Trolls Getting Past .htaccess, 'IP Blocker', & Cloudflare

epiz_25072880 /

I’ve had issues with trolls on my site and forum, and have implemented blocks of specific IPs and IP ranges. They are in place in .htaccess (in the site’s & forum’s root folders), the CP’s ‘IP Block’ feature, and via Cloudflare’s own Security > WAF blocking tool. However, they are still accessing the site via thes blocked IPs.

From my limited knowledge of the issues behind this, they evidently have unmasked the direct IP of the server my site is on, and are bypassing all the measures I’ve put in place. I’ve read about being allocated a different server IP and using methods to hide/mask it, but that’s obviously not going to happen on a free acct., so…

Does anyone have any other recommendations on how I can successfully block IPs and IP ranges with measures more definitive/secure/bulletproof than the ones I’m utilizing (and failing)?

I do have another website on another server, and could go to the trouble of swapping sites onto the opposing servers… IF I have all the bulletproof anonymizing in place beforehand to make it worthwhile… I wouldn’t want to, but it is a last-ditch option.

Considering there are over two hundred website on the server IP, accessing it directly is highly unlikely. Plus, there is no getting around the control panels “Block IP” feature (I mean technically yes, but don’t get me started there).

One of the two things are most likely happening:

  1. You are blocking the wrong IP (You may be detecting the Cloudflare IP instead of the real IP. Can you PM me the IP(s) that you are trying to block? I can check them).
  2. You are blocking them incorrectly (Not likely, but still possible. Screenshot your WAF rules in that PM to me as well.)

Does your forum have an IP detector and blocker on it? It should, and that should offer you a one-click-block type thing. Also, note that relying on IP blocks is not the best, since a DNS change, or the use of a VPN can easily change an IP (I can change the IP of my computer 2 different ways in under a minute).


visitor - CF - hosting

CF is here in the middle and all the traffic is going through it
no direct connection visitor <> hosting

and if your forum is unable to retrieve the actual visitor IP
instead, it sees Cloudflare IP (because Cloudflare actually talks to origin / host) then you need to add an extension.

you judge which one:

1 - phpBB • CloudFlare IP - Contribution Details

2 -

And then when you have a real IP then you follow the normal path through the forum and block the user by email, by IP, by country, etc.

Cloudflare I think only supports the 0/24 block range

as far as protection regarding possible DDoS is concerned - you need to do it all on CF.
There is no point in doing a block on .htaccess here on hosting
because when someone has an origin IP then it is too late
and every visit to your site (blocked or not) counts and consumes resources,
means in the sense if someone wants to DDoS your site and you blocked his IP via .htaccess
the server must pop up again with 403 and also process every request …

that is why CF is used - which is between the visitor and the origin


Just curious, how does cloudflare not crash from these DDoS attacks?


Because the service is modelled to prevent DDOS attacks, don’t be :hatching_chick:


Yeah, but I was wondering how they mitigate the attack without taking the “blow” themselves. I usually ask these questions on the side because the poster (OxyDac, in this case) can respond to it while it being not too off-topic (it might help the OP better understand how to implement and use cloudflare), but if it is going to be a full-blown discussion then I might as well create a separate topic.


That’s the thing: they don’t. If a website using Cloudflare gets attacked, it’s Cloudflare’s servers taking the hit.

But this isn’t really a problem, because Cloudflare has a huge network, and an army of engineers whose sole purpose it is to keep websites online and fast at all times. So their platform can take a ton of abuse.

So it is theoretically possible to bring down Cloudflare with a DDoS attack that’s big enough, but it would probably have to be the biggest DDoS attack ever to get their systems on their knees.

A question: what do those trolls actually do on your site? Is it automated spam, or just people being mean?

If they use predictable IP addresses, then blocking them both in .htaccess and in Cloudflare should do the trick. So why doesn’t it?


I’ll answer in regards to two specific visitors I’ve been blocking for months, as any answer that succeeds in answering how they continue to access my site makes all other issues superfluous. I’ve been blocking two specific IPs via .htaccess, the CP’s “IP Block” feature, and CF. I’ve only implemented CF in recent months, but these blocked IPs have been getting through before and after my implementation of CF.

I’ve successfully blocked other IPs and ranges using each method- and each method I’ve tested by blocking known IPs , including my own IP. I’ve also used .htaccess validators, and am reasonably confident the .htaccess files are written and implemented properly.

I’ve also blocked one of the two IPs on the backend of phpBB.

I’ve used many tools to trace/ID the two offending IPs; one always comes up as a Comcast customer, the other Verizon. I’ve blocked them by specific IP, and by differing methods of blocking ranges. None have, thus far, succeeded.

The image shows today’s visits from the blocked IPs, as well as the blocking used in CF and IP Block.

The .htaccess is straightforward enough:

order allow,deny
allow from all
deny from
deny from

Again, all IP tracing I’ve done never varies from those locations and providers.

Your code would work with Apache versions below 2.4, however, that is not what our servers run.
Our servers run Apache 2.4+, so you must use the correct code:

    Require all granted
    Require not ip
    Require not ip

@keddie, if you use that code yourself, I would recommend changing it to what @wackyblackie sugested.


Ah. So that’s why my IP blocking methods didn’t work. Good to know!

I guess Order is deprecated now.

1 Like

I’ll implement that now.

Any idea why the CF block and CP ‘IP Block’ tools aren’t blocking them? I mean, I’m wearing a belt, suspenders, and another set of suspenders… I don’t see how CF is missing it, because that’s the first line of defense, and I doubt the ‘IP Block’ is conflicting with .htaccess, as the obsolete wording I used should render .htaccess useless, ignored by the server altogether…

Also, a couple Qs about blocking ranges:

is still correct for blocking the entire range of the last two subsets?

is still correct for blocking the entire range of the last subset?

Does blocking both a range (ie AND an IP within that range (ie cause any conflicts, or is it just considered superfluous / redundant?

1 Like



but comcast has a lot of ASN
in addition also ipv6



I’ve updated my .htaccess to include the ranges OxyDac pointed out, and subscribed to

I’m a graphic designer, the polar opposite of a coding wiz. I’ve spent a couple weeks perusing google results from the last year on the latest coding tips & tricks for writing .htaccess, and not a damned one of them mentioned the new lexicon (< RequireAll >, etc). Is there a site / link anyone can recommend that has a tutorial that’s not completely obsolete to what’s running on this server?

Likewise, I’ve tried boning up on what to ban when trying to exclude bad apples from my sites. I’ve found range calculators, and many tutorials, and so far gives the most comprehensive details on tracing. But, beyond the known IP and IP range of the scum I want to block, I’ve not found one tutorial that explains a thing about what else I should be blocking.

ASN? IPV6? I’ve seen them mentioned dozens of times when researching what to block, but not one explanation of how/where to find that info, why and when I should block it, much less HOW to successfully block it. Does anyone know of a tutorial on IP/Range blocking that’s as comprehensive and point-blank as OxyDac’s write-up on protecting a site from EP overload? (How to protect your website that is on Cloudflare plus Logs)


Well, because it’s new. And lots of people don’t follow the docs, so they don’t know it’s changed…. It’s confusing and often frustrating, welcome to the world of web development!

There are a bunch of .htaccess examples here, and 90% of them have been tested on InfinityFree servers.

As for HTML/CSS, the Apps “Sololearn” and “Mimo” are two good options.

You block what you want to block. Do you want to block specific URLs? IP addresses? Every website is different, so there really is not a “one size fits all” blocking list.

Again, it’s different for every website. First, you have to locate the person you want to block, then obtain their IP (Using PHP, analytical software, etc).

Why - Because you don’t want that person/bot on your website
When - Whenever you want to

That’s easy :slight_smile:
See example #2


may they just using your site not DDOS it, however I worry more about weak hosting for users than DDOS, a normal wind for ants is tornado so I don’t want weak like ants and ban my users just because of more refreshing pages, also new users is very important and I don’t want to lose it, in the free plan I can spend more money on ads and after earn enough money I can provide better host plan for my users and make grow my business, so I hope this problem/limit fixed


AS Autonomous system (Internet) - Wikipedia

You can also find ASN on
when you give an IP, it shows you which organization it belongs to
and it tells you if it’s ISP or VPN or HOSTING etc. or all together.

when to block ASN?
Mostly when it belongs to some hosting

Please read

and when you simply have no choice because a simple IP ban doesn’t help because they keep coming back with a new IP
or there are a large number of IPs and blocking ranges that make it easier for you to put a block on the entire ASN.

What should not normally do is to block the ASN from some ISP
because there are 99% of your real visitors (people) as opposed to bots, VPN and Tor.

there are also several paid VPNs that use residential IPs to bypass the block
but fortunately there are still few of them

why CF does not block ?
probably something is wrong in your settings or is the wrong priority
but it’s a question more for a Cloudflare community forum

Just for the sake of comparison
The biggest ever DDoS attack in world history = 3.47 terabytes per second (UDP reflection attack - 15 minutes)

Cloudflare’s network capacity = 121 Tbps


You misunderstood my Qs. I wasn’t asking specific to IF, as I well know the answers you provided. I’m asking if anyone knows a tutorial that explains IP/Range/domain blocking and when/why one should implement the next level of blocking. An “ITTT” approach to explaining the steps, if you will. I loathe tutorials that lack proper explanations, as they leave the reader no better informed than before. Most tutorials on the subject are of the “Shut up and do what I say” variety, which is about as useful as a tree surgeon explaining to John Hopkins grads how to use a band-aid.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.