How to limit your website to users from a country?

We recently worked on a platform dedicated to Canadian companies. In particular, we noticed that several users pretended to be Canadian companies to create an account. To fix the issue, we have opted to restrict account creation only to users in Canada. In this article, we look at how using PHP can limit your website to users from one country. We will also see how our approach can help you.

Use the function below to convert IP to country

function trouver_IP() {
	if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
		return $_SERVER['HTTP_CLIENT_IP'];
	else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
	else {
		return $_SERVER['REMOTE_ADDR'];

function convertir_ip_en_pays() {
$vis_ip = trouver_IP();
    $ch = curl_init('' . $vis_ip);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$json = curl_exec($ch);
$ipWhoIsResponse = json_decode($json, true);
$country = $ipWhoIsResponse['country'];
return  $country;

Code Comment

We have developed a PHP function that uses the platform to retrieve information relating to an IP address.  Next, we used CURL and the Json_decode function to convert the information to an array.  You can follow updates to this feature via Our GIT account.

How to use this function?

You can use this function on your website by detecting the IP of your users and getting their country in real time. You could then have more control over who has access to certain features of your website.

Some limitations of this function

There are several limitations to this approach:

  1. Using VPN. Hackers sometimes use VPNs to access websites. What does not facilitate the detection of their real IP address
  2. You have a limitation on the number of requests. The ipwhois platform limits the number of requests per day; therefore, if you have a very high number of visitors, you might not have accurate results.
  3. Converting an IP address to a country does not protect you from cyber attacks. Even if you end up detecting your user’s country, that doesn’t mean the user is trustworthy. Indeed, it is possible that a cybercriminal is in your geographical area and manages to access your platform with your filter.

Hare are some thoughts on how to reduce the limitations.

Apart from the three limitations above, there are several other limitations that we did not dwell on. We will show you some approaches to compensate for the limitations.

Your user is using a VPN. What to do?

When a user uses a VPN, their IP address is the VPN; therefore, it is complicated to detect its IP. However, you can use other barrier measures to ensure that you have good protection on your platform. An example can be the use of two-level authentication. More and more companies are combining the use of a password with verification via a phone number. In this case, they send an SMS to the users via their phone number to validate that they are really in a given geographical area. 

This approach can be a different approach to limit abuse or loss of time.

How to limit access to your website to users in a country

The platform has a limited number of queries and is not effective at restricting your website to users from a country

The ipwhois. App platform is one example among many. It offers a paid option if the free version is limited enough for your need. So, to be reassured that you don’t have to reach your limit, you can subscribe to the paid version.

If the options presented by this site do not seem satisfactory to you, there are several other options online that offer more or less the same service.

A little trick to not exhaust the number of daily requests.

If you are using the free version, one approach to avoid exhausting the number of requests while limiting your website to users in a country would be to better plan the use. You can, in particular, use it only on the login page. Alternatively, you can use it to detect the account creation link and delete the account automatically after account creation.

Converting an IP address to a country does not protect you from cyber attacks.

Never lose sight of the fact that having the country of your users is not synonymous with security. However, this is one more step in protecting your solution. In addition to detecting the country or geographic area, you can consider other protective measures.

  • Using a Captcha – Captchas will automatically detect if users are physically present on your website. We invite you to read our article on this subject.
  • Filtration of information before sending it to the database or email – We cannot be 100% sure of the type of information a user enters on our website. Therefore, taking the time to make sure that you filter data before submitting it to either your database or emails can limit problems.
  • Consider email validation or two-level authentication.

Conclusion and final reflection in relation to the limitation of the website to users of a country

You can develop a set of strategies upstream of the concept of user country detection. It can indeed present limitations but can also help in certain circumstances.

Thank you for taking the time to read our article. If you have any comments, it would be a pleasure to read you at the bottom of this article. You can also contact us using the contact form.

Leave a comment

Thank you

Thank you for contacting Prositeweb,
Go back to the home page

Please fill free to contact us at any time for any request regarding our services. Contact us.

Thank you