With the Restricted Site Access plugin, you can restrict public access to WordPress and only allow access for registered visitors or certain IP addresses. Visitors without access can choose to see a certain page, message or login screen or are forwarded to another URL.
Restricted Site Access Plugin
You can download Restricted Site Access from the official WordPress.org directory. The plugin is actively maintained and further developed. Questions and problems are regularly replied to in the support forum.
Configure access to WordPress website
After installing the plugin, you can configure access to your WordPress installation under Settings → Read in your WordPress backend. For this purpose, the option for visibility in search engines is extended by another checkbox.
Attention: When the plugin is activated, access to the website for unregistered visitors is automatically limited and the plugin is active, even without configuration.
In the second option of the plugin, you can set how the plugin should behave for visitors without access to the website. You can send unregistered visitors to the WordPress login screen, forward them to any URL, or display a static page of your WordPress installation.
Depending on the option selected, additional settings open, e.g. B. to define the URL and the status code for forwarding.
Allow access to WordPress for specific IP addresses or IP ranges
While access to the WordPress installation is only allowed for registered visitors by default, you can also activate certain IP addresses or IP ranges for access. After entering one or more IPs, these visitors can visit the website normally without registering.
This enables public intranets or extranets, for example, to be implemented. The option can also be useful for developers, for example to give customers access to test the website in advance.
Limitations of the plugin
It is important to note that the plugin can restrict access to the WordPress installation, but is not active on the server level. Among other things, this means that uploaded files such as images can still be accessed via the direct file URL, WordPress is not running here either.
You also have to be careful with caching plugins. These often save the entire website as static HTML and deliver it to logged-out visitors without WordPress being active. The plugin does not work here, which is why I would generally not use caching in combination with the plugin.
IP addresses can also be falsified and thus unintentionally open access to undesired persons. In short: The plug-in is a practical little helper and useful tool, but I would not operate an intranet with highly sensitive information with it.
If you only want to temporarily switch your website offline for updates and do not need a feature for accessing certain IP addresses, I recommend one of the many plugins instead to put WordPress in maintenance mode.