My customer’s IP address just changed. The whitelist contains only his old IP address. Despite this he can log in as admin even from an incognito browser window, or from another computer from another network, or even when he uses a VPN.
This is normal. To prevent a user from being able to log in, their IP address must be on the black IP access list.
To limit IP addresses from which users with the WordPress administrator role are allowed to log into your website install this WP Cerber add-on: https://downloads.wpcerber.com/plugin/wp-cerber-admin-access-addon.1.0.zip
This add-on allows you to specify IP addresses from which users with the admin role can log into the website. IP addresses on this list take priority over entries in other IP access lists.
On all other sites where I use WP Cerber accessing /wp-admin/ is allowed only to users having their IP whitelisted, all others get a 404 page. I have this functionality without using any add-on, but I can’t figure out thanks to which settings I got this behavior. Please help me rediscover those settings.
You initially needed to limit the IP addresses from which administrators can log into the website, but now you’re talking about access to the /wp-admin/ folder. Could you clarify which specific functionality you are seeking?
To be able to log in as admin your IP should be whitelisted. Otherwise, accessing example.com/wp-admin/ should be prohibited.
To achieve that:
*.*.*.* (a wildcard for all IPv4 addresses) to the black IP access list. If your website is configured with an IPv6 address, use the IPv6 notation accordingly.Additionally, to prevent bots from accessing your custom login page, you can enable this setting: “Disable automatic redirection to the login page when /wp-admin/ is requested by an unauthorized request”.