Not every Drupal website needs or wants traction in each country within the world. Websites like a flower shop, bakery, car wash, laundry, babysitting, lawn mowing, etc. may be relevant only to locals of an area. Overseas attention might be irrelevant & absurd for these Drupal sites. Now, this is where country blocking comes as a relief.

Unless you consciously block access to countries, all countries have access to your website by default. This may result in excess burdening on your server’s bandwidth. Moreover, it also attracts severe security risks for your website.  Country blocking is a great & smart way to put your website off the radar for countries which do not cater to your needs.

Most importantly, there are some countries which are notorious for sending attack vectors. Hence, blocking them would only be a prudent decision for your website. The following stats on attacks origins as discussed in this informative guide on hacking stats backs our point here –

Clearly, China tops the list of cyber attack origins. Besides China, The USA, Russia, Brazil are some other countries infamous for being home to hackers. But, as I said, this can easily be taken care of with country blocking.

Commonly, country blocking is done by the following methods:

  • Country blocking through .htaccess – Apache
  • Country blocking by NGINX + GeoIP Module

Let’s figure out how each of these processes works:

Country blocking in Drupal through .htaccess – Apache

Step 1 – Get the IPs of a country

There are several tools on the net available for free which avails you the complete list of IP ranges of a country. And, one such tool is the IP2LOCATION. So, follow these steps to generate the IP ranges of different countries.

  1. Go to –
  2. Scroll down, and insert the country name, IP versions, and output format.
  3. Hit ‘Download’ to export the .txt file with the IPs.
  4. Repeat the process for different countries.

Step 2 – Open your .htaccess file

  1. Login into your website through FTP or cPanel
  2. Navigate to your public_html directory
  3. Open .htaccess file there.

Step 3 – Copy  the IP list into .htaccess file

  1. Copy & paste the generated IP in the .htaccess file
  2. Save and upload it back to the server.

By following this simple process you can block countries easily. Still, country blocking through .htaccess has some limitations. First, the IP list keeps on changing & growing. So, you would need to update the list every 2-3 months.

Country blocking in Drupal by NGINX + GeoIP Module

Step 1 – Install the GeoIP module

The first step is to install Nginx with HttpGeoIpModule. You can check if your Nginx is compiled with HttpGeoipModule using-

nginx -V

if you see –with-http_geoip_module as a result of the above command you can proceed.

Step 2 – Download the GeoIP Database

The next step is to install maxmind’s GeoIP database. The following line of command could be used here –

sudo apt-get install geoip-database libgeoip1

This downloads the GeoIP database and places it at – /usr/share/GeoIP/GeoIP.dat

Step 3 – Configure Nginx for blocking

You have the database with all the IP ranges of all the countries is ready to use. Just open the Nginx configuration file & add the following command at the start of HTTP block. Nginx will fetch the details from the database and do the needful.

  geoip_country /usr/share/GeoIP/GeoIP.dat;
   map $geoip_country_code $allowed_country {
       default yes;
       PK no;
       AU no;

The above code translates to allow all countries except Pakistan (PK) & Australia (AU).

You can also do it as allowing a few countries and blocking others, see below-

   geoip_country /usr/share/GeoIP/GeoIP.dat;
   map $geoip_country_code $allowed_country {
       default no;
       IN yes;
       US yes;

this will block all the countries except India and the USA.

Step 3 – Set a Block Page

Next, you would need to set a block page for all these blocked countries. You can do this as:

  1. Open the server block file in your website
  2. And, add the following lines in that file and save
    if ($allowed_country == no) {        
    return 404;

This will program the browser to return a 404 not found error for a blocked country. You can also set other HTTP status codes such as the 444-HTTP error code or 403- access denied error code.

Step 4 – Reload/Restart Nginx

At last, reload the Nginx server for the changes to reflect.

sudo service nginx restart

How Astra helps in blocking countries & IP ranges in a click for your Drupal website

These were some of the methods to do country blocking in Drupal. However, there is one more even simpler method left. This is the one-click country blocking by Astra. Country blocking is an ingrained feature in the Astra firewall. You need not fuss about updating the IP list. This method does not require any coding skills. And, this also has an easy IP whitelisting functionality, in case you change your mind.

Here is how you can benefit from it:

  1. Install the Astra Firewall, and log into your Astra dashboard
  2. Navigate to the ‘Threats’ page.
  3. Scroll down to find ‘Add a custom rule’ section
  4. Insert the country you would like to block and click on the ‘Block’ button, and you are good to go.

In case, you’d like to unblock it you can do that by scrolling down to ‘Trusted & Blocked List’ and simply delete the country from the list.

Was this post helpful?

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Naman Rastogi

Naman is a Digital Marketer & Growth Hacker at Astra. A technology enthusiast with focused interest in website security.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Free Website Security Scanner