Clickport
Start free trial
Intuitive Dashboard Engagement Tracking Session Tracking Goal Conversions Filtering & Segments Privacy First Real-Time Analytics Ask your analytics Bot Protection
For agencies For SaaS For e-commerce For affiliates For bloggers For publishers Google Search Console Bing Webmaster Tools WordPress Shopify Tracker install SPA tracking Custom Events API reference vs Google Analytics vs Matomo vs Cloudflare All comparisons
How It Works Blog Updates Documentation UTM Builder GDPR Checker GA4 Data Loss Estimator GA Legal Status GA Problems WordPress Analytics Bot Traffic AI Traffic Ecommerce Analytics About Contact Status Security

Block IP addresses

The IP block list rejects events from specific IPv4 addresses or CIDR ranges before they reach your data. Matching events return a normal 200 response but are never written to ClickHouse, never counted against your tier, and never appear in the dashboard. Add rules from /<domain>/settings/tracking-rules.

When to use it

  • Block your office network. Add the static IP of your office or VPN exit. Everyone on the network is excluded regardless of which browser or device they use.
  • Stop a known abuse source. If a scraper or attacker keeps hitting your tracker from a fixed IP or range, blocking it server-side is cheaper than catching the events at the bot-detection layer.
  • Cut out a specific datacenter. If a residential-proxy farm or a cloud provider's IP range floods your analytics, block the whole range with a CIDR rule.
For excluding yourself only, use "Exclude this device" instead. The toggle at the top of the Tracking rules page stores a flag in your browser, so it works even when your IP changes (mobile networks, Wi-Fi switching, VPN). IP-based exclusion only helps when your IP is static. See Exclude your visits.

Adding an IP rule

Open Settings → Tracking rules, find the IP addresses card, and click Add. The modal shows your current public IP at the top with a one-click "Use it to block my own traffic" shortcut, which fills the IP field and your name as the description.

The IP field accepts:

  • A single IPv4 address (stored internally as /32): 91.249.178.98
  • A CIDR range: 10.0.0.0/24, 185.220.100.0/22, 198.51.100.0/16

The CIDR prefix must be /8 or narrower. /8 covers 16 million addresses; anything broader (more than 1 in every 256 IPs on the public internet) is rejected as an obvious mistake. If you genuinely need to block a continent's worth of traffic, use the Countries shield instead.

How CIDR matching works

A CIDR like 10.0.0.0/24 covers all addresses from 10.0.0.0 through 10.0.0.255. The /24 means the first 24 bits (the network portion) must match; the remaining 8 bits (the host portion) can be anything. Some common prefixes:

  • /32: a single IP (1 address). Equivalent to entering the bare IP without a slash.
  • /24: a typical home or small-office subnet (256 addresses).
  • /16: a medium ISP allocation (65,536 addresses).
  • /8: the maximum breadth allowed (16 million addresses).

Clickport normalizes the CIDR to its network address before storing it. If you enter 10.0.0.42/24, it is stored as 10.0.0.0/24. The unique constraint applies to the normalized form, so you can't accidentally add the same range twice with different host bits.

How the rule is enforced

Every event from your tracker carries the visitor's IP in the request headers. The IP block check runs at ingestion time, after the hostname and page checks but before geolocation:

  1. The server reads X-Forwarded-For or the remote address.
  2. The IP is converted to an integer and binary-searched against the sorted list of blocked CIDR ranges.
  3. If it falls inside any range, the event is silently dropped (HTTP 200 with no write).
  4. Otherwise it continues through bot detection and into the regular ingestion path.

Rule changes apply within seconds. The cache refreshes on every add or remove, so blocked IPs stop appearing in your analytics almost immediately. Historical events already in ClickHouse are not affected; blocking only filters future traffic.

Limits

  • 100 rules per site. The Add button disables when you hit the cap.
  • IPv4 only. IPv6 is not supported yet. If a visitor connects over IPv6, the IP block list does not catch them (other layers still do).
  • Breadth cap. /8 is the broadest allowed prefix.

Troubleshooting

I added my home IP and my visits still show up

Home IPs are usually dynamic. ISPs rotate them every few hours or whenever your router restarts. If your visits returned after a few hours, your IP probably changed. Use the "Exclude this device" toggle at the top of the page instead. It survives IP changes because it lives in your browser's localStorage.

I blocked my office IP and people on guest Wi-Fi still show up

Guest networks usually route through a different external IP than the main office network. Find the guest network's public IP (visit api.ipify.org from a device on that network) and add it as a separate rule.

I blocked a CIDR but matching IPs still appear in the bot center

The bot center counts traffic that bot detection rejected. Tracking rules drop events before bot detection runs, so blocked IPs do not appear in either the regular dashboard or the bot center. If you see the IP in your dashboard after adding the rule, you may be looking at events from before the rule was added. Filter the date range to "after now" to confirm.

Wrong rule, can't delete it

Open the IP card and click Remove next to the rule. It is wiped from the cache and the database immediately. If the rule was your only access point and you locked yourself out of your dashboard, that is impossible (IP blocks only apply to the tracker, not to the dashboard).

Previous Tracking rules overview