Access Control
Access Control features allow you to restrict who can access your website based on IP addresses, geographic location, and specific URI paths.
IP Whitelist
What it is: A list of IP addresses that are always allowed to access your site, bypassing all other security checks.
Use cases:
- Your office IP address
- Admin/developer IP addresses
- Trusted partner IPs
- Monitoring services
Format: One IP address per line, supports CIDR notation
192.168.1.100
203.0.113.0/24
2001:db8::1
Important: Whitelisted IPs bypass WAF, rate limiting, and geographic restrictions. Only whitelist IPs you fully trust.
IP Blacklist
What it is: A list of IP addresses that are always blocked from accessing your site.
Use cases:
- Known attacker IPs
- Spam sources
- Abusive users
Response Options:
- 403 Forbidden: Show "Access Denied" message
- 404 Not Found: Pretend the site doesn’t exist
- 451 Unavailable: Legal/compliance blocking
Format: Same as whitelist – one IP per line, supports CIDR notation
Geographic Access Control
What it is: Block or allow access based on the visitor’s country.
Block Mode: Select countries to block (all others allowed)
Allow Mode: Select countries to allow (all others blocked)
Use cases:
- Comply with data privacy regulations (GDPR)
- Reduce spam from specific regions
- Restrict service to specific countries
Important: Geographic blocking is based on IP geolocation databases which are ~95% accurate but not perfect.
Page Protection Rules
What it is: Apply security actions to specific URI patterns – IP restrictions, rate limiting, or CAPTCHA challenges.
Use cases:
- Protect /admin area to office IPs only
- Rate limit /api/* endpoints to prevent abuse
- Add CAPTCHA to /wp-login.php for brute-force protection
- Lock down sensitive pages with custom response codes
Creating a Protection Rule
- Enable the rule with the toggle
- Rule Name: Give it a descriptive name (e.g., "Admin Area Protection")
- URI Pattern: Specify what to protect
- Wildcard: /admin/* (protects all admin pages)
- Exact: /api/internal (protects specific path)
- Prefix: /api* (matches /api, /api/, /api/v1, etc.)
- Action: Choose the protection method:
- IP Restriction: Block/allow based on IP addresses
- Rate Limiting: Limit requests per minute per IP
- Captcha Challenge: Require proof-of-work verification before access
- Geographic Access: Block/allow based on visitor’s country
IP Restriction Action
When you choose IP Restriction:
- Whitelisted IP Groups: Select reusable IP groups
- Additional IPs: Add specific IPs for this rule only
- Inherit Global Whitelist: Include IPs from global whitelist
- Response Action: What to return to blocked users
- 403 Forbidden: Standard "Access Denied"
- 404 Not Found: Stealth mode (hide resource)
- 451 Unavailable: Legal/compliance blocking
- 503 Service Unavailable: Maintenance mode
- CAPTCHA: Proof-of-work challenge
Example: Protect admin area
Rule Name: Admin Area Protection
URI Pattern: /admin/*
Action: IP Restriction
Whitelisted IPs: 203.0.113.45
Inherit Global Whitelist: Yes
Response Action: 404 Not Found
Rate Limiting Action
When you choose Rate Limiting:
- Requests Per Minute: Maximum requests per IP (1-10,000 for Free/Advanced)
- Allow Global Whitelist to Bypass: Let trusted IPs bypass the limit
Response: Always returns HTTP 429 (Too Many Requests) when limit exceeded.
Example: Protect login page
Rule Name: Login Brute-Force Protection
URI Pattern: /wp-login.php
Action: Rate Limiting
Requests Per Minute: 10
Allow Global Whitelist to Bypass: Yes
See the Rate Limiting guide for more details.
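A small per-IP limiter, added here as an illustration (not Atomic Edge's own implementation), that walks through the "Login Brute-Force Protection" example above: 10 requests per minute per IP, HTTP 429 when exceeded, and the global whitelist allowed to bypass. The fixed 60-second sliding window and the choice not to count rejected requests are assumptions; the page does not document the product's exact algorithm.

```python
import ipaddress
from collections import defaultdict, deque

class RateLimitRule:
    """Per-IP sliding-window limiter (assumed 60 s window; product algorithm not documented)."""

    def __init__(self, requests_per_minute, global_whitelist=(), allow_whitelist_bypass=True):
        self.limit = requests_per_minute
        self.nets = [ipaddress.ip_network(n, strict=False) for n in global_whitelist]
        self.bypass = allow_whitelist_bypass          # "Allow Global Whitelist to Bypass"
        self.hits = defaultdict(deque)                # client IP -> timestamps of accepted requests

    def check(self, ip, now):
        """Return 200 if the request may proceed, 429 (Too Many Requests) if the limit is hit."""
        if self.bypass and any(ipaddress.ip_address(ip) in n for n in self.nets):
            return 200
        q = self.hits[ip]
        while q and now - q[0] >= 60:                 # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return 429                                # rejected requests are not counted
        q.append(now)
        return 200

def demo():
    """Constructed walk-through: 12 login attempts in 12 seconds from one untrusted IP."""
    rule = RateLimitRule(10, global_whitelist=["203.0.113.0/24"])
    statuses = [rule.check("192.0.2.10", now=t) for t in range(12)]
    trusted = rule.check("203.0.113.45", now=0)       # whitelisted, never limited
    later = rule.check("192.0.2.10", now=61)          # oldest hits have aged out
    return statuses, trusted, later
```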
Captcha Challenge Action
When you choose Captcha Challenge:
- Allow Global Whitelist to Bypass: Let trusted IPs bypass the captcha
Response: Redirects to captcha challenge page. After solving, user is returned to original URI.
Use Cases:
- Brute-force protection for login pages (/wp-login.php)
- Bot protection for registration forms
- Prevent automated scraping of sensitive content
- Add friction to API abuse without hard blocking
Example: Protect login page
Rule Name: Login Captcha Protection
URI Pattern: /wp-login.php
Action: Captcha Challenge
Allow Global Whitelist to Bypass: Yes
How it works:
- User requests protected URI (e.g., /wp-login.php)
- Caddy redirects to captcha challenge page
- User solves proof-of-work challenge
- User is redirected back to original URI
- Session expires after use (one-time verification)
Geographic Access Action
When you choose Geographic Access:
- Geographic Access Mode: Choose whitelist or blacklist mode
- Whitelist Mode: Only allow selected countries (block all others)
- Blacklist Mode: Block selected countries (allow all others)
- Allowed/Blocked Countries: Select countries from the list
- Response Status Code: HTTP status returned to blocked visitors
- 403 Forbidden: Standard access denied
- 404 Not Found: Stealth mode
- 451 Unavailable For Legal Reasons: Legal/compliance blocking (recommended)
- 503 Service Unavailable: Maintenance mode
- 410 Gone: Resource permanently removed
- Block Message: Custom message shown to blocked visitors
Use Cases:
- Restrict specific content to certain regions (/eu-only/* → whitelist EU countries)
- Block high-risk countries from admin areas (/admin/* → blacklist specific countries)
- Comply with regional data regulations (GDPR, CCPA)
- Reduce spam/abuse from specific regions on API endpoints
Example: Restrict admin to US/CA only
Rule Name: Admin Geographic Restriction
URI Pattern: /admin/*
Action: Geographic Access
Mode: Whitelist
Allowed Countries: US, CA
Response Status Code: 451 Unavailable For Legal Reasons
Block Message: This content is not available in your region
Example: Block high-risk countries from login
Rule Name: Login Geographic Protection
URI Pattern: /wp-login.php
Action: Geographic Access
Mode: Blacklist
Blocked Countries: CN, RU, KP
Response Status Code: 403 Forbidden
Block Message: Access denied from your location
Important Notes:
- Geographic blocking uses IP geolocation databases (~95% accurate)
- VPN users can bypass geographic restrictions
- No country limit per page rule (only limited by number of rules in your plan)
- Global geographic access control still available for site-wide blocking
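The evaluator below, added here as an illustration and not Atomic Edge's own code, ties together the IP list format (one IP or CIDR per line), the three URI pattern types, the "Admin Area Protection" IP Restriction example and the "Login Geographic Protection" example. The evaluation order (global blacklist first, then rules in order, first matching enabled rule decides), the exact wildcard semantics, and the sample blacklist range are assumptions; the page only states that rules are evaluated in order.

```python
import ipaddress

def parse_ip_list(text):
    """Whitelist/blacklist format: one IP or CIDR range per line (IPv4 or IPv6)."""
    return [ipaddress.ip_network(l.strip(), strict=False)
            for l in text.splitlines() if l.strip()]

def ip_in(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def uri_matches(pattern, path):
    """A trailing * matches any continuation: /admin/* covers everything below
    /admin/, /api* covers /api, /api/ and /api/v1. Otherwise exact match (assumed)."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def evaluate(req, global_whitelist, global_blacklist, rules, blacklist_status=403):
    """req = {"ip", "path", "country"}; returns the HTTP status the edge would send
    (200 = request passes). Assumed order: global blacklist, then rules in order,
    first matching enabled rule decides."""
    ip, path = req["ip"], req["path"]
    trusted = ip_in(ip, global_whitelist)
    if not trusted and ip_in(ip, global_blacklist):
        return blacklist_status
    for rule in rules:
        if not rule.get("enabled", True) or not uri_matches(rule["pattern"], path):
            continue
        if trusted and rule.get("inherit_global_whitelist"):
            return 200                        # "Inherit Global Whitelist" bypass
        if rule["action"] == "IP Restriction":
            return 200 if ip_in(ip, rule["allowed"]) else rule["response"]
        if rule["action"] == "Geographic Access":
            listed = req.get("country") in rule["countries"]
            blocked = listed if rule["mode"] == "Blacklist" else not listed
            return rule["response"] if blocked else 200
    return 200

GLOBAL_WHITELIST = parse_ip_list("192.168.1.100\n203.0.113.0/24\n2001:db8::1")
GLOBAL_BLACKLIST = parse_ip_list("198.51.100.0/24")      # constructed sample range
RULES = [  # the two worked examples from this page, in order
    {"name": "Admin Area Protection", "pattern": "/admin/*", "action": "IP Restriction",
     "allowed": parse_ip_list("203.0.113.45"), "inherit_global_whitelist": True, "response": 404},
    {"name": "Login Geographic Protection", "pattern": "/wp-login.php", "action": "Geographic Access",
     "mode": "Blacklist", "countries": {"CN", "RU", "KP"}, "response": 403},
]
```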
Best Practices
- Always whitelist your own IP before enabling restrictions
- Test from a non-whitelisted IP to verify blocking works
- Use 404 for stealth – attackers won’t know the resource exists
- Document your rules – use descriptive rule names
- Monitor logs – check for legitimate users being blocked
Troubleshooting
I’m locked out of my own site
- Contact support to temporarily disable access control
- Always whitelist your IP before enabling restrictions
Legitimate users are being blocked
- Check if their country is in the blocked list
- Verify their IP isn’t in the blacklist
- Check Page Protection rules for conflicts
Geographic blocking isn’t working
- Verify the feature is enabled
- Check that countries are selected
- Note: VPN users may bypass geographic restrictions
Frequently Asked Questions
What is IP whitelisting and how do I use it?
Granting trusted IPs unrestricted access
IP whitelisting allows specific IP addresses to bypass security measures like WAF rules, rate limiting, and geographic restrictions. Add IPs that should always have access, such as your office, home network, or monitoring services. Format: single IPs (192.168.1.100), CIDR notation (192.168.1.0/24), or comma-separated values.
How does the IP blacklist work?
Blocking malicious IP addresses
The IP blacklist immediately blocks all requests from specified addresses before any other processing. Blocked visitors see a 403 Forbidden error. Use it for known attackers, spammers, or IPs you want to permanently block. You can add single IPs, CIDR ranges, or comma-separated lists.
What's the difference between whitelist and blacklist modes for geographic blocking?
Understanding geographic access control modes
Whitelist mode only allows traffic from selected countries (blocks everyone else). Blacklist mode blocks selected countries (allows everyone else). Use whitelist for strict regional compliance (e.g., EU-only content) and blacklist to block high-risk regions while allowing most traffic.
What response codes should I use for blocked visitors?
Choosing the right HTTP status for access denial
Choose based on your intent: 403 Forbidden is standard access denial. 404 Not Found provides stealth (attackers don't know the resource exists). 451 Unavailable For Legal Reasons signals legal/compliance blocking. 503 Service Unavailable suggests maintenance. 410 Gone indicates permanent removal.
What are Page Protection Rules?
Path-specific access control configuration
Page Protection Rules let you apply different security controls to specific URLs or patterns. You can set actions like IP Restriction, Rate Limiting, Captcha Challenge, or Geographic Access per URI pattern. Use wildcards like /admin/* to protect all paths under a directory. Rules are evaluated in order.
How does the Captcha Challenge action work?
Bot protection through proof-of-work verification
When a user requests a captcha-protected URI, they're redirected to a proof-of-work challenge page. After solving it, they return to the original URL. The verification is one-time per session. Use it for brute-force protection on login pages, registration forms, or to add friction against automated abuse without hard blocking.
Can I apply different security rules to different parts of my site?
Using Page Protection Rules for granular control
Yes! Create Page Protection Rules with different URI patterns and actions. For example: rate limit /wp-login.php at 10 requests/minute, require captcha for /admin/*, and whitelist only US/CA for /api/payments/*. Each rule can have its own action type, countries, rate limits, and whitelist bypass settings.
What happens if my IP gets accidentally blacklisted?
Recovering from accidental self-blocking
Always whitelist your own IP before enabling restrictions. If locked out, contact Atomic Edge support to temporarily disable access control. Best practice: add your home IP, office IP, and any VPN IPs to the whitelist first, then test blocking from a non-whitelisted IP before enabling site-wide.
How accurate is geographic blocking?
Understanding IP geolocation limitations
Geographic blocking uses IP geolocation databases with approximately 95% accuracy. VPN users and proxies can bypass geographic restrictions. Mobile users may appear in different locations. Use geographic blocking as one layer of defense, not your only security measure.
Can I use the global whitelist with Page Protection Rules?
Inheriting global whitelist in page-specific rules
Yes! Enable 'Allow Global Whitelist to Bypass' in your Page Protection Rules. This lets your globally whitelisted IPs (office, home, monitoring services) bypass page-specific restrictions without adding them to each rule individually. Useful for admin areas that need both strict access control and trusted IP bypass.
