Whitelist

The Whitelist section defines IP addresses that will never be blocked automatically by the mitigation system, no matter how many alerts they generate. It is a critical safeguard against locking out your own administrators, offices, and other legitimate systems.

Whitelist interface

  • IPs in the whitelist are completely immune to automatic blocks.
  • Administrators can still block them manually if necessary.
  • Active 24/7 protection without intervention.

For each IP, the interface shows:

  • IP address: protected IP, highlighted with a green badge.
  • Description: information about who or what uses that IP.
  • Date added: when it was added to the whitelist, shown as relative time.
  • Added by: user who added the IP to the list.

A) Add IP to whitelist

  • Main button: “Add IP”.
  • Dialog fields:
    • IP address: required field with IPv4 validation.
    • Description: optional but recommended for documentation, for example “Main office”, “CEO IP”, or “Monitoring server”.
  • Immediate confirmation after adding.

B) Remove from whitelist

  • “Remove” button on each row.
  • The IP can then be blocked automatically again.
  • Without siteId: global whitelist using localStorage.
  • With siteId: site-specific whitelist stored in the database.
  • Automatic synchronization with the WordPress plugin.
  • Changes applied immediately.

Essential use cases:

  1. Administrator IPs
    • Your own office/home IP.
    • Your development team’s IPs.
    • Site administrator IPs.
  2. Technical infrastructure
    • Monitoring servers.
    • Automated backup systems.
    • APIs that interact with the site.
    • CDN/load balancer IPs.
  3. Corporate locations
    • Fixed office IP.
    • Company VPN.
    • Coworking connections.
  4. Trusted third-party systems
    • Payment gateway services.
    • Email marketing platforms.
    • CRM systems connected to the site.
  5. False-positive resolution
    • IPs that generate legitimate but frequent alerts.
    • VIP site users.
    • Internal automated systems.

=== "Do"

    - Add your administrator IP immediately after enabling mitigations.
    - Document each IP clearly using the description.
    - Review the whitelist monthly.
    - Add automated-system IPs before configuring them.
    - Use site-specific whitelists when possible.

=== "Do not"

    - Add IPs without descriptions.
    - Whitelist full ranges unless necessary.
    - Leave old IPs without review.
    - Whitelist dynamic IPs that change frequently.
    - Add IPs "just in case" without a specific reason.

!!! warning ""
    The whitelist does NOT protect against:

    - Manual blocks performed by administrators.
    - Server/firewall-level external blocks.
    - Other WordPress security measures.

!!! danger "Security considerations"
    - Do not add IPs unless you fully trust them.
    - Compromised whitelisted IPs are a critical vulnerability.
    - Review logs regularly to detect abuse from whitelisted IPs.
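
The monthly review and the log check recommended above can be scripted. The following is an added example, not part of the product or its plugin: it audits whitelist entries against the "Do not" rules and flags whitelisted IPs that keep generating alerts. The record layout, the alert log format, and the 30-day and 10-alert thresholds are assumptions, and all sample data is constructed.

```python
from collections import Counter
from datetime import date
import ipaddress

# Constructed sample data. Key names are assumptions that mirror the
# columns the interface shows (IP address, description, date added, added by).
WHITELIST = [
    {"ip": "203.0.113.10", "description": "Main office", "added": date(2024, 5, 20), "added_by": "alice"},
    {"ip": "198.51.100.7", "description": "", "added": date(2024, 1, 3), "added_by": "bob"},
    {"ip": "192.0.2.0/24", "description": "Company VPN", "added": date(2024, 5, 28), "added_by": "alice"},
    {"ip": "203.0.113.999", "description": "Monitoring server", "added": date(2024, 5, 30), "added_by": "carol"},
]
# Constructed alert log as (source IP, alert type) pairs.
ALERTS = [("198.51.100.7", "login_bruteforce")] * 12 + [("203.0.113.10", "404_scan")] * 2


def audit_whitelist(entries, alerts, today, max_age_days=30, alert_threshold=10):
    """Return {ip: [findings]} for entries a reviewer should look at."""
    alert_counts = Counter(ip for ip, _ in alerts)
    findings = {}
    for entry in entries:
        raw, issues = entry["ip"].strip(), []
        try:
            ipaddress.IPv4Address(raw)  # strict dotted-quad check
        except ValueError:
            try:
                net = ipaddress.IPv4Network(raw, strict=False)
                issues.append(f"range covering {net.num_addresses} addresses")
            except ValueError:
                issues.append("not a valid IPv4 address")
        if not entry["description"].strip():
            issues.append("no description")
        age = (today - entry["added"]).days
        if age > max_age_days:  # monthly review cadence
            issues.append(f"added {age} days ago, due for review")
        hits = alert_counts[raw]
        if hits >= alert_threshold:  # whitelisted IPs still generate alerts
            issues.append(f"{hits} alerts while whitelisted")
        if issues:
            findings[raw] = issues
    return findings


if __name__ == "__main__":
    for ip, issues in audit_whitelist(WHITELIST, ALERTS, date(2024, 6, 1)).items():
        print(f"{ip}: {'; '.join(issues)}")
```

An entry that collects several findings at once, such as no description, overdue review, and a high alert count, is the first candidate for removal or a manual block.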