How to limit access to your website to users from one country.
We recently worked on a platform dedicated to Canadian companies. We noticed that several users were impersonating Canadian companies to create an account. To remedy the problem, we opted to restrict account creation to users in Canada. In this article, we look at how you can use PHP to limit your website to users in one country. We will also see how our approach can help you.
Use the function below to convert an IP address to a country
We developed a PHP function that uses the ipwhois.app platform to retrieve information about an IP address. It uses cURL to make the request and the json_decode function to convert the response into an array. You can follow updates to this feature via our Git account.
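One way to write such a lookup, as an added example (not the function from the original article or its Git repository). It assumes the ipwhois.app JSON endpoint `https://ipwhois.app/json/{ip}` and its `success` and `country_code` response fields, which should be checked against the provider's documentation; the function names and the sample responses are constructed for illustration. Sign-up is denied whenever the country cannot be determined, so a failed lookup or an exhausted quota does not open the gate.

```php
<?php
// Added example, not the article's original function. The endpoint URL and the
// "success" / "country_code" fields are assumptions about ipwhois.app's JSON API.
// Default fetcher: returns the raw JSON body, or null on any transport error.
function fetch_ipwhois(string $ip): ?string
{
    $ch = curl_init('https://ipwhois.app/json/' . $ip); // $ip is validated by the caller
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 2, // do not let a slow lookup stall sign-up
        CURLOPT_TIMEOUT        => 4,
    ]);
    $body = curl_exec($ch);
    $ok = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    return $ok ? $body : null;
}

// Returns an upper-case ISO 3166-1 alpha-2 code, or null if it cannot be determined.
function ip_to_country(string $ip, ?callable $fetch = null): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null; // never put unvalidated input into the request URL
    }
    $body = ($fetch ?? 'fetch_ipwhois')($ip);
    $data = is_string($body) ? json_decode($body, true) : null;
    if (!is_array($data) || empty($data['success']) || !is_string($data['country_code'] ?? null)) {
        return null; // quota exhausted, malformed reply, or lookup failure
    }
    $code = strtoupper($data['country_code']);
    return preg_match('/^[A-Z]{2}$/', $code) === 1 ? $code : null;
}

// Fail closed: an unknown country is treated as "not allowed".
function signup_allowed(string $ip, string $allowed = 'CA', ?callable $fetch = null): bool
{
    return ip_to_country($ip, $fetch) === $allowed;
}

// Constructed responses keyed by documentation-range IPs, so the demo runs offline.
// In production pass $_SERVER['REMOTE_ADDR'], not a client-supplied header.
$sample = [
    '192.0.2.10'   => '{"success":true,"country_code":"CA"}',
    '198.51.100.5' => '{"success":true,"country_code":"FR"}',
    '203.0.113.9'  => '{"success":false}',
];
$fake = fn(string $ip): ?string => $sample[$ip] ?? null;
foreach (array_keys($sample) as $ip) {
    echo $ip, ' => ', signup_allowed($ip, 'CA', $fake) ? 'allow' : 'deny', PHP_EOL;
}
```

Omitting the third argument of `signup_allowed()` makes it call the live service through `fetch_ipwhois()`.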
How to use this function?
You can use this function on your website by detecting your users' IP addresses in real time and obtaining their country. You can then better control who has access to certain features of your website.
Some limitations of this function
There are several limitations to this approach:
- Use of a VPN. Hackers sometimes use VPNs to access websites. This makes it harder to detect their real IP address.
- A limitation on the number of requests. The ipwhois platform limits the number of requests per day; therefore, if you have a very high number of visitors, you might not get reliable results.
- Converting an IP address to a country does not protect you from cyberattacks. Even if you end up not detecting your user's country, it doesn't mean that the user is trustworthy. Indeed, it is possible that a cybercriminal is in your geographical area and manages to access your platform despite your filter.
Some thoughts on how to reduce limitations.
Apart from the three limitations above, there are obviously several other limitations that we haven't dwelt on. We'll show you some approaches to compensate for the limitations.
Your user uses a VPN, what should you do?
When a user uses a VPN, the IP address you see is that of the VPN; therefore, it is complicated to detect their real IP. However, you can use other protective measures to make sure your platform is well protected. One example is two-factor authentication. Companies are increasingly combining the use of a password with verification via a telephone number. In this case, they send an SMS to users via their phone number to validate that they are really in a given geographical area. This can be an additional way to limit abuse or loss of time.
The platform has a limited number of requests and is not effective in restricting your website to users from one country
The ipwhois.app platform is one example among many others. It offers a paid option if the free version is too limited for your needs. So, to make sure you do not reach your limit, you can subscribe to the paid version. If the options presented by this site do not seem satisfactory to you, you can find several other options online offering more or less the same service.
A little trick not to exhaust the number of daily requests.
In case you are using the free version, one approach to avoid exhausting the number of requests while limiting your website to users in one country would be to better plan the usage. You can, in particular, use it only on the login page. Alternatively, after account creation, you can use it to automatically detect the account creation link and delete the account.
Converting an IP address to a country does not protect you from cyberattacks.
Never lose sight of the fact that knowing the country of your users is not synonymous with security. However, it is one more step to protect your solution. In addition to country or region detection, you can consider other protective measures.
- Using a Captcha — Captchas will automatically detect if users are physically present on your website. We suggest you read our article on this subject.
- Filtering information before sending it to the database or email — We cannot be 100% sure of the type of information a user enters on our website. Therefore, taking the time to ensure that data is filtered before submitting it to either your database or your emails can limit problems.
- Consider email validation or two-factor authentication.
Conclusion and final thoughts regarding the limitation of the website to users of one country
A set of strategies can be developed upstream of the concept of user country detection. It is true that this approach may have limitations, but it can also help in certain circumstances. Thank you for taking the time to read our article. If you have any comments, we would be pleased to read them at the bottom of this article. You can also contact us using the contact form.