Reputation: 269
I have a website where I'm getting quite a lot of comment spam. Looking at the IP addresses the spam originates from, they're mostly from countries where it's unlikely any real humans would want to interact with my English-language website, so it makes sense for me to simply block them.
This should be quite straightforward; however, I'd like it if traffic from these countries could actually view my content, just not access the comment, registration etc. forms. So effectively I want to allow them to make GET method requests, but not POST method ones.
Ideally, I'd like to do this in the .htaccess file for the site rather than actually coding it into the PHP scripts that power the site. After a bit of searching, I found what I thought was exactly what I needed: . It appeared that I could do exactly as described above with:
# Block China, Russia etc. from POSTs and similar methods
<Limit POST PUT DELETE>
order deny,allow
deny from 210.5.214.128/29
deny from 210.89.69.160/28
# Hundreds more lines...
# My current IP (sample provided here, actual used in reality), to test
deny from 100.100.100.100
allow from all
</Limit>
# Allow anyone to do GETs and HEADs
<Limit GET HEAD>
order deny,allow
allow from all
</Limit>
But it's not having the desired effect. I can do GET requests (as desired), but POSTs also still work as normal where I would expect a 403 Forbidden error perhaps.
If I don't use the <Limit> tag and put my IP in the deny list, it does successfully prevent me from accessing the site (both GET and POST).
Can anyone advise me as to what I need to change?
Upvotes: 3
Views: 8367
Reputation: 529
<Limit POST PUT DELETE>
order deny,allow
deny from all
#allow from localhost
#allow from 127.0.0.1
allow from xxx.xxx.xx.xx
</Limit>
# Allow anyone to do GETs and HEADs
<Limit GET HEAD>
order deny,allow
allow from all
</Limit>
Upvotes: 0
Reputation: 785631
Change the order of allow deny like this:
<Limit POST PUT DELETE>
order allow,deny
allow from all
deny from 210.5.214.128/29
deny from 210.89.69.160/28
# Hundreds more lines...
# My current IP (sample provided here, actual used in reality), to test
deny from 100.100.100.100
</Limit>
<Limit GET HEAD>
order deny,allow
allow from all
</Limit>
Upvotes: 3
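Why swapping the Order line changes the result, shown as an added example that is not part of the original posts: a small Python model of how Apache combines Order, Allow and Deny, run against the deny list from the question. The function names and the two extra client addresses are constructed for illustration.

```python
import ipaddress

# Deny list taken from the posts above (the question's test address included).
DENY = ["210.5.214.128/29", "210.89.69.160/28", "100.100.100.100"]
ALLOW = ["all"]

def matches(client, specs):
    """True if the client address matches any 'from' spec ('all' or a CIDR/address)."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)

def access_allowed(order, allow, deny, client):
    """Model of Apache's Order/Allow/Deny evaluation for one request."""
    a = matches(client, allow)
    d = matches(client, deny)
    if order == "deny,allow":
        # Deny is evaluated first and Allow overrides it; no match means allowed.
        # With "allow from all" every client matches Allow, so nothing is blocked.
        return a or not d
    if order == "allow,deny":
        # Allow is evaluated first and Deny overrides it; no match means denied.
        return a and not d
    raise ValueError("unknown order: " + order)

def post_decisions(order):
    """Decision for a POST from each sample client under the given Order."""
    clients = {
        "listed_single": "100.100.100.100",  # test address from the question
        "listed_range": "210.5.214.130",     # constructed: inside 210.5.214.128/29
        "unlisted": "198.51.100.7",          # constructed: not in the deny list
    }
    return {name: access_allowed(order, ALLOW, DENY, ip)
            for name, ip in clients.items()}

if __name__ == "__main__":
    for order in ("deny,allow", "allow,deny"):
        print(order, post_decisions(order))
```

Under `deny,allow` every listed client is still let through because `allow from all` is applied last; under `allow,deny` the deny list has the final say.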