Whitelist IP Addresses in WordPress

Securing your WordPress website is one of your most critical management duties. A lot of websites find themselves the targets of random attacks, and if yours makes it onto that list, your site and its data could be at risk. To help avoid this problem, one security tip is to learn how to whitelist IP addresses in WordPress.

This feature makes it so that only the people you trust will have access to your dashboard. It works at the server level, so anyone who tries to log in without authorization won’t even be able to see your WordPress login page. Plus, it’s simple enough to implement, as long as you don’t mind copying and pasting a few lines of code.

📚 In this article, we’ll first quickly explain what IP addresses are and then we’ll talk about what whitelisting is and how it works. After that we’ll teach you how to whitelist IP addresses in WordPress with two simple steps.

Let’s get to work! 💪

What are IP addresses? 🤔

IP addresses are crucial for enabling communication between devices on the internet. They serve as unique identifiers that facilitate the routing of data. Every device you use, whether it’s your mobile phone or computer, has an IP address. When you open a web browser or run an app, it communicates using the IP address of that device.

Moreover, IP addresses help identify specific internet networks. Each device within your network might have its own unique local IP address. But to the outside world, all traffic from your network often appears to come from a single IP address, provided by your Internet Service Provider (ISP).

💡 If you’re curious, you can even check what the IP address of your internet network is right now by using our free IP checker tool.

In the context of websites, especially platforms like WordPress, grasping the importance of IP addresses is essential. Not only do they route data, but they also play a pivotal role in bolstering security. By choosing which IP addresses can access certain parts of your website, you can significantly cut down on the risk of unauthorized access and potential cyber threats.

Which brings us to…

What whitelisting is (and why it’s effective) 🟢

Restricting access to your dashboard is one of the best security measures you can implement.

The terms ‘blacklisting’ and ‘whitelisting’ refer to access controls based on IP addresses. Blacklisting prevents access from specific IP addresses, whereas whitelisting allows access solely to designated IP addresses.

That is – when you whitelist an IP address on a website, you grant access only to a specific network. A user can switch devices on that network, but they’ll need to be connected to a network with whitelisted access to reach the backend of your site.

👉 As you can imagine, this security feature offers a lot of advantages, because it:

  • Enables you to control who accesses your website. Limiting access only to specific IP addresses can help you prevent attacks on your site.
  • Is more effective than implementing login security measures. Think of your login screen as a door to which many people have keys. When you implement an IP whitelisting feature, you essentially designate a full-time security guard that makes sure only the people you’ve approved can enter that door.
  • Is easy to implement. If you’re a WordPress user, you can enable this feature by adding a few lines of code to one of your core files. It’s very simple, even if you’re not a developer.

It’s important to note that in most cases, you won’t want to limit access to your entire website unless it’s purely a staging site. Rather, you’ll just want to secure your back end and its login page.

Potential disadvantages of using this method

Of course, whitelisting IP addresses in WordPress can get tricky if you’re part of a large team. You’ll need to convince everyone to share their IPs with you, and figure out what to do for users with dynamic addresses (IPs that change regularly).

Additionally, if you use this method, you won’t be able to access your site’s backend dashboard if you’re at a cafe or on vacation without updating the list of whitelisted IP addresses (because you’ll have a different IP address).

In our experience, the best way to approach these problems is to use a VPN service that offers your team members dedicated IP addresses. Then, as long as they remember to log into the service before trying to access your back end, they shouldn’t encounter any problems.

How to whitelist IP addresses in WordPress (in two steps) ✌️

Now that you understand the reasons to whitelist IP addresses in WordPress, it’s time to learn how to make it happen. As we mentioned earlier, you’ll need to tweak one of your WordPress files manually to implement this feature. Don’t worry – the process is simple, and we’ll guide you through every step.

Before we jump in, it’s a smart idea to back up your site just in case. Then, make sure you have a list of all your team members’ IP addresses ready. To find out what their (and your) IPs are, they can use a simple tool such as IP Location Finder. All they need to do is visit the site, note down their IP addresses, and share them with you.

Step 1: Locate your .htaccess file 🔍

The file we need to modify for this feature to work properly is called .htaccess. It’s a configuration file in your WordPress root folder that your Apache web server reads directly, and it enables you to set up ‘rules’. In this case, we’re going to tell it to block access to your dashboard login page for IPs not on an approved list.

To do that, you’ll first need to access your site’s back end using an FTP client, such as FileZilla. You’ll need your FTP login information. You can find this information in your web host’s control panel or in the email your web host sent when you signed up for your plan.

Once you have your credentials, access your website via FTP and head to WordPress’ root folder. This directory is often called either public_html or www, or is named after your site. Open it, and look for the .htaccess file within.

Now, right-click on the file and choose the option that reads View/Edit. This will open the file locally, using your default text editor. Keep the file open for now, and let’s move on to the next step.

Step 2: Whitelist an IP address by editing your .htaccess file ✍️

To whitelist a set of IP addresses, you’ll need to copy and paste the following code into your .htaccess file (with a few changes):

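<IfModule mod_rewrite.c>
RewriteEngine on
# Apply the rule to requests for wp-login.php...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
# ...or to request paths that end in wp-admin
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...when the visitor's IP matches none of the whitelisted addresses
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_ONE$
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_TWO$
# Answer those requests with 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>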

This code snippet restricts access to both your dashboard and its login page. Whenever someone attempts to access either one, your server will check their IP against the addresses in your list. If one of them is a match, they’ll be let through.

In the example above, you can see there are two placeholders for individual IP addresses (IP_ADDRESS_ONE and IP_ADDRESS_TWO). You can add as many lines as you want following the same format, one right below the other, replacing the placeholder text with the actual IPs. Make sure to leave the “^” and “$” symbols before and after the IP address, though.

Here’s what the code should look like for a site with three whitelisted addresses:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^190.36.268.21$
RewriteCond %{REMOTE_ADDR} !^190.43.281.27$
RewriteCond %{REMOTE_ADDR} !^190.67.302.44$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

To avoid confusion, you should add this snippet to the bottom of your .htaccess file, below its default rules. When you’re ready, save your changes and test that your new security feature is working by having each whitelisted user try and log in. Whenever you gain or lose team members, you can simply return to the file and add or delete IP addresses as necessary.
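As an added example (not code from the original article), the Python helper below builds the snippet from a list of IPv4 addresses so that edits to the list do not have to be made by hand: it rejects anything that is not a valid IPv4 address (an octet above 255, for instance), escapes the dots so they only match literal dots, and refuses to write a rule with an empty list. The names `build_block`, `is_blocked` and `SAMPLE_IPS` are assumptions made for this example, the sample addresses are constructed, and `is_blocked` is a simplified model of how mod_rewrite combines the conditions.

```python
import ipaddress
import re

# URI conditions copied from the article's snippet.
URI_CONDS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]
# Constructed sample input (RFC 5737 documentation addresses, one duplicate).
SAMPLE_IPS = ["192.0.2.10", "198.51.100.7", " 203.0.113.44 ", "192.0.2.10"]


def build_block(addresses):
    """Return the .htaccess block for a list of IPv4 address strings."""
    ips = []
    for raw in addresses:
        ip = ipaddress.IPv4Address(raw.strip())  # ValueError if not valid IPv4
        if ip not in ips:  # drop duplicates, keep order
            ips.append(ip)
    if not ips:
        # With no REMOTE_ADDR conditions the rule would answer 403 to everyone.
        raise ValueError("refusing to build a rule with an empty whitelist")
    lines = [
        "<IfModule mod_rewrite.c>",
        "RewriteEngine on",
        "RewriteCond %{REQUEST_URI} " + URI_CONDS[0] + " [OR]",
        "RewriteCond %{REQUEST_URI} " + URI_CONDS[1],
    ]
    lines += ["RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(ip)) + "$" for ip in ips]
    lines += ["RewriteRule ^(.*)$ - [R=403,L]", "</IfModule>"]
    return "\n".join(lines) + "\n"


def is_blocked(block, uri, remote_addr):
    """Simplified model of how mod_rewrite combines the block's conditions:
    (URI cond OR URI cond) AND none of the whitelisted addresses matches."""
    uri_pats, ip_pats = [], []
    for line in block.splitlines():
        parts = line.split()
        if parts[:1] != ["RewriteCond"]:
            continue
        if parts[1] == "%{REQUEST_URI}":
            uri_pats.append(parts[2])
        elif parts[1] == "%{REMOTE_ADDR}":
            ip_pats.append(parts[2].lstrip("!"))
    uri_hit = any(re.search(p, uri) for p in uri_pats)
    ip_listed = any(re.search(p, remote_addr) for p in ip_pats)
    return uri_hit and not ip_listed


if __name__ == "__main__":
    print(build_block(SAMPLE_IPS))
```

Before uploading a regenerated block, `is_blocked` can be used to confirm which request paths and addresses the conditions actually cover, for example a path such as `/wp-admin/` with a trailing slash.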

Now, anyone who isn’t connected from one of the whitelisted IP addresses will get a 403 Forbidden error if they try to access your dashboard.

Conclusion 🧐

Learning how to whitelist IP addresses in WordPress is simple, and it’s a highly effective way to protect your website from intruders.

Do keep in mind that if you want to implement this security measure, you’ll have to ask all your co-authors for their IPs, and figure out a way for those with dynamic addresses to be able to do their jobs.

Additionally, you should remember that this method isn’t always ideal if you find yourself constantly working from different locations. That is, unless you pay for a dedicated IP address from a VPN.

👉 Once you’ve taken care of those tasks, here’s how to whitelist IP addresses in WordPress in two short steps:

  1. 🔍 Locate your .htaccess file.
  2. ✍️ Whitelist all the IP addresses you need by adding the provided code snippet to the file.

Do you have any questions about how to whitelist IP addresses in WordPress? Let’s clear them up in the comments section below!


2 Comments
Nally Biz
September 12, 2017 7:27 pm

I did not intend to ‘whitelist’ any IPs but I did anyway because I never thought it would restrict access of any sort. I did it via Jetpack. Now I want to undo it but I have disconnected Jetpack. How do I do that?

Sabina Ionescu
September 15, 2017 10:18 am
Reply to  Nally Biz

Hey, it’s not uncommon for your IP to get whitelisted. Here’s how you can unblock it from Jetpack: https://jetpack.com/support/security-features/#unblock
