Limiting to only my IP


I have a website domain which I use to do testing/development on and I’d like to restrict access to only allow myself and client to have access to.

I hope I’ve done this correctly, but this is what I’ve done so far:

  1. Created a Custom List called “list_safe_ip” and added only mine and client’s IP address.
  2. Went to Security > WAF > Custom rules
  3. Created a rule of “IP Source Address + is not in list + list_safe_ip = block”

However when I try and visit the site from a different network (eg vpn or cellphone) I still can access the website.

Am I doing this correctly?
Am I missing a step - or is there a delay period?

If it is only your IP address, I wouldn’t bother with a list. Create a rule (ip.src ne (where is your IP address.) Set action to block.
This works for me.

1 Like

Thanks, yes I tried that first but doesn’t seem to work.

For example I have (ip.src ne which believe should mean can only access from this IP.

But when I visit from another IP it still seem to access it

I have exactly the same rule (different IP of course) and it works fine. Can you post a screenshot of what you have?

1 Like

Thanks, here is the first

and then setting

1 Like

That is the same rule spec as what I have. I have tested using a different network and was blocked. I cannot explain why it doesn’t work for you.

1 Like

How bizarre.
I did the same setup rules again on a completely new website domain with fresh wordpress install and got the same… seem to be able to visit from any/

Is there a setting which overrides or needs to be enabled for the WAF to be applied?

Is your domain even proxied? The WAF rules would obviously not work in DNS-only mode.


OMG. I’m going to go and crawl into a corner and hide in pure embarrassment.

Took for granted that it was proxied. :sweat_smile:


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.