How to Whitelist IP Address in Cloudflare: Complete 2025 Guide (5 Methods + Troubleshooting)

Is Cloudflare blocking your team from accessing your own website? You’re not alone. Thousands of website owners face this frustrating issue daily when Cloudflare’s security features mistake legitimate traffic for potential threats.

Whether you’re trying to give your remote team access to your WordPress admin panel, whitelist payment gateway IPs for your e-commerce store, or allow third-party services to connect to your API, this comprehensive guide will show you exactly how to whitelist IP addresses in Cloudflare using 5 proven methods.

In this guide, you’ll learn:

• 5 different methods to whitelist IP addresses (from beginner to advanced)
• When to use each whitelisting method for maximum effectiveness
• How to troubleshoot common issues when IP whitelisting doesn’t work
• Best practices for secure and efficient IP management
• Step-by-step instructions with updated 2025 Cloudflare interface screenshots

Based on our experience managing over 1,000 Cloudflare configurations, we’ll show you the exact process we use to implement bulletproof IP whitelisting that works reliably for businesses of all sizes.

Ready to regain control of your website access? Let’s dive in.

What Does IP Whitelisting Mean in Cloudflare?

IP whitelisting (also called IP allowlisting) is a security method that allows only pre-approved IP addresses to access your website while blocking all other traffic by default. In Cloudflare’s context, whitelisting means configuring rules that bypass normal security screenings for specific, trusted IP sources.

How Cloudflare IP Whitelisting Works

When you whitelist an IP address in Cloudflare, you’re essentially telling Cloudflare’s Web Application Firewall (WAF): “This IP address is trusted – let all traffic from this source pass through without additional security challenges or blocks.”

Unlike IP blacklisting that blocks specific addresses, whitelisting takes a more permissive approach for authorized users while maintaining protection against unknown threats. Your whitelisted IPs will bypass features like:

• DDoS protection challenges
• Bot detection systems
• Rate limiting restrictions
• Country-based blocking rules
• Security level challenges

When You Need to Whitelist IP Addresses in Cloudflare

Office and Corporate Network Access

Most businesses need to whitelist their office IP addresses to prevent employees from being blocked when accessing company websites, especially WordPress admin panels or internal business applications.

Remote Work and Team Management

With remote work becoming standard, you’ll often need to whitelist home office IPs, co-working spaces, or VPN endpoints to ensure team members can access necessary tools without security interruptions.

Third-Party Service Integrations

Many business tools require IP whitelisting to function properly:

• Payment gateways (Stripe webhooks, PayPal IPN, Square webhooks) need whitelisted IPs for webhook notifications
• API services and webhooks from CRM systems, marketing automation tools
• Backup services that connect to your website
• Monitoring tools like Pingdom and UptimeRobot

Development and Staging Environments

Development teams often need to whitelist specific IPs to access staging sites, run automated tests, or deploy applications without triggering Cloudflare’s security features.

Preventing False Positive Blocking

Sometimes Cloudflare’s intelligent systems can be overly cautious, blocking legitimate users from specific geographic regions or network providers. IP whitelisting provides a reliable solution to ensure important visitors always have access.

Understanding Cloudflare Actions: Allow vs Whitelist vs Skip

Before we dive into the methods, it’s crucial to understand the different actions Cloudflare uses:

• Allow: Permits traffic to pass through while still running some background security checks. This is the most common whitelisting action.

• Skip: Bypasses specific security features (like managed rules or rate limiting) but continues other security processing.

• Allow (Whitelist): The strongest permission level that bypasses virtually all Cloudflare security features for the specified IP addresses.

Now that you understand the fundamentals, let’s explore the five methods to implement IP whitelisting in your Cloudflare account.

Prerequisites and Important Notes

Before implementing any IP whitelisting method, ensure you have:

Required Access:

• An active Cloudflare account with your domain properly configured
• Admin or Super Administrator permissions for the Cloudflare account
• Access to your current IP address (find it here)

Plan Considerations:

• Free Plan: Limited to 5 custom firewall rules, basic IP Access Rules available
• Pro Plan ($20/month): Unlimited custom rules, advanced firewall features
• Business Plan ($200/month): Enhanced security options, priority support
• Enterprise: Full feature access including advanced lists and automation

Critical Safety Tips: ⚠️ Always test rules in a controlled environment first
⚠️ Maintain a backup access method (like mobile hotspot) before implementing restrictive rules
⚠️ Document all whitelisted IPs with business justification and review dates
⚠️ Never rely on a single whitelisting method for critical business access

What You’ll Need to Know:

• Your organization’s current public IP address(es)
• Whether your ISP provides static or dynamic IP addresses
• Any VPN or proxy services your team uses
• The specific areas of your website that need whitelisting

Tip: If you’re unsure about your IP setup, check with your IT team or internet service provider before proceeding.

External Resources for IP Detection:

• WhatIsMyIPAddress.com – Most reliable IP detection
• IPify API – Programmatic IP detection
• Cloudflare’s IP ranges – Official Cloudflare IP list for origin server whitelisting

Method 1: Cloudflare Firewall Rules (Most Flexible)

Cloudflare Custom Rules (formerly Firewall Rules) offer the most powerful and flexible approach to IP whitelisting. This method gives you granular control over exactly which traffic to allow and under what conditions.

When to Use Firewall Rules for IP Whitelisting

Best suited for:

• Complex whitelisting scenarios with multiple conditions
• Businesses that need URL-specific or time-based access control
• Organizations with Pro, Business, or Enterprise Cloudflare plans
• Teams requiring detailed logging and monitoring of whitelisted access
• Scenarios where you need to combine IP whitelisting with other conditions (user agent, country, etc.)

Plan Requirements: Available on Pro plans and above (Free plans are limited to 5 custom rules)

Step-by-Step Firewall Rule Implementation

Step 1: Access Your Cloudflare Dashboard

Log into your Cloudflare account and select the domain you want to configure. Navigate to the left sidebar and click Security → WAF.

Step 2: Create a New Custom Rule

In the WAF section, click on the Custom rules tab. You’ll see any existing rules here, or a clean slate if this is your first rule.

Click the Create rule button to begin setting up your IP whitelist rule.

Step 3: Configure Your Rule Settings

Rule Name: Use a descriptive name like “Whitelist [Your Company] Office IPs” or “Allow Remote Team Access”. Clear naming helps with future management and troubleshooting.

Choose Field and Operator:

• Field: Select “IP Source Address” from the dropdown
• Operator: Choose the appropriate operator based on your needs:
  • equals for a single IP address
  • is in for multiple IP addresses
  • is in list for pre-created IP lists (Enterprise feature)

Step 4: Enter Your IP Address(es)

For a Single IP Address:

IP Source Address equals 192.168.1.100

For Multiple IP Addresses:

IP Source Address is in {192.168.1.100 192.168.1.101 192.168.1.102}

For IP Ranges (CIDR Notation):

IP Source Address is in {192.168.1.0/24}

This CIDR example allows any IP from 192.168.1.1 to 192.168.1.254.

Step 5: Set the Action to “Allow”

In the Choose action section, select Allow. This tells Cloudflare to permit traffic from your specified IP addresses to bypass security screening.

Step 6: Deploy and Test Your Rule

Click Deploy to activate your firewall rule. The rule typically takes effect within 30-60 seconds globally across Cloudflare’s network.

Test your configuration by accessing your website from the whitelisted IP address. You should notice faster loading times and no security challenges.

Advanced Firewall Rule Examples

Geographic + IP Combination Rule:

(IP Source Address is in {203.0.113.0/24}) OR 
(Country equals "United States" AND IP Source Address is in {198.51.100.0/24})

Time-Based IP Whitelisting (Business Hours Only):

IP Source Address is in {192.168.1.0/24} AND 
cf.edge.server_hour >= 9 AND cf.edge.server_hour <= 17

URL-Specific IP Whitelisting:

URI Path starts with "/wp-admin/" AND 
IP Source Address is in {203.0.113.100 203.0.113.101}

This advanced rule only whitelists specific IPs for WordPress admin access while maintaining normal security for the rest of the site.

Firewall Rules Best Practices

Rule Organization: Create separate rules for different purposes (office access, API access, emergency access) rather than one complex rule with many conditions.

Performance Optimization: Place the most frequently matched conditions first in your rule logic to improve processing speed.

Monitoring: Regularly review your Security Events log to ensure whitelisted IPs are working correctly and not causing unexpected behavior.

Documentation: Maintain clear documentation of what each rule does, why it was created, and when it should be reviewed or removed.

For more details on Cloudflare’s rule expressions, check the official documentation.

Method 2: IP Access Rules (Simplest Method)

IP Access Rules provide the most straightforward way to whitelist IP addresses in Cloudflare. This method is perfect for users who need simple, effective IP whitelisting without complex conditions or advanced features.

When to Use IP Access Rules

Ideal for:

• Simple, global IP whitelisting across your entire domain
• Users on Cloudflare’s Free plan (no custom rule limitations)
• Quick emergency access when someone is locked out
• Straightforward office or home IP whitelisting
• When you want to bypass ALL Cloudflare security features for trusted IPs

Key Benefits:

• Available on all Cloudflare plans including Free
• Bypasses virtually all security features (strongest whitelist action)
• Simple interface with no complex configuration required
• Global application across all subdomains

Step-by-Step IP Access Rules Configuration

Step 1: Navigate to IP Access Rules

From your Cloudflare dashboard, go to Security → WAF → Tools. You’ll find the IP Access Rules section here.

Step 2: Add a New IP Access Rule

In the IP Access Rules section, you’ll see a form to add new rules:

Value: Enter your IP address, IP range, or country code

• Single IP: 203.0.113.100
• IP Range: 203.0.113.0/24
• Country: US (for United States)

Action: Select Allow from the dropdown menu. Other options include:

• Block: Denies access from the specified IPs
• Challenge: Presents a CAPTCHA challenge
• JS Challenge: Runs a JavaScript-based challenge

Zone: Choose the scope of your rule:

• This website: Applies only to the current domain
• All websites in account: Applies to all domains in your Cloudflare account

Step 3: Add Notes (Optional but Recommended)

Include a brief description like “Main office IP address” or “CEO home office access” to help with future management and auditing.

Step 4: Save and Verify

Click Add to create your rule. The rule takes effect immediately and will appear in your list of active IP Access Rules below the form.

IP Access Rules vs Firewall Rules: Key Differences

IP Access Rules Advantages:

• Simpler to configure and manage
• Available on all plans including Free
• Bypasses more security features than Firewall Rules
• No rule quantity limits on any plan
• Instant global application

IP Access Rules Limitations:

• Less granular control (no URL-specific or time-based conditions)
• Cannot combine with other conditions
• Limited customization options
• May bypass security features you want to keep active

Firewall Rules Advantages:

• Advanced conditional logic and combinations
• URL-specific whitelisting capabilities
• Time-based and geographic combinations
• Better logging and monitoring options
• More precise control over which security features to bypass

When to Choose Each Method:

Choose IP Access Rules when:

• You need simple, reliable whitelisting
• You’re on the Free plan with limited custom rules
• You want maximum bypass of security features
• You need emergency access restoration

Choose Firewall Rules when:

• You need conditional or complex whitelisting logic
• You want to maintain some security features
• You need detailed logging and monitoring
• You’re implementing URL-specific access control

Managing Multiple IP Access Rules

Bulk Management Tips:

• Use clear, consistent naming conventions for notes
• Group related IPs (office networks, remote team, services) with similar note prefixes
• Regularly audit and remove outdated rules
• Consider using IP ranges instead of individual IPs when appropriate

Common IP Range Examples:

• Small office: 192.168.1.0/28 (16 IP addresses)
• Medium office: 192.168.1.0/24 (256 IP addresses)
• Large corporate network: 10.0.0.0/16 (65,536 IP addresses)

External Resources for IP Management:

• CIDR Calculator – Calculate IP ranges and subnets
• IP Range to CIDR Converter – Convert IP ranges to CIDR notation
• Cloudflare IP Ranges – Official Cloudflare IPs for origin server configuration

Method 3: Page Rules for URL-Specific Whitelisting

Page Rules offer a unique approach to IP whitelisting by allowing you to disable or modify Cloudflare’s security features for specific URLs or URL patterns. While not a direct IP whitelisting method, Page Rules can effectively create IP-friendly zones on your website.

Understanding Page Rules for Access Control

Page Rules work by modifying Cloudflare’s behavior for specific URL patterns. When combined with other whitelisting methods, they create powerful, targeted access control solutions.

How Page Rules Support IP Whitelisting:

• Reduce security levels for specific URLs
• Disable certain security features on admin areas
• Create “safe zones” for legitimate automated traffic
• Optimize access for business-critical application endpoints

Use Cases for Page Rule IP Whitelisting

WordPress Admin Protection: Create rules that reduce security screening for /wp-admin/* URLs, making it easier for whitelisted IPs to access admin functions without additional challenges.

API Endpoint Optimization:
Disable unnecessary security features for API endpoints (/api/*) to ensure reliable connectivity for whitelisted services and applications.

Staging Environment Access: Configure subdomain-specific rules for staging environments (staging.yoursite.com/*) with reduced security to facilitate development work.

E-commerce Backend Access: Optimize access to e-commerce admin panels, payment processing endpoints, or inventory management systems.

Step-by-Step Page Rules Configuration

Step 1: Access Page Rules

From your Cloudflare dashboard, navigate to Rules → Page Rules. You’ll see any existing rules and the option to create new ones.

Step 2: Create a New Page Rule

Click Create Page Rule to start configuring your URL-specific rule.

Step 3: Define Your URL Pattern

URL Pattern Examples:

• WordPress Admin: yoursite.com/wp-admin/*
• API Endpoints: yoursite.com/api/*
• Specific Admin Page: yoursite.com/admin/dashboard
• Staging Subdomain: staging.yoursite.com/*

Wildcard Usage:

• * matches any string of characters
• yoursite.com/*admin* matches URLs containing “admin” anywhere in the path
• *.yoursite.com/api matches API endpoints on any subdomain

Step 4: Configure Security Settings

Primary Settings for IP-Friendly Access:

Security Level: Set to “Essentially Off” to minimize security challenges for the specified URLs. This is the most effective setting for IP whitelisting support.

Cache Level: Consider setting to “Bypass” for admin areas to ensure users always see fresh content.

Browser Cache TTL: Set to a low value or “Respect Existing Headers” for dynamic admin content.

Disable Security Features (Advanced):

• Turn off “Email Obfuscation” for admin areas
• Disable “Server Side Excludes” if they interfere with admin functionality
• Consider disabling “Hotlink Protection” for admin assets

Step 5: Save and Test

Click Save and Deploy to activate your Page Rule. Test by accessing the specified URLs from both whitelisted and non-whitelisted IPs to verify the rule is working correctly.

Page Rules Limitations and Considerations

Rule Limits by Plan:

• Free: 3 Page Rules
• Pro: 20 Page Rules
• Business: 50 Page Rules
• Enterprise: 125 Page Rules

Order Matters: Page Rules are processed in the order shown in your dashboard. Rules higher in the list take precedence over lower rules.

Performance Impact: Too many Page Rules can impact site performance. Consolidate similar rules when possible.

For detailed Page Rules documentation, visit the official Cloudflare guide.

Method 4: Using Lists for Bulk IP Management (Enterprise Focus)

Cloudflare Lists provide a scalable solution for organizations managing large numbers of IP addresses or frequently changing IP requirements. This method is particularly valuable for enterprises with multiple offices, remote teams, or complex infrastructure requirements.

When Lists Become Essential

Large-Scale IP Management:

• Organizations with 50+ IP addresses to manage
• Multiple office locations with different IP ranges
• Frequent changes to approved IP addresses
• Integration with external systems for automated IP updates

Dynamic Business Requirements:

• Remote workforce with changing VPN endpoints
• Temporary contractor or vendor access
• Seasonal staff or location changes
• Integration with cloud infrastructure that provides dynamic IPs

Compliance and Auditing:

• Businesses requiring detailed access logs and IP tracking
• Organizations with strict compliance requirements
• Companies needing centralized IP management across multiple domains
• Situations requiring bulk IP imports from external systems

Creating and Managing IP Lists

Step 1: Access Lists Configuration

Navigate to your Cloudflare dashboard and go to Manage Account → Configurations → Lists. This section is separate from your individual domain settings.

Step 2: Create a New IP List

Click Create List and configure:

List Name: Use descriptive names like “Corporate_Office_IPs” or “Remote_Team_Whitelist”

List Type: Select IP addresses from the dropdown

Description: Add detailed information about the list’s purpose, maintenance schedule, and contact person for updates

Step 3: Add IP Addresses to Your List

Manual Entry:

• Add individual IPs: 203.0.113.100
• Add IP ranges: 203.0.113.0/24
• Add notes for each entry explaining its purpose

Bulk Import Options:

• CSV Upload: Prepare a CSV file with columns for IP addresses and notes
• API Integration: Use Cloudflare’s API for programmatic updates
• Copy/Paste: Bulk paste IP addresses from spreadsheets or other sources

Step 4: Reference Lists in Firewall Rules

Once your list is created, reference it in Custom Rules:

Field: IP Source Address
Operator: is in list
Value: Select your created list from the dropdown

Action: Allow

This approach allows you to manage hundreds of IP addresses through a single firewall rule while maintaining the flexibility to update the list independently.

API Integration for Dynamic IP Management

For organizations with changing IP requirements, API integration provides automated list management:

Automated Office IP Updates:

# Example API call to update list
curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/rules/lists/{list_id}/items" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  --data '{
    "items": [
      {"ip": "203.0.113.100", "comment": "Main Office"},
      {"ip": "203.0.113.101", "comment": "Branch Office"}
    ]
  }'

Integration Scenarios:

• DHCP Integration: Automatically sync office IP changes
• VPN Management: Update lists when VPN endpoints change
• Cloud Infrastructure: Sync with AWS IP ranges, Azure IP ranges, or GCP IP ranges
• HR Systems: Add/remove IPs based on employee onboarding/offboarding

For complete API documentation, visit Cloudflare’s Lists API guide.

Method 5: Zone Lockdown (Domain-Wide Protection)

Zone Lockdown represents Cloudflare’s most restrictive IP whitelisting method, allowing you to lock down entire domains or specific URL patterns to only accept traffic from predetermined IP addresses. This method is ideal for highly sensitive applications or when you need comprehensive access control.

Understanding Zone Lockdown

Zone Lockdown goes beyond typical IP whitelisting by creating an impenetrable barrier around your specified URLs. Unlike other methods that may allow some traffic through based on various conditions, Zone Lockdown creates a binary access control system: either your IP is on the list and you have access, or you don’t.

Key Characteristics:

• Absolute Access Control: Only specified IPs can access protected URLs
• URL Pattern Flexibility: Protect entire domains, subdomains, or specific paths
• No Bypass Options: Even legitimate users must be on the whitelist
• Enterprise-Grade Security: Designed for applications requiring maximum protection

When to Implement Zone Lockdown

High-Security Applications:

• Banking and financial application admin panels
• Healthcare systems with HIPAA compliance requirements
• Government or defense contractor websites
• E-commerce platforms during maintenance or sensitive updates

Internal Business Systems:

• HR management systems with sensitive employee data
• Financial reporting and accounting applications
• Executive dashboard and business intelligence tools
• Development and staging environments with proprietary information

Compliance Requirements:

• Applications requiring PCI DSS compliance
• Systems handling personally identifiable information (PII)
• Regulatory compliance in finance, healthcare, or government sectors
• Internal audit and compliance reporting systems

Zone Lockdown Configuration Process

Step 1: Access Zone Lockdown Settings

From your Cloudflare dashboard, navigate to Security → WAF → Tools → Zone Lockdown

Step 2: Create a New Zone Lockdown Rule

Click Add Zone Lockdown Rule to begin configuration.

Step 3: Configure URL Patterns

URL Pattern Examples:

Entire Domain Protection:

• yoursite.com/* (protects everything)
• admin.yoursite.com/* (protects entire subdomain)

Specific Application Areas:

• yoursite.com/admin/* (admin panel protection)
• yoursite.com/financial/* (financial application protection)
• yoursite.com/api/sensitive/* (sensitive API endpoints)

Step 4: Add Authorized IP Addresses

Single IP Address:

203.0.113.100

Multiple IP Addresses (one per line):

203.0.113.100
203.0.113.101  
203.0.113.102

IP Ranges (CIDR Notation):

203.0.113.0/24
10.0.0.0/16

Mixed IP Types:

203.0.113.100        # CEO home office
203.0.113.0/28       # Corporate headquarters  
198.51.100.50        # Emergency access IP
10.0.0.0/24          # VPN endpoint range

Step 5: Test Configuration Thoroughly

⚠️ Critical Testing Phase: Zone Lockdown can completely block access, including your own. Always test thoroughly:

1. Pre-deployment Testing: Verify your current IP is in the whitelist
2. Access Validation: Test access from all authorized IPs
3. Block Verification: Test from unauthorized IPs to confirm blocking works
4. Emergency Access: Ensure you have alternative access methods

Zone Lockdown Best Practices

Emergency Access Planning:

• Always maintain alternative access methods (mobile hotspot, backup ISP)
• Document emergency procedures for rule modification or removal
• Designate multiple administrators who can modify Zone Lockdown rules
• Test emergency procedures regularly to ensure they work when needed

Risk Management:

• Avoid over-broad protection that could impact business operations
• Plan for IP changes (ISP changes, office moves, VPN updates)
• Coordinate with business teams before implementing restrictive rules
• Have rollback procedures documented and tested

External Resources for Zone Lockdown:

• Cloudflare Zone Lockdown Documentation
• PCI DSS Network Security Requirements
• NIST Cybersecurity Framework – For compliance-driven implementations

Advanced IP Whitelisting Scenarios

Real-world IP whitelisting often requires combining multiple methods and handling complex business requirements. This section covers sophisticated scenarios that go beyond basic single-method implementations.

Combining Multiple Whitelisting Methods

The Layered Security Approach:

Most enterprise implementations benefit from combining different whitelisting methods to create comprehensive, resilient access control systems.

Example Multi-Layer Configuration:

Layer 1 – Global IP Access Rules:

Corporate Headquarters: 203.0.113.0/24 (Allow)
Emergency Access IP: 198.51.100.50 (Allow)  

Layer 2 – Firewall Rules for Conditional Access:

Rule: "Remote Team Business Hours"
Condition: (IP Source Address is in {10.0.0.0/16}) AND 
           (cf.edge.server_hour >= 8 AND cf.edge.server_hour <= 18)
Action: Allow

Layer 3 – Zone Lockdown for Critical Areas:

URL: yoursite.com/executive-dashboard/*
Allowed IPs: 203.0.113.100, 203.0.113.101 (Executive team only)

Layer 4 – Page Rules for Application Optimization:

URL: yoursite.com/api/*  
Security Level: Low (for whitelisted API consumers)

Why This Layered Approach Works:

• Redundancy: Multiple protection layers prevent single points of failure
• Flexibility: Different methods handle different business requirements
• Performance: Optimized for various access patterns and user types
• Compliance: Meets diverse regulatory and security requirements

Geographic and IP Combined Rules

Global Business Scenarios:

Modern businesses often need to balance geographic restrictions with specific IP whitelisting for international operations.

Scenario 1: Multinational Corporate Access

Rule: "Global Office Access with Country Restrictions"
Condition: (Country equals "United States" AND IP Source Address is in {203.0.113.0/24}) OR
           (Country equals "United Kingdom" AND IP Source Address is in {198.51.100.0/24}) OR  
           (Country equals "Japan" AND IP Source Address is in {192.0.2.0/24}) OR
           (IP Source Address is in {10.0.0.0/8})  // Global VPN range
Action: Allow

This rule allows access from specific IP ranges within approved countries, plus a global VPN range that works from anywhere.

Scenario 2: Restricted Geographic Access with Executive Override

Rule: "Geographic Restriction with Executive Bypass"  
Condition: (Country is in {"US" "CA" "GB" "DE"}) OR
           (IP Source Address is in {203.0.113.100 203.0.113.101})  // Executive IPs
Action: Allow

Rule: "Block High-Risk Countries"
Condition: Country is in {"CN" "RU" "KP"}  // Example high-risk countries
Action: Block

Time-Based IP Whitelisting

Business Requirements for Time-Based Access:

Many organizations need to restrict access to business hours for security, compliance, or operational reasons.

Scenario 1: Standard Business Hours Access

Rule: "Office Hours Only Access"
Condition: (IP Source Address is in {203.0.113.0/24}) AND
           (cf.edge.server_hour >= 8 AND cf.edge.server_hour <= 17) AND
           (cf.edge.server_dow >= 1 AND cf.edge.server_dow <= 5)  // Monday-Friday
Action: Allow

Scenario 2: Extended Hours for IT Team

Rule: "IT Extended Hours"
Condition: (IP Source Address is in {203.0.113.200/29}) AND  // IT subnet
           (cf.edge.server_hour >= 6 AND cf.edge.server_hour <= 22)
Action: Allow

Rule: "Emergency IT Access"
Condition: IP Source Address is in {203.0.113.250 203.0.113.251}  // On-call IPs
Action: Allow  // 24/7 access for emergencies

Integration-Specific Whitelisting Scenarios

WordPress and CMS Integration Requirements:

WooCommerce Payment Gateway Configuration:

Rule: "Payment Gateway Webhooks"
Condition: (IP Source Address is in {
  18.209.80.0/21    // Stripe webhook IPs
  173.0.80.0/20     // PayPal webhook IPs  
  64.4.244.0/21     // Square webhook IPs
}) AND (URI Path starts with "/wc-api/")
Action: Allow

Business Tools Integration:

CRM and Marketing Automation:

Rule: "Business Tool Webhooks"
Condition: (IP Source Address is in {
  13.110.112.0/20   // HubSpot IP range
  34.237.75.0/24    // Salesforce IP range  
  52.84.0.0/15      // Mailchimp IP range
}) AND (URI Path contains "/webhook/")
Action: Allow

API Gateway Protection:

Rule: "Authenticated API Access"
Condition: (IP Source Address is in {203.0.113.0/24}) AND  // Internal systems
           (URI Path starts with "/api/") AND
           (Header["Authorization"] exists)
Action: Allow

External Resources for Integration IPs:

• Stripe Webhook IPs – Official Stripe IP ranges
• PayPal IPN IPs – PayPal webhook IPs
• HubSpot IP Ranges – HubSpot integration IPs
• Mailchimp IP Addresses – Email automation IPs

Testing Your IP Whitelist Configuration

Proper testing is crucial for IP whitelisting success. A misconfigured rule can either block legitimate users or fail to provide the intended security benefits. This comprehensive testing approach ensures your whitelist works reliably before full deployment.

Pre-Deployment Testing Strategy

The Three-Phase Testing Approach:

Phase 1: Rule Simulation (Risk-Free Testing)

Before deploying any rules, use Cloudflare’s built-in testing features:

Firewall Rule Simulation:

1. In the Custom Rules interface, click Edit on your rule
2. Click Test instead of Deploy
3. Enter test IP addresses to see how the rule would behave
4. Verify expected outcomes for both allowed and blocked IPs

Security Events Preview:

• Check the Security Events log while testing
• Look for any unexpected rule triggers or conflicts
• Verify that your rule logic produces expected results

Phase 2: Controlled Environment Testing

Staging Environment Testing: If you have a staging environment, deploy rules there first:

• Mirror your production Cloudflare configuration
• Test with real user scenarios and IP addresses
• Validate that applications function correctly with whitelisting active
• Check for any performance impacts or unexpected behaviors

Limited Scope Deployment: For production testing, start with limited scope:

• Apply rules to non-critical URLs first (/test/* or staging subdomains)
• Test with a small group of known IP addresses
• Gradually expand scope as confidence builds

Phase 3: Production Validation

Gradual Rollout Process:

1. Deploy during low-traffic periods to minimize impact
2. Monitor continuously for the first hour after deployment
3. Have rollback procedures ready in case issues arise
4. Communicate with affected users about potential access changes

Using Cloudflare’s Security Events Log

Accessing Security Events: Navigate to Security → Events in your Cloudflare dashboard to monitor real-time rule activity.

Key Metrics to Monitor:

Rule Trigger Analysis:

• Action Taken: Verify rules are triggering expected actions (Allow/Block)
• Rule Name: Confirm the correct rules are processing traffic
• IP Addresses: Check that expected IPs are being allowed/blocked
• Request Patterns: Look for unexpected traffic patterns or rule bypasses

Performance Impact Assessment:

• Response Times: Monitor if rules add significant processing delay
• Error Rates: Watch for increases in 4xx/5xx errors after deployment
• Traffic Patterns: Analyze changes in legitimate vs blocked traffic ratios

Emergency Access Procedures and Rollback Planning

Emergency Access Preparation:

Multiple Access Methods:

• Mobile Hotspot Access: Use cellular data as backup internet connection
• Alternative Admin Accounts: Maintain admin access from different IP ranges
• API Access: Keep API tokens accessible from emergency IPs
• Support Contacts: Have Cloudflare support information readily available

Rollback Procedures:

Immediate Rollback Steps:

1. Access Cloudflare dashboard from emergency IP or contact method
2. Navigate to the problematic rule in Security settings
3. Click “Edit” and then “Pause” to immediately disable the rule
4. Verify access restoration from affected IP addresses
5. Document the issue for post-incident analysis

Automated Rollback Options:

# API command to disable a rule (prepare in advance)
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/rules/{rule_id}" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  --data '{"paused": true}'

External Resources for Testing:

• Cloudflare API Documentation – Complete API reference for automation
• Security Events API – Programmatic access to security logs
• Cloudflare Status Page – Service status for troubleshooting

Common Issues and Troubleshooting

Even with careful planning and testing, IP whitelisting can encounter issues. This comprehensive troubleshooting guide addresses the most common problems and provides step-by-step solutions.

“My IP Is Still Being Blocked” – Top Causes and Solutions

Issue 1: Rule Precedence and Order Conflicts

Symptoms:

• Whitelisted IP addresses still receive security challenges or blocks
• Security Events show conflicting rule triggers
• Some users allowed while others with similar IPs are blocked

Solution Steps:

1. Check Rule Order: In Custom Rules, ensure whitelist rules appear before blocking rules
2. Review All Active Rules: Look for conflicting conditions in other rules
3. Simplify Rule Logic: Remove unnecessary conditions that might cause conflicts
4. Test Rule Precedence: Use the simulation feature to verify rule interactions

Issue 2: Cached Security Responses

Symptoms:

• Rules appear correct but changes don’t take effect
• Some users see old security challenges despite being whitelisted
• Inconsistent behavior between different browsers or sessions

Solution Steps:

1. Clear Cloudflare Cache: Go to Caching → Configuration → Purge Everything
2. Wait for Rule Propagation: Allow 30-60 seconds for rules to propagate globally
3. Clear Browser Cache: Have affected users clear browser cache and cookies
4. Test from Incognito/Private Mode: Verify rules work in fresh browser sessions

“Whitelist Works Sometimes But Not Always” – Intermittent Issues

Issue 1: Dynamic IP Address Changes

Symptoms:

• Access works from office but not from home
• Users report inconsistent access throughout the day
• Same user blocked and allowed at different times

Solutions:

Short-term Fix:

• Identify the full IP range used by the ISP or network
• Expand whitelist to include broader CIDR ranges
• Monitor Security Events to identify additional IPs to whitelist

Long-term Solution:

Replace: 203.0.113.100
With: 203.0.113.0/24 (allows 203.0.113.1-203.0.113.254)

Or use smaller ranges if security requires:
203.0.113.100/28 (allows 203.0.113.97-203.0.113.110)

Error Code-Specific Troubleshooting

Error 1020: Access Denied

What Error 1020 Means: Cloudflare is actively blocking the request due to a firewall rule violation.

Troubleshooting Steps:

1. Check Security Events: Look for the specific rule causing the block
2. Verify IP Address: Confirm the user’s actual IP matches whitelist entries
3. Review Rule Logic: Ensure rule conditions are correctly configured
4. Check Rule Status: Verify the whitelist rule is active and deployed

Error 521: Web Server Is Down

What Error 521 Means: Cloudflare can connect to your origin server, but the server is refusing the connection.

IP Whitelisting Related Causes:

• Origin server has its own firewall blocking Cloudflare IPs
• Server-side IP restrictions not accounting for Cloudflare’s IP ranges

Solution Steps:

1. Whitelist Cloudflare IPs on Origin Server: Add all Cloudflare IP ranges to your server’s firewall
2. Check Server-Side IP Restrictions: Review .htaccess, server firewall, and application-level IP filtering

External Troubleshooting Resources:

• Cloudflare Error 1020 Guide – Official troubleshooting guide
• Error 521 Documentation – Server connection issues
• Cloudflare Community Forum – User discussions and solutions
• Security Events Troubleshooting – Log analysis guide

Best Practices for Cloudflare IP Whitelisting

Implementing IP whitelisting effectively requires more than just technical configuration. These proven best practices ensure your whitelist remains secure, maintainable, and aligned with business needs over time.

Security Best Practices

Principle of Least Privilege

Grant the minimum necessary access to accomplish business objectives. This fundamental security principle applies directly to IP whitelisting.

Implementation Guidelines:

• URL-Specific Whitelisting: Instead of domain-wide access, restrict to specific paths ❌ Overly Broad: yoursite.com/* ✅ Targeted: yoursite.com/admin/* or yoursite.com/api/internal/*
• Time-Based Restrictions: Limit access to business hours when appropriate
• Role-Based IP Groups: Different IP ranges for different access levels (executives, IT, general staff)
• Regular Access Reviews: Question every whitelisted IP regularly – is it still needed?

Network Segmentation Strategy

Tiered Access Approach:

Tier 1 - Executive Access: 203.0.113.0/28 (16 IPs)
→ Full admin access, financial systems, strategic data

Tier 2 - IT Administration: 203.0.113.16/28 (16 IPs)  
→ Technical admin, system management, development tools

Tier 3 - General Staff: 203.0.113.32/27 (32 IPs)
→ Standard business applications, limited admin functions

Tier 4 - Guest/Contractor: 203.0.113.64/26 (64 IPs)
→ Basic access, specific project resources only

Maintenance and Monitoring Procedures

Regular IP Auditing Schedule

Weekly Quick Reviews (15 minutes):

• Check Security Events for any blocked legitimate traffic
• Review new access requests or IT tickets related to blocking
• Verify critical business functions are accessible
• Monitor for unusual traffic patterns in whitelisted ranges

Monthly Comprehensive Audits (1-2 hours):

• IP Address Validation: Audit Checklist:□ Verify each whitelisted IP is still business-relevant□ Check for IP address changes (dynamic IPs, ISP updates) □ Confirm contact information for each IP range owner□ Document business justification for continued access□ Remove or update obsolete entries

Quarterly Strategic Reviews (4+ hours):

• Business Alignment Assessment: Do current whitelist rules support business objectives?
• Threat Landscape Review: Have new security threats emerged requiring rule adjustments?
• Compliance Check: Do rules meet current regulatory requirements?
• Cost-Benefit Analysis: Are Cloudflare plan costs justified by security benefits?

Performance Optimization Strategies

Rule Efficiency Best Practices

Logical Condition Ordering: Place the most selective (likely to exclude traffic) and fastest-to-evaluate conditions first:

✅ Optimized Order:
1. IP Source Address (fastest lookup, most selective)
2. URI Path (fast string matching, moderately selective)  
3. Country (moderate speed, less selective)
4. Time conditions (slower evaluation, less selective)

❌ Inefficient Order:  
1. Time conditions (slow, affects all traffic)
2. Country (broad, affects many requests)
3. URI Path (processed for most requests)
4. IP Source Address (only processed last, defeats purpose)

IP Range Optimization:

❌ Inefficient (multiple individual IP rules):
203.0.113.100, 203.0.113.101, 203.0.113.102, ..., 203.0.113.115

✅ Efficient (single CIDR range):  
203.0.113.100/28 (covers 203.0.113.97-203.0.113.110)

Performance Impact:
- Individual IPs: 16 separate evaluations per request
- CIDR Range: 1 evaluation per request (16x faster)

Change Management and Documentation

Structured Change Control Process

Change Request Template:

IP Whitelist Change Request #2025-001

Requested By: John Smith, IT Manager
Date Requested: 2025-01-15
Business Justification: New remote employee needs admin access
Change Type: Addition / Modification / Removal

Technical Details:
- IP Address/Range: 198.51.100.50/32
- Access Level Required: WordPress Admin  
- Duration: Permanent / Temporary until 2025-12-31
- Emergency Priority: Yes / No

Approval Chain:
□ Requestor Manager Approval
□ IT Security Review  
□ Change Advisory Board (if required)
□ Implementation Authorization

Testing Plan:
□ Rule simulation completed
□ Test access from target IP
□ Verify no unintended access granted
□ Confirm monitoring alerts work

Implementation:
Scheduled Date/Time: 2025-01-18 14:00 UTC
Implemented By: Network Administrator
Rollback Plan: Pause rule if access issues occur within 2 hours

External Resources for Best Practices:

• NIST Cybersecurity Framework – Federal security guidelines
• ISO 27001 Access Control – International security standards
• SANS Access Control Guidelines – Industry best practices

Cloudflare Plan Comparison for IP Whitelisting

Understanding the differences between Cloudflare plans is crucial for making informed decisions about your IP whitelisting strategy. Each plan offers different capabilities that can significantly impact your implementation approach.

Free Plan Capabilities and Limitations

What’s Included in Free Plan:

IP Access Rules:

• ✅ Unlimited IP Access Rules – Add as many individual IP addresses as needed
• ✅ Global application across all websites in account
• ✅ Allow, Block, Challenge actions available
• ✅ IPv4 and IPv6 support for comprehensive coverage
• ✅ Country-level blocking/allowing (basic geographic controls)

Custom Rules (Limited):

• ⚠️ 5 Custom Rules maximum – Significant limitation for complex scenarios
• ✅ Basic rule logic with AND/OR conditions
• ✅ IP-based conditions and standard field matching
• ❌ No Lists support – Cannot reference IP lists for bulk management
• ❌ Limited rule actions – Basic Allow/Block/Challenge only

Free Plan Best Practices:

Maximize Your 5 Custom Rules:

Rule 1: "Corporate Office Access" 
- IP is in {203.0.113.0/24 198.51.100.0/28}
- Action: Allow

Rule 2: "Block High-Risk Countries"  
- Country is in {"CN" "RU" "KP"} (example)
- Action: Block

Rule 3: "Admin Area Protection"
- URI starts with "/wp-admin/" AND IP not in {203.0.113.0/24}
- Action: Challenge

Rule 4: "API Rate Limiting"
- URI starts with "/api/" AND Rate exceeds 100/minute
- Action: Block

Rule 5: "Emergency Access"  
- Reserved for temporary rules during incidents

Pro Plan Benefits ($20/month)

Enhanced Custom Rules:

• ✅ Unlimited Custom Rules – No more 5-rule limitation
• ✅ Advanced rule logic with complex conditions
• ✅ Skip actions to bypass specific security features
• ✅ Enhanced logging and rule performance metrics

Pro Plan Optimization Strategies:

Rule Organization: With unlimited Custom Rules, organize by function rather than trying to consolidate everything:

Administrative Access Rules:
- "WordPress Admin - Office Hours"
- "WordPress Admin - Emergency Access"  
- "cPanel Access - IT Team Only"
- "Database Admin - Senior IT Only"

Business Application Rules:
- "CRM System - Sales Team"
- "Financial Dashboard - Executives"
- "HR System - HR Department"  
- "Analytics - Marketing Team"

API and Integration Rules:
- "Payment Gateway Webhooks"
- "Marketing Automation APIs"
- "Backup Service Access"
- "Monitoring Tools Access"

Business Plan Advanced Features ($200/month)

Enterprise-Grade Security:

• ✅ Priority support with faster response times for critical issues
• ✅ Advanced DDoS protection including Layer 7 application attacks
• ✅ Custom WAF rules with advanced logic and actions
• ✅ Enhanced analytics with detailed security insights

Advanced IP Management:

• ✅ Lists functionality for bulk IP address management
• ✅ Advanced rate limiting with granular controls
• ✅ Load balancing with health checks and failover
• ✅ Page Rules (50 rules for complex URL-based logic)

Plan Upgrade Decision Framework

When to Stay on Free Plan:

✅ Small business with simple IP whitelisting needs
✅ Less than 5 different whitelisting scenarios  
✅ Basic office + remote worker access sufficient
✅ Cost optimization is primary concern
✅ Technical team comfortable with limitations

When to Upgrade to Pro ($20/month):

✅ Need more than 5 Custom Rules for complex scenarios
✅ Require advanced rule logic and conditional access
✅ Want enhanced security features (WAF, advanced DDoS)
✅ Need better support response times for business-critical sites
✅ Growing business with increasing security requirements

When to Upgrade to Business ($200/month):

✅ Managing 50+ IP addresses requiring bulk management
✅ Multiple office locations with complex access patterns
✅ Compliance requirements demanding detailed logging/reporting
✅ High-traffic sites requiring advanced DDoS protection  
✅ Need Lists functionality for scalable IP management

ROI Calculation Example:

Scenario: Growing SaaS Company

Free Plan Hidden Costs:
- 3 hours/month managing individual IP rules = $150/month (IT time)
- 2 security incidents from inadequate rules = $2,000/month (average)
- Customer complaints from access issues = $500/month (support time)
Total Hidden Costs: $2,650/month

Pro Plan Benefits:  
- Plan cost: $20/month
- Reduced management time: $100/month savings
- Fewer security incidents: $1,800/month savings  
- Improved customer experience: $400/month savings
Net Savings: $2,280/month - $20/month = $2,260/month ROI

External Plan Resources:

• Cloudflare Pricing Page – Official plan comparison
• Feature Comparison Matrix – Detailed feature lists
• Enterprise Contact – Custom enterprise solutions

Conclusion

IP whitelisting in Cloudflare provides powerful access control capabilities that can significantly enhance your website security while ensuring legitimate users maintain seamless access to critical business resources. Throughout this comprehensive guide, we’ve covered five distinct methods, each suited for different business scenarios and technical requirements.

Key Method Recommendations by Use Case

For Small Businesses and Simple Requirements: Start with Method 2 (IP Access Rules) for straightforward, reliable whitelisting. This method works on all Cloudflare plans and provides strong protection with minimal configuration complexity.

For Growing Companies with Complex Needs:
Implement Method 1 (Custom Firewall Rules) to take advantage of conditional logic, time-based access, and advanced monitoring capabilities. The flexibility justifies the Pro plan investment for most businesses.

For Enterprise Organizations: Combine Method 4 (Lists) with Method 1 (Custom Rules) for scalable, manageable IP whitelisting across large organizations. The bulk management capabilities and automation options provide excellent ROI for complex environments.

For High-Security Applications: Deploy Method 5 (Zone Lockdown) for mission-critical systems requiring absolute access control. This method works best when combined with other methods for comprehensive defense in depth.

Critical Success Factors

1. Proper Testing is Non-Negotiable Never deploy IP whitelisting rules directly to production without thorough testing. Use the three-phase approach: simulation, controlled testing, and gradual rollout. Always maintain emergency access methods before implementing restrictive rules.

2. Regular Maintenance Prevents Problems
IP whitelisting is not a “set and forget” security measure. Implement regular auditing schedules:

• Weekly: Quick checks for blocked legitimate traffic
• Monthly: Comprehensive IP address validation and rule review
• Quarterly: Business alignment assessment and optimization

3. Documentation Saves Time and Prevents Errors Maintain detailed records of every whitelisted IP address, including business justification, contact information, and review schedules. This documentation becomes invaluable during troubleshooting, compliance audits, and staff transitions.

4. Layer Security Methods for Best Results The most effective implementations combine multiple whitelisting methods rather than relying on a single approach. Use IP Access Rules for global permissions, Custom Rules for conditional logic, and Page Rules for URL-specific optimization.

Next Steps for Implementation

Immediate Actions (This Week):

1. Audit your current security setup to identify IP whitelisting opportunities
2. Gather all IP addresses that need whitelisting (office, remote workers, services)
3. Choose your primary method based on complexity requirements and Cloudflare plan
4. Set up testing environment or plan for low-traffic testing window

Short-term Goals (Next Month):

1. Implement core IP whitelisting rules for primary business access
2. Establish monitoring and alerting for rule performance and issues
3. Train team members on emergency access procedures and rule management
4. Document all rules and procedures for future reference and compliance

Long-term Strategy (Next Quarter):

1. Optimize rules for performance based on usage patterns and monitoring data
2. Implement advanced scenarios like time-based access or geographic restrictions
3. Evaluate plan upgrade needs based on business growth and complexity requirements
4. Integrate with broader security strategy including authentication systems and monitoring tools

Final Security Recommendations

Remember the Fundamentals:

• IP whitelisting is one component of comprehensive security, not a complete solution
• Regular audits and updates are essential for maintaining effectiveness
• Emergency access procedures must be tested and documented
• Business continuity planning should account for IP whitelisting dependencies

Stay Current with Changes:

• Cloudflare regularly updates features and interfaces – review your rules when updates occur
• Internet infrastructure changes can affect IP addresses – monitor for ISP and network changes
• Business requirements evolve – align your IP whitelisting strategy with organizational changes

Get Expert Help When Needed: If you’re managing complex IP whitelisting requirements or encountering challenging implementation scenarios, don’t hesitate to seek professional assistance. Cloudflare’s support team, particularly on Pro and Business plans, can provide valuable guidance for optimization and troubleshooting.

Ready to implement secure, reliable IP whitelisting for your website? Start with the method that best fits your current needs, and remember that you can always evolve your approach as your business requirements change. The investment in proper IP whitelisting implementation pays dividends in improved security, reduced false positive blocking, and seamless access for legitimate users.

Frequently Asked Questions

How long does it take for IP whitelist changes to take effect?

Cloudflare rule changes typically propagate across their global network within 30-60 seconds. However, cached responses might take longer to clear:

• Custom Rules: 30-60 seconds for full global propagation
• IP Access Rules: Immediate effect, usually within 10-15 seconds
• Cached Security Responses: May take 2-5 minutes to fully clear
• Browser Cache: Users may need to clear browser cache or use incognito mode

Pro Tip: If changes don’t take effect immediately, try clearing Cloudflare’s cache (Caching → Configuration → Purge Everything) and have users test from an incognito/private browser window.

Can I whitelist multiple IPs at once in Cloudflare?

Yes, there are several methods for bulk IP whitelisting:

Custom Rules Method (Most Flexible):

IP Source Address is in {203.0.113.100 203.0.113.101 203.0.113.102 198.51.100.0/24}

This single rule can include individual IPs and IP ranges.

IP Access Rules Method (Simple but Manual): Add each IP individually through the IP Access Rules interface. While more time-consuming, this method works on all plans including Free.

Lists Method (Business Plan+): Create an IP list containing hundreds or thousands of addresses, then reference the list in Custom Rules. This is the most scalable approach for large organizations.

What’s the difference between “Allow” and “Whitelist” in Cloudflare?

The terminology can be confusing, but here’s the breakdown:

“Allow” Action in Custom Rules:

• Permits traffic to continue through Cloudflare’s security pipeline
• Still processes some security features (like certain WAF rules)
• Recommended for most whitelisting scenarios
• Provides good balance of access and security

“Allow” in IP Access Rules:

• Bypasses virtually ALL Cloudflare security features
• Strongest form of whitelisting available
• Traffic passes through with minimal processing
• Best for trusted IPs that need unrestricted access

Practical Recommendation: Start with “Allow” in Custom Rules for most scenarios, and only use IP Access Rules “Allow” for completely trusted traffic sources.

How do I find my current IP address for whitelisting?

Quick Methods:

• Visit whatismyipaddress.com for instant IP detection
• Google search “what is my ip address” for immediate results
• Use command line: curl ifconfig.me or dig +short myip.opendns.com @resolver1.opendns.com

Important Considerations:

Dynamic vs Static IPs:

• Home/Office Internet: Often dynamic (changes periodically)
• Business Internet: May be static (consistent) or dynamic
• Mobile Networks: Always dynamic and change frequently
• VPN Services: Can be static (dedicated IP) or dynamic

Pro Tip: If your IP changes frequently, consider using IP ranges (CIDR notation) like 203.0.113.0/28 to cover multiple addresses in your ISP’s pool.

Can I whitelist an entire country or region?

Yes, Cloudflare offers several geographic whitelisting options:

Country-Level Whitelisting:

Custom Rule Example:
Country is in {"US" "CA" "GB"}
Action: Allow

Combined Geographic and IP Rules:

Advanced Example:
(Country equals "United States" AND IP Source Address is in {203.0.113.0/24}) OR
(IP Source Address is in {10.0.0.0/16})

Available Geographic Filters:

• Country: Two-letter country codes (US, GB, DE, etc.)
• Continent: Broad continental groupings
• Region/State: Available in some countries (US states, etc.)
• ASN (Autonomous System Number): ISP-level filtering

Why is my whitelisted IP still being challenged?

Common Causes and Solutions:

1. Rule Precedence Issues: More restrictive rules may be processing before your whitelist rule.

Solution: Check Custom Rules order - whitelist rules should be at the top
Go to Security → WAF → Custom Rules and drag whitelist rules above blocking rules

2. Multiple Security Features Active: Different security systems may conflict with your whitelist.

Check These Settings:
- Bot Fight Mode (Security → Bots)
- Rate Limiting (Security → WAF → Rate limiting rules)  
- WAF Managed Rules (Security → WAF → Managed rules)
- Security Level (Security → Settings)

Solution: Use "Skip" actions in Custom Rules to bypass specific features

3. Cached Security Responses: Previous security challenges may be cached.

Solutions:
- Clear Cloudflare cache: Caching → Configuration → Purge Everything
- Clear browser cache and cookies
- Test in incognito/private browsing mode
- Wait 2-5 minutes for cache expiration

How many IPs can I whitelist on the free plan?

IP Access Rules: Unlimited individual IP addresses can be added through IP Access Rules, even on the Free plan. This is the most scalable option for Free plan users.

Custom Rules Limitation: Free plans are limited to 5 Custom Rules total, but each rule can contain multiple IP addresses:

Single Custom Rule Can Include:
- Up to ~1,000 individual IP addresses in a single "is in" condition
- Multiple IP ranges using CIDR notation
- Combination of individual IPs and ranges

Example Efficient Rule:
IP Source Address is in {
  203.0.113.0/24        # 256 IP addresses  
  198.51.100.100        # 1 individual IP
  192.0.2.0/28          # 16 IP addresses
  10.0.0.0/16           # 65,536 IP addresses
}
Total: 65,809 IP addresses in one Custom Rule

Do I need to whitelist IPv6 addresses separately?

Yes, IPv4 and IPv6 are treated as separate address spaces and typically need separate whitelisting rules.

Why This Matters: Modern devices and networks often support both IPv4 and IPv6 (dual-stack networking). Depending on network conditions, your device might connect using either protocol:

Method 1: Combined Rule (Recommended):

Rule: "Office Access - Dual Stack"
Condition: (IP Source Address is in {203.0.113.0/24}) OR
           (IP Source Address is in {2001:db8:85a3::/48})
Action: Allow

Finding Your IPv6 Address:

• Visit whatismyipaddress.com – shows both IPv4 and IPv6
• Command line: curl -6 ifconfig.co (forces IPv6)
• Many users won’t have IPv6 – it’s becoming more common but not universal

Have questions about implementing IP whitelisting for your specific use case? Leave a comment below and our team will help you create the perfect whitelisting strategy for your business needs.