.<\/p>\n Most cPanel servers include CSF<\/strong> (ConfigServer Security & Firewall), a powerful firewall management system. CSF gives you more advanced IP blocking capabilities than the basic IP Blocker tool.<\/p>\n If you have root access or WHM reseller permissions, you can manage CSF directly:<\/p>\n CSF also supports time-limited blocks via its temporary deny feature:<\/p>\n The third argument is the duration in seconds. The example above blocks the IP for one hour (3600 seconds). After expiration, the IP is automatically removed from the deny list.<\/p>\n For users who prefer a GUI:<\/p>\n CSF uses Knowing which<\/em> IPs to block is half the battle. cPanel provides several tools to help identify problematic addresses:<\/p>\n In cPanel’s Metrics<\/strong> section, open Awstats<\/strong> or Analog Stats<\/strong> to spot patterns. Look for:<\/p>\n Go to Login Failure Log<\/strong> in the Security section. If you see the same IP address attempting to log into cPanel repeatedly, block it immediately. These are typically brute-force bots trying common passwords.<\/p>\n Check your email logs for repeated SMTP authentication failures from the same IP. Attackers often try to brute-force email accounts to send spam. The Mail Log<\/strong> tool in cPanel’s Email section can help identify these patterns.<\/p>\n cPanel includes cPHulk Brute Force Protection<\/strong>, which automatically blocks IPs after repeated failed login attempts. This is your first line of defense and should always be enabled.<\/p>\n cPHulk maintains its block list in Effective IP blocking goes beyond just adding addresses to a list. Follow these guidelines to keep your server secure without accidentally blocking legitimate traffic:<\/p>\n Why IP Blocking Matters for Your cPanel Server Every day, automated bots, brute-force attackers, and malicious scanners probe cPanel servers looking for vulnerabilities. Without proper IP blocking, your site wastes resources handling unwanted traffic and risks unauthorized access. cPanel provides built-in tools to block specific IP addresses or entire ranges at the server level \u2014 … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[147],"tags":[150,148,152,151,149],"class_list":["post-59","post","type-post","status-publish","format-standard","hentry","category-security","tag-block-ip-address-cpanel","tag-cpanel-ip-blocker","tag-cpanel-security-guide","tag-cphulk-brute-force-protection","tag-csf-firewall-cpanel"],"_links":{"self":[{"href":"https:\/\/cpanelreview.com\/index.php\/wp-json\/wp\/v2\/posts\/59","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cpanelreview.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cpanelreview.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cpanelreview.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cpanelreview.com\/index.php\/wp-json\/wp\/v2\/comments?post=59"}],"version-history":[{"count":0,"href":"https:\/\/cpanelreview.com\/index.php\/wp-json\/wp\/v2\/posts\/59\/revisions"}],"wp:attachment":[{"href":"https:\/\/cpanelreview.com\/index.php\/wp-json\/wp\/v2\/media?parent=59"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cpanelreview.com\/index.php\/wp-json\/wp\/v2\/categories?post=59"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cpanelreview.com\/index.php\/wp-json\/wp\/v2\/tags?post=59"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Accessing IP Blocker<\/h3>\n
\n
Adding an IP or Range<\/h3>\n
\n
192.168.1.100<\/code><\/li>\n192.168.1.0\/24<\/code> (blocks 192.168.1.0 through 192.168.1.255)<\/li>\n192.168.1.*<\/code> (equivalent to the \/24 range above)<\/li>\n192.168.<\/code> (blocks everything starting with 192.168)<\/li>\n<\/ul>\n10.0.0.0\/8<\/code> could lock out legitimate visitors. Always verify the IPs you’re blocking belong to known attackers.<\/p>\n<\/div>\nBlocking IPs Through cPanel’s ModSecurity Integration<\/h2>\n
\n
SecRule REMOTE_ADDR \"^192\\.168\\.1\\.100$\" \\\n \"id:100001,phase:1,deny,status:403,msg:'Blocked malicious IP'\"<\/code><\/pre>\nUsing CSF (ConfigServer Security & Firewall) with cPanel<\/h2>\n
Blocking an IP in CSF<\/h3>\n
\n
csf -d 192.168.1.100<\/code> \u2014 this denies (blocks) the IP<\/li>\ncsf -g 192.168.1.100<\/code><\/li>\ncsf -dr 192.168.1.100<\/code><\/li>\n<\/ol>\nTemporary Blocks with CSF<\/h3>\n
csf -td 192.168.1.100 3600<\/code><\/pre>\nManaging CSF Through WHM<\/h3>\n
\n
\/etc\/csf\/csf.deny<\/code> as its persistent deny list. You can edit this file directly to add multiple IPs at once, which is useful when importing a blocklist of known bad actors.<\/p>\nIdentifying Which IPs to Block<\/h2>\n
Check Apache Access Logs<\/h3>\n
\n
Review the cPanel Login Failure Log<\/h3>\n
Monitor Email Authentication Failures<\/h3>\n
Automated IP Blocking with cPHulk<\/h2>\n
Configuring cPHulk<\/h3>\n
\n
\/var\/cpanel\/cphulk\/blockedips.txt<\/code>. You can review or manually clear entries from this file if needed. The system automatically unblocks IPs after the configured duration expires.<\/p>\nBest Practices for IP Blocking in cPanel<\/h2>\n
\n
\/etc\/csf\/csf.allow<\/code>) to avoid locking yourself out.<\/li>\nKey Takeaways<\/h2>\n
\n