Overview
IP-Based Security Controls allow you to restrict or allow access to your WordPress site based on IP addresses, ranges, or geographic locations. Protect against unauthorized access and comply with security policies.
Why Use IP-Based Security?
Stop known attackers, bots, and spam sources from accessing your site.
Restrict admin access to company office IP addresses only.
Meet regulatory requirements by restricting access by country.
Reduce fraudulent transactions by blocking high-risk regions.
Accessing IP Security Settings
Navigate to:
WordPress Admin → Settings → Attributes User Access → Security → IP Management
Whitelist Management
What is a Whitelist?
Definition: A list of approved IP addresses that are always allowed access, bypassing other security restrictions.
When to Use Whitelists
Common use cases:
Corporate Office Access:
Scenario: Only allow admin login from office
Whitelist: Office IP addresses
Result: Admins can only log in from office location
Remote Team Access:
Scenario: Team members work from specific locations
Whitelist: Home office IPs + VPN IP range
Result: Team accesses site from approved locations only
API Integration:
Scenario: Third-party service needs API access
Whitelist: Service provider’s IP range
Result: API calls accepted only from provider
Adding IPs to Whitelist
Single IP Address:
Step 1: Find your IP address
Visit: https://whatismyipaddress.com
Copy your IP: 203.0.113.25
Step 2: Add to whitelist
- Go to IP Management → Whitelist
- Click “Add New Entry”
- Enter IP: 203.0.113.25
- Description: “My Office IP”
- Access Level: Admin pages only (or Full access)
- Roles: Administrator
- Click “Add to Whitelist”
IP Range (CIDR Notation)
What is CIDR?
CIDR notation allows you to specify a range of IP addresses:
192.168.1.0/24 = 192.168.1.0 to 192.168.1.255 (256 IPs)
192.168.1.0/28 = 192.168.1.0 to 192.168.1.15 (16 IPs)
10.0.0.0/8 = All IPs starting with 10.x.x.x (16.7 million IPs)
Example Configurations
Example 1: Single Office
IP: 203.0.113.10
Description: Corporate Office - Main Building
Access: Admin pages only
Roles: Administrator, Editor
Status: Active
Example 2: Corporate Network
IP Range: 192.168.1.0/24
Description: Office Network (All workstations)
Access: Full (all pages)
Roles: All
Status: Active
Example 3: Multiple Locations
Headquarters:
IP: 203.0.113.10
Description: HQ Office
Access: Full
Roles: All
Remote Office 1:
IP: 198.51.100.20
Description: Remote Office - East Coast
Access: Admin only
Roles: Administrator, Editor
CEO Home Office:
IP: 198.51.100.45
Description: CEO Home Office
Access: Full
Roles: Administrator only
VPN Network:
IP: 192.0.2.0/24
Description: Corporate VPN
Access: Admin only
Roles: All roles
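The following is an added example, not the plugin's own code, showing how the CIDR sizes listed above and the Example 3 whitelist entries translate into a membership check. The entry fields mirror the documented form; the access-level semantics ("Admin only" covers paths under /wp-admin/, "Full" covers every path) and the "all roles" handling are assumptions for illustration.

```python
"""Whitelist evaluation for the entries shown in Example 3 above.

Added example, not the plugin's own code. Assumed semantics: 'admin' access
covers only paths under /wp-admin/, 'full' covers every path, and a roles
value of {'all'} matches any role.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class WhitelistEntry:
    network: str          # single IP "203.0.113.10" or CIDR range "192.0.2.0/24"
    description: str
    access: str           # "admin" (admin pages only) or "full" (all pages)
    roles: frozenset      # lowercase role names, or frozenset({"all"})


# Constructed from Example 3 (RFC 5737 documentation addresses, as on the page).
WHITELIST = [
    WhitelistEntry("203.0.113.10", "HQ Office", "full", frozenset({"all"})),
    WhitelistEntry("198.51.100.20", "Remote Office - East Coast", "admin",
                   frozenset({"administrator", "editor"})),
    WhitelistEntry("198.51.100.45", "CEO Home Office", "full",
                   frozenset({"administrator"})),
    WhitelistEntry("192.0.2.0/24", "Corporate VPN", "admin", frozenset({"all"})),
]


def parse_network(value):
    """Parse a single IP or CIDR string; a bare IP becomes a /32 (or /128) network.
    strict=False also accepts ranges written with host bits set, e.g. '192.168.1.5/24'."""
    return ipaddress.ip_network(value.strip(), strict=False)


def cidr_size(value):
    """Number of addresses covered: '/24' -> 256, '/28' -> 16, '/8' -> 16777216."""
    return parse_network(value).num_addresses


def cidr_bounds(value):
    """First and last address of a range, as the table above lists them."""
    net = parse_network(value)
    return str(net[0]), str(net[-1])


def entry_grants(entry, client_ip, path, role):
    """True when this entry covers the request: address, page and role all match."""
    if ipaddress.ip_address(client_ip) not in parse_network(entry.network):
        return False
    if entry.access == "admin" and not path.startswith("/wp-admin/"):
        return False
    if "all" not in entry.roles and role.lower() not in entry.roles:
        return False
    return True


def whitelist_grants(client_ip, path, role, whitelist=WHITELIST):
    """True if any whitelist entry covers the request; such a request bypasses
    the other IP restrictions, as the definition above describes."""
    return any(entry_grants(e, client_ip, path, role) for e in whitelist)


if __name__ == "__main__":
    for ip, path, role in [("203.0.113.10", "/wp-admin/", "subscriber"),
                           ("198.51.100.20", "/wp-admin/users.php", "editor"),
                           ("198.51.100.20", "/wp-admin/users.php", "subscriber"),
                           ("192.0.2.77", "/wp-admin/", "subscriber"),
                           ("192.0.2.77", "/blog/post", "subscriber")]:
        print(ip, path, role, "->", whitelist_grants(ip, path, role))
```

Note that an "Admin only" entry deliberately says nothing about public pages: a VPN user at 192.0.2.77 is covered for /wp-admin/ but not for /blog/post, so public content falls through to whatever other rules apply. Checking `cidr_size` before saving an entry is a cheap way to notice that a /8 covers 16.7 million addresses.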
Bulk IP Import
For large lists: CSV format:
ip_address,description,access_level,roles
203.0.113.10,"Office Main",admin,"administrator,editor"
203.0.113.11,"Office Backup",admin,"administrator"
198.51.100.0/24,"Branch Office",full,"all"
Import steps:
- Prepare CSV file
- Go to IP Management → Import
- Upload CSV file
- Review entries
- Click “Import All”
- Verify entries added
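The "Review entries" step above is where bad rows should be caught. The following added example (not the plugin's own importer) validates a CSV in the documented column layout before anything is imported: it rejects malformed addresses, unknown access levels or roles, duplicates, and ranges that are so broad they would whitelist most of the internet. The size cap `MAX_ADDRESSES` and the accepted role names (the default WordPress roles) are assumptions.

```python
"""Validate a bulk whitelist CSV before importing it.

Added example, not the plugin's own importer. Reads the documented column
layout (ip_address,description,access_level,roles). MAX_ADDRESSES and the
accepted role names are assumptions for illustration.
"""
import csv
import io
import ipaddress

VALID_ACCESS = {"admin", "full"}
DEFAULT_WP_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}
MAX_ADDRESSES = 2 ** 16      # refuse anything wider than a /16 (assumed policy cap)

# Constructed sample: the three rows from the CSV above plus two deliberately bad rows.
SAMPLE_CSV = """ip_address,description,access_level,roles
203.0.113.10,"Office Main",admin,"administrator,editor"
203.0.113.11,"Office Backup",admin,"administrator"
198.51.100.0/24,"Branch Office",full,"all"
0.0.0.0/0,"Everyone",full,"all"
203.0.113.999,"Typo",admin,"administrator"
"""


def validate_row(row):
    """Return a list of problems with one CSV row (an empty list means accepted)."""
    problems = []
    raw = (row.get("ip_address") or "").strip()
    try:
        net = ipaddress.ip_network(raw, strict=False)
    except ValueError:
        problems.append(f"invalid IP or CIDR: {raw!r}")
    else:
        if net.num_addresses > MAX_ADDRESSES:
            problems.append(f"range too broad: {raw} covers {net.num_addresses} addresses")
    access = (row.get("access_level") or "").strip().lower()
    if access not in VALID_ACCESS:
        problems.append(f"access_level must be one of {sorted(VALID_ACCESS)}, got {access!r}")
    roles = {r.strip().lower() for r in (row.get("roles") or "").split(",") if r.strip()}
    if not roles:
        problems.append("roles must not be empty")
    elif roles != {"all"} and not roles <= DEFAULT_WP_ROLES:
        problems.append(f"unknown roles: {sorted(roles - DEFAULT_WP_ROLES)}")
    return problems


def parse_import(text):
    """Split CSV text into (accepted, rejected); rejected pairs each CSV line
    number with its list of problems. Duplicate addresses are rejected too."""
    reader = csv.DictReader(io.StringIO(text))
    accepted, rejected, seen = [], [], set()
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        problems = validate_row(row)
        key = (row.get("ip_address") or "").strip()
        if key in seen:
            problems.append(f"duplicate entry for {key}")
        seen.add(key)
        if problems:
            rejected.append((lineno, problems))
        else:
            accepted.append(row)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_import(SAMPLE_CSV)
    print(f"{len(ok)} rows accepted")
    for lineno, problems in bad:
        print(f"line {lineno} rejected: {'; '.join(problems)}")
```

Running it on the sample rejects line 5 (0.0.0.0/0 is the entire IPv4 space) and line 6 (an octet of 999), and accepts the three documented rows.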
Blacklist Management
What is a Blacklist?
Definition: A list of IP addresses that are always blocked from accessing your site.
When to Use Blacklists
Brute Force Attacks:
Detected: 50+ failed login attempts from 192.0.2.75
Action: Add to blacklist
Duration: Permanent
Spam Sources:
Detected: Comment spam from 198.51.100.0/24
Action: Block IP range
Duration: 30 days
Known Malicious IPs:
Source: Threat intelligence feed
IPs: Multiple known attacker IPs
Action: Import to blacklist
Duration: Permanent
Adding IPs to Blacklist
Method 1: Manual Entry
- Go to IP Management → Blacklist
- Click “Add Entry”
- Enter IP: 192.0.2.50
- Reason: “Brute force attempts detected”
- Duration: Permanent (or set expiry)
- Click “Block IP”
Method 2: Block from Audit Log
- Go to Audit Log
- Find suspicious activity
- Click IP address: 203.0.113.99
- Click “Block this IP”
- Confirm block
- Entry automatically added to blacklist
Example: Temporary Block
IP: 203.0.113.50
Reason: Unusual activity pattern
Duration: 48 hours
Auto-expire: 2025-11-08 10:00
Status: Active
Blacklist Examples
Example 1: Brute Force Attacker
IP: 192.0.2.75
Reason: 50+ failed login attempts in 10 minutes
Duration: Permanent
Added: 2025-11-06 14:30
Status: Blocked
Example 2: Spam Bot Network
IP Range: 198.51.100.0/24
Reason: Automated comment spam
Duration: 30 days
Added: 2025-11-01 09:15
Expires: 2025-12-01 09:15
Example 3: Temporary Suspicious Activity
IP: 203.0.113.100
Reason: Rapid page scanning detected
Duration: 72 hours
Auto-expire: Yes
Added: 2025-11-05 15:20
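The three examples above differ in how the block was triggered and how long it lasts. The following added example (not the plugin's own detection or blacklist code) shows both halves: a sliding-window count of failed logins over constructed audit-log lines that produces a permanent entry like Example 1, and expiry handling that keeps the 30-day and 48-hour entries active only until their auto-expire time. The log line format, the 50-in-10-minutes threshold and the `BlockEntry` fields are assumptions for illustration.

```python
"""Brute-force detection over audit-log lines plus blacklist expiry handling.

Added example, not the plugin's own code. The log line format, the threshold
(50 failures in 10 minutes, as in Example 1) and BlockEntry are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

THRESHOLD = 50
WINDOW = timedelta(minutes=10)
TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) login_failed user=\S+ ip=(?P<ip>\S+)$")


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


@dataclass
class BlockEntry:
    network: str                    # single IP or CIDR range
    reason: str
    added: datetime
    duration: Optional[timedelta]   # None means permanent

    @property
    def expires(self):
        return None if self.duration is None else self.added + self.duration

    def is_active(self, now):
        return self.expires is None or now < self.expires


# Constructed from Examples 2 and 3 / the temporary block shown above.
SPAM_BLOCK = BlockEntry("198.51.100.0/24", "Automated comment spam",
                        parse_ts("2025-11-01 09:15:00"), timedelta(days=30))
TEMP_BLOCK = BlockEntry("203.0.113.50", "Unusual activity pattern",
                        parse_ts("2025-11-06 10:00:00"), timedelta(hours=48))


def build_sample_log():
    """Constructed audit log: 52 failures from 192.0.2.75 inside nine minutes
    and three scattered failures from 203.0.113.5 (well below the threshold)."""
    start = datetime(2025, 11, 6, 14, 20, 0)
    lines = [f"{start + timedelta(seconds=10 * i):{TS_FMT}} login_failed user=admin ip=192.0.2.75"
             for i in range(52)]
    lines += [f"{start + timedelta(minutes=3 * i):{TS_FMT}} login_failed user=editor ip=203.0.113.5"
              for i in range(3)]
    return lines


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per IP. Returns {ip: BlockEntry}
    for every IP that reached `threshold` failures within `window`."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["ip"]))
    events.sort()                              # log lines are not guaranteed to be ordered
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:              # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            minutes = int(window.total_seconds() // 60)
            flagged[ip] = BlockEntry(ip, f"{threshold}+ failed login attempts in {minutes} minutes",
                                     added=ts, duration=None)   # permanent, as in Example 1
    return flagged


def is_blocked(client_ip, entries, now):
    """True when an entry that is still active covers client_ip."""
    addr = ip_address(client_ip)
    return any(e.is_active(now) and addr in ip_network(e.network, strict=False) for e in entries)


if __name__ == "__main__":
    for ip, entry in detect_brute_force(build_sample_log()).items():
        print(f"block {ip}: {entry.reason} (added {entry.added:{TS_FMT}}, expires {entry.expires})")
    print("spam range expires", SPAM_BLOCK.expires, "temp block expires", TEMP_BLOCK.expires)
```

The detector flags 192.0.2.75 at the moment its 50th failure lands (14:28:10 in the constructed log) and leaves 203.0.113.5 alone. The expiry check is what makes "Review blocked IPs weekly" tractable: anything whose `is_active` is already false can be pruned without a decision.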
Geographic Restrictions
Country-Level Blocking
Control access based on visitor’s country (requires GeoIP database).
Use Cases
Fraud Prevention (E-commerce):
Scenario: High fraud rates from specific countries
Action: Block checkout pages from those countries
Allow: All other countries
Result: Reduced fraudulent transactions
Regulatory Compliance:
Scenario: Service only licensed in USA
Action: Block all non-USA IPs
Allow: USA only
Result: Compliance maintained
Content Licensing:
Scenario: Content only licensed for North America
Action: Allow USA, Canada, Mexico
Block: All other countries
Result: License terms satisfied
Configuring Geographic Rules
Step 1: Enable GeoIP Detection
- Go to Security → Geographic Restrictions
- Enable “Country-Based Access Control”
- Download GeoIP database (if prompted)
- Wait for database installation
Step 2: Choose Restriction Mode
Option A: Allow List (Block all except)
Mode: Allow List
Allowed Countries:
- United States
- Canada
- United Kingdom
Result: Only these countries can access
Option B: Block List (Allow all except)
Mode: Block List
Blocked Countries:
- Country A
- Country B
- Country C
Result: All countries except these can access
Step 3: Set Page-Level Rules
Rule 1:
Pages: Admin area (/wp-admin/*)
Action: Block all except USA, Canada
Rule 2:
Pages: Checkout pages
Action: Block high-risk countries
Rule 3:
Pages: Public content
Action: Allow all countries
Step 4: Test Configuration
- Use VPN to simulate blocked country
- Attempt to access site
- Verify block message displays
- Switch VPN to allowed country
- Verify access granted
- Test all page rules
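As an added example (not the plugin's own rule engine), the following evaluates the two modes from Step 2 and the three page-level rules from Step 3 against a constructed stand-in for the GeoIP lookup. The first-match ordering, the page patterns, and the `HIGH_RISK` placeholder codes (XA and XB are ISO 3166 user-assigned codes, not real countries) are assumptions; a deployment would substitute its own list and the real GeoIP database.

```python
"""Evaluate the geographic rules from Steps 2 and 3 above.

Added example, not the plugin's own code. GEOIP is a constructed stand-in
for the GeoIP database; rule patterns, HIGH_RISK (placeholder codes) and
first-match ordering are assumptions for illustration.
"""
import fnmatch
from typing import NamedTuple

GEOIP = {                     # constructed lookup table (RFC 5737 documentation addresses)
    "203.0.113.10": "US",
    "198.51.100.20": "CA",
    "192.0.2.77": "GB",
    "192.0.2.200": "XA",
}
UNKNOWN = "??"                # address not found in the database
HIGH_RISK = {"XA", "XB"}      # placeholder for the site's own high-risk country list


class Decision(NamedTuple):
    allowed: bool
    reason: str


def country_of(ip):
    return GEOIP.get(ip, UNKNOWN)


def mode_decision(mode, countries, country, scope):
    """Step 2 semantics: 'allow' = block all except the listed countries,
    'block' = allow all except the listed countries, 'allow_all' = no check.
    An unknown country never matches an allow list (fails closed) and never
    matches a block list (fails open), which is why the admin rule uses 'allow'."""
    if mode == "allow_all":
        return Decision(True, f"{scope}: open to all countries")
    if mode == "allow":
        ok = country in countries
        return Decision(ok, f"{scope}: allow list {sorted(countries)}, visitor {country}")
    if mode == "block":
        ok = country not in countries
        return Decision(ok, f"{scope}: block list {sorted(countries)}, visitor {country}")
    raise ValueError(f"unknown mode {mode!r}")


RULES = [   # first matching pattern wins, so the most specific pages come first
    {"pages": "/wp-admin/*", "mode": "allow", "countries": {"US", "CA"}},   # Rule 1
    {"pages": "/checkout*", "mode": "block", "countries": HIGH_RISK},      # Rule 2
    {"pages": "*", "mode": "allow_all", "countries": set()},               # Rule 3
]


def evaluate(client_ip, path, rules=RULES):
    """Apply the first page rule whose pattern matches the request path."""
    country = country_of(client_ip)
    for rule in rules:
        if fnmatch.fnmatchcase(path, rule["pages"]):
            return mode_decision(rule["mode"], rule["countries"], country, rule["pages"])
    return Decision(False, "no rule matched")   # fail closed if the rule set has no catch-all


if __name__ == "__main__":
    for ip, path in [("203.0.113.10", "/wp-admin/options.php"), ("192.0.2.77", "/wp-admin/"),
                     ("192.0.2.77", "/checkout"), ("192.0.2.200", "/checkout"),
                     ("192.0.2.200", "/blog/hello"), ("10.9.9.9", "/wp-admin/")]:
        d = evaluate(ip, path)
        print("ALLOW" if d.allowed else "BLOCK", ip, path, "-", d.reason)
```

Walking the Step 4 test cases through `evaluate` shows the asymmetry worth remembering: a visitor the database cannot place is denied on /wp-admin/ (allow list) but passes the checkout block list, so an allow list is the safer mode wherever the page must not be reachable from unexpected locations.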
VPN Detection
Why Detect VPNs?
Legitimate reasons to block:
- Fraud prevention (e-commerce)
- Content licensing compliance
- Geographic restrictions enforcement
- Reduce anonymized attacks
Legitimate VPN users who may be affected:
- Privacy-conscious users
- Corporate VPN users
- Remote workers
- Traveling employees
VPN Detection Settings
Configuration:
Enable VPN Detection: Yes
Action for VPNs: Log (or Block)
Corporate VPN Exception: Enabled
Known VPN Whitelist: Yes
Corporate VPN Whitelist
Add trusted VPN providers:
VPN 1:
Provider: Company VPN
IP Range: 10.0.0.0/8
Action: Always Allow
VPN 2:
Provider: Backup VPN Service
IP Range: 172.16.0.0/12
Action: Always Allow
Testing IP Rules
Pre-Deployment Checklist
Before Enforcing IP Rules:
- ☐ Document all office/home IPs that need access
- ☐ Add your current IP to whitelist first
- ☐ Create test account with limited privileges
- ☐ Test from each location users will access from
- ☐ Verify mobile network access (if needed)
- ☐ Test VPN access (if used)
- ☐ Document emergency access procedures
- ☐ Notify team before implementing
- ☐ Have backup admin access method ready
Safe Testing Procedure
Phase 1: Create Test Environment
- Create test user account
  Username: ip-test-user
  Role: Subscriber (low risk)
- Start with logging mode
  Enable IP rules
  Set action to “Log Only”
  Monitor for 48 hours
Phase 2: Test Whitelist
- Add your IP to whitelist
- Log in from your location
- Verify access granted
- Check audit log entry
Phase 3: Test Blacklist
- Add different IP to blacklist
- Attempt access from that IP (or use proxy)
- Verify access denied
- Check block message displays
Phase 4: Test Geographic Rules
- Use VPN to simulate different country
- Test from blocked country
- Verify block works
- Test from allowed country
- Verify access granted
Phase 5: Enable Enforcement
- Review all test results
- Confirm rules work as expected
- Change from “Log Only” to “Enforce”
- Monitor closely for 24 hours
- Address any issues immediately
Emergency Access Procedures
Locked Out? Recovery Methods
Method 1: wp-config.php Override
Add to wp-config.php (before "That's all, stop editing!"):
// Emergency: Bypass IP restrictions
define('ATTRUA_BYPASS_IP_CHECK', true);
Access via FTP/cPanel → Edit file → Add line → Save → Login → Fix IP settings → Remove line
Method 2: Database Edit
Via phpMyAdmin:
-- Temporarily disable IP blocking
UPDATE wp_options
SET option_value = '0'
WHERE option_name = 'attrua_pro_enable_ip_blocking';
Method 3: Plugin Deactivation
Via FTP/File Manager:
- Navigate to: /wp-content/plugins/
- Rename: attributes-user-access-pro → attributes-user-access-pro-disabled
- Log in to WordPress
- Fix IP settings via other security plugin or manual config
- Rename folder back
- Reactivate plugin
Best Practices
Before enabling any blocking rules, add your own IP to the whitelist. This prevents accidental lockout.
Enable IP rules in “Log Only” mode first. Review logs for 48 hours before enforcing blocks.
Save FTP credentials, database access, and recovery steps in secure location before implementing.
Home users often have dynamic IPs that change. Use IP ranges or alternative methods for remote workers.
Review blocked IPs weekly. Remove temporary blocks that are no longer needed.
Troubleshooting
Legitimate Users Blocked
Solutions:
- Ask user for their current IP address (whatismyipaddress.com)
- Check if IP is on blacklist or not on whitelist
- Add IP to whitelist temporarily
- Check if geographic rule is blocking
- Verify VPN detection isn’t blocking corporate VPN
Admin Accidentally Locked Out
- Use wp-config.php bypass method (see Emergency Access above)
- Access database and disable IP blocking
- Contact hosting support for emergency access
- Use FTP to temporarily disable plugin
Dynamic IP Users
- Use IP range instead of single IP (CIDR notation)
- Implement VPN with static IP
- Use 2FA instead of IP whitelist
- Whitelist user’s ISP IP range (less secure)
- Consider alternative authentication methods