How to whitelist request paths

This option is used to prevent requests to particular paths on your site from triggering the IP blacklisting system.

That is to say, if you specify the following whitelisted path:


... and a visitor makes a request to your site to this URL: /my-whitelisted-path/

... and it triggers the Shield Security system to blacklist or blackmark the visitor IP address, this trigger will be ignored.

This option should be used with care as you could inadvertently whitelist paths that should be protected.

If you find you're adding a lot of paths to this list, then you're probably doing it wrong and you should contact support for guidance. For example, you shouldn't whitelist your "wp-admin", or "wp-login.php" paths... these should always remain protected and shouldn't be whitelisted.

An example where you might want to always whitelist a path is for a particular API request against the site. We do this for our Shield Security Pro license checking to ensure that websites do not inadvertently blacklist their IP address with us and can no longer check for a licenses.

All Path Entries Are Exact Comparisons

For each rule, if the path of the request path matches exactly with your rule, then the request will be whitelisted.

Here is one example:


This will whitelist the following request paths:

  • /my-whitelisted-path/

But it will not whitelist the following:

  • /my-whitelisted-path/abc/
  • /my-whitelisted-path/abc/123/

You May Use The Wildcard Character (*) To Match Multiple Characters

The example above was of an exact match rule.

But to make your rule match the other 2 requests above, you can use an asterisk (*) to match any character. For example:


This rule will match the following:

  • /my-whitelisted-path/
  • /my-whitelisted-path/abc/
  • /my-whitelisted-path/abc/123/

All Path Entries Are Treated As Case-Insensitive

This means that the path:


will match:

  • /my-whitelisted-path/
  • /My-Whitelisted-Path/

There Is No Automatic Adjustment for Trailing Slash (/)

Every website handles the trailing slash differently. And Shield does not try to handle them automatically.

This means that if you want to ensure that you whitelist "/my-whitelisted-path/" and "/my-whitelisted-path", you must specify both rules, e.g.:


All Whitelist Entries Are Matched Only Against The Path, NOT The Query String

This means that if a visitor requests:


only the section before the "?" will be examined, and "?param1=value1&param2=value2will be completely ignored.

All Whitelist Entries Are Tested Against Your WP & Home Page URL

If any of your whitelist rules match your WP Home URL, they are automatically removed.

For example, if you simply suppled "/", this will match against your home URL and be removed from the list.