Overview
IP blocking features protect your site but can inadvertently block legitimate users. This guide helps troubleshoot whitelist/blacklist issues, CIDR notation problems, geographic restrictions, and VPN detection.
Issue 1: Admin Locked Out by IP Rules
Symptoms
- Configured IP whitelist
- Can't access admin panel anymore
- "Access denied" or redirect to homepage
Solution 1: Emergency Access
Via wp-config.php:
// Add to wp-config.php TEMPORARILY
define('ATTRUA_DISABLE_IP_BLOCKING', true);
// After regaining access:
// 1. Fix IP whitelist
// 2. Remove this line
Solution 2: Database Fix
Disable IP blocking via database:
-- Connect via phpMyAdmin
-- Disable IP blocking temporarily
UPDATE wp_options
SET option_value = '0'
WHERE option_name = 'attrua_ip_blocking_enabled';
-- After login, re-enable and fix configuration
Solution 3: Add Current IP to Whitelist
Via phpMyAdmin:
-- First, find your current IP by visiting: https://whatismyipaddress.com
-- Then add to whitelist (replace with your IP)
INSERT INTO wp_attrua_ip_whitelist (ip_address, description)
VALUES ('203.0.113.50', 'My current IP - added via emergency recovery');
Issue 2: CIDR Notation Not Working
Symptoms
- Added IP range in CIDR format: 192.168.1.0/24
- Still blocked or not working as expected
- Individual IPs work, ranges don’t
Common CIDR Mistakes
Wrong format:
❌ 192.168.1.1-192.168.1.255 (Range format not supported)
❌ 192.168.1.* (Wildcard not supported)
❌ 192.168.1.0/24/ (Extra slash)
❌ 192.168.1.0 /24 (Space before slash)
Correct format:
✅ 192.168.1.0/24 (Correct CIDR format)
✅ 10.0.0.0/8 (Class A network)
✅ 172.16.0.0/12 (Class B network)
CIDR Quick Reference
Common network sizes:
/32 = Single IP (192.168.1.50/32)
/24 = 256 IPs (192.168.1.0/24 = .0 through .255)
/16 = 65,536 IPs (192.168.0.0/16)
/8 = 16,777,216 IPs (10.0.0.0/8)
Office network examples:
Small office: 203.0.113.0/28 (16 IPs)
Medium office: 203.0.113.0/24 (256 IPs)
Large office: 203.0.113.0/22 (1,024 IPs)
Testing CIDR Ranges
Verify IP falls within range:
Use online calculator:
https://www.ipaddressguide.com/cidr
Example:
Range: 192.168.1.0/24
Test IP: 192.168.1.50
Result: ✅ Within range
Test IP: 192.168.2.50
Result: ❌ Outside range
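The same checks can be run offline. The following is an added example, not the plugin's own code: `check_entry` and `in_range` are hypothetical helper names, and the accept/reject rules only mirror the formats listed under Common CIDR Mistakes. It goes one step further than the list by suggesting the CIDR equivalent of a rejected range.

```python
import ipaddress

def check_entry(entry):
    """Classify one list entry as (ok, detail) using the formats listed above.

    Assumption: the plugin's parser is not shown on the page; this only
    mirrors the documented accepted and rejected formats.
    """
    if any(ch.isspace() for ch in entry):
        return False, "whitespace in entry"
    if "*" in entry:
        return False, "wildcard not supported"
    if "-" in entry:
        # Range format is rejected, so suggest the equivalent CIDR block(s).
        try:
            first, last = (ipaddress.ip_address(p) for p in entry.split("-"))
            nets = ipaddress.summarize_address_range(first, last)
            return False, "range not supported; use " + ", ".join(map(str, nets))
        except (ValueError, TypeError):
            return False, "range not supported"
    if entry.count("/") > 1:
        return False, "extra slash"
    try:
        # strict=False accepts 192.168.1.50/24 and normalises it to .0/24
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return False, str(exc)
    return True, str(net)

def in_range(ip, cidr):
    """True if ip lies inside cidr (both given as strings)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

if __name__ == "__main__":
    # Entries taken from the examples in this guide.
    for e in ["192.168.1.0/24", "192.168.1.0/24/", "192.168.1.0 /24",
              "192.168.1.*", "203.0.113.0-203.0.113.127"]:
        print(repr(e), check_entry(e))
    for ip in ["192.168.1.50", "192.168.2.50"]:
        print(ip, "in 192.168.1.0/24:", in_range(ip, "192.168.1.0/24"))
```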
Issue 3: Geographic Blocking Not Working
Symptoms
- Configured country restrictions
- Users from blocked countries still access site
- Or legitimate users from allowed countries blocked
Solution 1: Check GeoIP Database
Verify GeoIP installed:
Users → IP Security → Settings
GeoIP Database:
Status: ● Installed ○ Not Installed
Last Updated: 2025-12-01
[Update Database]
If not installed or outdated:
- Click “Download GeoIP Database”
- Wait for download to complete
- Test geographic blocking again
Solution 2: Understand IP Detection Limitations
GeoIP accuracy:
Typical accuracy: 95-99% country level
Not always accurate for:
- VPN users (shows VPN country, not real location)
- Proxy servers
- Mobile users roaming internationally
- Cloud services (AWS, Azure, Google Cloud)
- Corporate VPNs
Consider: Whitelist known corporate IPs
Don’t rely solely on geographic blocking
Solution 3: Test Geolocation
Check detected location:
- Visit test page while logged out
- Error message should show detected country
- Verify it matches your actual location
Example error:
“Access denied. Your location: United States
Allowed locations: Canada, United Kingdom”
Issue 4: VPN/Proxy Detection Issues
Symptoms
- VPN users can’t access site
- Legitimate users blocked because IP flagged as VPN
- Or: Want to block VPNs but they still access site
Solution 1: Configure VPN Policy
Choose appropriate setting:
Users → IP Security → VPN Detection
VPN/Proxy Policy:
○ Allow all VPNs
● Block known VPNs (recommended)
○ Block all detected VPNs (strict)
○ Ignore VPN detection
For most sites: “Block known VPNs”
This blocks commercial VPNs but allows corporate VPNs
Solution 2: Whitelist Corporate VPNs
If employees use VPNs:
Add VPN exit IPs to whitelist:
Example:
IP: 198.51.100.0/24
Description: Company VPN – NordLayer
Type: Whitelist
This overrides VPN blocking for your corporate VPN
Issue 5: Dynamic IP Addresses
Symptoms
- Employee whitelisted yesterday
- Can’t access today
- IP address changed overnight
Solution 1: Whitelist IP Range
Instead of single IP, whitelist range:
Contact ISP to determine IP allocation range
Example:
ISP assigns IPs from: 203.0.113.0 to 203.0.113.127
Whitelist: 203.0.113.0/25 (covers .0 through .127)
This works even when specific IP changes
Solution 2: Use DDNS (Dynamic DNS)
For remote employees with dynamic IPs:
- Employee sets up DDNS service:
  - DynDNS
  - No-IP
  - DuckDNS (free)
- Gets hostname like: johndoe.ddns.net
- Admin adds hostname to whitelist
(Requires plugin that supports hostname whitelisting)
Solution 3: Use VPN Access
Better long-term solution:
Set up corporate VPN:
- All employees connect to VPN
- VPN provides static exit IP
- Whitelist VPN IP only
- Employees’ home IPs irrelevant
Recommended VPN services:
- NordLayer (business VPN)
- Perimeter 81
- Twingate
Issue 6: Cloud Services Blocked
Symptoms
- Scheduled tasks failing
- API integrations blocked
- Webhooks not working
- Cloud services can’t access site
Solution: Whitelist Cloud Provider IPs
Common cloud service ranges:
Amazon AWS:
Download AWS IP ranges:
https://ip-ranges.amazonaws.com/ip-ranges.json
Add relevant regions to whitelist
Example: us-east-1 region IPs
Google Cloud:
https://www.gstatic.com/ipranges/cloud.json
Microsoft Azure:
https://www.microsoft.com/en-us/download/details.aspx?id=56519
Cloudflare:
https://www.cloudflare.com/ips/
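Picking one region's prefixes out of the AWS file by hand is error-prone, so here is an added example (not part of the plugin) that filters a document in the ip-ranges.json layout by region and merges adjacent blocks. `region_prefixes` is a hypothetical helper, the embedded sample is constructed rather than real AWS data, and only the IPv4 `prefixes` list is read.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json (not real AWS data).
SAMPLE = json.dumps({
    "syncToken": "0",
    "createDate": "2025-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/28", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
    ],
})

def region_prefixes(doc, region, service=None):
    """Return collapsed IPv4 CIDR strings for one region (optionally one service)."""
    data = json.loads(doc)
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] == region and (service is None or p["service"] == service)
    }
    # The same prefix can appear under several services; the set removes
    # duplicates and collapse_addresses merges adjacent blocks.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    for cidr in region_prefixes(SAMPLE, "us-east-1"):
        print(cidr, "AWS us-east-1")
```

Passing a `service` narrows the result. A whole region's ranges cover addresses used by every AWS customer there, so the narrowest filter that still matches the integration keeps the whitelist tight.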
Issue 7: Blacklist Not Blocking
Symptoms
- Added IP to blacklist
- That IP still accesses site
- Blacklist seems ineffective
Solution 1: Check Blacklist Priority
Verify whitelist isn’t overriding:
Rule Priority:
- Whitelist (highest priority – always allow)
- Blacklist (blocks unless whitelisted)
If an IP is in both the whitelist AND the blacklist:
→ Whitelist wins, IP allowed
Solution: Remove the IP from the whitelist if you want to block it
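A blacklist entry is often overridden by a whitelist range rather than by an identical entry, which is hard to spot by eye. The following added example (not the plugin's code) applies the priority order above and reports which blacklist entries are covered by a whitelist entry. `decide` and `shadowed` are hypothetical names and both lists are constructed samples.

```python
import ipaddress

# Constructed sample lists (documentation and private ranges).
WHITELIST = ["203.0.113.0/24", "10.20.0.0/16"]
BLACKLIST = ["203.0.113.77", "192.0.2.10", "10.0.0.0/8"]

def decide(ip, whitelist, blacklist):
    """Apply the priority above: whitelist first, then blacklist."""
    addr = ipaddress.ip_address(ip)
    for entry in whitelist:
        if addr in ipaddress.ip_network(entry, strict=False):
            return "allow", entry
    for entry in blacklist:
        if addr in ipaddress.ip_network(entry, strict=False):
            return "block", entry
    # Assumption: the page does not say what happens when no rule matches.
    return "no rule", None

def shadowed(whitelist, blacklist):
    """Return (blacklist_entry, whitelist_entry, how) where the whitelist wins."""
    out = []
    for b in blacklist:
        bnet = ipaddress.ip_network(b, strict=False)
        for w in whitelist:
            wnet = ipaddress.ip_network(w, strict=False)
            if bnet.version != wnet.version or not bnet.overlaps(wnet):
                continue
            # "fully": the blacklist entry never blocks anything;
            # "partly": only the addresses outside the whitelist are blocked.
            how = "fully" if bnet.subnet_of(wnet) else "partly"
            out.append((b, w, how))
    return out

if __name__ == "__main__":
    for b, w, how in shadowed(WHITELIST, BLACKLIST):
        print(f"blacklist {b} is {how} overridden by whitelist {w}")
    for ip in ["203.0.113.77", "192.0.2.10", "10.30.1.1"]:
        print(ip, decide(ip, WHITELIST, BLACKLIST))
```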
Solution 2: Check for Cached Pages
Blacklist applies to authenticated pages:
If a user is accessing cached public pages:
- CDN may serve cached content
- This bypasses IP checking entirely
Solution:
- Exclude cached pages from CDN
- Or use firewall-level blocking (Cloudflare, Sucuri)
Solution 3: Block at Server Level
For serious threats, use .htaccess:
# Add to .htaccess
<RequireAll>
Require all granted
Require not ip 198.51.100.50
Require not ip 203.0.113.0/24
</RequireAll>
Or Nginx:
# Add to nginx config
deny 198.51.100.50;
deny 203.0.113.0/24;
Issue 8: Mobile Users Blocked
Symptoms
- Desktop access works
- Mobile/cellular network blocked
- Users on 4G/5G can’t login
Solution: Understand Carrier NAT
Mobile carrier IP sharing:
Mobile carriers use CGNAT (Carrier-Grade NAT)
Thousands of users share same public IP
If you block one mobile user’s IP:
→ You block thousands of users on same carrier
Solution:
- Don’t block mobile carrier IPs
- Use device fingerprinting instead
- Or require additional authentication for mobile
Testing IP Blocking
Comprehensive Test Procedure
- Note your current IP (whatismyipaddress.com)
- Add your IP to whitelist
- Test admin access works
- Remove your IP from whitelist
- Add your IP to blacklist
- Test access blocked (use incognito)
- Remove from blacklist
- Test access restored
- Test CIDR range includes your IP
- Clear all caches between tests
Best Practices
Before enabling IP blocking, whitelist your own IP to avoid lockout.
Add descriptions to every IP: “John’s office”, “AWS webhook”, “VPN exit IP”
Remove old IPs. Add new ones. Keep list current.
IP blocking + 2FA + password policies = comprehensive security.