Skip to content

IP Allow & Block List

IP Allow & Block List (PRO) lets you allow or block visitors by IP address - ideal for office-only dashboards or shutting out known troublemakers. Rules apply site-wide, including wp-admin and login.

  • Blacklist mode: listed IPs are blocked; everyone else is allowed.
  • Whitelist mode: only listed IPs are allowed; everyone else is blocked (inactive until at least one valid IP/CIDR is saved).
  • Enforcement covers public site, wp-admin, login, REST, AJAX, and XML-RPC. No role bypasses IP rules.
  • IP detection: Cloudflare CF-Connecting-IP automatic, optional custom real-IP header, otherwise REMOTE_ADDR.
  • Customizable blocked page (default template or custom HTML from media) with title, headline, message, logo, and colors.
  • Emergency recovery notes in settings (WP-CLI, database option, rename plugin folder, or WPPS_IP_ACCESS_BYPASS).

Enable it if:

  • You need to block known abusive IPs site-wide.
  • Staging or admin access should be limited to office/VPN addresses (whitelist).
  • You want a branded blocked page instead of a blank 403.

IP rules

  • Blacklist or Whitelist
  • IP addresses & ranges (one IPv4/IPv6 or CIDR per line) with Add my IP
  • Real IP header (optional; leave blank for automatic detection)

Blocked page

  • Template: default or custom HTML
  • Page title, headline, message, logo, background/text colors
  1. Go to WP PowerSuite -> Modules -> Security.
  2. Toggle IP Allow & Block List on (PRO license required).
  3. Start in Blacklist mode, add IPs carefully, save.
  4. For whitelist mode, add your current IP first, save, then switch modes.
  • In blacklist mode, add a test IP you control (or temporarily add a lab IP), save, then request the site from that address.
  • ✅ Pass: blocked page / access denied for listed IPs.
  • Confirm detected client IP shown in settings matches your expectation (Cloudflare vs direct).
  • ❌ Fail: fix Real IP header if you are behind a non-Cloudflare proxy; do not use spoofable headers like X-Forwarded-For.
  • Locked out in whitelist mode. Use hosting file manager to rename the plugin folder, set WPPS_IP_ACCESS_BYPASS in wp-config, or patch settings via WP-CLI/database.
  • Wrong IP detected. Configure Real IP header for your trusted proxy, or rely on Cloudflare detection.
  • 403 cached for everyone. Exclude 403/blocked responses from full-page cache/CDN.
What does IP Allow & Block List do?

It allows or blocks visitors by IP/CIDR across the whole site, including admin, login, REST, AJAX, and XML-RPC.

Is IP Allow & Block List free?

No. It is a PRO module and requires an active license.

Can administrators bypass the IP rules?

No. IP rules apply to everyone, including administrators.

What happens if whitelist mode has no IPs?

Enforcement stays inactive until you add at least one valid IP or CIDR range.

How do I turn IP Allow & Block List off?

Go to WP PowerSuite -> Modules and toggle it off, or use the emergency recovery methods described in settings if you are locked out.

Developer notes (hooks & filters)

Source: modules/ip-whitelist-blacklist/module.php. Boot: critical · context: admin, frontend, ajax, rest.

Hooks: admin_init, login_init, init, wp_loaded, rest_api_init, rest_authentication_errors. Client IP override filter: wp_powersuite_ip_whitelist_blacklist_client_ip. Bypass constant: WPPS_IP_ACCESS_BYPASS.