Using IP Access Lists to protect WordPress
High performance IP access list engine allows you to protect WordPress virtually with unlimited IP addresses, networks and IP ranges in the access lists.
IP Access Lists (commonly referred to as ACLs) are intended to restrict access to vital WordPress functions, WordPress login and registration forms from unwanted computers and bots. The WP Cerber plugin supports two types of access lists: White IP Access List and Black IP Access List. Both access lists are manually managed by website admin on the Access List settings page. Optionally an IP can bee added to the White IP Access List from the Activity page.
Note: before you can start using access lists, you have to make sure that the plugin detects IP addresses correctly. How to do that – Getting Started.
Additional note if your WordPress is under CloudFlare.
By adding IP addresses to the Black IP Access List you block the ability to log into the site, submit forms and make unsafe/harmful requests to vital WordPress functionality that are protected by WP Cerber:
- Deny IP to log in to the web site
- Deny IP to register on the web site
- Deny IP to use WP REST API completely
- Deny IP to use XML-RPC completely
- Deny IP to access WordPress PHP scripts that usually is being used by bots and hackers: wp-login.php, wp-signup.php, wp-register.php
When you put a particular IP address, subnet or IP range on the White IP Access List you allow these IP addresses to ignore limit login attempts rules, the plugin settings and use WordPress functionality, that are protected by WP Cerber, without limitations:
- Allow IP to log in to the site with no limit to login attempts (if you uncheck Apply limit login rules to IP addresses in the White IP Access List in the limit login settings)
- Allow IP to log in if the Citadel mode is active
- Allow IP to use registration form to register if registration is enabled in the WordPress settings
- Allow IP to use WP REST API without limitation
- Allow IP to use XML-RPC interface without limitation
What’s the order of operations in IP Access Lists?
The White IP Access list has the highest priority and will be checked for an IP address first, then the IP will be checked against the Black IP Access List and, then the IP will be checked against the list of locked out IPs, finally WP Cerber checks particular plugin settings you have configured. That means that if a particular IP address is in the White IP Access list, it will be permitted to proceed and no further checks any kind will be performed.
Order of operations in a short list as they will be performed. If an IP is matched any of the following steps, no further checks will be performed.
- The White IP Access List allows IP unconditionally
- The Black IP Access List denies IP unconditionally
- The list of locked out (blocked) IP addresses, denies IP if in the list
- Check for a particular WP Cerber setting
Note: When you activate WP Cerber, it automatically adds your computer network, including your IP address, to the White Access list to protect you from getting locked out by chance.
Possible values for entries in IP Access Lists
- Single IPv6 address like: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
- Single IPv4 address like: 192.168.5.22
- IPv4 addresses range with dash like: 192.168.1.45 – 192.168.22.165
- IPv4 CIDR like: 192.168.128.0/24
- IPv4 subnet Class C like: 192.168.77.*
- IPv4 subnet Class B like: 192.168.*.*
- IPv4 subnet Class A like: 192.*.*.*
FAQ about IP Access Lists
How to grant access to a certain set of several IP address and block to the rest of the world?
- Add your IP address or a set of IPs you want to permit to log into your website to the White IP Access List.
- Add the string
*.*.*.*to the Black IP Access List.
Can an IP address from any access list be locked out and shown on the Lockouts tab?
Never. It doesn’t make sense.
Other notes about IP Access Lists for WordPress
- You cannot add the same IP address or IPv4 range to the both lists.
- When you install and activate WP Cerber, it automatically adds your computer network to the White IP Access List.
- The Access List can be easily exported to a file and then be imported on other website with the WP Cerber plugin installed.
Last posts from WordPress security blog
- Contact Form 7 are not working August 14, 2018
- WP Cerber Security 7.2 July 9, 2018
- What Cerber Security Scanner scans and detects July 5, 2018
- Automated recurring scans and email reporting for WordPress July 3, 2018
- Some legitimate HTTP requests are being blocked June 18, 2018