Whitelisting IP Addresses in WordPress Site To Restrict Login Access – GUIDE


In WordPress, a whitelist lets authorized visitors in and blocks access for everyone who is not supposed to enter. In this article, you will learn what whitelisting IP addresses means, its benefits, and how to whitelist IP addresses using the .htaccess file, Nginx web servers, and WordPress plugins. For more details, you can visit our post on how to block IP addresses in WordPress.

What Does Whitelisting IP Addresses Mean?

We hear a lot about the “blacklist” but less about the whitelist. It is important because it controls access to your WordPress site, whether that is the entire website or a specific area, like the wp-admin dashboard.

It tells your server which IP addresses are allowed and blocks access for all others. In other words, the whitelist tells the server to block all traffic except for the specified IP addresses. Unlike the blacklist, which blocks malicious actors, the whitelist is useful for restricting access to the login.

While the whitelist and blacklist both control access, they do so in completely opposite ways – hence the color dichotomy:

  • Whitelist – tells your server to block ALL traffic except specific IP addresses.
  • Blacklist – tells your server to allow ALL traffic except the specified IP addresses.

The blacklist is useful for dealing with a few malicious actors, while the whitelist is more useful for locking out unauthorized users. A firewall can filter traffic coming to your website, but a firewall can accidentally block good traffic. In such cases, the website admin or team members may be prevented from visiting their own site. This is where WordPress IP address whitelisting comes in. By whitelisting IP addresses, we can remove the block and allow the webmaster and team members to access their website again.

NOTE: Securing your WordPress website is not a single button click. You have to keep yourself updated on various WordPress security vulnerabilities and the best WordPress security plugins. There are many other ways to protect your WordPress website from hacking. To understand in depth, you can check out our WordPress site hacking guide.

Why Whitelist IP addresses?

Whitelisting IP addresses in WordPress allows only trusted people to have access to your dashboard. It works at the server level, so anyone who tries to enter without authorization will not even be able to see your WordPress login page. Also, it’s pretty simple to implement, as long as you don’t mind copying and pasting a few lines of code. The whitelist of IP addresses has several advantages:

  • It strengthens the security of sensitive areas of your WordPress site, such as your dashboard.
  • It helps to restrict access to your site.
  • Authorized IP addresses can access specific areas of your site.

It can be very useful for a development site. For example, if you are planning to launch a new site, you might not want the public to be able to look at every part of it before you are ready.

By adding IP addresses to your whitelist, you and other authorized users can see your current WordPress site. However, no one else will be able to visit it until you launch it.

Benefits & Drawbacks Of Whitelisting IP Addresses

When you whitelist an IP address to access a specific page, it means that no one except computers with that address will be able to access your dashboard. For example, if you are working alone, you can tell WordPress to block access to any IP address that is not yours, so no one other than you can access the dashboard.

The “blacklist”, on the other hand, consists of preventing certain IP addresses from accessing a page. It also works, but it is not as effective as whitelisting. After all, it’s easier to whitelist a handful of addresses than to blacklist hundreds of potential attackers. Let’s talk a bit more about the other benefits of whitelisting:

  • You have full control over who has access to your pages. We have so far only referred to your dashboard, but you can implement this functionality for any part of your website.
  • Attackers cannot access your dashboard, even if they have credentials. If someone finds out your username and password, they still won’t be able to access your dashboard unless they connect from a whitelisted IP address.
  • You can whitelist as many IP addresses as you want. There is no limit on how many addresses you add to your master list.

Whitelisted IP addresses can be useful in two main situations:

  • Help restrict access to your site
  • Strengthen security for sensitive areas of your site, such as your dashboard

There are some potential drawbacks to using the IP whitelist to restrict access to your site. If you:

  • Have a home IP address that changes often.
  • Need to always give access to other people.
  • Work from many different places.

Then you might be a little annoyed with how often you have to update your whitelist of IP addresses.

By whitelisting IP addresses, you and other authorized users can view the actual site, but no one else will be able to visit it until you are ready to launch it.

Either way, it’s often more difficult to set up whitelisted IP addresses if you’re part of a large team. Sometimes you or your teammates may need to work from a different computer, which means you will need to whitelist additional addresses. From a security perspective, this is a fantastic option, but you should analyze whether it is viable for your site before implementing it.


Whitelisting IP Address With Apache .htaccess

Before you start adding IP addresses to the whitelist, make sure you have taken a current backup of your WordPress site. You can use any appropriate WordPress backup plugin.

Most WordPress hosts use the Apache web server, which means you can add the IP addresses to the whitelist using a .htaccess file.

In this section, we will configure your whitelist of IP addresses by adding a few lines of code to your WordPress .htaccess file. To access it, you must use a file transfer protocol (FTP) client, such as FileZilla.

First, log into your website using your FTP credentials and navigate to your WordPress root folder, which could also be called public_html, www, or your website’s name.

You can also reach the same folder via cPanel File Manager.

Once inside, find the .htaccess file and right-click on it. Now select the View / Edit option, which will open the file using your local default text editor. Some web hosting providers implement out-of-the-box changes for their users, so don’t worry if the file contains additional code.

The .htaccess file provides the basic configuration that you can use to change the functionality of Apache, folder by folder. For example, in addition to helping you add IP addresses to the whitelist, this file can also set up redirects.

  • To access this file, connect to your WordPress site via FTP and locate it in the root folder.
  • Use cPanel’s File Manager tool.
  • Identify the .htaccess file via FTP.
  • Make a copy of your .htaccess file in case you make a mistake.

Enter the following code snippet:

order deny,allow
deny from all
# Example address; replace it with your own IP
allow from 123.123.123.123

If you want to add multiple IP addresses to the whitelist, just add another “allow” line like this:

order deny,allow
deny from all
# Example addresses; replace them with your own IPs
allow from 123.123.123.123
allow from 234.234.234.234

To block access to your wp-admin and wp-login.php pages, enter the following code snippet:

RewriteEngine on
# Apply the rule to wp-login.php or to a URI ending in wp-admin
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Only when the client is not the whitelisted address
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Answer with 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]

Make sure to change the example’s IP address to your own, but leave the backslashes. Just replace the numbers “123” with the correct ones. As before, you can add multiple IP addresses to the whitelist by duplicating the line containing the IP address in this way:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# One negated condition per whitelisted address
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^234\.234\.234\.234$
RewriteRule ^(.*)$ - [R=403,L]

Make sure to save your changes!
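
The rewrite conditions in this section can be checked offline before they go live. The Python sketch below is an added example, not part of the original guide: it models the two-address rule set and lists which login and dashboard paths a non-whitelisted client would not be refused. The client address 198.51.100.7, the sample paths and the broader wp-admin pattern are assumptions introduced for illustration.

```python
import re

# URI conditions from the .htaccess rules above, joined by [OR].
PAGE_URI_PATTERNS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]
# Assumption (not from the guide): also match everything below /wp-admin/.
# This covers /wp-admin/admin-ajax.php too, which some themes and plugins
# call for ordinary visitors, so test the front end before using it.
BROADER_URI_PATTERNS = [PAGE_URI_PATTERNS[0], r"^(.*)?wp-admin(/.*)?$"]
# Negated REMOTE_ADDR conditions; the guide's two example addresses.
WHITELIST = [r"^123\.123\.123\.123$", r"^234\.234\.234\.234$"]


def is_denied(uri, remote_addr, uri_patterns=PAGE_URI_PATTERNS):
    """Return True when the modelled rule set would answer 403."""
    # [OR] chain: one matching URI pattern marks the request as protected.
    protected = any(re.search(p, uri) for p in uri_patterns)
    # The "!" conditions are ANDed: the client must match none of them.
    whitelisted = any(re.search(p, remote_addr) for p in WHITELIST)
    return protected and not whitelisted


def uncovered_paths(paths, remote_addr, uri_patterns=PAGE_URI_PATTERNS):
    """Paths the rules do NOT deny for the given client address."""
    return [p for p in paths if not is_denied(p, remote_addr, uri_patterns)]


# Constructed sample input: login and dashboard paths.
SENSITIVE_PATHS = ["/wp-login.php", "/wp-admin", "/wp-admin/", "/wp-admin/index.php"]
OUTSIDER = "198.51.100.7"  # documentation-range address, not whitelisted

if __name__ == "__main__":
    for path in SENSITIVE_PATHS + ["/"]:
        for addr in (OUTSIDER, "123.123.123.123"):
            verdict = "403" if is_denied(path, addr) else "pass"
            print(f"{addr:>16} {path:<22} {verdict}")
    print("not covered by the guide's patterns:",
          uncovered_paths(SENSITIVE_PATHS, OUTSIDER))
    print("not covered by the broader pattern:",
          uncovered_paths(SENSITIVE_PATHS, OUTSIDER, BROADER_URI_PATTERNS))
```

Because the wp-admin pattern ends in `$`, it matches only a URI that ends exactly in wp-admin; WordPress still redirects unauthenticated dashboard requests to wp-login.php, which the rules do cover.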

Whitelisting IP Addresses on Nginx Web Server

While most WordPress hosts use the Apache web server, many high-end performance-oriented hosts use, or at least offer, the Nginx web server instead.

Nginx does not use .htaccess files; it relies on a single server configuration file instead.

If your host is using Nginx, the best approach is probably to check your host’s documentation or speak to your host’s support.

Using WordPress Plugins to Whitelist IP Address

If you prefer not to dive into your .htaccess file, there are also plugins that can help you add IP addresses to your whitelist, like:

Cerber Security

Cerber Security is another five star security plugin that defends itself against attacks from hackers, spammers, Trojans, and malware. The free version of Cerber Security offers sophisticated protection against spam and other malicious activity, but it is not as feature rich as the other free versions of plugins on this list.

They don’t completely block unauthorized IP addresses but help you lock down your login page for any IP addresses that are not on the whitelist.

Anti-Spam by CleanTalk

The plugin is free, but its cloud service, CleanTalk, requires a paid account. After a 7-day free trial, you can choose whether to continue with this service.

This plugin is capable of analyzing multiple aspects of your website without slowing down your site due to its use of the cloud instead of servers. Not only does it blacklist email addresses, but also domains and IP addresses linked to spammers. There is an optional firewall feature that prevents spam bots from accessing your web server by sending them to a blank page.

Restricted Site Access

Install and activate the Restricted Site Access plugin.

After activating the plugin, go to Settings » Reading. Scroll down to the bottom and you will see options to configure restricted access.

Using Restricted Site Access plugin, you can restrict access to a WordPress site for logged in users only or for people with specific IP addresses.

You can also choose to redirect users with no access to the site by sending them to the login page, redirect to another web address, show them a custom message, or even redirect them to a specific page (coming soon page) that you have created on the same site.

The restrict-by-IP feature is very useful if you want multiple employees in the office to have access to the development project without requiring them to register as users.

Security Shield and Firewall

Security Shield and Firewall blocks comment spam and provides website security against malicious IP addresses. This plugin hides your login page and claims to block all spam comments, while preventing human spam comments. Malicious login attempts are prevented by two-factor authentication.

Although the firewall can be disabled, this plugin is primarily designed to protect your website. Unwanted IP addresses are automatically blacklisted and brute force attacks are blocked. All functions of the plugin are absolutely accessible for free.

Every WordPress website owner thinks about the security of the website, either via blacklisting and whitelisting of IP addresses or by installing a security plugin. Before opting for the best ways to improve WordPress security and clean up your site of malware, you can read the latest WordPress Malware Removal Checklist – 2020 Security Guide. This is vital information for WordPress website owners.

How to Restrict WordPress Site Access by Blocking IP Addresses?

Spammers or hackers may be trying to attack your website. Need to blacklist IP addresses in WordPress to prevent spam or malicious users? By blacklisting their IP addresses, you can keep them out.

You need to locate the IP addresses in question, usually found in the comments section. Once you access the list of all comments, you will see in the left column:

  • The name of the author of the comment
  • Email address
  • IP address

We will take note of the latter. Also, we must pay attention to the content of the comments. While there are plenty of possibilities for suspicious comment content, here are some common examples of spam-type comments in WordPress:


The screenshot above shows us comments that contain letter combinations that don’t mean anything. However, they do have links. We know that something natural to human beings is curiosity. Therefore, it is highly likely that visitors to your site will access these links and fall victim to attacks of all kinds. As we can see, this can be seen as a social engineering use case.

These types of comments also contain links that can be malicious or deceptive, and your site can end up showing the “Deceptive site ahead” warning message in Google. What makes them even more dangerous is that their content has a very friendly tone, even too nice to be true. The comment we see above is a big compliment to the content you posted and, at the end, it suggests that you visit their website.


Anyone who is very naive would click through to this site, and from there you can imagine what could happen. If your blog features content in English, it’s much easier to realize that these types of comments are suspicious.

This type of comment comes from other sites that link to your content. Comments are therefore the means of notification. This is called a trackback. In these cases, comments of this class always begin and end with the following symbols: […]


In the middle of that pair of square brackets and dots is an excerpt from the paragraph where the link to your post is located. Of course, we are talking about the text found on the website of the person generating spam.

Unfortunately, these comments give the wrong impression that your site is relevant and that it is mentioned repeatedly. More than anything, what is achieved with this is that there is a very high level of spam. It is extremely important to keep track of comments of this type and to block the IP addresses of the authors.

Blocking IP Addresses in WordPress via cPanel

The manual way, i.e. in WordPress, is much more tedious than using a plugin or additional tool. cPanel is the web-based control panel of your website hosting, which has a graphical interface for easier management. There you will find a wide variety of tools, including the ability to block IP addresses.

The name you would find the option with may vary depending on the hosting provider you are using. A common name is IP Blocker. When you go to register the IPs you want to block, in many cases, you will just have to copy and paste the list of IPs you plan to block.

Another way is to enter a range of IP addresses. Likewise, this method of ranges is not too feasible unless you have detected a network segment or several segments that could pose a threat to the integrity of your website.

Blocking IP Addresses in WordPress via plugins

The main advantage of plugins like IP2Location Country Blocker is that they do the job for you; there is little or nothing to do. One of the things that takes the longest is identifying suspicious comments and IP addresses.

It allows you to block visits from IP addresses that have a particular country as their location. We consider this measure to be somewhat extreme, as we would limit our website by geolocation, so we suggest that you use this feature appropriately.

How We Can Help You

WP Hacked Help scanner is one of the best WordPress security scanners online. It performs a large number of security checks to determine whether your WP installation is vulnerable or not. Don’t miss our special WordPress Site Cleanup & Security Audit Services for K-12 schools and universities.

The main checks carried out are:

  • Detection of WP version;
  • Checking if the readme.html, install.php and upgrade.php files are accessible via HTTP;
  • Internal error or misconfiguration;
  • Checking the HTTP headers to see if the server is showing sensitive information.
  • Getting the full list of WordPress usernames.

Easy to use, all you have to do is go to the website, enter the URL of the WordPress site to analyze and then interpret the results. You can contact our  team of experts to help you out.

WP security fixes & malware removals we perform

  • WordPress Defacement Removal
  • WordPress Errors
  • WordPress Website Maintenance
  • WordPress Automatic Updates
  • WordPress SQL Injection
  • WordPress Ransomware
  • WordPress Site Account Suspended
  • Google Ads Disapproved Due To Malware
  • WordPress Malware Removal
  • Japanese Keyword Hack
  • Google Website Blacklisting
  • WordPress Pharma Hack


Whitelisting IP addresses is an effective way to control access to all or part of your WordPress site.

However, we recommend that you use your .htaccess file. This will guarantee you optimal security and more knowledge in this area at the same time!

If you just want to whitelist your login page, you can also find plugins to help you out, although they don’t offer as much control as your .htaccess file.

And finally, if your host is using the Nginx web server, you will probably need to contact them to ask for the best way to whitelist specific IP addresses.

When you whitelist an IP address, you are telling WordPress to only give this computer access to your dashboard. This means that addresses that are not on your main list will not be able to load the dashboard at all. In other words, even if someone manages to steal your credentials, it won’t be enough to gain access to your website.

WordPress has always been vulnerable to external attacks such as malware attacks. Thousands of malware attacks have damaged many websites worldwide in 2020. Check out our updated WordPress Security Checklist 2021 – Step by Step Guide.
