As web applications continue to advance, so do their threats. With Laravel 12 now being released to developers, they can now utilize an even more advanced and elegant framework, yet security is still a major concern. Figuring out how to prevent abusive IP addresses in Laravel 12 is a basic step in the direction of safeguarding your application against automated bots, spam messages, and brute force attacks.
These malicious behaviors can leech your server resources, steal user information, and ruin your brand’s reputation. Rather than allowing this unwanted traffic to reach your application’s core, you can block it at the door. We will discuss a very powerful and really easy approach to automatically block certain known malicious IPs.
The Laravel Abuse IP Package
One of the best ways to cope with this issue is by using a dedicated package. The Laravel Abuse IP package is a small yet very capable tool that serves only this purpose. It works perfectly with new Laravel versions, such as Laravel 12.
The package performs this by verifying the IP address of each incoming request against the massive, crowd-sourced AbuseIPDB blacklist. The database includes IPs that are notorious for hacking, spamming, and other forms of malicious activities. Open your terminal, navigate to your Laravel 12 project’s root directory, and run the following Composer command:
composer require rahulalam31/laravel-abuse-ipBefore moving further, you need to register middleware with Laravel in the bootstrap/app.php file. For older version this changes needs to be done inside the app/Http/Kernel.php file.
Block IP Address in Laravel For Entire Application
If you want to block span IP address for your entire application, then make changes like below into bootstrap/app.php file.
<?php
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
return Application::configure(basePath: dirname(__DIR__))
->withRouting(
web: __DIR__ . '/../routes/web.php',
commands: __DIR__ . '/../routes/console.php',
health: '/up',
)
->withMiddleware(function (Middleware $middleware): void {
$middleware->web(append: [
\Rahulalam31\LaravelAbuseIp\Http\Middleware\AbuseIP::class,
]);
})
->withExceptions(function (Exceptions $exceptions): void {
//
})->create();It will configuration adds the IP check to every route in your web middleware group, providing protection.
Targeted Protection for Specific Routes
For more granular control, you can assign the middleware an alias. In the same bootstrap/app.php file, add it to the alias array within the withMiddleware method.
<?php
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
return Application::configure(basePath: dirname(__DIR__))
->withRouting(
web: __DIR__ . '/../routes/web.php',
commands: __DIR__ . '/../routes/console.php',
health: '/up',
)
->withMiddleware(function (Middleware $middleware): void {
$middleware->alias([
'block-abusers' => \Rahulalam31\LaravelAbuseIp\Http\Middleware\AbuseIP::class,
]);
})
->withExceptions(function (Exceptions $exceptions): void {
//
})->create();Once middleware setup is completed, you can apply this block-abusers alias to sensitive routes, such as your login and registration forms, in your routes file.
use App\Http\Controllers\Auth\LoginController;
Route::middleware(['block-abusers'])->group(function () {
Route::get('/login', [LoginController::class, 'showLoginForm']);
Route::post('/login', [LoginController::class, 'login']);
});With this implementation, a visitor with a blacklisted IP tries to access a protected page, the middleware will instantly deny the request with a “403 Forbidden” error.
You might be wondering how often you need to update the IP blacklist to keep it effective. The beauty of the Laravel Abuse IP package is that it handles this for you automatically. There is no manual update process required you can just schedule it’ command as per your requirement like showing into below example code.
routes/console.php
use Illuminate\Support\Facades\Schedule;
//Existing commands
Schedule::command('abuseip:update')->daily();Conclusion
In modern times, proactive protection is not optional. With the Laravel Abuse IP package, you can easily introduce a robust layer of protection to your application. Making a block abusive IP address implementation in Laravel 12 is an easy yet effective upgrade for any application.
While the Laravel Abuse IP package is perfect for automatically blocking known malicious actors from a global list, sometimes you need more direct control. For situations where you want to manually block specific IPs or ranges, you can learn how to Restrict Website Access Based on IP Address In Laravel. To build a more scalable and manageable system, you can even take it a step further and learn how to Block Access Based on IP Address From Database In Laravel, allowing you to keep your own dynamic blocklist.