
Allow Deny Order
EXPLANATION
The order of the 2 instructions, in the .htaccess file, is very simple - when it is explained!
Here was my problem. I have a web site (this!) and it is attacked from Microsoft's IPs every day, without any sign of it being stopped. In fact it is increasing day after day. I presume that Microsoft has stopped even trying to decrease the attacks from its IPs.
One of the IP ranges can be stated as 20.0.0.0/8
So I used to have a line in my .htaccess file:
deny from 20.0.0.0/8
A problem occurred when the search engine DuckDuckBot started to originate from this IP range. It was being banned. There was a simple method to overcome this problem.
The following is the INCORRECT way to deal with this:
# THIS IS INCORRECT - IT WILL NOT WORK
<Files *>
order allow,deny
deny from 20.0.0.0/8
allow from 20.191.45.212
</Files>
Firstly, it does not matter what order the (allow/deny) lines are in.
However, it DOES matter whether you use the line order allow,deny or order deny,allow (written with no space after the comma) because this is the order in which they are processed by the Apache web server.
In the above example the order is allow,deny. This means that it would allow the DuckDuckBot IP - but then deny it as per the deny line. Thus, DuckDuckBot would be denied.
The following is the correct method to achieve the desired result.
# THIS IS CORRECT - IT WILL WORK
<Files *>
order deny,allow
deny from 20.0.0.0/8
allow from 20.191.45.212
</Files>
Now what we have is a very simple way to deny ALL of Microsoft's 20 range IPs - BUT allow DuckDuckBot to access the site without any problems. This says deny all of Microsoft's IPs but allow the 20.191.45.212 IP.
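The evaluation order explained above, modeled in Python as an added example (not code from the original page or from Apache). It handles only full IPs, CIDR ranges and `all`; the addresses 20.1.2.3 and 203.0.113.7 are constructed test values.

```python
import ipaddress

def matches(ip, rules):
    """True if ip falls inside any rule (full IP, CIDR range, or 'all')."""
    addr = ipaddress.ip_address(ip)
    return any(r.lower() == "all" or addr in ipaddress.ip_network(r, strict=False)
               for r in rules)

def permitted(order, allow, deny, ip):
    """Model of how the Order directive combines the Allow and Deny lines."""
    a, d = matches(ip, allow), matches(ip, deny)
    key = order.lower()
    if key == "allow,deny":
        # Allow lines first, Deny lines second: Deny wins a double match,
        # and an address matching neither list is denied by default.
        return a and not d
    if key == "deny,allow":
        # Deny lines first, Allow lines second: Allow wins a double match,
        # and an address matching neither list is allowed by default.
        return a or not d
    # This model covers only the two values above; a space after the
    # comma ("allow, deny") is not valid syntax and is rejected here too.
    raise ValueError(f"unsupported Order value: {order!r}")

# Rules from the page.
ALLOW = ["20.191.45.212"]
DENY = ["20.0.0.0/8"]

# Constructed sample clients (labels are for the printout only).
SAMPLE = {
    "20.191.45.212": "DuckDuckBot IP from the page",
    "20.1.2.3": "another address inside 20.0.0.0/8 (constructed)",
    "203.0.113.7": "address outside the range (constructed)",
}

def decisions(order):
    """Map each sample IP to True (served) or False (refused)."""
    return {ip: permitted(order, ALLOW, DENY, ip) for ip in SAMPLE}

if __name__ == "__main__":
    for order in ("allow,deny", "deny,allow"):
        print(f"order {order}")
        for ip, ok in decisions(order).items():
            print(f"  {ip:<15} {'allowed' if ok else 'denied':<8} {SAMPLE[ip]}")
```

With allow,deny the address outside the 20 range is refused as well, because that order denies anything not matched by an allow line. On Apache 2.4 these directives come from mod_access_compat and are deprecated in favor of Require.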
Lou Gogan 2025