How to Block Entire Countries from Accessing Your Website

Originally published at:

If you run a website, then by default it is accessible to the whole planet.

Many websites are simply not relevant to people in other countries. So, you should not expect significant traffic from them as a matter of course.

If you have a local bookstore and your primary market is local people walking into your store, then there is no need to let any other countries index or waste bandwidth on your server. The same might be true of a carwash, or babysitters, or lawn mowing.

If you run a personal or even private website, such as a family blog, you may want to highly restrict traffic by default.

Here is a screenshot of Awstats telling me that China is responsible for the second-largest volume of traffic to a certain web forum I manage. This is just for January 2015.

Continue reading this article on SitePoint

Any attempt to block access can be bypassed just as easily or easier than applying the block in the first place. All the person needs is VPN access to a location that you don’t have blocked so that all their traffic appears to come from there.

The measures you suggest will prevent you wasting bandwidth on people who have accidentally selected your site when they are really looking for one located elsewhere but it will not stop someone who deliberately wants access to your site…Chances are that a small percentage of the visitors your stats say are located in the US are actually located elsewhere.

You are correct, a VPN in a non-blocked location will work just fine.

For everyday bot farms and web bugs and other automated tools that originate from a blocked country, you’ll be fine.

The hacker(s) in charge are probably not going to care or even know you are blocking them, and they certainly won’t go out of their way to make sure they can get to just one lone site somewhere who is blocking them.

In my case, for the forum I mentioned in the article, China traffic was 2nd largest, now it’s off the scale entirely.

Parking your car in the garage will stop 99% of car thieves, but of course there is still the 1% who will jump through all the hoops to steal it anyway. The methods in the article are for the 99%, not the 1%.

Makes me wonder what blocking countries would do for your SEO.

My guess is nothing at all.
I’ve never seen “worldwide availability” used as a significant SEO metric. SEO is about content after all.

But what if you block the country where the Google, Badu or Bing index robot works from?

That’s a few too many “what ifs”. I doubt Google’s USA web crawler works from China for one thing. But also, if I’m blocking a country, I wouldn’t care how good my SEO is for their visitors, since I’m no longer catering to their users anyway.

The bots themselves will still find me via any other non-blocked sources anyway. It’s not like Google only has one location where bots originate.

If you had a local business and blocked every IP in the world except for those in your own zip code, then yes chances are good the bots won’t find you any longer. But even then, you can submit your sitemaps to Google and others directly, so who knows?

Hi, see what type of your site is. If you use wordpress then you can find a plugin to redirect if the site load in other target country.Or set it in Google Webmaster tool Geotargeting.

That allows you to set your geographic target if your domain name is not country-specific. But all it does is tell Google which area you want to target in SERPs. It will have no effect on visitors, and certainly can’t be used to block visitors from other countries.

1 Like

You probably can certainly find a plugin for geotargeting, but the point is that this method is very high level. By the time a plugin blocks a visitor, they have already used server resources and wasted bandwidth.
This application-level filtering is best used only for websites where you must change your content based on visitor origin, like switching currencies, or applying location-based content or filtering or language changes.

We’re using Apache GeoIP to block access from a whole host of countries we a) don’t do business in and b) noticed were coming up regularly in the server logs (always attempts at hacks). It’s been a real success: by blocking China, then most other 3rd world countries (all of Africa) and Brazil as well we were able to cut down on attempts by over 90%. The biggest issue remaining is the US: we don’t want to block access to the US, but notice many of the remaining hack attempts come from there. My summary is we’ll just have to deal with this by hardening the site. It’s unfortunate that in the www you have to take such a drastic move as blocking a whole country from accessing your site, but it appeared on our site at least, that nothing but dodginess came out of these places. I’d like to throttle the people behind these attacks, but as that’s unrealistic, I’m content to block them from seeing the site. I know they can still get around the blocks with IP spoofers etc. but at least the automated bots are generally shut out - they work on simple, massed attempts at hacking: kind of like spam in general, of which these people are the human equivalents.

And that’s where hooking up with Cloudflare or Incapsula will come in handy. If there is an attack that they see happening across thousands of their sites, they will know it’s bad and can block it for the rest of their customers. But when you are on your own, there is a certain amount of bad traffic that is unavoidable. Anything connected to the public Internet is going to be scanned for attack points at some time.

Having lived in China for 4 years i can honestly tell you they are far more valuable as readers and customers than many other countries like India.

I don’t get any problems with China but i do get enormous problems with Indian’s stealing content and basically raping my website and republishing it on theirs without permission.

Around 20% of my traffic came from India so when i blocked the entire country i thought i would lose 20% of my traffic.

Actually, my traffic has increased by over 30% after blocking India because i am preventing Indians from stealing my work and ideas.

On top of this, your site will not get as many low quality links from low authority spam sites in India.

I wouldn’t disagree. One has to figure it all out for themselves what is best for their own website.

I moved a post to a new topic: Why are news articles served differently to different countries?

I would like to thank you for your most inspired and helpful tips regarding website security.
Thank you and god bless my friend.

Yours sincerely,

I have tried the root with cloudflare as i have a paid plan, however when i try adding a country to block, it comes up with a message saying that this feature is only available for the enterprise plans!

Can you confirm this please?

Yes, they seem to have changed the rules. Everything looks different.

Apparently the country block on non-enterprise plans will only give users a “challenge” page to allow them to enter your site.

This ain’t so bad, since most bots wouldn’t be able to solve the challenge and so it’s still a decent block regardless.

Hi Zack,
The more I read your arcticle the harder it was to resist to reply.
Congratulations for really good high level overview on the topic. It gave me great insights.

There was one point in the article, where maybe I can add my 2 cents.
When you write about restricting access with firewalls in chapter Routing tables, you say that this is very tidious work for a sys admin.
I think it could be done in a smart way in some cases. If you administer Linux iptables, Cisco ASA and PIX, Cisco FWSM, Cisco router access lists, pf, ipfw and ipfilter for BSD, and HP ProCurve ACL firewalls, you can use a tool FWBuilder. You can dowmload a file and create firewall rule with FWBuilder fast as they claim here. You can even block only port 80 or 443 for a whole country.
I didn’t done that yet, but as far as I know FWBuilder it should work.

But as you also say in the article, there is another pitfall in this approach.
If you block access for a whole county on a VPS firewall, you will block access to all web sites on this VPS, which is not desirable sometimes.

Thanks again for investing your time in and sharing this article.

I’m all for adding new tools to the toolbox!
Automation is the SysAdmin’s superpower!