Docs

IP Protection

IP protection restricts access to specific URLs so only visitors from your allowlisted IP addresses can reach them. It is disabled by default and only applies to the URLs you choose to protect.

How it works

  1. First, add your allowed IP addresses in IP Rules > Allow.
  2. Navigate to Protect Pages > IP Allowlist in the sidebar.
  3. Enter the URL path you want to restrict (e.g., /admin, /internal).
  4. Click Restrict Page.

Only visitors whose IP address is on your allowlist will be able to access the protected URL. All other visitors will be blocked.

Common uses

  • Restrict admin panels (/admin, /wp-admin) to office or VPN IP addresses.
  • Protect internal tools and staging URLs from public access.
  • Add an extra layer of security on top of application-level authentication.

Important

  • You must configure allowed IPs in IP Rules > Allow before IP-restricted pages will be accessible to anyone.
  • IP protection applies at the WAF level, before requests reach your origin server.
  • Removing protection from a page takes effect immediately.