IP not whitelisted, but the user is still allowed to log in as admin

My customer’s IP address just changed. The whitelist contains only his old IP address. Despite this he can log in as admin even from an incognito browser window, or from another computer from another network, or even when he uses a VPN.

  • I cleared the server cache.
  • Yes, I checked, Cerber detects the IP addresses correctly.
  • The website is not behind a proxy.
  • No, our site is not under Cloudflare.

This is normal. To prevent a user from being able to log in, their IP address must be on the black IP access list.

To limit IP addresses from which users with the WordPress administrator role are allowed to log into your website install this WP Cerber add-on: https://downloads.wpcerber.com/plugin/wp-cerber-admin-access-addon.1.0.zip

This add-on allows you to specify IP addresses from which users with the admin role can log into the website. IP addresses on this list take priority over entries in other IP access lists.

On all other sites where I use WP Cerber accessing /wp-admin/ is allowed only to users having their IP whitelisted, all others get a 404 page. I have this functionality without using any add-on, but I can’t figure out thanks to which settings I got this behavior. Please help me rediscover those settings.

You initially needed to limit the IP addresses from which administrators can log into the website, but now you’re talking about access to the /wp-admin/ folder. Could you clarify which specific functionality you are seeking?

To be able to log in as admin, your IP should be whitelisted. Otherwise, accessing example.com/wp-admin/ should be prohibited.

To achieve that:

  1. Enable “Block access to WordPress Dashboard” for all roles on your website except for the administrator. You can do this on the “User Policies” admin page.
  2. Use the add-on mentioned above to limit access by IP address. Alternatively, which is not recommended, add the IPv4 address of the admin computer to the white IP access list, and add *.*.*.* (a wildcard for all IPv4 addresses) to the black IP access list. If your website is configured with an IPv6 address, use the IPv6 notation accordingly.

Additionally, to prevent bots from accessing your custom login page, you can enable this setting: “Disable automatic redirection to the login page when /wp-admin/ is requested by an unauthorized request”.
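The thread's core point is that a white IP access list on its own does not restrict anyone; an administrator-only allowlist has to be enforced separately (the add-on above, or a deny-all black list entry). The must-use plugin below is an added example of what such an enforcement looks like in plain WordPress code; it is not WP Cerber's code, not the add-on, and its allowlist, function names and the `EXAMPLE_ADMIN_ALLOWLIST` constant are constructed for illustration. It hooks the standard `authenticate` filter after core has checked the password and rejects administrator logins from addresses outside the list; other roles are untouched. It reads `REMOTE_ADDR`, which is only the visitor's real address when, as in this thread, the site is not behind a proxy or Cloudflare.

```php
<?php
/**
 * Plugin Name: Admin IP Allowlist (example, not WP Cerber code)
 * Place this file in wp-content/mu-plugins/ to load it as a must-use plugin.
 */

// Constructed allowlist for illustration: single addresses or CIDR prefixes.
// Replace with the real administrator addresses before use.
const EXAMPLE_ADMIN_ALLOWLIST = [
    '203.0.113.10',     // single IPv4 address (documentation range)
    '198.51.100.0/24',  // IPv4 range
    '2001:db8::/32',    // IPv6 range (documentation prefix)
];

/**
 * Return true if $ip (IPv4 or IPv6) falls inside $entry, which is either a
 * single address or a CIDR prefix. Malformed input never matches, and an
 * IPv4 address is never matched against an IPv6 entry (or vice versa).
 */
function example_ip_in_entry(string $ip, string $entry): bool {
    [$net, $bits] = array_pad(explode('/', $entry, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $maxBits = strlen($ipBin) * 8;              // 32 for IPv4, 128 for IPv6
    $bits = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare the whole prefix bytes first, then the leftover high bits.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** True if $ip matches any entry of the allowlist. */
function example_ip_allowed(string $ip, array $allowlist): bool {
    foreach ($allowlist as $entry) {
        if (example_ip_in_entry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

/**
 * Priority 30 runs after the core password handlers (priority 20), so $user
 * is already a WP_User when the credentials were correct. Only successful
 * administrator logins are subject to the allowlist.
 */
add_filter('authenticate', function ($user, $username, $password) {
    if (!($user instanceof WP_User) || !in_array('administrator', (array) $user->roles, true)) {
        return $user;   // failed login or non-admin role: leave the result alone
    }
    // REMOTE_ADDR is the real client address only without a proxy/CDN in front.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!example_ip_allowed($ip, EXAMPLE_ADMIN_ALLOWLIST)) {
        error_log(sprintf('Administrator login for "%s" refused from %s', $username, $ip));
        return new WP_Error(
            'admin_ip_denied',
            __('Administrator logins are not permitted from this address.')
        );
    }
    return $user;
}, 30, 3);
```

Because the check runs inside `authenticate`, a refused attempt fails exactly like a wrong password and leaves a line in the PHP error log for review. If the customer's address changes again, the allowlist must be updated first, or every administrator is locked out, which is the same trade-off the add-on and the deny-all black list entry carry.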