How To Whitelist IP Address in WordPress?

There are a few different ways of whitelisting IP addresses. Depending on your expertise, time constraints, and convenience, you can pick one of these methods to whitelist an IP address on WordPress.

A. Whitelist IP address in WordPress using plugin 

We strongly recommend that you use this method to whitelist IP addresses in WordPress because plugins reduce the chances of human error. The other methods of whitelisting IPs involve tinkering around with WordPress core files or with server configurations. The smallest misstep can crash your website entirely.  

Therefore, the easiest way to whitelist a blocked IP is to use MalCare. In addition, MalCare’s firewall filters out malicious traffic with ease. 

To whitelist an IP address in WordPress using MalCare follow these steps:

  • Go to your MalCare dashboard and go to the Security and Firewall tab

MalCare's security and firewall dashboard

  • Here you will see a tab called Traffic Requests, Click on ‘Show more.’

Traffic requests in MalCare

  • It will show you all the IPs that have accessed your site, and whether they are allowed or not. 

List of IP's allowed or not

  • Find the IP that you want to whitelist.
  • Hover over the edit icon, and it will show you the whitelist option.

  • Select ‘Add to whitelist’, and that’s it!

Whitelist IP address in WordPress

You have successfully whitelisted the IP you wanted to. This process can be refined with MalCare’s filters, as you can select a range of IPs or ones from a specific country.

Note: You can use this method to whitelist IPs that have visited the WordPress website, and that have been logged by MalCare’s firewall. If you want to whitelist IPs or IP ranges that haven’t been logged by the firewall, you can contact MalCare’s support.

B. Whitelist IP address in WordPress using the .htaccess file

Although we have covered this part, we do not recommend allowing IP addresses in WordPress using htaccess. There are two strong reasons for that. 

  • Whitelisting specific IP addresses manually can block ALL traffic except for the specified IP addresses. This can be averted but if you’re not well versed with using the .htaccess file, only a handful of IP addresses will be able to access your WordPress website. Every other IP address will be blocked. If you simply want to allow a few IPs on top of your regular traffic, this is obviously not ideal.
  • This method involves accessing your WordPress core files and inserting snippets of codes. If you are not an expert, chances are that you will make errors. Small mistakes in the .htaccess file can cause your website to break, as it is a critical core file.

If you wish to use the manual method despite these consequences, this is how you can do it. You will need an FTP client to access your WordPress files, or a plugin like File Manager will come in handy. 

  1. Take a complete backup of your site with BlogVault. While whitelisting may seem like a mundane task, accidentally adding or removing important code from your files can break your site. In which case, a complete WordPress backup can help you restore your site.
  2. Go to File Manager on your site dashboard, and select the public_ html folder. You will find the .htaccess file here.

public html htaccess

  1. Download the htaccess file and edit it in a text editor such as Notepad on your computer.
  2. To whitelist a single IP, add the following code snippet to the .htaccess file:

    order deny,allow
    allow from

    Replace the x’s with the IP address you want to whitelist.
  1. If you want to whitelist multiple IP addresses, just add another ‘allow from’ line like this:

    order deny,allow
    allow from
    allow from
  1. If you want to whitelist certain IP addresses only, while excluding all other traffic, add the deny command as shown below:

    order deny,allow
    deny from all
    allow from
    allow from
  2. To restrict access to a specific file, usually a WordPress core file like wp-login.php, add the following code to the .htaccess file:

    <Files wp-login.php>
    order deny,allow
    deny from all
    allow from

    Admins often block access like this to prevent things like brute force attacks, which hammer the login page with repeated requests. This is also the manual way to block access to XML-RPC.
  3. Reupload the edited file to your website’s public_html folder after deleting the original one. 

You’ve done it! You have successfully managed to whitelist an IP address on your WordPress site manually. To be sure, try visiting your site from different IP addresses, and an incognito window to make sure that your website is running as it should. If it does, your job is done.

  • Was this reply helpful?
  • Yes
  • No