How to Allowlist IP Addresses in WordPress (Step-by-Step Guide)

Allowlisting IP addresses is a precise way to control who can access specific areas of your site. Whether you’re restricting access to the login page, admin dashboard, or other sensitive content, IP allowlisting adds a strict access control layer that blocks unauthorized users outright.

This guide explains how to allowlist IP addresses in WordPress manually or via a plugin, outlines the different use cases for allowlisting, and covers potential missteps to avoid. 

Note: This assumes that you’re already comfortable with basic WordPress operations and file-level changes.

When to allowlist IPs in WordPress

By default, WordPress does not limit access to the login screen or admin area. Anyone with the URL can attempt to access it, which makes it a common attack vector. Brute force login attempts, DDoS traffic, and bot scans often target /wp-login.php and /wp-admin.

But allowlisting restricts access to known IPs only. This makes it nearly impossible for unauthorized users to interact with protected areas, even if they have valid credentials or botnets. 

Here are some key use cases for IP allowlisting in WordPress:

• Locking down the login page to office or home IPs only
• Restricting admin dashboard access during site development
• Controlling who can reach REST API endpoints or custom admin tools
• Securing staging environments or hidden test pages

Where to allowlist IPs in WordPress

You can apply IP-based restrictions across multiple layers:

• Web server configuration files: .htaccess (Apache) or nginx.conf (Nginx)
• Security plugins: Tools that offer built-in firewall or access rules
• Firewall-level solutions: Server-based or third-party firewalls
• Functions.php or a custom plugin: Conditional logic in PHP (not recommended for critical restrictions)

Each method has trade-offs. File-level rules are fast and server-enforced, but harder to manage. Plugin-based methods are more user-friendly, but may be bypassed under some conditions.

Method one: Allowlist IPs using a security plugin

If you don’t have access to server configs or prefer a UI, there are plugins that offer IP allowlisting. Jetpack, for example, includes a built-in feature for managing IP allowlists, designed to work with its security and brute force protection tools.

Steps to allowlist IPs in Jetpack:

1. Install Jetpack on your site.
2. Navigate to Jetpack → Settings → Security.
3. Scroll down to the section labeled “Always allowed IP addresses”.
4. Toggle the feature On to activate IP allowlisting.

How to format IP entries:

• Enter each IP address in the text field.
• Separate entries using commas, spaces, or line breaks.
• To specify ranges, use CIDR notation (like 192.168.1.0/24) or dash-separated ranges, (like 192.168.1.10–192.168.1.100). 

Jetpack will always allow requests from these IPs, even if brute force protection or firewalls are active. This ensures that trusted users or systems won’t be blocked, even if their request patterns trigger other defenses.

Method two: Allowlist IPs via .htaccess (Apache)

If your server runs Apache, the .htaccess file lets you control access to specific files or directories.

Allowlist an IP for wp-login.php

This restricts access to the login page to specified IPs.

Steps:

1. Open your .htaccess file, located in the root of your WordPress installation.
2. Add the following code above the WordPress rules:

<Files wp-login.php>

    Order Deny,Allow

    Deny from all

    Allow from 123.456.789.000

    Allow from 234.567.890.123

</Files>

• Replace the IPs with your own.
• You can list multiple “Allow from” lines as needed.

Allowlist an IP for /wp-admin

To restrict the entire admin folder, use this code instead:

<Directory /path/to/your/site/wp-admin>

    Order Deny,Allow

    Deny from all

    Allow from 123.456.789.000

</Directory>

Important notes:

• This can break AJAX calls and admin-ajax.php if not configured correctly.
• To prevent this, also allow access to admin-ajax.php, using the code below. And, as always, test on a staging site prior to editing website code and make sure you have backups in place.

<Files admin-ajax.php>

    Order Allow,Deny

    Allow from all

    Satisfy any

</Files>

Method three: Allowlist IPs via Nginx configuration

If your site is hosted on Nginx, the configuration approach is similar, but with different syntax.

Restrict access to wp-login.php:

location = /wp-login.php {

    allow 123.456.789.000;

    allow 234.567.890.123;

    deny all;

}

Restrict access to wp-admin:

location /wp-admin {
    allow 123.456.789.000;
    deny all;
}

To reload Nginx after making changes, use the following:
sudo systemctl reload nginx

Avoid blocking access to admin-ajax.php under /wp-admin. You can add an exception like this:

location ~* /wp-admin/admin-ajax\.php$ {
    allow all;
}

Method four: Allowlist IPs via a server firewall

If you’re managing your own server, tools like UFW or CSF can enforce IP allowlisting at the OS level.

Example with UFW (Ubuntu):

sudo ufw allow from 123.456.789.000 to any port 80
sudo ufw allow from 123.456.789.000 to any port 443
sudo ufw deny from any to any port 80
sudo ufw deny from any to any port 443

This applies sitewide. Use with caution on shared hosting environments.

IP allowlisting best practices 

Keep an emergency access method

Always have an alternate way to regain access in case your IP changes. This could be:

• SSH access to the server
• SFTP access to remove .htaccess rules
• A secondary admin IP allowlisted in advance

Don’t rely solely on IP allowlisting

IP addresses can be dynamic, shared, or spoofed. Allowlisting is effective, but not foolproof. 

Jetpack Security offers a powerful, all-in-one solution for protecting WordPress sites. It brings together real-time backups, malware scanning, a web application firewall, brute force protection, downtime monitoring, an activity log, and more — all designed to protect your site from threats and help you recover if something does go wrong. 

Because Jetpack includes so many key security tools, it’s an excellent complement to other protective measures you may already have in place. Together with strong passwords, regular updates, and IP allowlisting, Jetpack helps you create a layered security strategy that’s both comprehensive and easy to manage. 

Document every change

Track which IPs were added, when, and why. This prevents confusion when multiple admins or teams manage access controls.

When to allowlist, and when not to

Allowlisting IP addresses makes sense when your team works from fixed locations or when you’re securing a staging environment. It’s less ideal for teams that work remotely on dynamic networks or rotate VPNs often.

If you rely on mobile devices, travel, or flexible IP environments, allowlisting can cause more friction than benefit. In those cases, look to token-based access, time-based controls, or password-protected directories instead.

Final checkpoint before you proceed

Before deploying IP allowlisting, confirm that:

• You have your current IP address on hand.
• You’ve tested rules on a staging site.
• You have a backup access method in case of misconfiguration.
• You’ve logged which team members have static or dynamic IPs.

Access control is only effective when it doesn’t interfere with legitimate work. Implement with caution, audit frequently, and keep access paths predictable and minimal.