ExpressionEngine Docs

Block/Allow List

Control Panel Location: Developer --> Add-Ons --> Block/Allow List

The Block/Allow Module is one of ExpressionEngine’s native spam prevention systems. It helps prevent spam from occurring in comments, referrers, and other posted information. Used in combination with other Spam Prevention Features, the occurrence of spam on your site should be rare.

Block List

The Block list lets you specify content that will trigger ExpressionEngine to deny or delete a comment, referrer, or other posted information. For instance, if you are receiving spam from a particular IP address, then you can place that address into the Block list and EE will no longer accept data originating from that IP address.

Specifying Blocked Content

There are three types of content that you can add to the Block list:

  1. IP Address: You may place IP addresses on separate lines. For example, you could place 127.255.0.123 in the list. You may also place partial IP addresses, which means that ExpressionEngine will match all of the addresses contained within that submask. For instance, if you specify 127.255.0 then EE will match “127.255.0.0” through “127.255.0.255”.
  2. URL: URLs or URL fragments can be placed here, with each entry on a separate line. For instance, you could specify www.spam-king.com and EE would match any incoming URLs from that domain to block. Likewise, you could specify simply the word spam and EE would match any URL that contained that word, whether it was “www.spam-king.com" or “www.i-eat-spam.com".
  3. User-Agent: A “user agent” is the actual program or script that accesses your website. This could be a browser, search engine spider, RSS aggregator, or something else. These all identify themselves in some way with a user agent name. You may specify user agents to block/deny here, with each entry on a separate line. For instance, the user agent “Popdexter” is included in the downloadable ExpressionEngine.com Block list. As with the other settings, you may specify partial strings and EE will match any user agent that contains that string.

Note: ExpressionEngine does not search through existing comments and delete them when new items are added to the Block list. Mass deleting of comments via a simple search of a term is not recommended, since it might have unforeseen results and the deleted comments are not retrievable.

Allow List

The Allow list is effectively the opposite of the Block list. It allows you to specify items that you do want to allow. For instance, let’s say that you specify the word spam in the “URL” section of the Block list. However, you actually really love the food Spam and thus you want to make sure that your friend over at www.i-eat-spam.com can post comments to your site. So, you can add i-eat-spam.com to your Allow list to make sure that she isn’t blocked.

Specifying Allowed Content

There are three types of content that you can add to the Allow list. These are identical to the ones in the Block list:

  1. IP Address: You may place IP addresses on separate lines. For example, you could place 127.255.0.123 in the list. You may also place partial IP addresses, which means that ExpressionEngine will match all of the addresses contained within that submask. For instance, if you specify 127.255.0 then EE will match “127.255.0.0” through “127.255.0.255”.
  2. URL: URLs or URL fragments can be placed here, with each entry on a separate line. For instance, you could specify www.spam-king.com and EE would match any incoming URLs from that domain to allow. Likewise, you could specify simply the word spam and EE would allow any URL that contained that word, whether it was “www.spam-king.com" or “www.i-eat-spam.com".
  3. User-Agent: A “user agent” is the actual program or script that accesses your website. This could be a browser, search engine spider, RSS aggregator, or something else. These all identify themselves in some way with a user agent name. You may specify user agents to allow here, with each entry on a separate line. As with the other settings, you may specify partial strings and EE will match any user agent that contains that string.

Downloading ExpressionEngine.com Lists

Packet Tide, LLC maintains its own Block list and Allow list. These lists are maintained with the help of our users. If you have an IP address, user agent, or URL that you believe should be added to the Block list or Allow list, please email blacklist@ellislab.com.

To download the Lists, go into the Developer --> Add-Ons --> Block/Allow List. In the main menu for the module are links that you can click to automatically download and add the ExpressionEngine.com Lists to your own.

ExpressionEngine will compare the downloaded list to your local list and add any new entries to the end of your lists. EE will not delete or alter any of your existing items in your lists.

Note: Downloading the ExpressionEngine.com Block and Allow List requires that your host have outgoing socket connections enabled on your server and the ‘fsockopen()’ PHP function available. This configuration is quite common on most web hosts and default server configurations.

Writing the Block list to .htaccess File

If you are on an Apache-based webserver, you can have ExpressionEngine copy your Block list URLs and IP addresses to a .htaccess file so that visitors matching those blocked terms are completely blocked from accessing your site. In order to use this feature several things must be done.

  1. You must be on an Apache-based webserver. Further, the server must be set up to allow you to use .htaccess files. If you are unsure whether this applies to you, check with your Host. This method will not work on non-Apache servers such as those using Windows’ IIS server.

  2. You must have a .htaccess file at your site root. If you do not have one already, create a blank text file and name it .htaccess. If you already have a .htaccess file, don’t worry since ExpressionEngine will not overwrite existing content or delete the file; it will only add new content.

  3. Once you have a .htaccess file at the site root on your server, you will need to make it writable. See File Permissions for details.

  4. In your ExpressionEngine Control Panel, go to Developer --> Add-Ons --> Black/White List. At the top of the page you’ll see a “Add to .htaccess file?” setting. In this setting, you will need to place the full server path to the .htaccess file. The full server path might look something like

    /home/example.com/public\_html/.htaccess

    You must include the .htaccess filename, so be sure to include it. If you do not know what to use for your full server path, contact your Host or server admin.

  5. Press the Save Settings button on the form and ExpressionEngine will add the contents of your Block list to the .htaccess file, blocking them from being able to access your site at all.

Also note that an “override” is included for any referrers that include your own server name (i.e. example.com) to make sure that there is no chance that you block your own site by accident. In order to include this “override” you need to ensure that your “Cookie Domain” preference is set under Settings --> Security & Privacy.