Access Control

Access Control lets you restrict who can access your site using IP-based and username-based whitelists and blacklists. This powerful feature provides fine-grained control over site access for both login attempts and entire site access.

Access Control Types

Guard Dog provides two levels of access control:

1. Login Access Control

Controls who can attempt to log in to your site.

2. Site-Wide Blocking

Controls who can access your entire site (frontend and backend).


Login Access Control

How It Works

You can create rules that allow or block login attempts based on:

  • IP Address – Where the user is connecting from
  • Username – Which account they’re trying to access

Blacklist vs Whitelist

Blacklist Mode (Default):

  • Everyone can log in except those on the blacklist
  • Block specific known bad actors
  • More permissive, easier to manage
  • Best for most sites

Whitelist Mode:

  • Only those on the whitelist can log in
  • Everyone else is blocked
  • More restrictive, maximum security
  • Best for private sites or known user bases

IP Address Blocking

IP Blacklist

Block specific IP addresses or ranges from logging in.

Use cases:

  • Block IPs that are attacking your site
  • Block geographic regions (by blocking IP ranges)
  • Block VPN/proxy servers
  • Block known malicious IPs

Configuration:

  1. Go to Guard Dog → Access Control
  2. Find IP Blacklist
  3. Enter IP addresses, one per line:
   192.168.1.100
   10.0.0.50
   203.0.113.0/24
  4. Click Save Changes

Supported formats:

  • Single IP: 192.168.1.100
  • CIDR notation: 192.168.1.0/24 (entire subnet)
  • IPv6: 2001:0db8:85a3::8a2e:0370:7334

IP Whitelist

Allow only specific IP addresses to log in.

Use cases:

  • Restrict admin access to office IP only
  • Allow access only from home and office
  • Lock down site during maintenance
  • Limit access to known safe locations

Configuration:

  1. Go to Guard Dog → Access Control
  2. Find IP Whitelist
  3. Enter IP addresses, one per line:
   203.0.113.10
   203.0.113.20
   198.51.100.0/24
  4. Click Save Changes

⚠️ Warning: If you enable whitelist mode and add IPs to the whitelist, only those IPs can log in. Make sure your current IP is on the list before saving!

Finding Your IP Address

To find your current IP address:

Option 1: Google

  • Search “what is my ip” in Google
  • Your IP will be displayed prominently

Option 2: Third-party service

  • Visit https://whatismyipaddress.com/
  • Your IP is shown at the top

Option 3: Guard Dog admin

  • The Access Control page shows your current IP
  • Look for “Your current IP address is: X.X.X.X”

Important:

  • Your IP may change if you’re on a dynamic ISP
  • Office IPs are usually static
  • Home IPs may change periodically
  • VPN IPs change when you reconnect

Username Blocking

Username Blacklist

Block specific usernames from logging in.

Use cases:

  • Block generic usernames like “admin” permanently
  • Block former employees/contractors
  • Block compromised accounts temporarily
  • Prevent specific usernames from being targeted

Configuration:

  1. Go to Guard Dog → Access Control
  2. Find Username Blacklist
  3. Enter usernames, separated by commas:
   admin, administrator, test, demo, guest
  4. Click Save Changes

Recommended blacklist:

admin, administrator, root, test, demo, guest, user, wp-admin

These common usernames are frequently targeted by bots.

Username Whitelist

Allow only specific usernames to log in.

Use cases:

  • Restrict login to specific admin accounts
  • Temporary: during incident response
  • High-security: only known users can log in

Configuration:

  1. Go to Guard Dog → Access Control
  2. Find Username Whitelist
  3. Enter usernames, separated by commas:
   john, mary, siteadmin
  4. Click Save Changes

⚠️ Warning: Users not on the whitelist cannot log in, even with the correct password.


Priority & Precedence

When multiple rules apply, they’re evaluated in this order:

  1. IP Whitelist (highest priority)
     • If IP is whitelisted → Allow immediately
  2. Username Blacklist
     • If username is blacklisted → Block
  3. IP Blacklist
     • If IP is blacklisted → Block
  4. Username Whitelist
     • If username is whitelisted → Allow
  5. Default behavior
     • If no rules matched → Allow (in blacklist mode) or Block (in whitelist mode)

Example Scenarios

Scenario 1: IP Whitelist bypasses everything

  • User from IP 203.0.113.10 (whitelisted)
  • Username is “admin” (blacklisted)
  • Result: Login allowed (IP whitelist has highest priority)

Scenario 2: Username blacklist blocks even good IPs

  • User from IP 203.0.113.99 (not blacklisted)
  • Username is “admin” (blacklisted)
  • Result: Login blocked (username blacklist takes precedence)

Scenario 3: Both whitelist and blacklist

  • IP whitelist: 203.0.113.10
  • Username whitelist: john, mary
  • User is “steve” from IP 203.0.113.10
  • Result: Login allowed (IP whitelist has highest priority, bypasses username whitelist)
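The evaluation order and the three scenarios above can be checked with a small model. This is an added example, not Guard Dog's own code: the function names, the rules dictionary, the 192.0.2.0/24 blacklist range and the exact-match username comparison are assumptions made for illustration.

```python
import ipaddress

def ip_in_list(ip, entries):
    """True if ip is covered by any entry (single address or CIDR range)."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        # An IPv4 address never matches an IPv6 entry, and vice versa.
        if addr.version == net.version and addr in net:
            return True
    return False

def evaluate_login(ip, username, rules, whitelist_mode=False):
    """Walk the five documented steps; return (allowed, rule_that_decided)."""
    user = username.strip()  # assumption: exact match after trimming spaces
    if ip_in_list(ip, rules["ip_whitelist"]):        # 1. highest priority
        return True, "ip_whitelist"
    if user in rules["username_blacklist"]:          # 2.
        return False, "username_blacklist"
    if ip_in_list(ip, rules["ip_blacklist"]):        # 3.
        return False, "ip_blacklist"
    if user in rules["username_whitelist"]:          # 4.
        return True, "username_whitelist"
    return (not whitelist_mode), "default"           # 5.

# Constructed rule set built from the addresses and names in the scenarios.
RULES = {
    "ip_whitelist": ["203.0.113.10"],
    "ip_blacklist": ["192.0.2.0/24"],  # constructed range, not from the page
    "username_blacklist": ["admin"],
    "username_whitelist": ["john", "mary"],
}

def run_scenarios():
    cases = [
        ("203.0.113.10", "admin"),  # Scenario 1
        ("203.0.113.99", "admin"),  # Scenario 2
        ("203.0.113.10", "steve"),  # Scenario 3
        ("192.0.2.5", "john"),      # whitelisted user, blacklisted range
    ]
    return [evaluate_login(ip, user, RULES) for ip, user in cases]

if __name__ == "__main__":
    for result in run_scenarios():
        print(result)
```

Scenarios 1 and 3 show that a whitelisted IP skips every username check, so any account can attempt a login from that address; keep the IP Whitelist as short as the list of accounts you trust. The last case shows the reverse: a whitelisted username is still blocked when its IP is blacklisted, because the IP Blacklist is evaluated first.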

Site-Wide Blocking

Site-Wide Blocking restricts access to your entire site (not just the login page) based on IP address.

What is Site-Wide Blocking?

When enabled, only whitelisted IP addresses can access any part of your site. Non-whitelisted visitors see a “Site Access Denied” message.

This blocks:

  • Frontend pages
  • Backend admin
  • Login page
  • Media files
  • Everything

This allows:

  • Only whitelisted IP addresses

Use Cases

Maintenance Mode:

  • Lock site to public
  • Only your IP can access it
  • Work on site without visitors seeing changes

Private Development Sites:

  • Staging/dev sites for internal use only
  • Limit to office IP or VPN

Pre-Launch Sites:

  • Site under construction
  • Show only to client/stakeholders

Incident Response:

  • Site under attack
  • Lock down completely
  • Whitelist only known IPs

Geographic Restriction:

  • Site only for specific country
  • Whitelist IP ranges from that country

Enabling Site-Wide Blocking

⚠️ CRITICAL: Add your current IP to the IP Whitelist before enabling Site-Wide Blocking, or you’ll lock yourself out!

  1. First: Add your IP to the IP Whitelist
     • Go to Guard Dog → Access Control
     • Add your current IP to IP Whitelist field
     • Save changes
  2. Then: Enable Site-Wide Blocking
     • Check “Enable Site-Wide Blocking”
     • Click Save Changes
  3. Test: Open an incognito window
     • Try visiting your site from a different device/network
     • You should see “Site Access Denied”
     • Access from your whitelisted IP should work normally

Custom Access Denied Message

You can customize the message shown to blocked visitors:

  1. Go to Guard Dog → Access Control
  2. Find Site Access Denied Message
  3. Enter your custom message:
   This site is currently in maintenance mode.
   Please check back later.
  4. Click Save Changes

Tips for effective messages:

  • Be professional and clear
  • Don’t reveal technical details
  • Optionally provide a contact method
  • For client sites, explain it’s intentional

Examples:

Maintenance:

We're performing scheduled maintenance.
The site will be back online shortly.

Private site:

This is a private website.
Access is restricted to authorized users only.

Pre-launch:

Coming soon! This site is not yet publicly available.
Contact us for more information.

Access Denied Messages

What Blocked Users See

Login Access Denied:

Access denied. [Reason]

Reasons include:

  • “Your IP address has been blocked from logging in.”
  • “This username has been blocked from logging in.”
  • “You are not on the allowed list for this site.”

Site Access Denied:
A full page with your custom message (or default message).

Best Practices

IP Whitelisting

DO:

  • ✅ Whitelist your office static IP
  • ✅ Document all whitelisted IPs
  • ✅ Remove IPs when no longer needed (ex-employees)
  • ✅ Use site-wide blocking for staging/dev sites
  • ✅ Test from another network before fully relying on it

DON’T:

  • ❌ Whitelist dynamic home IPs (they change)
  • ❌ Whitelist public WiFi/café IPs
  • ❌ Forget to add your IP before enabling whitelist mode
  • ❌ Whitelist entire /8 or /16 subnets (too broad)

Username Blacklisting

DO:

  • ✅ Blacklist “admin” immediately
  • ✅ Blacklist common generic usernames
  • ✅ Blacklist previous employee usernames after removal
  • ✅ Use descriptive usernames (not easily guessable)

DON’T:

  • ❌ Blacklist current legitimate usernames
  • ❌ Use username blacklist as substitute for deleting accounts
  • ❌ Forget usernames are case-sensitive

IP Range Blocking

Blocking geographic regions:

To block an entire country, you’d need to add all that country’s IP ranges to the blacklist. This is impractical manually.

Better options:

  • Use Cloudflare firewall rules (geographic blocking)
  • Use server-level GeoIP blocking
  • Use a dedicated geographic restriction plugin

Combining Access Control Features

Maximum security for admin users:

  1. IP Whitelist: Add admin home/office IPs
  2. Username Whitelist: Add only admin usernames
  3. Site-Wide Blocking: Disable (too restrictive for public site)
  4. Require 2FA for all admins
  5. Use custom login URL

Maintenance mode:

  1. Add your IP to IP Whitelist
  2. Enable Site-Wide Blocking
  3. Set custom message explaining maintenance
  4. Disable when done

Block known attackers:

  1. Monitor Activity Log for attacks
  2. Add attacking IPs to IP Blacklist
  3. Keep Login Attempt Limiting enabled too
  4. Consider CAPTCHA as well

Monitoring Access Control

Activity Log Events

Access Control events are logged:

  • IP Blacklist: “Access Denied – IP Blacklisted”
  • Username Blacklist: “Access Denied – Username Blacklisted”
  • Not in Whitelist: “Access Denied – Not in Whitelist”
  • Site Access Denied: “Site Access Denied”

View these in Guard Dog → Activity Log.

Checking Current Rules

Review your current access control rules regularly:

  1. Go to Guard Dog → Access Control
  2. Review all whitelists and blacklists
  3. Remove outdated entries
  4. Add new safe IPs as needed
  5. Verify site-wide blocking status

Troubleshooting

Locked Out of Site

Symptom: You can’t access your site after enabling Site-Wide Blocking

Cause: Your IP isn’t on the IP Whitelist

Solution via Database:

  1. Access phpMyAdmin or your database tool
  2. Go to wp_options table
  3. Find row where option_name = guard_dog_site_wide_blocking
  4. Set option_value to 0 (or delete the row)
  5. Site access is restored

Solution via FTP:

  1. Access your site via FTP
  2. Navigate to /wp-content/plugins/
  3. Rename guard-dog to guard-dog-disabled
  4. Access your site normally
  5. Fix your IP Whitelist
  6. Rename folder back to guard-dog

Prevention: Always add your IP to whitelist before enabling Site-Wide Blocking.

IP Whitelist Not Working

Symptom: You’re whitelisted but still can’t log in

Possible causes:

  1. Wrong IP format – Check for typos
  2. Dynamic IP changed – Your IP is different now
  3. Behind proxy/VPN – WordPress sees different IP
  4. IPv6 vs IPv4 – You added IPv4 but WordPress sees IPv6

Solutions:

  1. Check current IP:
     • Visit whatismyipaddress.com
     • Compare to your whitelist entry
  2. Check what WordPress sees:
     • View error in Activity Log
     • It shows the IP that was blocked
     • Add that IP to whitelist
  3. Use CIDR ranges:
     • If your IP changes within a range
     • Whitelist the entire range (e.g., 203.0.113.0/24)
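The causes listed above (typos, a changed IP, IPv4 versus IPv6) can be caught before saving by checking the whitelist text against the IP that WordPress actually records for you. This is an added example, not part of Guard Dog: the function name, the report keys and the sample whitelist are constructed for illustration, and current_ip should be the address shown on the Access Control page or in the Activity Log.

```python
import ipaddress

def check_whitelist(text, current_ip):
    """Parse one-entry-per-line whitelist text and report lockout risks."""
    me = ipaddress.ip_address(current_ip)
    report = {"invalid": [], "too_broad": [], "covers_me": False}
    families = set()
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            report["invalid"].append(entry)   # typo or malformed entry
            continue
        families.add(net.version)
        # /8 and /16 IPv4 ranges are called out as too broad in Best Practices.
        if net.version == 4 and net.prefixlen <= 16:
            report["too_broad"].append(entry)
        if net.version == me.version and me in net:
            report["covers_me"] = True
    # True when every valid entry is IPv4 but you connect over IPv6, or vice versa.
    report["family_mismatch"] = bool(families) and me.version not in families
    return report

# Constructed whitelist text, as it would be pasted one entry per line.
SAMPLE = """203.0.113.10
198.51.100.0/24
10.0.0.0/8
203.0.113.300
"""

if __name__ == "__main__":
    print(check_whitelist(SAMPLE, "2001:db8::1"))
    print(check_whitelist(SAMPLE, "198.51.100.42"))
```

Enable whitelist mode or Site-Wide Blocking only when covers_me is true for the address WordPress sees.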

Username Blacklist Not Working

Symptom: Blacklisted username can still log in

Causes:

  1. Case sensitivity – “Admin” vs “admin”
  2. Extra spaces – “admin ” vs “admin”
  3. Username vs Display Name – Blocking display name, not username

Solutions:

  1. Use exact usernames:
     • Go to Users → All Users
     • Hover over user to see their actual username
     • Block the username (not display name)
  2. Check case:
     • Usernames are case-insensitive
     • “admin” and “Admin” are the same username
  3. Check for typos:
     • Remove and re-add the username
     • Ensure no extra spaces

Can’t Determine My IP

Symptoms:

  • IP shown in Access Control doesn’t match whatismyipaddress.com
  • Blocking my own IP doesn’t work

Causes:

  • Behind Cloudflare or CDN
  • Behind reverse proxy
  • Server configuration issue

Solutions:

  1. Check Activity Log:
     • Failed login attempts show the IP WordPress detected
     • Use that IP for whitelisting
  2. Test and observe:
     • Try to log in from incognito mode
     • Check Activity Log to see what IP was recorded
     • That’s the IP you need to whitelist
  3. Check server configuration:
     • If behind Cloudflare, ensure proper IP forwarding
     • Check with your host about proxy configuration

Dynamic IP Keeps Changing

Problem: You whitelisted your home IP but it changed

Solutions:

Option 1: Whitelist IP range

  • Find your ISP’s IP range
  • Add the range with CIDR notation
  • Example: 203.0.113.0/24 covers 203.0.113.0 through 203.0.113.255

Option 2: Use VPN with static IP

  • Subscribe to VPN with static IP option
  • Whitelist the static VPN IP
  • Always connect via VPN to access site

Option 3: Don’t use IP Whitelist

  • Rely on other security features instead
  • Use 2FA, custom login URL, CAPTCHA
  • These don’t depend on IP address

Option 4: Dynamic DNS

  • Not directly supported by Guard Dog
  • Would require custom development

Advanced Usage

Blocking Entire Countries

To block all IPs from a specific country:

  1. Find IP ranges for that country
     • Use services like ip2location.com
     • Download country IP ranges
  2. Add all ranges to IP Blacklist
     • One range per line
     • Use CIDR notation

Note: This is tedious for large countries. Consider using:

  • Cloudflare geographic blocking
  • Server-level GeoIP modules
  • WordPress geographic restriction plugins

Emergency Lockdown

If your site is under active attack:

  1. Add your IP to whitelist (if not already)
  2. Enable Site-Wide Blocking
  3. Clear all caches
  4. Monitor Activity Log for attack patterns
  5. Add attacking IPs to blacklist (for when you disable site-wide)
  6. Contact your host if attacks are DDoS-level

Allowing Support Access

To give support staff temporary access:

Option 1: Temporary IP whitelist

  1. Ask for their IP address
  2. Add to IP Whitelist
  3. Remove after support is complete

Option 2: Temporary user

  • Use Guard Dog’s Temporary User Access feature
  • Create a user that expires automatically
  • More secure than IP whitelisting

Option 3: Disable access control temporarily

  • Only do this if absolutely necessary
  • Re-enable immediately after support

FAQ

Q: Can I whitelist multiple IP addresses?
A: Yes, enter one IP per line in the IP Whitelist field.

Q: What’s the difference between blacklist and whitelist?
A: Blacklist blocks specific IPs/users (default: allow). Whitelist allows only specific IPs/users (default: block).

Q: Does access control affect search engines?
A: Yes. If you enable Site-Wide Blocking without whitelisting search engines, they can’t crawl your site. Only use for private sites.

Q: Can I block a range of IPs?
A: Yes, use CIDR notation: 192.168.1.0/24 blocks all IPs from 192.168.1.0 to 192.168.1.255.

Q: Does username blacklist prevent account creation?
A: No, it only prevents login. Preventing account creation with certain usernames requires additional code.

Q: Will whitelisting my IP bypass 2FA?
A: No, IP whitelisting and 2FA are separate. You’ll still need 2FA even if your IP is whitelisted.

Q: How do I find which IPs are attacking my site?
A: Check the Activity Log for failed login attempts and lockout events. The IP addresses are recorded there.