Due to the way our network handles incoming requests, it is not possible to use .htaccess files to block IP addresses from accessing your site; by the time the .htaccess file is considered, the incoming request has already been accepted.
However, we recognize the common desire to restrict accesses in this way. For this reason, we provide the ability to block accesses on a per-site per-IP basis at the edge of our network.
By default, all accesses are allowed. We maintain two lists for each site, an allow list and a deny list, which are processed in the order: allow, deny. Thus, an IP address that appears on both lists will be allowed. Entries to either list can contain either an IP address or a netblock specified in CIDR format (10.20.30.40/24).
You can see and manipulate your site's IP access controls (if any) in the "Config Information" box on the Site Information page.
To see exactly what blocked visitors see, visit blocked.nfshost.com, which blocks all visitors.
Please note that IP access lists currently do not work in conjunction with TLS; due to the front end TLS wrapper we use, all requests appear to originate from 127.0.0.1.
See also What do I do if someone is trying to waste my site's bandwidth?