IP Vault lets you protect your WordPress backend – and any other part of your website – from non verified users.
IP Vault Firewall also preserves your server ressources and bandwidth by blocking hacking attempts before they reach your site.
How does it work ?
Requests to protected files and folders are redirected to the Authentication Page. IP Vault unlocks user’s IP addresses using a key
that is emailed for authentication. Once users verify their account, they can access all restricted areas. Users are automatically verified on registration.
What is protected ?
Out-of-the box, IP Vault restricts access to
.phtml files, as well as
wp-admin folder, which are frequently exploited by bad bots and hackers.
You can choose which part of your site to protect. Need to make the whole website private ? No problem, just restrict access to
The story behind this plugin
In the past 20 years, I have been monitoring a few dozen client sites to prevent malicious access. I have also helped a great number of people to clean their website from malware.
I noticed that even marginal WordPress sites or non-wordpress PHP based sites are constantly exposed to hacking attempts.
Almost all exploits I have seen work by either calling a vulnerable PHP script already on the server, by adding such a script or by injecting their own code into an existing script.
I have tried and tested quite a few security plugins. They can be quite complex to set up and to maintain. Some security plugins try to block access to vulnerable files by comparing requests to a blacklist.
These tend to become quite large and need frequent updates to be efficient. Others use geo-blocking services to block requests from certain countries. However in my experience, hacking attempts can come from just about any location.
I thought there must be a better way using whitelists for verified users instead. And that’s how the idea for IP Vault was born.
- add option to get auth code by SMS (requires users to register phone number)
I love this plugin. How can I contribute ?
- Rate plugin and leave feedback on WordPress.org
- Help resolve questions in support forums
- Help with translations
This plugin uses the following 3rd Party services :
ip-api.com – used to offer insights into IP addresses, namely country and city information. Terms and Policies
ipify.org – used to map IPv6 addresses to IPv4. Terms and Policies
There are no reviews for this plugin.
Contributors & Developers
“Two-factor authentication (formerly IP Vault)” is open source software. The following people have contributed to this plugin.Мүчөлөрү
Translate “Two-factor authentication (formerly IP Vault)” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
- optimization : added a 404 header to disallowed requests, in order to discourage bots from returning
- optimization : mapping (frequently changing) IPv6 addresses to IPv4 using third party service ipify
- fixed potential XSS vulnerabilities
- optimization : complete rewrite of authentication method : replaced secret URL by a 4-digit pin code
- various small fixes
- optimization : set transient for api calls (cache results for 1 week)
- experimental feature : use ASN for authentication (useful if your public IP changes often)
- optimisation : limit requests to ip-api to unknown IP addresses (IPs not yet logged)
- optimisation : settings link added to plugin screen
- optimisation : allow custom comments for whitelisted IPs
- fixed minor bug : title on stats screen displays correct date
- fixed minor bug : removing IP addresses with backslashes from whitelist
- fixed minor bug : missing envelope.svg
- tested up to WP version 5.7.2
- redesigned bar chart and added daily tables in statistics
- authentication mail back to plain text to optimise deliverability
- various small fixes
- added a
soft rewritemode, as
.htaccessmode can be tricky on some installs
- cosmetic changes to authentication mails, now using html
- improved logging and statistics, database cleaned through daily cron job
- Reengineered auth page (no longer depending on frontend page)
- New logo and redesigned auth page
- Improved style and optimised ressource usage
- a lot of small changes
Fixed issue where settings were not properly removed on uninstall