IP Access Rules
IP Access Rules let you allow, block, or challenge traffic from specific IP addresses, IP ranges, countries, or entire ASNs — and they apply across your entire Cloudflare account, not just a single zone. They’re the right tool for “this one IP keeps hammering me” or “I want my office IP allowed everywhere I host.”
This is the same feature Cloudflare exposes under Account Home → Security → WAF → Tools → IP Access Rules, just rebuilt inside WP admin so you don’t have to leave the site to add or remove a rule.
When to use IP Access Rules vs WAF Rules
The two systems do similar things in different ways:
- WAF Rules (Rules 1–5 from the WAF Rules Reference) are pattern-based and apply per zone. They’re how you implement broad policies like “block scrapers” or “challenge VPN traffic.”
- IP Access Rules are surgical. They handle a single IP, a CIDR range, a country, or an ASN at a time, and they apply account-wide. They’re how you handle the “I just need this one thing fixed right now” cases.
A good rule of thumb: if you’d write the rule once and forget it, use a WAF rule. If you’re reacting to something specific you just saw in your logs, use an IP Access Rule.
The IP Access Rules dashboard
In WP admin, go to WAF Manager → IP Access Rules. The page is laid out as:
- An account selector at the top — if you have multiple Cloudflare accounts connected, pick which one’s rules you want to view and manage
- An Add Rule button
- A search box for filtering by IP, country, or note
- Filter tabs for switching between All, Allow, Block, Managed Challenge, and JS Challenge
- A table of existing rules with edit and delete buttons on each row
Rules load automatically when you select an account. Anything you’ve added directly in Cloudflare also shows up here — the plugin reads and writes the same list, so the two stay in sync.
Adding a rule
Click Add Rule to open the rule modal. You’ll fill in three things: target, action, and an optional note.
Target
Choose what you’re applying the rule to:
- IP Address — a single IPv4 or IPv6 address (e.g. 203.0.113.42 or 2001:db8::1)
- IP Range (CIDR) — a range in CIDR notation (e.g. 203.0.113.0/24)
- Country Code — a two-letter ISO country code (e.g. US, KW, DE)
- ASN — an autonomous system number (e.g. 13335 for Cloudflare itself)
The hint under the input field updates as you change the target type, so you’ll always see the expected format.
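The four target formats above can also be checked before a rule is submitted. The following is an added example, not the plugin's own code: `classify_target` and `build_rule` are hypothetical helpers, and the `mode`, `configuration` and `notes` field names and the `AS`-prefixed ASN value follow Cloudflare's public IP Access Rules API as an assumption, since the page does not show the request body.

```python
import ipaddress
import re

# Action labels from this page mapped to the "mode" strings used by
# Cloudflare's public IP Access Rules API (assumed; not shown on the page).
MODES = {
    "Allow": "whitelist",
    "Block": "block",
    "Managed Challenge": "managed_challenge",
    "JS Challenge": "js_challenge",
}


def classify_target(raw):
    """Return (target, value) for the four target types, or raise ValueError."""
    text = raw.strip()
    if re.fullmatch(r"[A-Za-z]{2}", text):
        return "country", text.upper()
    asn = re.fullmatch(r"(?:AS)?(\d+)", text, re.IGNORECASE)
    if asn:
        number = int(asn.group(1))
        if not 1 <= number <= 4294967295:
            raise ValueError(f"ASN out of range: {text}")
        return "asn", f"AS{number}"
    if "/" in text:
        # strict=True rejects host bits (203.0.113.42/24): a range typed that
        # way usually means a single address was intended.
        return "ip_range", str(ipaddress.ip_network(text, strict=True))
    addr = ipaddress.ip_address(text)
    return ("ip" if addr.version == 4 else "ip6"), str(addr)


def build_rule(raw_target, action, note=""):
    """Build the JSON body for one rule; hypothetical helper for illustration."""
    if action not in MODES:
        raise ValueError(f"unknown action: {action}")
    target, value = classify_target(raw_target)
    return {"mode": MODES[action],
            "configuration": {"target": target, "value": value},
            "notes": note}
```

Rejecting a range with host bits set catches the common slip of typing a single address with a /24 suffix, which would otherwise apply the action to 256 addresses instead of one.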
Action
Pick what Cloudflare should do when the rule matches:
- ✅ Allow (Whitelist) — let the traffic through unconditionally, bypassing all security checks. Use this for office IPs, your own server’s IP, or trusted partner systems.
- 🚫 Block — drop the request entirely. The visitor sees a Cloudflare error page.
- ⚠️ Managed Challenge — Cloudflare decides between an interactive challenge or a silent check based on the visitor’s signals. The friendliest of the challenge options for real users.
- 🔒 JS Challenge — runs a JavaScript-based challenge in the browser. Stops most simple bots without showing the visitor anything, but blocks anything that doesn’t run JavaScript.
For a hostile IP you’ve just spotted in your logs, Block is usually right. For an entire country you don’t do business with, Block also makes sense. For a noisy-but-not-clearly-hostile range, Managed Challenge is a better first move — you can always escalate to Block later if it keeps misbehaving.
Note
Optional but worth using. The note field lets you record why you added the rule, so when you come back in six months you don’t have to wonder. Examples: “Office IP — Riyadh,” “Brute-force attempts on wp-login Apr 2026,” “Client’s CI server.”
Click Add Rule to save. The rule is pushed to Cloudflare immediately and appears in the table.
Editing and deleting
Each row in the rules table has Edit and Delete buttons. Edit reopens the modal with the current values pre-filled — change anything you like and save. Delete removes the rule from Cloudflare after a confirmation prompt.
Filtering and search
The filter tabs (All / Allow / Block / Managed Challenge / JS Challenge) let you narrow the list by action, which is helpful once you’ve accumulated dozens of rules. The search box matches against the IP, country, ASN, or note fields, so you can type something like “office” or “wp-login” and find the rules you tagged earlier.
Common patterns
Whitelist your office — Add an IP Access Rule with your office’s public IP, action Allow, note “Office IP.” Now your team can hit your sites without ever being challenged or rate-limited.
Block a brute-force IP — When you see the same IP hammering wp-login.php in your Security Events log, add a rule with that IP, action Block, and a note describing the incident date.
Block a country — Add a rule with the country code, action Block, note your reasoning. Useful when you only operate in certain regions and want to cut hostile traffic from the rest.
Allow a partner integration — When a third-party service needs to hit your sites and isn’t on Rule 1’s whitelist, add their IP or ASN with action Allow.
Challenge a noisy ASN — If a particular ASN keeps showing up with low-quality traffic but isn’t clearly malicious, add a rule with the ASN and action Managed Challenge. Real users from that ASN will solve the challenge once and continue; bots won’t.
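For the "Block a brute-force IP" pattern, the step of spotting the offending address can be scripted. This is an added example, not part of the plugin: it assumes an origin access log in combined log format rather than Cloudflare's Security Events view, the sample lines are constructed from documentation IP ranges, and `suggest_blocks` is a hypothetical helper that skips any address you already hold an Allow rule for.

```python
import re
from collections import Counter

# Client IP, date, method and path from a combined-log-format line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4})[^\]]*\] "(\S+) (\S+)')


def _line(ip, method, path, sec):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [14/Apr/2026:09:12:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "-"')


SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", "POST", "/wp-login.php", s) for s in range(8)]
    + [_line("203.0.113.42", "POST", "/wp-login.php", s) for s in range(6)]
    + [_line("192.0.2.15", "POST", "/wp-login.php", 30),
       _line("192.0.2.15", "GET", "/", 31)]
)


def suggest_blocks(log_text, threshold=5, allow=()):
    """Return candidate Block rules for IPs with >= threshold login POSTs."""
    hits = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, day, method, path = m.groups()
        if ip in allow:
            continue  # never propose blocking an address you have allowed
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            hits[ip] += 1
            first_seen.setdefault(ip, day)
    return [
        {"target": "IP Address", "value": ip, "action": "Block",
         "note": f"Brute-force attempts on wp-login {first_seen[ip]} ({n} POSTs)"}
        for ip, n in hits.most_common() if n >= threshold
    ]
```

The returned dictionaries use the same target, action and note fields as the Add Rule modal, so each one can be reviewed by a person and entered as a rule with the incident date already recorded in the note.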
Multi-account workflow
If you manage Cloudflare accounts for several clients, the account selector at the top of the page lets you switch between them without leaving WP admin. The plugin remembers which account you were last viewing, so you don’t keep losing your place.
A common workflow is to keep a small set of “permanent” allow rules per account (your own monitoring IPs, your team’s offices, trusted partners) and add temporary block rules as incidents come up.