In WordPress, a whitelist lets authorized visitors in and blocks access for those who are not supposed to enter. In this article, you will learn what whitelisting IP addresses means, its benefits, and how to whitelist IP addresses using the .htaccess file, Nginx web servers, and WordPress plugins. For more details, you can visit our post on how to block an IP address in WordPress.
We hear a lot about the “blacklist” but less about the whitelist. It is important because it controls access to your WordPress site, whether that is the entire website or a specific area such as the wp-admin dashboard.
The whitelist tells the server to block all traffic except for the specified IP addresses. Unlike the blacklist, which blocks malicious actors, the whitelist is useful for blocking access to login.
While the whitelist and blacklist both control access, they do so in completely opposite ways – hence the color dichotomy:
The blacklist is useful for dealing with a few malicious actors, while the whitelist is more useful for locking out unauthorized users. A firewall can filter traffic coming to your website, but a firewall can also accidentally block good traffic. In such cases the website admin or team members may be prevented from visiting their own site. This is where WordPress IP address whitelisting comes in. Whitelisting IP addresses removes the block and allows the webmaster and team members to access their website again.
NOTE: Securing your WordPress website is not a single button click. You have to keep yourself updated on the various WordPress security vulnerabilities and the best WordPress security plugins. There are many other ways to protect your WordPress website from hacking. To understand them in depth, you can check out our WordPress site hacking guide.
Whitelisting IP addresses in WordPress allows only trusted people to have access to your dashboard. It works at the server level, so anyone who tries to enter without authorization will not even be able to see your WordPress login page. It is also pretty simple to implement, as long as you don’t mind copying and pasting a few lines of code. The whitelist of IP addresses has several advantages:
It can be very useful for a development site. For example, if you are planning to launch a new site, you might not want visitors to be able to see every part of it before you are ready.
By adding IP addresses to your whitelist, you and other authorized users can see your current WordPress site. However, no one else will be able to visit it until you start it.
When you whitelist an IP address to access a specific page, it means that no one except computers with that address will be able to access your dashboard. For example, if you are working alone, you can tell WordPress to block access to any IP address that is not yours, so no one other than you can access the dashboard.
The “blacklist”, on the other hand, consists of preventing certain IP addresses from accessing a page. It is effective too, but not as effective as whitelisting. After all, it’s easier to whitelist a handful of addresses than to blacklist hundreds of potential attackers. Let’s talk a bit more about the other benefits of whitelisting:
Whitelisted IP addresses can be useful in two main situations:
There are some potential drawbacks to using the IP whitelist to restrict access to your site. If you:
By whitelisting IP addresses, you and other authorized users can view the actual site, but no one else will be able to visit it until you are ready to launch it.
Either way, it’s often more difficult to set up whitelisted IP addresses if you’re part of a large team. Sometimes you or your teammates may need to work from a different computer, meaning you will need to whitelist other addresses, and so on. From a security perspective, this is a fantastic option, but you should analyze whether it is viable for your site before implementing it.
Before you start adding IP addresses to the whitelist, make sure you have taken a current backup of your WordPress site. You can use any appropriate WordPress backup plugin.
Most WordPress hosts use the Apache web server, which means you can add the IP addresses to the whitelist using a .htaccess file.
In this section, we will configure your whitelist of IP addresses by adding a few lines of code to your WordPress .htaccess file. To access it, you must use a File Transfer Protocol (FTP) client, such as FileZilla.
First, log into your website using your FTP credentials and navigate to your WordPress root folder, which could also be called public_html, www, or your website’s name:
And here’s what it looks like when you go in via cPanel File Manager:
Once inside, find the .htaccess file and right-click on it. Select the View/Edit option, which will open the file in your local default text editor. Your .htaccess file should look like the image below. However, some web hosting providers implement out-of-the-box changes for their users, so don’t worry if there is additional code:
The .htaccess file provides the basic configuration that you can use to change the functionality of Apache, folder by folder. For example, in addition to helping you add IP addresses to the whitelist, this file can also set up redirects.
Enter the following code snippets:
    # Apache 2.2-style access control (on Apache 2.4 this needs mod_access_compat)
    order deny,allow
    deny from all
    allow from 123.123.123.123
If you want to add multiple IP addresses to the whitelist, just add another “allow” line like this:
    # Apache 2.2-style access control (on Apache 2.4 this needs mod_access_compat)
    order deny,allow
    deny from all
    allow from 123.123.123.123
    allow from 234.234.234.234
To restrict access to your wp-admin and wp-login.php pages, enter the following code snippet:
    RewriteEngine on
    # Apply the rule to wp-login.php or to a URI ending in wp-admin
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # ...unless the request comes from the whitelisted address
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    # Answer everything else with 403 Forbidden
    RewriteRule ^(.*)$ - [R=403,L]
Make sure to change the example’s IP address to your own, but leave the backslashes in front of the dots. Just replace the numbers “123” with the correct ones. As before, you can add multiple IP addresses to the whitelist by duplicating the line containing the IP address in this way:
    RewriteEngine on
    # Apply the rule to wp-login.php or to a URI ending in wp-admin
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # ...unless the request comes from one of the whitelisted addresses
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteCond %{REMOTE_ADDR} !^234\.234\.234\.234$
    # Answer everything else with 403 Forbidden
    RewriteRule ^(.*)$ - [R=403,L]
Make sure to save your changes!
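To check which requests the rewrite rules above actually refuse, the following added example (not code from the original article) models them in Python and generalizes to any list of whitelisted addresses. The function names and the sample requests are constructed for illustration, and the model covers only the conditions shown, not the rest of mod_rewrite.

```python
import re

# Patterns copied from the .htaccess rules above. REQUEST_URI is the URL
# path only (no query string); REMOTE_ADDR is the connecting client's IP.
URI_CONDS = [                      # joined by [OR]: any one match suffices
    re.compile(r"^(.*)?wp-login\.php(.*)$"),
    re.compile(r"^(.*)?wp-admin$"),
]


def ip_conds(whitelist):
    """One fully anchored REMOTE_ADDR pattern per whitelisted IP."""
    return [re.compile("^" + re.escape(ip) + "$") for ip in whitelist]


def decide(request_uri, remote_addr, whitelist):
    """Return 403 if the modelled rule set refuses the request, else None.

    mod_rewrite ANDs conditions unless [OR] is given, so the rule fires when
    (login URI OR admin URI) AND the address matches no whitelisted pattern.
    """
    protected = any(c.search(request_uri) for c in URI_CONDS)
    listed = any(c.search(remote_addr) for c in ip_conds(whitelist))
    return 403 if protected and not listed else None


def coverage(whitelist, requests):
    """Map each (uri, ip) pair to the model's decision."""
    return {(uri, ip): decide(uri, ip, whitelist) for uri, ip in requests}


if __name__ == "__main__":
    allowed = ["123.123.123.123", "234.234.234.234"]  # the article's examples
    outsider = "198.51.100.7"                         # constructed test address
    samples = [
        ("/wp-login.php", outsider),
        ("/wp-login.php", allowed[1]),
        ("/wp-admin", outsider),
        ("/wp-admin/", outsider),            # pattern ends at "wp-admin$"
        ("/wp-admin/admin-ajax.php", outsider),
        ("/blog/wp-login.php", outsider),    # WordPress in a subdirectory
    ]
    for (uri, ip), verdict in coverage(allowed, samples).items():
        print(f"{ip:16} {uri:28} -> {verdict or 'passed to WordPress'}")
```

In this model `/wp-admin/` and the paths beneath it fall outside the second pattern, so the whitelist is enforced at `wp-login.php` while dashboard URLs still reach WordPress's own login check. If the site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address unless the server is set up to restore the client address, so test the rule from a non-whitelisted network before relying on it.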
While most WordPress hosts use the Apache web server, many high-end performance-oriented hosts use, or at least offer, the Nginx web server instead.
Nginx does not use .htaccess files and relies on a single config file instead.
If your host is using Nginx, the best approach is probably to check your host’s documentation or speak to your host’s support.
If you prefer not to dive into your .htaccess file, there are also plugins that can help you add IP addresses to your whitelist, like:
Cerber Security is another five star security plugin that defends itself against attacks from hackers, spammers, Trojans, and malware. The free version of Cerber Security offers sophisticated protection against spam and other malicious activity, but it is not as feature rich as the other free versions of plugins on this list.
They don’t completely block unauthorized IP addresses but help you lock down your login page for any IP addresses that are not on the whitelist.
The plugin is free, but its cloud service, CleanTalk, requires a paid account. After a 7-day free trial, you can choose whether to continue with this service.
This plugin is capable of analyzing multiple aspects of your website without slowing down your site due to its use of the cloud instead of servers. Not only does it blacklist email addresses, but also domains and IP addresses linked to spammers. There is an optional firewall feature that prevents spam bots from accessing your web server by sending them to a blank page.
Install and activate the Restricted Site Access plugin.
After activating the plugin, go to Settings » Reading. Scroll down to the bottom and you will see options to configure restricted access.
Using the Restricted Site Access plugin, you can restrict access to a WordPress site to logged-in users only or to people with specific IP addresses.
You can also choose to redirect users with no access to the site by sending them to the login page, redirect to another web address, show them a custom message, or even redirect them to a specific page (coming soon page) that you have created on the same site.
The Restrict by IP feature is very useful if you want multiple employees in the office to have access to the development project without requiring them to register as users.
Firewall and Security Shield blocks comment spam and provides website security against malicious IP addresses. This plugin hides your login page and claims to block all spam comments, while preventing human spam comments. Malicious login attempts are prevented by two-factor authorization.
Although the firewall can be disabled, this plugin is primarily designed to protect your website. Unwanted IP addresses are automatically blacklisted and brute force attacks are blocked. All functions of the plugin are absolutely accessible for free.
Every WordPress website owner thinks about the security of the website, either through blacklisting and whitelisting of IP addresses or by installing a security plugin. Before opting for the best ways to improve WordPress security and clean your site of malware, you can read the latest WordPress Malware Removal Checklist – 2020 Security Guide. This is vital information for WordPress website owners.
Spammers or hackers may be trying to attack your website. Need to blacklist IP addresses in WordPress to prevent spam or malicious users? By blacklisting their IP addresses, you can keep them out.
You need to locate the IP addresses in question, usually found in the comments section. Once you access the list of all comments, you will see that in the left column is:
We will take note of the latter. Also, we must pay attention to the content of the comments. While there are plenty of possibilities for suspicious comment content, here are some common examples of spam-type comments in WordPress:
The screenshot above shows us comments that contain letter combinations that don’t mean anything. However, they do have links. We know that something natural to human beings is curiosity. Therefore, it is highly likely that visitors to your site will access these links and fall victim to attacks of all kinds. As we can see, this can be seen as a social engineering use case.
These types of comments also contain links that can be malicious or deceptive, and your site can end up showing the “Deceptive site ahead” warning message in Google. What makes them even more dangerous is that their content has a very friendly tone, almost too nice to be true. The comment we see above is a big compliment to the content you posted and, at the end, it suggests that you visit their website.
Anyone who was very naive would click through to this site, and you can guess what could happen from there. If your blog features content in English, it’s much easier to realize that these types of comments are suspicious.
This type of comment comes from other sites that link to your content. Comments are therefore the means of notification. This is called trackback. Always, in these cases, the comments of this class appear with the beginning and the end composed of the following symbols:
[…]
In the middle of that pair of square brackets and dots is an excerpt from the paragraph where the link to your post is located. Of course, we are talking about the text found on the website of the person generating spam.
Unfortunately, these comments give the wrong impression that your site is relevant and that it is mentioned repeatedly. More than anything, what is achieved with this is that there is a very high level of spam. It is extremely important to keep track of comments of this type and to block the IP addresses of the authors.
The manual way, i.e. in WordPress, is much more tedious than using a plugin or an additional tool. cPanel is the administration panel of your web hosting, with a graphical interface for easier management. There you will find a wide variety of tools, including the ability to block IP addresses.
The name you would find the option with may vary depending on the hosting provider you are using. A common name is IP Blocker. When you go to register the IPs you want to block, in many cases, you will just have to copy and paste the list of IPs you plan to block.
Another way is to enter a range of IP addresses. However, this range method is not very practical unless you have detected a network segment, or several segments, that could pose a threat to the integrity of your website.
The main advantage of plugins like IP2Location Country Blocker is that they do the job for you, so there is little or nothing to do. One of the things that takes the longest is identifying suspicious comments and IP addresses.
It allows you to block visits from IP addresses that are located in a particular country. We consider this measure to be somewhat extreme, as we would be limiting our website by geolocation, so we suggest that you use this feature appropriately.
WP Hacked Help scanner is one of the best WordPress security scanners online. It performs a large number of security checks to determine whether your WP installation is vulnerable or not. Don’t miss out on our special WordPress Site Cleanup & Security Audit Services for K-12 schools and universities.
The main checks carried out are:
Easy to use, all you have to do is go to the website, enter the URL of the WordPress site to analyze and then interpret the results. You can contact our team of experts to help you out.
Whitelisting IP addresses is an effective way to control access to all or part of your WordPress site.
However, we recommend that you use your .htaccess file. This will guarantee you optimal security and more knowledge in this area at the same time!
If you just want to whitelist your login page, you can also find plugins to help you out, although they don’t offer as much control as your .htaccess file.
And finally, if your host is using the Nginx web server, you will probably need to contact them to ask for the best way to whitelist specific IP addresses.
When you whitelist an IP address, you are telling WordPress to only give this computer access to your dashboard. This means that addresses that are not on your main list will not be able to load the dashboard at all. In other words, even if someone manages to steal your credentials, it won’t be enough to gain access to your website.
WordPress has always been vulnerable to external attacks such as malware attacks. Thousands of malware attacks damaged many websites worldwide in 2020. Check out our updated WordPress Security Checklist 2021 – Step by Step Guide.