If someone knows your hidden Hosting IP address, they can bypass our Firewall and try to access your site directly. It is not common or easy to do so, but for additional extra security, we recommend only allowing HTTP access from our Firewall.

The best way to prevent hackers from bypassing our Firewall is limiting their access to your web server. To do this, all you have to do is add restrictions to your .htaccess file so that only our Firewall’s IP will be able to access your web server.

1) However, before you do this, make sure your DNS changes fully propagated, as you may block valid visitors whose DNS has old information. Four hours is usually enough, but you can check propagation here.

2) Click here to go to the Preventing Firewall Bypass settings.

Prevent Bypass

3) Select the proper server for your hosting configuration and you will need to add the code for Apache in your .htaccess file and for Nginx, you will need to add it to your Nginx configuration file.

  • IIS

It will depend on what version of IIS you are using for the exact instructions, but the links below provide various options for different IIS versions: IIS 7 and IIS 8.

You can also try to use web.config file to prevent bypass:

        <ipSecurity allowUnlisted="false">    <!-- this line blocks everybody, except those listed below -->                
        <clear/> <!-- removes all upstream restrictions -->
        <add ipAddress="" allowed="true"/>    <!-- allow requests from the local machine -->
        <add ipAddress="" subnetMask="" allowed="true"/>   <!--allow network-->        
        <add ipAddress="" subnetMask="" allowed="true"/>   <!--allow network--> 
        <add ipAddress="" subnetMask="" allowed="true"/>   <!--allow network--> 
        <add ipAddress="2a02:fe80::" subnetMask="ffff:ffff::" allowed="true" />   <!--allow ip6 network-->
      <modules runAllManagedModulesForAllRequests="true"/>
  • Lighttpd

Append following configuration directive on "lighttpd.conf" file:

$HTTP["url"] =~ "^/$" {
    $HTTP["remoteip"] == "" {
    else $HTTP["remoteip"] == "" {
    else $HTTP["remoteip"] == "" {
    else $HTTP["remoteip"] != "" {
        url.access-deny = ( "" )

Known Issues

  • 500 Internal Server Error

After adding the bypass prevention rules your server started to answer with a 500 error code? Your server probably doesn't support IPv6. Please remove the line referring to the IPv6 from the bypass prevention code and check if the error is gone. Keep in mind that the bypass prevention rule will cause this error only after it had just been inserted, not some days later.

  • 403 Forbidden

There are a few possible reasons for this error:

1) The DNS propagation didn't finish. Four to six hours is usually enough, but you can check propagation here.

2) If you followed the "Bypassing Firewall for Testing" article, you may have forgotten to remove the server IP from your "hosts" file. Try to remove that line from the "hosts" file;

3) If you are a WPEngine, Rackspace, Siteground customer or your hosting provider does use a reverse proxy such as NGINX or Varnish in front of the real web server, you won't be able to use the bypass prevention on your .htaccess file. That's because depending on the reverse proxy setup, the reverse proxy will translate the visitor IP address directly to the web server or use "localhost" for all requests. Therefore, the web server can't see the Firewall IP and won't be able to block the bypassing. In this case you must reach your hosting provider so they can block the bypass on a software firewall (such as iptables) level.

If you have any questions don’t hesitate to open a ticket in our system and our team will help you out!