In this article we’ll discuss how you can block unwanted users or bots from accessing your website via .htaccess rules. The .htaccess file is a hidden file on the server that can be used to control access to your website among other features.
Some malicious users send requests from many different IP addresses but use the same User-Agent for all of them. In these cases you can block the requests by their User-Agent string.
Locate Problematic User Agents
Blocking the User Agent
- Log into cPanel
- Navigate to File Manager, located in the Files section
- Locate the site's document root
  TIP: If the document root is unknown, it can be found by following this guide.
- Locate the site's .htaccess
  TIP: If .htaccess is not present, show hidden files in File Manager.
- Edit the .htaccess file and add the following to the top of the .htaccess
NOTE: The user agent is expressed as a regular expression, so all spaces and special characters must be escaped with \. The full user agent is not required unless you anchor the match with ^ and $, so "Google" would work.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} EXAMPLE_USER_AGENT
    RewriteRule (.*) - [F,L]
    </IfModule>
REPLACE: Replace EXAMPLE_USER_AGENT with the bad user agent.
EXAMPLE: A common user agent is Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0, which frequently brute forces wp-login.php
Blocking that looks like:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} Mozilla/5\.0\ \(X11;\ Ubuntu;\ Linux\ x86_64;\ rv:62\.0\)\ Gecko/20100101\ Firefox/62\.0
    RewriteRule (.*) - [F,L]
    </IfModule>
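
One way to find a User-Agent shared across many IP addresses and produce the escaped rule for it, as an added example that is not part of the original article. It assumes Apache's "combined" access log format; the function names, the threshold of 3 distinct IPs and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
# Characters to backslash-escape: space plus regex metacharacters.
SPECIAL = set(' \\.^$*+?()[]{}|')

UA_BAD = ("Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) "
          "Gecko/20100101 Firefox/62.0")
UA_OTHER = "ExampleBrowser/1.0 (constructed)"
TS = "[01/Jan/2024:10:00:00 +0000]"
# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "POST /wp-login.php HTTP/1.1" 200 1520 "-" "{UA_BAD}"',
    f'198.51.100.7 - - {TS} "POST /wp-login.php HTTP/1.1" 200 1520 "-" "{UA_BAD}"',
    f'203.0.113.44 - - {TS} "POST /wp-login.php HTTP/1.1" 200 1520 "-" "{UA_BAD}"',
    f'192.0.2.99 - - {TS} "POST /wp-login.php HTTP/1.1" 302 0 "-" "{UA_OTHER}"',
    f'192.0.2.99 - - {TS} "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "{UA_OTHER}"',
]

def shared_agents(lines, path="/wp-login.php", min_ips=3):
    """Return User-Agents that requested `path` from at least `min_ips` distinct IPs."""
    ips_by_ua = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(2).split("?")[0] == path:
            ips_by_ua[m.group(3)].add(m.group(1))
    return sorted(ua for ua, ips in ips_by_ua.items() if len(ips) >= min_ips)

def escape_ua(ua):
    """Backslash-escape spaces and regex metacharacters for a RewriteCond pattern."""
    return "".join("\\" + c if c in SPECIAL else c for c in ua)

def rewrite_block(ua):
    """Build the .htaccess block shown in the article for one User-Agent."""
    return "\n".join([
        "<IfModule mod_rewrite.c>",
        "RewriteEngine On",
        "RewriteCond %{HTTP_USER_AGENT} " + escape_ua(ua),
        "RewriteRule (.*) - [F,L]",
        "</IfModule>"])

if __name__ == "__main__":
    for ua in shared_agents(SAMPLE_LOG):
        print(rewrite_block(ua))
```

The generated rule returns 403 to every client that sends the matched string, so check that the User-Agent is not also used by visitors you want to keep before adding it.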