Whitelisting is a proactive method of allowing specific IP addresses to avoid blockage by your firewall security rules and access your website. It is an essential security control to mitigate risk from malicious actors. So, it’s a good idea to learn how to whitelist a website, as you may find yourself doing so numerous times in the future.
Blacklisting also exists to block access to your website by specific IP addresses.
Learning how to whitelist a website is necessary to authorize access by those who require it while maintaining the protection of your firewall. You allow preferential access from a restricted set of IP addresses like those of your employees, vendors, or customers. Otherwise, any visitor from a non-whitelisted IP address remains blocked until given permission.
If you get high volumes of traffic from certain websites or traffic sources that consistently deliver positive ROI, then you want to continue getting traffic from them.
Another reason to whitelist is if you want your ads to be displayed only on particular sites, especially niche sites that completely match your offers.
A few caveats to whitelisting:
Below, you’ll learn how to whitelist a website on some common web services — including web hosting, security, and content delivery networks (CDNs).
Cloudflare, a popular CDN, provides whitelisting via its IP Access Rules.
Note: Cloudflare only supports subnets with a minimum of 254 IP addresses, subnet mask /24 and lower. Enter IP address ranges using the /27 and /28 subnet masks with a /24 subnet mask.
Repeat these steps for all crawl IP addresses.
List IP address 184.108.40.206/27 as 220.127.116.11/24 in your Cloudflare account.
Sucuri is a cybersecurity service. The Sucuri firewall restricts access to administrative pages — such as /wp-admin, /administrator, or /admin — by default. Only authorized IP addresses are allowed to log in. By doing so, Sucuri keeps your site safe even when user accounts become compromised.
If you receive the following message when you try to access your website, you must whitelist your IP address, too: “Block ID: IPB17. Block Reason: Your request was not allowed due to IP blocking (not whitelisted).”
Sucuri allows whitelisting IP ranges, although the service does not recommend it. Doing so increases the number of IP addresses allowed access and creates a greater risk of a security event.
Whitelist subnets by adding IP addresses using the Classless Inter-Domain Routing (CIDR) format.
Note: Sucuri only allows whitelisting of the /24, /16, and /8 ranges.
Sucuri gives you two methods of whitelisting IP addresses: using the dashboard and through the API.
To allow other admins access to your site, bookmark the link and share it with them.
If you wish to allow anyone access to the administrator login pages, do this:
Whitelist 18.104.22.168/24 range to allow access to all IP addresses from 22.214.171.124 to 126.96.36.199.
Whitelist 188.8.131.52/16 range to allow access to all IP addresses from 184.108.40.206 to 220.127.116.11.
GoDaddy is a web hosting service used by numerous small to medium businesses.
To whitelist IP addresses on GoDaddy:
If you have a single domain, select: Settings > Access Control.
Select the gear icon for the domain you wish to configure, then select Access Control. Remember the following:
BlueHost is a web hosting service. The service’s firewall automatically blocks remote MySQL connections from remote locations — those not from localhost, unless you whitelist the IP address.
You can visit Bluehost.com/IP.
Note: A Class C address means you whitelist all IP addresses under the first three octets of that address. In other words, you allow access to everything from 192.168.0.* and under.
Wordfence is a cybersecurity service that uses the term “allowlist” in place of whitelist. Allowlisting IP addresses requires an understanding of the way the service treats access security.
You have two ways to view firewall access:
You have three status modes:
The firewall status is Learning Mode by default for one week. During this time, the system is “learning” which requests to allow that would usually be blocked by the firewall rules. It adds those requests — IP addresses — to the Wordfence Web Application Firewall allowlist.
While in Learning mode, the Wordfence firewall does not provide complete protection. Learning mode reduces the chance of false positives, which are addresses that are blocked that you do not wish to block.
At the end of the week, the Web Application firewall changes to Enabled and Protecting, which actively blocks requests that match a known malicious attack pattern.
After recovering from a security event, such as a data breach or hack, or if you are under attack, you can set the firewall to Enabled and Protecting mode right after installing the service.
If you want, you can set the firewall to Disabled. It will then disregard all incoming IP addresses without running the rules or analyzing the request. Obviously, this means you have no protection, and using this status is not recommended.
Allowlist shows the location of the item added to the allowlist. It also shows which parameters are allowed that would have been blocked if they were not found in Learning mode. You might recognize most plugins or theme files and parameters by URL or list parameters.
The allowlist also shows you the IP addresses of visitors who triggered the addition of the request to the allowlist. It helps determine whether the request was the result of your action or due to a visitor.
If you view the allowlist and see numerous allowed items — say more than 20 — it could mean one of two things:
Allowlisting an IP address from an office or permanent internet connection allows the request to bypass all the firewall security rules. However, you cannot reliably allowlist broadband or ADSL connections where the IP addresses are dynamically assigned.
To allowlist networks such as Bing, you must input them in a specific format: XXX.XXX.XXX.[X.X]
Services such as Facebook are allowlisted by default. If you wish to block or disable the allowlisting for a specific service:
Manually blocking an IP address from an allowlisted service results in this message: “This IP address is in a range of addresses that Wordfence does not block. The IP range may be internal or belong to a service that is always allowed. Allowlisting of external services can be disabled.”
To block an IP address from an allowlisted service, you must first disable the allowed service using the two-step process above.
Once Learning mode changes to Enabled and Protecting, you can still go back to allowlist a page that has been blocked:
Caution: Only perform these steps if you are sure the IP address is safe. If the link was sent to you or someone asks you to copy and paste a link that triggers a message, it is likely to be a security risk. Continue to allow Wordfence to block that address.
You have an option to unblock a regular visitor even if you are not logged in as an admin. You can find the blocked visit on the Live Traffic View in the Wordfence plugin:
If you install or update a new plugin or theme and Wordfence blocks multiple actions or some features don’t work, turn on Learning mode again:
If you want to use external web services securely, it’s crucial to learn how to whitelist a website provided by those services.
If you work with static IP addresses, you have some work to do upfront, but once you have the IP addresses whitelisted, the bulk of it is complete.
However, if you work with dynamic IP addresses, you will need to modify the whitelist each time an address changes, which could be every few weeks or months, if not more frequently.
Compared to the work you would have to perform after a malicious actor accessed your website administrative pages, whitelisting is a very attractive alternative use of your time.
Most web services provide instructions on whitelisting or allowlisting when you sign up for service. Many offer the ability to whitelist anything from a single static IP address to entire networks and services. Adding an address to a whitelist is often a simple affair, but if you use a complex system or one that integrates multiple plugins, you will need to create a whitelist for each one.