How to Whitelist an IP Address in WordPress
Whitelisting IP addresses is a manual way to ensure that certain IPs have access to your WordPress website.
Your WordPress firewall takes care of that hassle for you.
But you might need to intervene in certain situations:
There are a few ways in which you can whitelist an IP address on a WordPress site, but not all of them are equally effective or convenient. Below, we’ll walk you through how to whitelist an IP address in WordPress using the most popular methods, so you can choose the one that works best for your site.
TL;DR: A good WordPress firewall will automatically sift through good and bad IPs, blocking only the latter. However, it is still good to know how to unblock a legitimate IP, just in case. If you are using MalCare’s firewall, you can whitelist an IP address easily.
What does whitelisting an IP address in WordPress mean?
There are two ways to think about whitelisting IP addresses on WordPress:
If you need to know how to whitelist an IP address for any reason—whether for a WordPress site, a server application, or another platform—this guide will take you through several proven approaches.
Whitelist vs blacklist
Whitelisting is often confused with blacklisting IPs, because both of these methods are used to control access. However, they work in exactly opposite ways.
Blacklisting is usually used as a measure to block malicious IPs. Whitelisting is used to grant access either because parts of your WordPress website are confidential, or because users are getting blocked for some reason.
If a web host suspends your site, they will use whitelisting to control access. While they quarantine it from visitors, the whitelist allows you access to clean up and fix your site.
What is an allowlist
Allowlists are the basic concept upon which whitelisting is based, and are often used interchangeably with whitelists. An allowlist is a list of IPs that are always allowed to access a website. The difference is that this allowlist is not necessarily in response to a blacklist or for a private, password-protected website. Any website—or indeed device or email inbox—can have an allowlist.
Allowlists are used widely by mailbox providers who offer their users the ability to allow certain email addresses irrespective of their content.
Option 1: How to Whitelist an IP address in WordPress with a plugin
Therefore, the easiest way to whitelist a blocked IP is to use MalCare’s firewall. In addition, the firewall filters out malicious traffic with ease.
To whitelist an IP address in WordPress using MalCare follow these steps:
- Go to your MalCare dashboard and go to the Security and Firewall tab. This will take you to the security page. Scroll down and click on the View Logs button under the Firewall section.
- It will show you all the IPs that have accessed your site, and whether they are allowed or not.
- Find the IP that you want to whitelist. Hover over the edit icon, and it will show you the whitelist option. Select ‘Add to whitelist’, and that’s it!
You have successfully whitelisted the IP you wanted to. You can also select a range of IPs, or geoblock a specific country, for more control over your site traffic.
Note: You can use this method to whitelist IPs that have visited the WordPress website, and that have been logged by MalCare’s firewall. If you want to whitelist IPs or IP ranges that haven’t been logged by the firewall, you can contact MalCare’s support.
We strongly recommend that you use this method to whitelist IP addresses in WordPress because plugins reduce the chances of human error. The other methods of whitelisting IPs involve tinkering around with WordPress core files or with server configurations. The smallest misstep can crash your website entirely.
Option 2: Whitelist IPs using the WordPress .htaccess file
Even though we are covering this method, we do not recommend allowing IP addresses using the WordPress .htaccess file. There are two strong reasons for that.
If you wish to use the manual method despite these consequences, this is how you can do it. You will need an FTP client to access your WordPress files, or a plugin like File Manager will come in handy.
- Take a complete backup of your site. While whitelisting may seem like a mundane task, accidentally adding or removing important code from your files can break your site. In which case, a WordPress backup plugin can help you restore your site.
- Go to File Manager on your site dashboard, and select the root folder. You will find the .htaccess file here.
- Download the .htaccess file and edit it in a text editor such as Notepad on your computer.
- To whitelist a single IP, add the following code snippet to the .htaccess file:
order deny,allow
allow from xxx.xxx.xxx.xxx
Replace the x’s with the IP address you want to whitelist.
- If you want to whitelist multiple IP addresses, just add another ‘allow from’ line like this:
order deny,allow
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
- If you want to whitelist certain IP addresses only, while excluding all other traffic, add the deny command as shown below:
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
- To restrict access to a specific file, usually a WordPress core file like wp-login.php, add the following code to the .htaccess file:
<Files wp-login.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
Admins often block access like this to prevent things like brute force attacks, which hammer the login page with repeated requests. This is also the manual way to block access to XML-RPC.
- Reupload the edited file to your website’s root folder after deleting the original one.
You’ve done it! You have successfully managed to whitelist an IP address on your WordPress site manually. To be sure, try visiting your site from different IP addresses and in an incognito window to make sure that your website is running as it should. If it does, your job is done.
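To check an edited rule set before re-uploading it, the sketch below (an added example, not from the original article or from MalCare) evaluates the order / allow from / deny from lines used above against test addresses. The function names and the documentation-range IPs are assumptions, and only `all`, full IPs and CIDR ranges are handled; it shows that the allow-only snippet leaves every other visitor allowed, while the `deny from all` form shuts them out.

```python
import ipaddress

def parse_rules(text):
    """Collect Order / Allow from / Deny from lines (Apache 2.2-style syntax)."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            for spec in parts[2:]:
                # Only "all", full addresses and CIDR ranges are handled here.
                net = "all" if spec.lower() == "all" else ipaddress.ip_network(spec, strict=False)
                (allow if key == "allow" else deny).append(net)
    return order, allow, deny

def is_allowed(rules_text, client_ip):
    """Evaluate the rules the way Apache's Order directive combines them."""
    order, allow, deny = parse_rules(rules_text)
    ip = ipaddress.ip_address(client_ip)
    hit = lambda specs: any(s == "all" or ip in s for s in specs)
    if order == "deny,allow":
        # Allow overrides Deny; a client matching neither list is let in.
        return hit(allow) or not hit(deny)
    # allow,deny: Deny overrides Allow; a client matching neither is refused.
    return hit(allow) and not hit(deny)

def lockout_check(rules_text, must_reach, must_block):
    """List problems to fix before the edited .htaccess is uploaded."""
    problems = [f"{ip} would be locked out" for ip in must_reach
                if not is_allowed(rules_text, ip)]
    problems += [f"{ip} is not blocked" for ip in must_block
                 if is_allowed(rules_text, ip)]
    return problems

# Constructed samples: the page's snippets with documentation-range IPs filled in.
ALLOW_ONLY = "order deny,allow\nallow from 203.0.113.10\n"
DENY_ALL_THEN_ALLOW = (
    "order deny,allow\n"
    "deny from all\n"
    "allow from 203.0.113.10\n"
    "allow from 198.51.100.0/24\n"
)

if __name__ == "__main__":
    # 203.0.113.10 stands in for the admin's IP, 192.0.2.55 for an outsider.
    for name, rules in (("allow only", ALLOW_ONLY), ("deny all + allow", DENY_ALL_THEN_ALLOW)):
        print(name, lockout_check(rules, ["203.0.113.10"], ["192.0.2.55"]))
```

Put the address you will connect from in `must_reach` so a lockout shows up before the file goes live.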
As you can see, there are a few different ways to solve the question of how to whitelist an IP address in WordPress, whether you’re using a security plugin, leveraging the flexibility of the .htaccess file, or a combination of both. The best approach depends on your level of expertise and your site’s specific needs.
Check if IP address is whitelisted correctly
To check if a certain IP address is whitelisted or not, you will need to use a security plugin. If you do not already have MalCare installed, you will need to download and install it first. After that, follow these instructions:
- Go to the Security and Firewall tab on your MalCare dashboard.
- Select the ‘Show more’ button in the ‘Traffic Requests’ section.
- Now click on the ‘Filter logs’ button on top of the traffic logs.
- Select ‘allowed’ in the Status bar and click apply.
- MalCare will now show you all the IPs that are allowed on your site.
This is not the same as whitelisted IPs, because the traffic logs will only show you the IPs that have visited and were allowed. You can also search for specific IP addresses to check their status.
Troubleshooting
Whitelisting IPs is a legitimate way to control access, but make sure to manage it carefully to avoid issues.
If you’re troubleshooting errors after whitelisting, remember that mistakes in the process of learning how to whitelist an IP address can result in getting locked out. Always back up your site and double-check any edits in the .htaccess file or your plugin configuration.
Pros and cons of whitelisting IP addresses
Whitelisting is an access tool. It is primarily used to control who gets to visit your site. But like any other tool, it has its pros and cons. Before you whitelist IP addresses on WordPress, you should know of the drawbacks and benefits of the process so that you can make an informed decision.
Pros of whitelisting IP addresses in WordPress
- Whitelisting can help you maintain a private site. If you want to keep your site exclusive, this is a great way to do it.
- You can close off sensitive areas of your site with whitelisting, such as the login page or XML-RPC. Whitelisting will allow you to control who can access parts of your site.
Cons of whitelisting IP addresses in WordPress
- If your home IP address changes often, or you work from different locations, whitelisting will make it difficult for you to access your own site. You will need to add all the new IPs to the whitelist every time you need to access your site.
- In case your site needs to be accessed by multiple people or teams, you will need to grant them access manually, each time a new collaborator is added. If their IPs change, that’s an added headache too.
- IP addresses are dynamic and change often, which means you can effectively block your own IP from accessing your website if you choose to restrict all traffic to a whitelist. This is especially true if you travel a lot: on another network, you won’t be able to access your site.
- Cumbersome to manage when there are multiple people across different locations. It is definitely not a scalable solution.
Best practices for whitelisting
Whitelisting is a common tool and often used. However, given that it requires some tinkering with your website code, it is always best to conduct the process safely. Here are some practices that you should follow to ensure that your whitelisting is secure:
- Use a security plugin to simplify and secure the process. MalCare allows you to whitelist IP addresses in WordPress with a single click, and does not break your site.
- Understand the requirements of your site control. If you don’t want to accidentally block off all traffic except for the whitelisted IP, maybe you should try blacklisting. Or better yet, use MalCare to automate blocking bad IPs altogether.
- If you are using the .htaccess file for whitelisting, make sure to back up your site before adding or removing code from your site.
- Ensure that the IP address you are whitelisting is static, or else whitelisting will not work when the IP changes.
These practices will ensure that your site is safe and performing at its best.
Why do you need to whitelist an IP?
We have often seen this when one website has a combination of WP security plugins installed. Each one blocks the server IPs of the other, and they need to be whitelisted manually. All in One Security, Sucuri, and iThemes are particularly notorious for these issues.
Final thoughts
IP whitelisting is a mixed blessing. It can be very useful for WordPress admins, as it gives you complete control over who can visit your site, and which IPs can access parts of your website. It is sometimes necessary to implement when there are issues with plugin IPs that prevent them from working correctly.
Conversely, it is important to do it right so that you don’t accidentally meddle with your site’s security. WordPress admins have been known to accidentally lock themselves out of their own site, which can become very complicated to undo.
We hope that this article will help you understand the concept enough to execute it with ease. If you have more questions about whitelisting or access control, feel free to reach out to us.
FAQs
How to whitelist an IP address on WordPress?
There are two primary ways to whitelist IP addresses on WordPress—with a plugin and with the .htaccess file. Using a plugin like MalCare is a far better way to whitelist because it offers finer control over who is allowed on your site.
To whitelist IP addresses with MalCare, follow these steps:
- Install MalCare and go to the Security and Firewall tab.
- Select the Traffic Requests section, and find the IP you want to whitelist.
- Hover over the edit icon, and click on ‘Add to whitelist’.
What is IP whitelisting?
IP whitelisting is a method to control the access of visitors to your website. With IP whitelisting, you can grant network access to specific IP addresses only, and block off all other traffic from your site or parts of it.
Why do we whitelist IP addresses in WordPress?
IP whitelisting can be used in the following situations:
- You want to keep your WordPress site private.
- You want to restrict access to sensitive parts of your WordPress website.
- You want to make sure no one visits your site until it is ready or redesigned.