Blocking entire countries from your website sounds drastic, but for some businesses it makes real sense. A local bookstore, carwash, babysitter service or lawn care company has no good reason to serve traffic from the other side of the world. And if that traffic is almost entirely bots, brute-force login attempts and vulnerability scanners, the case for blocking it becomes even stronger.
Key Takeaways
- Geo-blocking makes sense for locally focused businesses, but can backfire for businesses that attract international visitors (hotels, restaurants, tourist attractions).
- Raw
.htaccessIP blocking is impractical for country-level blocking, it can take over 150,000 lines just to block the US. - CDNs like Amazon CloudFront and Akamai offer built-in geo-restriction tools that are far more manageable.
- Apache modules such as MaxMind's GeoIP integration give server-level control without ballooning config files.
- Proxy services like Cloudflare let you block countries through a simple dashboard, with the added bonus of improved performance and security.
Should You Actually Block a Country?
Before you do anything, check your own analytics. The decision isn't always obvious.
One web forum, for example, showed China as the second-largest source of traffic in January 2015, generating 1.9 million page views and 1.86 GB of bandwidth, despite having no Chinese audience, no Chinese content and running no advertising aimed at Chinese residents. On top of that, 99% of all brute-force password guessing attempts on that forum came from Chinese IP addresses, with approximately 50 to 100 attempts per day.
In that situation, blocking makes complete sense. But consider a hotel: even though it serves local guests, travellers from abroad will search for it before they arrive. The same logic applies to restaurants, resorts, car rentals and commuter services. Block the wrong country and you could cut off genuine customers.
The rule is simple: check your stats, weigh the real traffic against the noise, then decide.
Why .htaccess Country Blocking Is a Bad Idea
This is the first thing people reach for, and it's the wrong tool for the job.
To block an entire country at the .htaccess or Apache config level, you'd need to list every IP range associated with that country. To block the US alone, you'd need over 150,000 lines of text. These files are read on every single request and are not cached, so a file that large will hurt your site's performance over time.
There's also the effectiveness problem. Determined attackers use proxies and bot farms, so a Chinese IP block won't stop someone routing through a server elsewhere. Legitimate users sometimes use VPNs too, which means you could end up blocking people you actually want.
For blocking a handful of specific IPs (a single bad actor, for instance), .htaccess is fine. The basic syntax looks like this:
Order Deny,Allow
Deny from 1.1.1.1
Deny from 2.2.2.2
Deny from 3.3.3.3
But for country-level blocking? Don't go down this road. It'll get unwieldy fast and won't even do the job reliably.
Can Your Hosting Company Help?
Probably not, at least not out of the box.
If you're on a bare metal or VPS (think DigitalOcean, InMotion Hosting, Rackspace), you have full control over the server software. But most providers don't include country-level blocking as a default feature. At best, you'll get a basic firewall for adding individual IPs to a blacklist or whitelist.
If you're on shared hosting with a control panel like cPanel or Plesk, you have even less control. Those panels handle databases, email and backups well, but they can't manage network-level rules that would affect every site sharing your server's IP. The IP blocker in cPanel, for instance, lets you add individual addresses, not block an entire country with one click.
In short, don't expect your host to solve this for you.
Content Delivery Networks (CDNs)
If your site serves static content, images, media files, downloads, a CDN with built-in geo-restriction is one of the tidiest solutions available.
Amazon CloudFront is a major option here. Its geo-restriction feature (sometimes called geoblocking) lets you configure either a whitelist or a blacklist of countries, controlling exactly where your content gets delivered.
Akamai goes further, letting you block by country code and offering additional granularity beyond a simple on/off per country.
The limitation is that CDN geo-blocking typically only covers the content delivered through the CDN itself, not necessarily your entire site. So it's a partial solution rather than a complete one, though for media-heavy sites it can cover the bulk of the problem.
Apache Modules and GeoIP (MaxMind)
For server-level control that doesn't require maintaining a monstrous list of IP ranges yourself, Apache modules that integrate GeoIP data, such as those from MaxMind, are a much more scalable approach.
Instead of listing thousands of IP ranges manually, you let the GeoIP database do the heavy lifting. The module looks up the visitor's country from their IP and applies your rules accordingly. It's more maintainable, more accurate and far less likely to bloat your server config into something unmanageable.
This approach does require server access (so it suits VPS or dedicated hosting) and some technical setup. If you're not comfortable at the command line, this is something to hand to a developer.
ModSecurity
ModSecurity is a web application firewall that sits on your server and can inspect and block requests before they reach your site. It supports GeoIP-based blocking, meaning you can integrate country-level rules directly into your server's security layer.
It's a solid option if you're already running ModSecurity for other security purposes, since it keeps your geo-blocking rules in the same place as the rest of your firewall configuration.
Proxy Services: Cloudflare and Similar
For most small and medium-sized businesses, this is the most practical route. Services like Cloudflare sit in front of your website and handle requests before they even reach your server. Blocking a country is usually a matter of a few clicks in a dashboard, no server access, no config files, no code.
The benefits go beyond blocking: Cloudflare also improves site performance through its CDN and adds a meaningful layer of security against common attacks. The trade-off is that your traffic routes through a third-party service, but for most sites that's a worthwhile exchange.
If you want country blocking without the technical complexity, a proxy service is where to start. Our website maintenance service can help you get this set up and configured correctly from the start.
Blocking at the Application Layer
You can also handle geo-blocking inside your website's own code or CMS. This means your application checks where a visitor is coming from and serves a different response based on that, a block page, a redirect, or tailored content.
The upside is flexibility: you can do more nuanced things, like showing a different message to visitors from certain countries rather than just refusing access entirely. The downside is that every request still hits your server before the decision is made, which introduces a small amount of extra processing. For high-traffic sites where a lot of that traffic is unwanted, this can add up.
For WordPress sites specifically, there are plugins that handle this through the dashboard. It's worth talking to a developer about the right approach for your setup, our WordPress development team can point you in the right direction.
Which Method Should You Use?
| Method | Best For | Technical Level | Covers Whole Site? |
|---|---|---|---|
| .htaccess IP blocks | Blocking a handful of specific IPs | Low | Yes |
| Hosting control panel | Individual IP blocks only | Low | Partial |
| CDN geo-restriction | Static content (images, media, files) | Medium | Partial |
| Apache + MaxMind GeoIP | Server-level country blocking | High | Yes |
| ModSecurity | Server firewall integration | High | Yes |
| Cloudflare / proxy service | Quick, dashboard-based blocking | Low | Yes |
| Application-layer blocking | Dynamic, tailored responses | Medium | Yes |
The Bottom Line
If your business is genuinely local and your stats show that foreign traffic is mostly bots and brute-force attempts, blocking those countries is a reasonable thing to do. Just don't try to do it through .htaccess at scale, that way lies pain.
For most businesses, a proxy service like Cloudflare gives you the easiest path to country blocking without needing server access or technical expertise. For more control, Apache with GeoIP or ModSecurity are the server-side options worth considering.
Always weigh the potential downside: you might accidentally block real customers who happen to be using a VPN, or travellers searching for your business before they arrive. Check your analytics first, then act.
If you'd like help deciding on the right approach or getting it set up properly, take a look at our website maintenance service, we handle this kind of configuration for clients regularly.
Frequently asked questions
Is it legal to block certain countries from accessing my website?
In most cases, yes. Website owners generally have the right to restrict access by geography. However, depending on your industry and location, there may be regulations to consider. It's worth checking with a legal adviser if you're unsure, particularly if you operate in regulated sectors.
Will blocking a country stop hackers from that country?
Not completely. Determined attackers use proxies and bot farms routed through other countries, so a geo-block won't catch everyone. That said, it can significantly reduce the volume of automated brute-force attempts and bot traffic, which is still a meaningful improvement in your site's security posture.
Can I block countries on a WordPress site without server access?
Yes. The easiest option is to route your site through a service like Cloudflare, which lets you block countries from a dashboard with no server access needed. There are also WordPress plugins that handle geo-blocking at the application level.
Why shouldn't I just use .htaccess to block an entire country?
Because the file would become enormous. To block the US alone, you'd need over 150,000 lines of IP ranges. That file is read on every single request and isn't cached, so it would slow your site down considerably. For country-level blocking, use a CDN, a proxy service, or a server-level GeoIP module instead.
Related services
Need a hand with this? Here's how IceBoxDesigns can help.