Sucuri Docs > Website Firewall > Configuration > Prevent Sucuri Firewall Bypass

Prevent Sucuri Firewall Bypass

If someone knows your hidden Hosting IP address, they can bypass our Firewall and try to access your site directly. It is not common or easy to do so, but for additional security, we recommend only allowing HTTP access from our Firewall.

The best way to prevent hackers from bypassing our Firewall is limiting their access to your web server. To do this, all you have to do is add restrictions to your .htaccess file so that only our Firewall’s IP will be able to access your web server.

1) However, before you do this, make sure your DNS changes fully propagated, as you may block valid visitors whose DNS has old information. Four hours is usually enough, but you can check propagation here.

2) Click here to go to the Preventing Firewall Bypass settings.


3) Select the proper server for your hosting configuration and you will need to add the code for Apache in your .htaccess file and for Nginx, you will need to add it to your Nginx configuration file.

  • IIS

It will depend on what version of IIS you are using for the exact instructions, but the links below provide various options for different IIS versions: IIS 7 and IIS 8.

You can also try to use web.config file to prevent bypass:

  • Lighttpd

Append following configuration directive on "lighttpd.conf" file:

$HTTP[url] =~ ^/$ {
    $HTTP[remoteip] == {
    else $HTTP[remoteip] == {
    else $HTTP[remoteip] == {
    else $HTTP[remoteip] == {
    else $HTTP[remoteip] !=  {
    url.access-deny = (  )

Known Issues

500 Internal Server Error

After adding the bypass prevention rules, your server started to answer with a 500 error code? Your server probably doesn’t support IPv6. Please remove the line referring to IPv6 from the bypass prevention code and check if the error is gone. This error may persist for a short time after you remove the setting.

403 Forbidden

There are a few possible reasons for this error:

1) The DNS propagation didn’t finish. Four to six hours is usually enough, but you can check propagation here.

2) If you followed the "Bypassing Firewall for Testing" article, you may have forgotten to remove the server IP from your "hosts" file. Try to remove that line from the "hosts" file;

3) If you are a WPEngine, Rackspace or Siteground customer or your hosting provider does use a reverse proxy such as NGINX or Varnish in front of the real web server, you won’t be able to use the bypass prevention on your .htaccess file. That’s because depending on the reverse proxy setup, the reverse proxy will translate the visitor IP address directly to the web server or use "localhost" for all requests. Therefore, the web server can’t see the Firewall IP and won’t be able to block the bypass. In this case, you must reach your hosting provider so they can block the bypass on a software firewall (such as iptables) level.

If you have any questions don’t hesitate to open a ticket in our system and our team will help you out!

Was this article helpful?