You can block IP addresses from accessing the site by adding the following lines in .htaccess file.
deny from 192.168.1.40
The order directive set the order in which the allow and deny directives will be processed and also the default access control state. In the above case, the default access control state is allow, which means everyone can access the site and the deny directives will be processed before the allows. It is possible to specify more than one deny or allow directives, like
deny from 192.168.1.40
deny from 192.168.1.41
It will block access from those IPs to the site. It is also possible to specify partial IP address, like
deny from 192.168.1
In this case, it will block the access from 192.168.1.0 – 192.168.1.255 range.
We can also specify IP range in network/netmask or CIDR notation, like
deny from 192.168.1.0/255.255.255.0 or deny from 192.168.1.0/24
In the above exmaples, all type of http methods will be blocked from those IP addresses. If you only want to restrict certain methods say POST, PUT, DELETE from the IP address, you need to use the limit directive.
order deny,allow
deny from 192.168.1.40
</Limit>