This module allows administrators to restrict access to the site to an administrator defined set of IP addresses. Anyone trying to access the site from an IP address not in the list of allowed IP addresses will be redirected to an access denied page with the message "Your address is not in the list of allowed IP addresses". No blocks will be rendered, and no JavaScript will be added to the page. This will happen for any and all pages these users try to access. The module also has various configuration options to whitelist or blacklist pages, bypass IP checking by role, and alter the output when the user is blocked.


  • IP check can be bypassed by role. Roles are selected on the site permissions page, after enabling this feature on the module settings page
  • When roles are allowed to be bypassed, users can either be redirected to the login page, or be shown a link to the login page on the access denied page
  • IP checking can be set for the entire site (check IP addresses on any and all paths), selected paths can be blacklisted (check IP addresses only on those paths), or selected paths can be whitelisted (check IP addresses on all paths other than those paths)
  • Countries can be whitelisted (only users from those countries will be allowed access) or blacklisted (users from those countries will not be allowed access). Note that this functionality requires the following modules:
  • Regions on the page can be whitelisted by implementing hook_restrict_ip_whitelisted_regions() (see restricted_ip.api.php)
  • JavaScript files can be whitelisted by implementing hook_restrict_ip_whitelisted_js_keys() (see restricted_ip.api.php)
  • The output on the access denied page can be changed/added to/removed by implementing hook_restrict_ip_access_denied_page_alter() (see restricted_ip.api.php)
  • Comments can be added to the configuration page, allowing users to leave notes on which IP address (or range) is for what. Comments of the following formats are allowed:
    • //comments
    • #comment
    • /*
  • The README.txt contains recipes on how to perform various actions, and customize the output when a user is restricted by IP address
  • Denied access attempts can be logged to to the Drupal log. This requires the Database logging (dblog aka watchdog) module to be enabled, and the box to be checked on the settings page.
  • Whitelisted URLs can be added to the settings.php file, by creating the following array:
    • D8: $conf['ip_whitelist']. Example:

      $conf['ip_whitelist'] = [''];

    • D7: $conf['restrict_ip_whitelist']. Example:

      $conf['restrict_ip_whitelist'] = array('');


8.x-2.0-beta1 has been released, with the white/black listing by country feature enabled, however, no automated tests have yet been written. It seems to work fine, and could use some user testing. A release candidate and full version will be released after automated tests have been written.


  1. Install the module as you would any other module
  2. Navigate to Admin -> Configuration -> People -> IP Address Whitelist
  3. Enter enter allowed IP addresses. You can enter either a single address in IPv4 or IPv6 format, or a range of addresses in the form of AAA.BBB.CCC.XXX - AAA.BBB.CCC.YYY. Each address or range of addresses should go on a separate line.
  4. Ensure the 'Enable module' checkbox is checked
  5. Submit the form to enable the module


If you enable IP restriction and do not enter your own IP address, you will be locked out of the site immediately upon save. Your own IP address is given on the settings page so that you can enter it into the list. If you do accidentally lock yourself out of your site, see the README.txt file for instructions on how to get back access to the site.

Project Information