Securing your WordPress website is one of your most critical management duties. A lot of websites find themselves the targets of random attacks, and if yours makes it onto that list, your site and its data could be at risk. To help avoid this problem, one security tip is to whitelist IP addresses on WordPress. Whitelisting IP addresses is a method to ensure that certain IPs have access to your WordPress website.
IP addresses are usually strings of numbers separated by periods that identify specific internet networks. With IP whitelisting, you can grant network access to specific IP addresses only, and block all other traffic from your site or parts of it. In some cases, you do this because you have a private site for limited users. Other times, it is because the IPs that plugins use are blocked and the plugins cannot function properly.
What does whitelisting an IP address in WordPress mean?
There are two ways to think about whitelisting IP addresses on WordPress:
- The first, and the most common, case is that there is a firewall on a public WordPress website that sometimes blocks good traffic with the bad. To correct this, admins can indicate to the firewall that those IPs are good by whitelisting them.
- The second case is when there is a private WordPress site with limited users. A private site is blocked from all traffic, so a whitelist in this case is a list of people allowed to visit the site at all. An easy way to understand this is to think of an invite-only event. Everyone may know of the event taking place, but only those with invitations can get in.
Whitelist vs blacklist
Whitelisting is often confused with blacklisting, because both of these methods are used to control access. Blacklisting is usually used as a measure to block malicious IPs. Whitelisting is used to grant access, either because parts of your WordPress website are confidential or because users are getting blocked for some reason. Both control access, but they do so in exactly opposite ways, hence the stark color dichotomy:
- Whitelisting: This tells your server to block all traffic except for the specified IP addresses.
- Blacklisting: This tells your server to allow all traffic except for the specified IP addresses.
Blacklisting is good for dealing with a few malicious actors, while whitelisting is more helpful for locking out unauthorized users. Web hosts often use whitelisting for suspended sites. If a website is infected with malware, they suspend it to quarantine it from visitors and whitelist certain IP addresses so that you can clean up and fix your site.
What is an allowlist?
Allowlists are the basic concept upon which whitelisting is based, and the term is often used interchangeably with whitelist. An allowlist is a list of IPs that are always allowed to access a website. The difference is that this allowlist is not necessarily in response to a blacklist or for a private website. Any website, or indeed any device or email inbox, can have an allowlist. Allowlists are used widely by mailbox providers who offer their users the ability to allow certain email addresses irrespective of their content.
Pros and cons of whitelisting IP addresses on WordPress
Whitelisting is an access tool. It is primarily used to control who gets to visit your site. But like any other tool, it has its pros and cons. Before you whitelist IP addresses on WordPress, you should know of the drawbacks and benefits of the process so that you can make an informed decision.
Pros of whitelisting IP addresses on WordPress
Whitelisting IP addresses can come in handy in two main situations:
- You can close off sensitive areas of your site with whitelisting thus boosting security of your site. Whitelisting will allow you to control who can access parts of your site.
- Whitelisting can help you maintain a private site. If you want to keep your site exclusive, this is a great way to do it.
On the security front, whitelisting lets you only grant access to important areas of your WordPress site (like wp-admin) for authorized IP addresses. Any visitor who isn’t whitelisted can’t get in. Beyond that, whitelisting can also come in handy if you’re working on a development site.
For example, if you’re getting ready to launch a new site, you might not want the Internet-at-large to be able to check things out until you’re ready. By whitelisting IP addresses, you and other authorized users can view the actual site, but anyone else won’t be able to visit until you’re ready to launch.
Cons of whitelisting IP addresses on WordPress
There are some potential drawbacks to using IP whitelisting to restrict access to your site.
- If your home IP address changes often, or you work from different locations, whitelisting will make it difficult for you to access your own site. You will need to add all the new IPs to the whitelist every time you need to access your site.
- In case your site needs to be accessed by multiple people or teams, you will need to grant them access manually, each time a new collaborator is added. If their IPs change, that’s an added headache too.
- IP addresses are dynamic and change often, which means you can effectively block your own IP from accessing your website if you choose to restrict all traffic to a whitelist.
In any of these situations, you might get a little annoyed at how often you have to update your IP address whitelist. If they apply to you, you might want to seek out another method (like using a .htpasswd file).
How to whitelist IP on WordPress
There are a few different ways of whitelisting IP addresses. Depending on your expertise, time constraints, and convenience, you can pick one of these methods to whitelist an IP address on WordPress.
1. Plugins
We strongly recommend that you use this method to whitelist IP addresses in WordPress because plugins reduce the chances of human error. The other methods of whitelisting IPs involve tinkering around with WordPress core files or with server configurations. The smallest misstep can crash your website entirely.
2. .htaccess
We do not recommend allowing IP addresses in WordPress using the .htaccess file. There are two strong reasons for that.
- Whitelisting specific IP addresses manually can block all traffic except for the specified IP addresses. This can be averted but if you’re not well versed with using the .htaccess file, only a handful of IP addresses will be able to access your WordPress website. Every other IP address will be blocked. If you simply want to allow a few IPs on top of your regular traffic, this is obviously not ideal.
- This method involves accessing your WordPress core files and inserting snippets of code. If you are not an expert, chances are that you will make errors. Small mistakes in the .htaccess file can cause your website to break, as it is a critical core file.
Before you start editing your .htaccess file, though, it’s important that you make a copy of your existing .htaccess file. That way, you have a clean copy in case you accidentally break something. Once you have your backup copy safely stored away, you can enter the following code snippets, depending on how strictly you want to limit access.
To control access to your entire WordPress site, enter the following code snippet. Make sure to replace the example IP address with your actual IP address:
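# Apache 2.2-style directives; Apache 2.4 handles them through mod_access_compat.
# Deny is evaluated first, then Allow: everyone is denied except the listed address.
order deny,allow
deny from all
allow from 123.123.123.123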
If you want to whitelist multiple IP addresses, just add another allow from line.
order deny,allow
deny from all
allow from 123.123.123.123
allow from 234.234.234.234
To restrict access to just your wp-admin and wp-login.php pages, enter the following code snippet. Make sure to replace the example IP address with your own, but leave the backslashes in place: they escape the dots so that each one matches a literal period. Just replace the actual “123” numbers.
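RewriteEngine on
# Requests for wp-login.php, or for a URI ending in wp-admin ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... that come from any address other than the allowed one ...
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# ... are answered with 403 Forbidden.
RewriteRule ^(.*)$ - [R=403,L]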
As before, you can whitelist multiple IP addresses by duplicating the line containing the IP address.
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^234\.234\.234\.234$
RewriteRule ^(.*)$ - [R=403,L]
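To check which requests the wp-admin / wp-login.php rule above answers with 403 before relying on it, the following added example (not code from the original article) models its conditions in Python. The function names and the 198.51.100.7 client address are constructed for illustration; the URI patterns and the two allowed addresses are the ones shown above.

```python
import ipaddress
import re

# URI conditions copied from the snippet above (the pair joined by [OR]).
URI_PATTERNS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]


def remote_addr_conds(allowed_ips):
    """Emit one negated RewriteCond per allowed IPv4 address, dots escaped."""
    conds = []
    for ip in allowed_ips:
        addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        conds.append("RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(addr)) + "$")
    return conds


def is_blocked(request_uri, remote_addr, allowed_ips):
    """Model the rule: 403 when a URI condition matches AND every negated
    REMOTE_ADDR condition holds (the client matches none of the allowed IPs)."""
    uri_hit = any(re.search(p, request_uri) for p in URI_PATTERNS)
    ip_allowed = any(re.fullmatch(re.escape(ip), remote_addr) for ip in allowed_ips)
    return uri_hit and not ip_allowed


# Constructed sample requests: (REQUEST_URI, REMOTE_ADDR).
SAMPLES = [
    ("/wp-login.php", "198.51.100.7"),
    ("/wp-login.php", "123.123.123.123"),
    ("/wp-admin", "198.51.100.7"),
    ("/wp-admin/", "198.51.100.7"),
    ("/wp-admin/index.php", "198.51.100.7"),
    ("/wp-admin", "234.234.234.234"),
    ("/blog/hello-world/", "198.51.100.7"),
]


def coverage(allowed_ips):
    """Return {(uri, ip): blocked?} for the constructed samples."""
    return {(uri, ip): is_blocked(uri, ip, allowed_ips) for uri, ip in SAMPLES}


if __name__ == "__main__":
    allowed = ["123.123.123.123", "234.234.234.234"]
    print("\n".join(remote_addr_conds(allowed)))
    for (uri, ip), blocked in coverage(allowed).items():
        print(f"{'403' if blocked else 'pass'}  {ip:<16} {uri}")
```

The `/wp-admin/` and `/wp-admin/index.php` samples pass because the second URI condition ends at `wp-admin$`; decide whether the rule should also cover paths below that directory, and test it against your own server, before depending on it.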
Best practices to whitelist an IP address on WordPress
Whitelisting is a commonly used tool. However, given that it requires some tinkering with your website code, it is always best to conduct the process safely. Here are some practices that you should follow to ensure that your whitelisting is secure:
- Use a plugin to simplify and secure the process. A plugin allows you to whitelist IP addresses in WordPress with a single click and does not break your site.
- Understand the requirements of your site control. If you don’t want to accidentally block off all traffic except for the whitelisted IP, maybe you should try blacklisting. Or better yet, use a plugin to automate blocking bad IPs altogether.
- If you are using the .htaccess file for whitelisting, make sure to back up your site before adding or removing code from your site.
- Ensure that the IP address you are whitelisting is static, or else whitelisting will not work when the IP changes.
These practices will ensure that your site is safe and performing at its best.
Final thoughts
Whitelisting IP addresses is an effective way to control access to all or parts of your WordPress site. It can be very useful for WordPress admins, as it gives you complete control over who can visit your site, and which IPs can access parts of your website. However, it is important to do it right so that you don’t accidentally meddle with your site’s security. WordPress admins have been known to accidentally lock themselves out of their own site, which can become very complicated to undo.