Using IP Access Lists to limit access and protect WordPress
A high-performance access list engine enables you to protect WordPress with a virtually unlimited number of IP addresses, networks, IP ranges, and their combinations
An IP Access List (commonly referred to as an ACL) enables you to restrict access to the WordPress admin dashboard and vital WordPress features, and to protect login and registration forms from being accessed by unwanted computers and bots.
WP Cerber supports two types of access lists: White IP Access List and Black IP Access List. Both access lists are manually managed by the website admin on the Access List settings page. Additionally, an IP address can be added to the access lists from the Activity page. The access lists can be easily exported to or imported from a file on the Tools admin page.
Note: Before you can start using access lists, you have to make sure that Cerber detects IP addresses correctly. How to do that – Getting Started.
Additional note if your WordPress is under Cloudflare.
By adding IP addresses to the Black IP Access List, you block their ability to log into the site, submit forms, and make unsafe or harmful requests to the vital WordPress functionality that is protected by WP Cerber:
- Deny IP to log in to the website
- Deny IP to register on the website
- Deny IP to post comments and submit forms
- Deny IP to use WP REST API completely
- Deny IP to use XML-RPC completely
- Deny IP to access WordPress PHP scripts that are commonly used by bots and hackers: wp-login.php, wp-signup.php, wp-register.php
When you put a particular IP address, subnet, or IP range on the White IP Access List, you permit these IP addresses to ignore the plugin security policies and settings and to use the WordPress features protected by WP Cerber without limitations:
- Allow IP to log in to the site with no limit on login attempts (if you uncheck Apply limit login rules to IP addresses in the White IP Access List in the limit login settings)
- Allow IP to bypass spam check
- Allow IP to bypass country-based GEO access rules
- Allow IP to bypass two-factor authentication
- Allow IP to log in if the Citadel mode is active
- Allow IP to use the registration form to register if registration is enabled in the WordPress settings
- Allow IP to use WP REST API without limitation
- Allow IP to use the XML-RPC interface without limitation
What’s the order of operations in IP Access Lists?
The White IP Access List has the highest priority and is checked for an IP address first, then the IP is checked against the Black IP Access List, and then against the list of locked out IPs. Finally, WP Cerber checks the particular plugin settings you have configured. That means that if a specific IP address is in the White IP Access List, it is permitted to proceed, and no further checks of any kind are performed.
The order of operations as a short list, in the order the checks are performed. If an IP matches at any of the following steps, no further checks are performed.
- The White IP Access List allows IP unconditionally
- The Black IP Access List denies IP unconditionally
- The list of locked out (blocked) IP addresses denies IP if it is in the list
- Check for a particular WP Cerber setting
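The order of operations above, modelled as an added Python example (not WP Cerber's own code). The entry formats handled (single IP, CIDR network, "first-last" range), the sample lists, and the `restrictive_setting` stand-in are assumptions; the overlap between the white and black samples is constructed to show precedence.

```python
import ipaddress

def parse_entry(entry):
    """Expand one entry (assumed formats: IP, CIDR, or "first-last") into networks."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def matches(ip, entries):
    """True if the address falls inside any entry of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for e in entries for net in parse_entry(e))

def decide(ip, white, black, locked_out, setting_check):
    """Return (verdict, deciding step); the first step that matches ends the check."""
    if matches(ip, white):
        return ("allow", "white list")
    if matches(ip, black):
        return ("deny", "black list")
    if ip in locked_out:
        return ("deny", "lockout")
    return (setting_check(ip), "settings")

# Constructed sample data (documentation address ranges, not real hosts).
WHITE = ["198.51.100.10", "203.0.113.0/28"]
BLACK = ["198.51.100.0/24", "192.0.2.20-192.0.2.40"]
LOCKED_OUT = {"192.0.2.77"}

def restrictive_setting(ip):
    # Hypothetical stand-in for "a particular WP Cerber setting" that denies.
    return "deny"

def check(ip):
    return decide(ip, WHITE, BLACK, LOCKED_OUT, restrictive_setting)

if __name__ == "__main__":
    for ip in ["198.51.100.10", "198.51.100.11", "192.0.2.30",
               "192.0.2.77", "192.0.2.41"]:
        print(ip, check(ip))
```

In this model a white list match ends the evaluation before the black list, the lockout list, or any setting is consulted, so the width of each white entry determines how many addresses skip every later check.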
Note: When you activate WP Cerber, it automatically adds your computer network, including your IP address, to the White IP Access List to protect you from getting locked out by chance.
Possible formats of entries in Access Lists
Important notes about IP Access Lists for WordPress
- You cannot add the same IP address or a network to the black and white access lists simultaneously.
- IP addresses in the access lists are never locked out by WP Cerber.
- The IP Access Lists do not restrict access to static files such as photos and images you’ve uploaded to the WordPress media library, or JavaScript and CSS files. That is because they are served by a front-end server without invoking WordPress, and therefore without invoking Cerber’s code. If you need to block access to all static files, consider using an external cloud-based firewall along with a Cloudflare add-on.
- When you install and activate the WP Cerber plugin, it automatically adds your computer network to the White IP Access List.
- The Access Lists can be easily exported to a file and then be imported on another website with the WP Cerber plugin installed.
Integration with external firewalls
You can use a Cloudflare add-on to synchronize access list entries with the Cloudflare cloud-based firewall. Keep in mind, though, that unlike WP Cerber, Cloudflare’s firewall doesn’t support arbitrary IP ranges or CIDR networks. It supports only single IP addresses and classful networks such as A, B, C.
Bulk import of ACL entries
You can import ACL entries on the Tools admin page. Enter new access list entries, one item per line. To add an optional entry comment, use the CSV format with a comma after the IP address.
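A pre-import check for a bulk list, as an added Python example (not part of WP Cerber or its Cloudflare add-on). It splits each line at the first comma into entry and comment, rejects malformed entries, and flags entries that fall outside what the page says Cloudflare's firewall supports. Assumptions: the three entry formats handled, the reading of "classful networks such as A, B, C" as IPv4 /8, /16 and /24 prefixes, and this script's own choice to reject networks with host bits set.

```python
import ipaddress

# Assumption: the page's "classful networks A, B, C" read as these IPv4 prefixes.
CLASSFUL_PREFIXES = {8, 16, 24}

def classify(entry):
    """Return (kind, cloudflare_ok) for one entry; raise ValueError if malformed."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError("range bounds are inverted or mix IPv4 and IPv6")
        return ("range", False)   # arbitrary ranges are not supported there
    if "/" in entry:
        # strict=True is this script's choice: host bits set counts as a typo.
        net = ipaddress.ip_network(entry, strict=True)
        return ("network", net.version == 4 and net.prefixlen in CLASSFUL_PREFIXES)
    ipaddress.ip_address(entry)   # raises ValueError on a malformed address
    return ("ip", True)

def audit_import(text):
    """Return (rows, errors); each row is (entry, comment, kind, cloudflare_ok)."""
    rows, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        entry, _, comment = line.partition(",")   # comment is optional
        entry, comment = entry.strip(), comment.strip()
        try:
            kind, cf_ok = classify(entry)
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
            continue
        rows.append((entry, comment, kind, cf_ok))
    return rows, errors

# Constructed sample import text (documentation address ranges).
SAMPLE = """198.51.100.10, office gateway
203.0.113.0/24, partner network
203.0.113.64/26
192.0.2.20-192.0.2.40, monitoring probes
192.0.2.300, typo
"""

if __name__ == "__main__":
    rows, errors = audit_import(SAMPLE)
    for row in rows:
        print(row)
    print("rejected:", errors)
```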
Have any questions?
If you have a question regarding WordPress security or WP Cerber, leave it in the comments section below or get it answered on the community forum.
Spotted a bug or glitch?
We’d love to fix it! Share your bug discoveries with us here: Bug Report.
Rafael ( )
I want to avoid dynamic IP addresses, but how to avoid access from IPs that include “dyna” in their name? (for example like dynamic.jazztel.es)
Thank you
Gregory ( )
As of now, the plugin doesn’t support filtering/blocking IP addresses based on their domain names. Whether they are dynamic or static. Resolving IP addresses to domain names is way too time-consuming to perform it for each request to a website. We have to detect and block offensive and malicious IP addresses regardless of their domain names.
vb078 ( )
Hello 🙂
Really cool plugin, really amazing work!
Is it possible to add multiple IP addresses at once?
Not just IP ranges like 0.0.0.0-0.0.0.3
but something like 203.208.60.249, 66.249.79.94, …
Thanks !
Gregory ( )
Hi! There is no such feature, but it will be implemented soon. Here is a tip for now: manually create an access IP list on a website, export the list into a file and then import the file on any other website you need.
Marc ( )
Hi there, my IP address is dynamically generated by my cable company; it changes from time to time, but not often. Cerber puts it on the whitelist. How do I prevent getting locked out if my dynamic IP address changes periodically? Thank you, Marc
Gregory ( )
You don’t need to do anything. By design, WP Cerber adds the IP address of a website administrator (in this case you) to the white list during the plugin activation. It’s a safety measure for beginners. It reduces the risk of getting locked out by mistake due to a lack of experience or a plugin conflict. You can remove that entry.
Marc FRANÇOIS ( )
Hi! How to use a white list as my provider assigns me a random IP each time I connect? :/
Gregory ( )
The access lists are intended to be used along with static IP addresses or at least when IP addresses are assigned from a small list of a trusted IP range. You can specify the IP network that your provider uses to assign IP addresses for your location if you trust that network.
Daniel Lewis ( )
Hi. I want to allow new registrations by IP address(s). After successful registration, I do not want any IP filtering as access is limited by subsequent successful login. Can WP Cerber accomplish this?
Gregory ( )
Please elaborate. Do you want to permit new user registrations by a particular list of IP addresses while other IPs are not allowed to register on the website?
Gregory ( )
It has been implemented in WP Cerber Security 8.6.7
Daniel Lewis ( )
Yes. Thank you.
Gregory ( )
This feature will be implemented soon.