IP Allow & Block List
IP Allow & Block List (PRO) lets you allow or block visitors by IP address - ideal for office-only dashboards or shutting out known troublemakers. Rules apply site-wide, including wp-admin and login.
What it does
Section titled “What it does”- Blacklist mode: listed IPs are blocked; everyone else is allowed.
- Whitelist mode: only listed IPs are allowed; everyone else is blocked (inactive until at least one valid IP/CIDR is saved).
- Enforcement covers public site, wp-admin, login, REST, AJAX, and XML-RPC. No role bypasses IP rules.
- IP detection: Cloudflare
CF-Connecting-IPautomatic, optional custom real-IP header, otherwiseREMOTE_ADDR. - Customizable blocked page (default template or custom HTML from media) with title, headline, message, logo, and colors.
- Emergency recovery notes in settings (WP-CLI, database option, rename plugin folder, or
WPPS_IP_ACCESS_BYPASS).
When to use it
Section titled “When to use it”Enable it if:
- You need to block known abusive IPs site-wide.
- Staging or admin access should be limited to office/VPN addresses (whitelist).
- You want a branded blocked page instead of a blank 403.
When not to use it
Section titled “When not to use it”Settings
Section titled “Settings”IP rules
- Blacklist or Whitelist
- IP addresses & ranges (one IPv4/IPv6 or CIDR per line) with Add my IP
- Real IP header (optional; leave blank for automatic detection)
Blocked page
- Template: default or custom HTML
- Page title, headline, message, logo, background/text colors
How to enable it
Section titled “How to enable it”- Go to WP PowerSuite -> Modules -> Security.
- Toggle IP Allow & Block List on (PRO license required).
- Start in Blacklist mode, add IPs carefully, save.
- For whitelist mode, add your current IP first, save, then switch modes.
How to test it
Section titled “How to test it”- In blacklist mode, add a test IP you control (or temporarily add a lab IP), save, then request the site from that address.
- ✅ Pass: blocked page / access denied for listed IPs.
- Confirm detected client IP shown in settings matches your expectation (Cloudflare vs direct).
- ❌ Fail: fix Real IP header if you are behind a non-Cloudflare proxy; do not use spoofable headers like X-Forwarded-For.
Troubleshooting
Section titled “Troubleshooting”- Locked out in whitelist mode. Use hosting file manager to rename the plugin folder, set
WPPS_IP_ACCESS_BYPASSin wp-config, or patch settings via WP-CLI/database. - Wrong IP detected. Configure Real IP header for your trusted proxy, or rely on Cloudflare detection.
- 403 cached for everyone. Exclude 403/blocked responses from full-page cache/CDN.
What does IP Allow & Block List do?
It allows or blocks visitors by IP/CIDR across the whole site, including admin, login, REST, AJAX, and XML-RPC.
Is IP Allow & Block List free?
No. It is a PRO module and requires an active license.
Can administrators bypass the IP rules?
No. IP rules apply to everyone, including administrators.
What happens if whitelist mode has no IPs?
Enforcement stays inactive until you add at least one valid IP or CIDR range.
How do I turn IP Allow & Block List off?
Go to WP PowerSuite -> Modules and toggle it off, or use the emergency recovery methods described in settings if you are locked out.
Developer notes (hooks & filters)
Source: modules/ip-whitelist-blacklist/module.php.
Boot: critical · context: admin, frontend, ajax, rest.
Hooks: admin_init, login_init, init, wp_loaded, rest_api_init, rest_authentication_errors.
Client IP override filter: wp_powersuite_ip_whitelist_blacklist_client_ip.
Bypass constant: WPPS_IP_ACCESS_BYPASS.