Using IP Access Lists to protect WordPress
The high-performance IP access list engine lets you protect WordPress with a virtually unlimited number of IP addresses, networks and IP ranges in the access lists.
The IP Access Lists (commonly referred to as ACLs) are intended to restrict access to critical WordPress functions and to the WordPress login and registration forms from unwanted hosts and bots. The WP Cerber plugin has two types of access lists: the White IP Access List and the Black IP Access List. Both are managed manually by the website admin on the Access List settings page. Optionally, an IP can be added to the White IP Access List from the Activity page.
Note: before you start using access lists, make sure that you see correct client IP addresses on the Activity tab. If every row shows the same IP address, your site is behind a reverse proxy or load balancer and you have to check "My site is behind a reverse proxy" in the plugin settings. Enable that option only when a proxy really sits in front of the site: any reverse-proxy mode takes the client address from a request header written by the proxy, and without such a proxy a visitor can write that header itself and pick which access-list entry its requests match. See also the additional note if your WordPress is behind Cloudflare.
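The following is an added illustration of the point above, not WP Cerber's own code. It contrasts a naive "behind a reverse proxy" lookup that believes X-Forwarded-For unconditionally with one that only believes the header when the direct peer (REMOTE_ADDR) is a proxy you operate, and that reads the header from the right so that hops a client prepends are ignored. The trusted proxy ranges, the CGI-style `environ` mapping and the sample requests are constructed for the example.

```python
"""Choosing the client address that the access lists are evaluated against.

Added example, not WP Cerber's code. A 'behind a reverse proxy' mode has to
decide whether the X-Forwarded-For header can be believed; this shows the
check that decision requires. The trusted proxy ranges and the environ
mapping are assumptions made for the example.
"""
import ipaddress


def naive_client_ip(environ):
    """What a proxy mode amounts to when enabled with no real proxy in front:
    the header is client-supplied input, so the client chooses its own IP."""
    forwarded = environ.get("HTTP_X_FORWARDED_FOR")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip(environ, trusted_proxies):
    """Return the address to check against the access lists.

    The header is only consulted when REMOTE_ADDR belongs to a trusted proxy.
    It is then walked from the right, discarding hops that are trusted proxies;
    the first hop that is not one of our proxies is the client. Anything the
    client prepended to the header sits further left and is never reached.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    if not is_trusted(peer):
        # Nothing we trust sits between us and the peer: ignore the header.
        return str(peer)
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        # A malformed hop raises ValueError; callers should treat that as a
        # denial rather than silently falling back to another address.
        addr = ipaddress.ip_address(hop)
        if not is_trusted(addr):
            return str(addr)
    # Header absent or every hop is one of our own proxies.
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: a spoof attempt with no proxy, and a real proxied one.
    spoof = {"REMOTE_ADDR": "198.51.100.77", "HTTP_X_FORWARDED_FOR": "203.0.113.5"}
    real = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "203.0.113.5, 10.0.0.9"}
    print("naive:", naive_client_ip(spoof), "trusted:", client_ip(spoof, ["10.0.0.0/8"]))
    print("proxied:", client_ip(real, ["10.0.0.0/8"]))
```

With the naive lookup the spoofed request is attributed to 203.0.113.5, whichever address the attacker chose; with the proxy-aware lookup it is attributed to the real peer 198.51.100.77, and for a genuinely proxied request the client address is recovered from the header.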
By adding IP addresses to the Black IP Access List you block them from logging in to the site and from making requests to the other WordPress functions protected by WP Cerber:
- Deny the IP the use of the WordPress login form
- Deny the IP the use of the WordPress registration form
- Deny the IP the use of the WP REST API completely
- Deny the IP the use of XML-RPC completely
- Deny the IP access to the WordPress PHP scripts that are routinely probed by bots and hackers: wp-login.php, wp-signup.php, wp-register.php
When you put a particular IP address, subnet or IP range on the White IP Access List, you allow the specified addresses to bypass the limit-login-attempts rules and the corresponding plugin settings, and to use the WordPress functions protected by WP Cerber without limitation:
- Allow the IP to use the WordPress login form with no limit on login attempts
- Allow the IP to use the WordPress registration form, if registration is enabled in the WordPress settings
- Allow the IP to use the WP REST API without limitation
- Allow the IP to use XML-RPC without limitation
What’s the order of operations in the Access Lists?
The White IP Access List has the highest priority and is checked first. If the IP is not found there, it is checked against the Black IP Access List, then against the list of locked-out IPs, and finally WP Cerber checks the particular plugin setting that applies to the request. This means that if an IP is found, for instance, in the White IP Access List, it is allowed and no further checks of any kind are performed.
Order of operations, in the order they are performed:
- The White IP Access List: allows the IP unconditionally
- The Black IP Access List: denies the IP unconditionally
- The list of locked-out (blocked) IP addresses: denies the IP if it is in the list
- The particular WP Cerber setting that applies to the request
Note: When you activate WP Cerber, it automatically adds your computer's network, including your own IP address, to the White IP Access List so that you cannot lock yourself out by accident. Review that entry afterwards: it covers a whole network rather than a single address, so on a shared network (an office NAT, a public Wi-Fi hotspot, a mobile carrier) it also exempts everyone else behind the same range from the lockout rules.
Can an IP address from an access list be locked out?
Never. An address on the White IP Access List is allowed before the lockout list is consulted, and an address on the Black IP Access List is already denied, so a lockout would serve no purpose.
Possible values for entries in the WordPress Access Lists (since v3.1)
- Single IPv6 address, like: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
- Single IPv4 address, like: 192.168.5.22
- IPv4 address range with a dash, like: 192.168.1.45 - 192.168.22.165
- IPv4 CIDR, like: 192.168.128.0/24
- IPv4 wildcard covering a /24 (a "Class C" style subnet), like: 192.168.77.*
- IPv4 wildcard covering a /16 ("Class B" style), like: 192.168.*.*
- IPv4 wildcard covering a /8 ("Class A" style), like: 192.*.*.*
- The same IP address or IPv4 range cannot be added to both lists.
- When you install and activate WP Cerber, it automatically adds your computer's network to the White IP Access List.
- The access lists can be exported to a file and then imported on any other website with the WP Cerber plugin installed.
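The following is an added model of the two mechanics described above, the entry formats and the order of operations; it is illustrative code, not WP Cerber's own implementation. It parses every entry format listed (single IPv4 or IPv6 address, dashed IPv4 range, CIDR, the three wildcard forms) into an inclusive address interval, rejects an entry that appears on both lists, and evaluates a request strictly as White list, then Black list, then lockout list, then the plugin setting for the requested function. The function names, the `settings` mapping and the sample configuration are assumptions made for the example.

```python
"""Model of the access-list semantics described on this page.

Added illustration, not WP Cerber's code. Entry parsing and the
White -> Black -> lockout -> setting evaluation order follow the page;
the function names and the settings mapping are this example's own.
"""
import ipaddress

# Functions the page says the lists protect; names are assumptions.
PROTECTED = ("login", "register", "rest_api", "xmlrpc")


def parse_entry(text):
    """Normalise one access-list entry to (ip_version, first, last).

    first/last are inclusive integer addresses, so every supported format
    becomes a plain interval test at match time.
    """
    text = text.strip().replace("\u2013", "-")  # tolerate an en dash in a range
    if "-" in text:  # 192.168.1.45 - 192.168.22.165
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if hi < lo:
            raise ValueError("range end precedes range start: %s" % text)
        return 4, int(lo), int(hi)
    if "*" in text:  # 192.168.77.*  192.168.*.*  192.*.*.*
        octets = text.split(".")
        if len(octets) != 4:
            raise ValueError("wildcard must have four octets: %s" % text)
        fixed = []
        for octet in octets:
            if octet == "*":
                break
            fixed.append(str(int(octet)))
        # Wildcards must form a suffix and at least one octet must be fixed.
        if not fixed or any(o != "*" for o in octets[len(fixed):]):
            raise ValueError("unsupported wildcard pattern: %s" % text)
        cidr = ".".join(fixed + ["0"] * (4 - len(fixed))) + "/%d" % (8 * len(fixed))
        net = ipaddress.IPv4Network(cidr)  # rejects octets outside 0..255
        return 4, int(net.network_address), int(net.broadcast_address)
    if "/" in text:  # CIDR; ip_network also accepts IPv6 prefixes
        net = ipaddress.ip_network(text, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    addr = ipaddress.ip_address(text)  # single IPv4 or IPv6 address
    return addr.version, int(addr), int(addr)


def covers(span, addr):
    """True when the parsed entry span contains the ip_address object."""
    version, first, last = span
    return addr.version == version and first <= int(addr) <= last


class AccessLists:
    """White list, Black list, lockout list and per-function settings."""

    def __init__(self, white=(), black=(), locked_out=(), settings=None):
        self.white = [parse_entry(e) for e in white]
        self.black = [parse_entry(e) for e in black]
        clash = set(self.white) & set(self.black)  # page: not allowed on both
        if clash:
            raise ValueError("entry present on both lists: %r" % (clash,))
        self.locked_out = {ipaddress.ip_address(ip) for ip in locked_out}
        # True = the function is open to everyone; False = the setting blocks it.
        self.settings = dict(settings or {})

    def decide(self, ip, function):
        """Return 'allow:<step>' or 'deny:<step>' naming the deciding step."""
        if function not in PROTECTED:
            raise ValueError("unknown function: %s" % function)
        addr = ipaddress.ip_address(ip)
        if any(covers(s, addr) for s in self.white):
            return "allow:white"  # highest priority; nothing else is checked
        if any(covers(s, addr) for s in self.black):
            return "deny:black"
        if addr in self.locked_out:
            return "deny:locked_out"
        return "allow:setting" if self.settings.get(function, True) else "deny:setting"


if __name__ == "__main__":
    # Constructed sample configuration using documentation address ranges.
    acl = AccessLists(
        white=["203.0.113.0/24", "2001:db8::1"],
        black=["198.51.100.10 - 198.51.100.20", "192.0.2.*"],
        locked_out=["198.51.100.99"],
        settings={"rest_api": False},
    )
    for ip, fn in [("203.0.113.7", "rest_api"), ("198.51.100.15", "login"),
                   ("198.51.100.99", "login"), ("198.51.100.50", "rest_api")]:
        print(ip, fn, acl.decide(ip, fn))
```

Note how a white-listed address reaches the REST API even though the setting disables it, and how a black-listed address is refused before the lockout list or any setting is consulted, which is exactly why an address on either list can never be locked out.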