How to whitelist a website
02 March 2021

How to Whitelist a Website (EASY solution)

Whitelisting is a proactive method of allowing specific IP addresses to avoid blockage by your firewall security rules and access your website. It is an essential security control to mitigate risk from malicious actors. So, it’s a good idea to learn how to whitelist a website, as you may find yourself doing so numerous times in the future.

Blacklisting also exists to block access to your website by specific IP addresses. 

To find out if your website or email is blacklisted, check out WatchTowerHQ, our favorite website tool for blacklist monitoring.

Learning how to whitelist a website is necessary to authorize access by those who require it while maintaining the protection of your firewall. You allow preferential access from a restricted set of IP addresses like those of your employees, vendors, or customers. Otherwise, any visitor from a non-whitelisted IP address remains blocked until given permission.

If you get high volumes of traffic from certain websites or traffic sources that consistently deliver positive ROI, then you want to continue getting traffic from them.

Another reason to whitelist is if you want your ads to be displayed only on particular sites, especially niche sites that completely match your offers.

A few caveats to whitelisting:

  • If your visitors have dynamic IP addresses rather than static, the whitelisting must be performed each time the IP address changes. 
  • If you block an IP address used by a large company, nobody from that company can access your site.
  • It’s helpful to clear your cache after allowing or blocking an IP address for some services such as GoDaddy.

Below, you’ll learn how to whitelist a website on some common web services — including web hosting, security, and content delivery networks (CDNs).

How to Whitelist on Cloudflare

whitelist a website cloudflare

Cloudflare, a popular CDN, provides whitelisting via its IP Access Rules. 

Note: Cloudflare only supports subnets with a minimum of 254 IP addresses, subnet mask /24 and lower. Enter IP address ranges using the /27 and /28 subnet masks with a /24 subnet mask. 

Here’s How to Do It Step-by-Step

  1. Log in to your Cloudflare account.
  2. Click the Firewall icon.
  3. Click on the Tools tab.
  4. List the crawl IP addresses under the IP Access Rules.
    1. Enter the IP address
    2. Choose Whitelist as the action.
    3. Choose the website the whitelisting rules apply to.
  5. Click “add.”

Repeat these steps for all crawl IP addresses.

Example

List IP address 89.149.192.96/27 as 89.149.192.96/24 in your Cloudflare account. 

How to Whitelist a Website on Sucuri

Sucuri is a cybersecurity service. The Sucuri firewall restricts access to administrative pages — such as /wp-admin, /administrator, or /admin — by default. Only authorized IP addresses are allowed to log in. By doing so, Sucuri keeps your site safe even when user accounts become compromised. 

If you receive the following message when you try to access your website, you must whitelist your IP address, too: “Block ID: IPB17. Block Reason: Your request was not allowed due to IP blocking (not whitelisted).”

Sucuri allows whitelisting IP ranges, although the service does not recommend it. Doing so increases the number of IP addresses allowed access and creates a greater risk of a security event.

Whitelist subnets by adding IP addresses using the Classless Inter-Domain Routing (CIDR) format. 

Note: Sucuri only allows whitelisting of the /24, /16, and /8 ranges.

Here’s How to Do It Step-by-Step

Sucuri gives you two methods of whitelisting IP addresses: using the dashboard and through the API.

Whitelisting Using the Dashboard

  1. Log in to your account and locate the section labeled Whitelist IP Addresses.
  2. Click on Whitelist to allow access to your IP address after entering it into the box provided.

Whitelisting Using the API

  1. Go to your API settings.
  2. Click on the green Whitelist IP button in Quick Links.
  3. Your IP address is automatically whitelisted once you click the green button.

To allow other admins access to your site, bookmark the link and share it with them.

How to Disable Admin Security Panel Restriction

If you wish to allow anyone access to the administrator login pages, do this:

  1. Locate Advanced Security Options
  2. Uncheck Admin Panel Restricted Only to Whitelisted IP Addresses
  3. Click Proceed.

Example

Whitelist 150.5.1.0/24 range to allow access to all IP addresses from 150.5.1.0 to 150.5.1.255.

Whitelist 150.5.0.0/16 range to allow access to all IP addresses from 150.5.0.0 to 150.5.255.255.

How to Whitelist a Website on GoDaddy

GoDaddy is a web hosting service used by numerous small to medium businesses

Here’s How to Do It Step-by-Step

To whitelist IP addresses on GoDaddy: 

  1. Go to your GoDaddy product page.
  2. Locate Website Security and Backups next to the Website Security Account you’re managing.
  3. Select Manage.
  4. In the menu bar, select Firewall.
  5. Open Access Control
  6. Select Whitelist IP Addresses to allow access or Blacklist IP Addresses to block the address.
  7. In Address New IP… text box, type the IP address and select how long you want to allow or block access.

If you have a single domain, select: Settings > Access Control.

For Multiple Domains

Select the gear icon for the domain you wish to configure, then select Access Control. Remember the following:

  • Select Apply Changes to All Domains to allow or block an IP address to all domains.
  • Quickly allow or block an IP address for a single domain within a group of domains by performing steps one through three above, selecting IP Access Control for the specific domain, and adding the IP address.

How to Whitelist a Website on BlueHost

BlueHost is a web hosting service. The service’s firewall automatically blocks remote MySQL connections from remote locations — those not from localhost, unless you whitelist the IP address

Here’s How to Do It Step-by-Step

  1. Log in to your BlueHost cPanel account.
    1. For ROCK accounts, click the Advanced tab on the left.
    2. For LEGACY accounts, select cPanel from the menu on top.
  2. Add Access Host. 
  3. Locate the Databases category.
  4. Click the Remote MySQL icon.
  5. Enter the IP address under Host (the % wildcard is allowed).
  6. Click the Add Host button.
  7. Manage Access Host – modify the existing IP address. 
  8. Click the Update button to modify.
  9. Click Delete to remove.

To Find Your IP Address

You can visit Bluehost.com/IP.

Note: A Class C address means you whitelist all IP addresses under the first three octets of that address. In other words, you allow access to everything from 192.168.0.* and under.

How to Whitelist a Website on Wordfence

Wordfence is a cybersecurity service that uses the term “allowlist” in place of whitelist. Allowlisting IP addresses requires an understanding of the way the service treats access security. 

You have two ways to view firewall access:

  • Go to Firewall > Basic Firewall Options > All Firewall Options 
  • Go to Basic Firewall Options > All Options

You have three status modes:

  • Enabled and Protecting
  • Learning Mode
  • Disabled

When You First Install Wordfence

The firewall status is Learning Mode by default for one week. During this time, the system is “learning” which requests to allow that would usually be blocked by the firewall rules. It adds those requests — IP addresses — to the Wordfence Web Application Firewall allowlist.

While in Learning mode, the Wordfence firewall does not provide complete protection. Learning mode reduces the chance of false positives, which are addresses that are blocked that you do not wish to block. 

At the end of the week, the Web Application firewall changes to Enabled and Protecting, which actively blocks requests that match a known malicious attack pattern.

After recovering from a security event, such as a data breach or hack, or if you are under attack, you can set the firewall to Enabled and Protecting mode right after installing the service.

If you want, you can set the firewall to Disabled. It will then disregard all incoming IP addresses without running the rules or analyzing the request. Obviously, this means you have no protection, and using this status is not recommended.

Overview of Allowlist

Allowlist shows the location of the item added to the allowlist. It also shows which parameters are allowed that would have been blocked if they were not found in Learning mode. You might recognize most plugins or theme files and parameters by URL or list parameters.

The allowlist also shows you the IP addresses of visitors who triggered the addition of the request to the allowlist. It helps determine whether the request was the result of your action or due to a visitor.

If you view the allowlist and see numerous allowed items — say more than 20 — it could mean one of two things:

  • One of the site plugins displays a corm on multiple pages, for example, a custom comments plugin that is blocked when it should be allowed.
  • A malicious actor attempted an attack on your website during Learning mode. Now you must remove some of the allowed items.

Allowlisting a Static IP Address

Allowlisting an IP address from an office or permanent internet connection allows the request to bypass all the firewall security rules. However, you cannot reliably allowlist broadband or ADSL connections where the IP addresses are dynamically assigned. 

Allowlisting Networks

To allowlist networks such as Bing, you must input them in a specific format: XXX.XXX.XXX.[X.X]

For example:

  • Enter 65.52.104.0/24 as 65.52.104[0-255]
  • Enter IPv6 range 2a03:2880:f001::/48 as 2a03:2880:f001:[0-ffff]:[0-ffff]:[0-ffff]:[0-ffff]:[0-ffff]

Allowlist Services

Services such as Facebook are allowlisted by default. If you wish to block or disable the allowlisting for a specific service:

  1. Go to Allowlisted Services.
  2. Disable (uncheck) the checkbox for the specific service.

Manually blocking an IP address from an allowlisted service results in this message: “This IP address is in a range of addresses that Wordfence does not block. The IP range may be internal or belong to a service that is always allowed. Allowlisting of external services can be disabled.”

To block an IP address from an allowlisted service, you must first disable the allowed service using the two-step process above.

Allowlisting a Blocked Page after Learning Mode Is Complete

Once Learning mode changes to Enabled and Protecting, you can still go back to allowlist a page that has been blocked: 

  1. Log in as admin.
  2. Locate the blocked message or request.
  3. Click the button below the message to add it to the allowlist.

Caution: Only perform these steps if you are sure the IP address is safe. If the link was sent to you or someone asks you to copy and paste a link that triggers a message, it is likely to be a security risk. Continue to allow Wordfence to block that address.

You have an option to unblock a regular visitor even if you are not logged in as an admin. You can find the blocked visit on the Live Traffic View in the Wordfence plugin:

  1. Locate the box labeled Filter Traffic.
  2. Select Blocked by Firewall.
  3. Locate the blocked request.
  4. If the action is safe, click the Add Param to Firewall Allowlist button.
  5. If the action appears unsafe, ask the visitor for more details about what they were doing when the blocking message occurred. Then attempt to reproduce the problem.

If you install or update a new plugin or theme and Wordfence blocks multiple actions or some features don’t work, turn on Learning mode again:

  1. Go to the top of the Firewall Options page.
  2. Turn on Learning mode – note that it will not expire unless you choose a date for the system to return to Enabled and Protecting mode.
  3. Try the page or action that was previously blocked. Any necessary parameters are automatically added to the allowlist.
  4. Review the allowlist and set the Web Application Firewall status back to Enabled and Protected.

Conclusion: Why You May Need to Whitelist a Website

If you want to use external web services securely, it’s crucial to learn how to whitelist a website provided by those services. 

If you work with static IP addresses, you have some work to do upfront, but once you have the IP addresses whitelisted, the bulk of it is complete. 

However, if you work with dynamic IP addresses, you will need to modify the whitelist each time an address changes, which could be every few weeks or months, if not more frequently.

Compared to the work you would have to perform after a malicious actor accessed your website administrative pages, whitelisting is a very attractive alternative use of your time. 

Most web services provide instructions on whitelisting or allowlisting when you sign up for service. Many offer the ability to whitelist anything from a single static IP address to entire networks and services. Adding an address to a whitelist is often a simple affair, but if you use a complex system or one that integrates multiple plugins, you will need to create a whitelist for each one. 

Book a Demo

Take a deep dive into WatchTowerHQ with a member of our Customer Success Team.

Sign up here