IP Whitelist/Blacklist

Sometimes you need blunt-force access control. Maybe bots from a specific IP range are hammering your site, or you want to restrict access to your corporate network only. This module lets you block specific IPs (blacklist mode) or allow only specific IPs (whitelist mode) — your choice.

Use Cases

  • Block IPs that are attacking your login page or sending spam
  • Restrict admin access to your office IP only
  • Block entire IP ranges from countries you don’t serve
  • Create a private site accessible only from specific locations
  • Temporarily block a problematic user by IP

How It Works

The module runs before WordPress loads any content:

  1. Checks the visitor’s IP address
  2. Compares against your configured list
  3. In blacklist mode: blocks if IP is in the list
  4. In whitelist mode: blocks if IP is NOT in the list
  5. Blocked visitors see a “403 Access Denied” message

Important: Administrators (users with manage_options capability) always have access, regardless of IP rules.

Settings

Navigate to Switchboard → Security → IP Whitelist/Blacklist and click the settings icon.

| Setting | Description |
|---|---|
| Mode | Toggle between Blacklist (block listed IPs) and Whitelist (allow only listed IPs) |
| IP Addresses & Ranges | One IP or CIDR range per line |

Current Information Panel

The settings page shows:

  • Your current admin username
  • Your current IP address
  • Whether your IP is already in the list
  • A quick “Add My IP to List” button

Entering IP Addresses

Enter one IP address or range per line:

192.168.1.100
10.0.0.50
203.0.113.0/24
2001:db8::1

Single IP Addresses

192.168.1.100

Matches exactly that IP.

CIDR Ranges

192.168.1.0/24

Matches all IPs from 192.168.1.0 to 192.168.1.255 (256 addresses).

Common CIDR notation:

| CIDR | Addresses | Example Range |
|---|---|---|
| /32 | 1 | Single IP |
| /24 | 256 | 192.168.1.0 - 192.168.1.255 |
| /16 | 65,536 | 192.168.0.0 - 192.168.255.255 |
| /8 | 16,777,216 | 192.0.0.0 - 192.255.255.255 |

Blacklist Mode

Blocks IPs in the list. Everyone else gets in.

Use when you want to block specific troublemakers while keeping your site open to the public.

Example blocklist:

123.45.67.89
98.76.54.0/24

These IPs will see “Access denied. Your IP address has been blocked.”

Whitelist Mode

Allows only IPs in the list. Everyone else is blocked.

Use for private sites, staging environments, or restricting access to known networks.

Be careful with whitelist mode. If you forget to add your IP before enabling, you’ll lock yourself out. The “Add My IP” button helps prevent this.

Example whitelist:

203.0.113.50
10.0.0.0/8

Only these IPs can access the site. All other visitors see “Access denied. Your IP address is not whitelisted.”
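
The list matching and the two modes described above, sketched in PHP as an added example (not the module's own code). The function names and the sample list are assumptions made for illustration, the administrator bypass is not modelled, and in a real request the address passed in would be `$_SERVER['REMOTE_ADDR']`.

```php
<?php
// Added illustration; function names are hypothetical, not the module's API.

/** True if $ip is covered by $entry (single IP or CIDR, IPv4 or IPv6). */
function ip_matches_entry(string $ip, string $entry): bool
{
    $parts  = explode('/', trim($entry), 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    // Unparsable input or an IPv4/IPv6 mismatch (4 vs 16 bytes) never matches.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits = strlen($netBin) * 8;              // no prefix: exact match (/32 or /128)
    if (isset($parts[1])) {
        if (!preg_match('/\A\d{1,3}\z/', $parts[1]) || (int) $parts[1] > $bits) {
            return false;                     // malformed prefix such as "/33"
        }
        $bits = (int) $parts[1];
    }
    // Compare the whole bytes of the prefix, then the leftover high bits.
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    $rem  = $bits % 8;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return $rem === 0 || ((ord($ipBin[$bytes]) ^ ord($netBin[$bytes])) & $mask) === 0;
}

/** True when the request gets the 403: listed in blacklist mode, unlisted in whitelist mode. */
function should_block(string $remoteAddr, string $mode, string $listText): bool
{
    foreach (preg_split('/\R/', $listText) as $line) {
        if (trim($line) !== '' && ip_matches_entry($remoteAddr, $line)) {
            return $mode !== 'whitelist';     // listed: blocked unless whitelisting
        }
    }
    return $mode === 'whitelist';             // not listed: blocked only when whitelisting
}

// Constructed list and visitor addresses, one entry per line as on the settings page.
$list = "203.0.113.50\n10.0.0.0/8\n2001:db8::1";
foreach (['203.0.113.50', '10.200.3.4', '198.51.100.7', '2001:db8::1'] as $ip) {
    foreach (['blacklist', 'whitelist'] as $mode) {
        printf("%-13s %-9s %s\n", $ip, $mode, should_block($ip, $mode, $list) ? '403' : 'allow');
    }
}
```

Behind a CDN the address passed in is the CDN's, so a whitelist that contains only your office IP would block you as well.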

What Blocked Visitors See

Blocked users receive a 403 Forbidden response with a simple message:

Blacklist mode:

“Access denied. Your IP address has been blocked.”

Whitelist mode:

“Access denied. Your IP address is not whitelisted.”

Finding Your IP Address

The settings panel shows your current IP address. You can also:

  1. Google “what is my IP”
  2. Visit whatismyip.com
  3. Check your network settings

Note on Dynamic IPs: Most home and mobile connections have dynamic IPs that change periodically. If you’re whitelisting home IPs, they may stop working when your ISP assigns you a new address.

FAQ

What if I lock myself out?

Administrators always bypass IP restrictions while logged in. If you can’t log in:

  1. Access your site via FTP or file manager
  2. Rename or delete the module file: modules/security/ip-whitelist-blacklist.php
  3. Or edit the database directly and clear switchboard_ip-whitelist-blacklist_settings from the options table

Does this work with Cloudflare or other CDNs?

It depends on your CDN configuration. By default, the module uses REMOTE_ADDR, which may show the CDN’s IP rather than the visitor’s real IP. Many CDNs provide the real IP via headers like X-Forwarded-For, but these can be spoofed. For security-critical IP blocking with a CDN, implement rules at the CDN level instead.

Can I block entire countries?

Yes, by adding the IP ranges for that country. You’ll need to look up the CIDR ranges for the country (databases exist online). However, this can be tedious and imperfect. For sophisticated geo-blocking, a firewall or CDN with geo-blocking features works better.

Why can’t I add localhost (127.0.0.1 or ::1)?

You can add them, but they’re flagged as “not a real IP” because localhost addresses only apply to requests from the same server. They’re useful in specific development scenarios but don’t block or allow external visitors.

Does this affect REST API, feeds, or other non-page requests?

Yes. The IP check runs on every request before WordPress loads content, so it affects all access to your site including API endpoints, RSS feeds, and file downloads.

Can I have both a whitelist and blacklist?

Not simultaneously. You choose one mode. If you need complex rules (allow these IPs except these specific ones), consider a firewall or .htaccess rules for more flexibility.

Fighting an active attack? Add malicious IPs to the blacklist for immediate relief. For sustained attacks, consider a service like Cloudflare or Sucuri that can handle high volumes of attack traffic before it reaches your server.

For security reasons, this module only trusts REMOTE_ADDR and ignores other headers like X-Forwarded-For, which can be easily spoofed by attackers.
