How to whitelist an IP address so it is not blocked after failed login attempts

ckalech asks

Can we whitelist an IP address so that the number of failed attempts does not block a given IP range? I know we can whitelist an IP range so they do not need to log in, but that is not what we want. Different users at the same organization with a static IP address need to log in as different users with different permissions. However, if one person fails to log in 5 times, the whole organization is blocked for 30 minutes.

You will need an MU plugin file to accomplish this. Here’s a quick example.

Create this directory and file:
/wp-content/mu-plugins/s2-hacks.php

<?php
add_action('ws_plugin__s2member_before_track_failed_logins', function() {
    if ($_SERVER['REMOTE_ADDR'] === '123.456.789.0') { // Change this IP address to the one you want to whitelist.
        $GLOBALS['WS_PLUGIN__']['s2member']['o']['max_failed_login_attempts'] = 0; // Disable.
    }
});

See also: this reference to the hook in s2Member’s source code.
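
The question asks about an IP range, while the snippet above matches a single address. The following is an added example, not code from this thread or from s2Member, that applies the same hook to a list of CIDR ranges. The constant `S2_HACKS_TRUSTED_RANGES`, the helper `s2_hacks_ip_in_range()` and the sample ranges are assumptions made for illustration.

```php
<?php
// Added example, not s2Member's own code. Save as /wp-content/mu-plugins/s2-hacks.php.
// Constructed sample ranges (documentation address space); replace with your own.
const S2_HACKS_TRUSTED_RANGES = ['203.0.113.0/24', '198.51.100.7', '2001:db8:1234::/48'];

/**
 * Hypothetical helper: true when $ip falls inside $range (CIDR or single address).
 */
function s2_hacks_ip_in_range(string $ip, string $range): bool
{
    $parts   = explode('/', $range, 2);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($parts[0]);
    // Reject unparsable input and IPv4/IPv6 family mismatches.
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)) {
        return false;
    }
    $max_bits = strlen($net_bin) * 8;
    $bits     = $max_bits; // No prefix length means an exact-address match.
    if (isset($parts[1])) {
        if (!ctype_digit($parts[1]) || (int) $parts[1] > $max_bits) {
            return false; // Malformed prefix length.
        }
        $bits = (int) $parts[1];
    }
    // Compare the whole bytes covered by the prefix first.
    $full_bytes = intdiv($bits, 8);
    if (substr($ip_bin, 0, $full_bytes) !== substr($net_bin, 0, $full_bytes)) {
        return false;
    }
    // Then compare the remaining high-order bits of the next byte, if any.
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ip_bin[$full_bytes]) & $mask) === (ord($net_bin[$full_bytes]) & $mask);
}

add_action('ws_plugin__s2member_before_track_failed_logins', function () {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach (S2_HACKS_TRUSTED_RANGES as $range) {
        if (s2_hacks_ip_in_range($ip, $range)) {
            // Same option the snippet above sets: 0 disables the limit for this request.
            $GLOBALS['WS_PLUGIN__']['s2member']['o']['max_failed_login_attempts'] = 0;
            return;
        }
    }
});
```

If the site sits behind a reverse proxy or CDN, `REMOTE_ADDR` holds the proxy's address, so range matching is only meaningful when the web server sees the client address directly.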

An easier way is to create an .htaccess file in your wp-admin folder, and deny access to all other IP’s except your own. That way you will not get locked out of your admin.
1- go to www.whatismyip.com and you will see what your IP address is
a number like this xx.xxx.xxx.xx

2- go to your server, and I hope you have a cPanel host, create a file (click on “New File”)
3- put this code in this new file:

# Block access to wp-admin.
order deny,allow
# Replace these x's with your IP address.
allow from xx.xxx.xxx.xx
deny from all

4- name this file .htaccess and save it in your wp-admin folder
That’s it. Now when all the sharks attack, they can’t get in, and you will never be locked out.
You can whitelist as many IPs as you want. Just don’t use a cell phone for managing your site. A cell phone’s IP changes quite frequently.

@dc62,

… and if you ever try to log in from another IP address when you’re on the road, you’ll have locked yourself out too!

If you’ve read as many threads on WordPress forums as I have, you’ll know that users locking themselves out of their own sites because of something they did to a .htaccess is one of the biggest issues.

That’s why the MU plugin route is so much better.

I haven’t tried the method you are suggesting, but just looking at the code I can see it also does something with the IP address!!! With my method, as long as you know what you did, when you get locked out as the result of using a different computer, just add the IP address of that new computer to the whitelist, and you are good to go.
The forum is full of people that will make changes that were suggested to them without understanding (or remembering) what they did. That’s why they are locked out, and don’t know (don’t remember) why.

The MU-plugin whitelists the IP address. Yours doesn’t just whitelist; it effectively also blacklists every other IP address.

Blacklisting all other IPs is the solution. That’s why the admin is getting locked out. It’s due to too many people trying to get in through the back end, and WordPress’ brute force prevention will lock everybody out (including the admin). Every time I install s2Member I get locked out, not sure why that is, but I got sick of getting locked out. I have had no problems since I secured my wp-admin with .htaccess.
I am just offering another solution, we can let the users decide which method they like better.

we can let the users decide which method they like better.

Of course. But you ought to have stated, when you offered your solution, that it was not merely whitelisting the admin’s IP, but was also blacklisting all other IPs. Failing to do that meant that you weren’t providing users with an informed choice at all.