9.2.6. Exceptions

Sometimes you do not want to block certain IPs or domain names, for example Google Bot, MSN (Bing) Bot and so on. You can exempt them from blocking. The following options prevent Admin Tools from blocking certain IPs and domain names:

Never block these IPs

Enter the IP addresses or address blocks which should never be automatically blocked.

Malicious URLs from these IP addresses WILL be blocked, but (a) this will not be logged and (b) the IP address will not be automatically blocked by the "Auto-ban Repeat Offenders" feature below.

The purpose of this feature is similar to the Allowed Domains feature below, when you don't have a common domain name, just IP addresses. It makes sense to use this feature for the IP addresses of search engine bots, known external servers accessing your site (e.g. payment service providers sending callbacks to your site, site scanners, CloudFlare, Sucuri, etc).

Important

Do NOT add the IP of a blocked user to the Never Block These IPs list when you unblock a user.

The vast majority of IP addresses are dynamically assigned by the user's Internet Service Provider and will change in a matter of minutes to weeks (typically: in a few hours). This has two knock-on effects for you:

  1. Your user will still get blocked once their IP address changes. Therefore, you have not solved the problem you set out to solve.

  2. You have an IP address which is allowed access to your site without getting automatically blocked. However, this IP address is no longer under the control of a person you trust, creating a small hole in your site's defences.

Always try to address the reason a user was blocked instead of putting their IP address in the Never Block These IPs list.

You can enter IPv4 and IPv6 addresses in the following formats:

  • Single IPv4 or IPv6 address e.g. 127.0.0.1 or ::1

  • IPv4 address range e.g. 127.0.0.1-127.0.255.255

  • IPv4 implied range e.g. 127.0.0. for the entire 127.0.0.1 to 127.0.0.255 block

  • IPv4 or IPv6 CIDR block notation e.g. 127.0.0.0/8

You may enter a dynamic IP domain name prefixed by the at-sign (for IPv4) or hash-sign (for IPv6). This only applies if you are using a dynamic IP address domain provider (e.g. DynDNS). For example, if you are using DynDNS and your dynamic IP address domain name is example.dyndns.info and resolves to an IPv4 address, you can enter @example.dyndns.info to always allow your dynamic IPv4 address. Conversely, if your dynamic hostname resolves to an IPv6 address, you can enter #example.dyndns.info to always allow your dynamic IPv6 address. Be careful to enter the correct domain name or you may have a delay of up to 30 seconds processing blocked requests.
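The following Python helper is an added example, not Admin Tools' own code. It parses entries in the formats listed above and reports how many addresses each one exempts from automatic blocking, so overly wide entries stand out. The function names and the `max_size` threshold are assumptions of this sketch, and so is the implied-range expansion, which covers the whole block including the .0 address.

```python
import ipaddress

def parse_entry(entry):
    """Return (kind, first_ip, last_ip) for one allow-list entry."""
    e = entry.strip()
    if e.startswith(("@", "#")):
        # Dynamic hostname (@ = IPv4, # = IPv6): needs DNS, so only classified here.
        return ("dynamic-hostname", None, None)
    if "/" in e:
        net = ipaddress.ip_network(e, strict=False)
        return ("cidr", net[0], net[-1])
    if "-" in e:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in e.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry!r}")
        return ("range", lo, hi)
    if e.endswith("."):
        # Implied IPv4 range: pad the missing octets with 0 and 255 (assumption).
        octets = e.rstrip(".").split(".")
        pad = 4 - len(octets)
        if not 1 <= pad <= 3:
            raise ValueError(f"bad implied range: {entry!r}")
        lo = ipaddress.ip_address(".".join(octets + ["0"] * pad))
        hi = ipaddress.ip_address(".".join(octets + ["255"] * pad))
        return ("implied-range", lo, hi)
    ip = ipaddress.ip_address(e)
    return ("single", ip, ip)

def covers(entry, ip):
    """True if the entry exempts the given address."""
    _, lo, hi = parse_entry(entry)
    addr = ipaddress.ip_address(ip)
    return lo is not None and lo.version == addr.version and lo <= addr <= hi

def audit(entries, max_size=256):
    """Return (entry, kind, size, too_wide) per entry; max_size is a hypothetical limit."""
    report = []
    for entry in entries:
        kind, lo, hi = parse_entry(entry)
        size = None if lo is None else int(hi) - int(lo) + 1
        report.append((entry, kind, size, size is not None and size > max_size))
    return report

# Constructed sample list, built from the format examples on this page.
SAMPLE = ["127.0.0.1", "::1", "127.0.0.1-127.0.255.255", "127.0.0.",
          "127.0.0.0/8", "@example.dyndns.info"]

if __name__ == "__main__":
    for entry, kind, size, too_wide in audit(SAMPLE):
        print(f"{entry:26} {kind:17} {size!s:>10} {'REVIEW' if too_wide else 'ok'}")
```

Dynamic hostname entries are only classified, since their current address depends on a DNS lookup at the time of the request.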

Tip

If you are using the Exclusive Allow IP List feature to allow access to the administrator section of your site only to specific IPs, these IPs are automatically added to the safe list of IPs which should never be automatically blocked. You do not have to enter them here.

The default list of IP addresses lists the known good IP addresses of the search bot of the DuckDuckGo search engine: 20.191.45.212, 23.21.227.69, 40.88.21.235, 50.16.241.113, 50.16.241.114, 50.16.241.117, 50.16.247.234, 52.5.190.19, 52.204.97.54, 54.197.234.188, 54.208.100.253, 54.208.102.37, 107.21.1.8. The source of that list of IP addresses is the official DuckDuckBot documentation at https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/

Never blocked domains

If the IP address of the visitor whose request would be blocked resolves to a domain name ending in what you enter here, they will not be blocked. Effectively, these domain names have a free pass on your site.

Warning

Malicious URLs from these domain names WILL be blocked, but (a) this will not be logged and (b) their IP address will not be automatically blocked by the "Auto-ban Repeat Offenders" feature below. This is done to protect your site against reflected search engine attacks. Let us explain this.

Some hackers try to exploit search engines' eagerness to scan URLs, crafting malicious URLs to your site and putting them on their own sites. Search engines will see them and try to visit them on your site. You are explicitly allowing these search engines as you don't want to lock them out of your site. If the malicious URL wasn't blocked just because the request comes from a seemingly innocent source, your site would be instantly hacked. That's why the malicious URLs are still blocked; they are just not logged and do not cause IP addresses to be automatically banned.

The default list of domain names is .crawl.baidu.com, .crawl.baidu.jp, .google.com, .googlebot.com, .search.msn.com, .crawl.yahoo.net, .yandex.ru, .yandex.net, .yandex.com, which allows the search engine indexers for Baidu, Google, Bing, Yahoo and Yandex.

The source of this information is the following official documentation URLs of various search engines (in alphabetic order):