WAF: Exceptions

Sometimes you do not want to block certain IPs or domain names, for example Google Bot, MSN (Bing) Bot, a third party site management service or a third party CDN service you are using. You can exempt them from blocking. Set the following options to prevent Admin Tools from blocking certain IPs and domain names:

Never block these IPs

Enter a comma-separated list of IPs which should never be automatically blocked. For example, such a list can be, Moreover, since Admin Tools 2.2.a3 you can use IP ranges (e.g., implied IP range notation (127.0.0. for the entire to block) and CIDR block notation (e.g. on top of plain old IP addresses.

This field fully supports both IPv4 and IPv6 addresses.

You may enter a dynamic IP domain name prefixed by the at-sign (for IPv4) or hash-sign (for IPv6). This only applies if you are using a dynamic IP address domain provider (e.g. DynDNS). For example, if you are using DynDNS and your dynamic IP address domain name is example.dyndns.info and resolves to an IPv4 address, you can enter @example.dyndns.info to whitelist your dynamic IPv4 address. Conversely, if your dynamic hostname resolves to an IPv6 address, you can enter #example.dyndns.info to whitelist your dynamic IPv6 address. Be careful to enter the correct domain name, or you may have a delay of up to 30 seconds processing security exceptions.


If you are using the whitelist feature to allow access to the administrator section of your site only to specific IPs, these IPs are automatically added to the safe list of IPs which should never be automatically blocked.


IPs added to this list are fully white-listed. This means that no security measure will be applied against them. Please place only very well trusted IPs in this list! If an attack is launched from this IP, it will not be blocked by Admin Tools!

Whitelisted domains

If the IP address of the visitor who raised a security exception resolves to a domain name ending in what you enter here, they will not be blocked. Effectively, these domain names have a free pass on your site.


Malicious URLs from these domain names WILL be blocked but a. this will not be logged and b. their IP address will not be automatically blocked by the "Auto-ban Repeat Offenders" feature below. This is done to protect your site against reflected search engine attacks. Let us explain this.

Some hackers try to exploit search engines' eagerness to scan URLs, crafting malicious URLs to your site and putting them on their own sites. Search engines will see them and try to visit them on your site. You are whitelisting these search engines as you don't want to lock them out of your site. If the malicious URL wasn't blocked just because the request comes from a seemingly innocent source, your site would be instantly hacked. That's why the malicious URLs are still blocked; they are just not logged and do not cause IP addresses to be automatically banned.

Enter a comma-separated list of the domain names you want to whitelist. The default value is .googlebot.com,.search.msn.com which whitelists the search engine indexers Google Bot (used by Google Search) and MSN Bot (used by Bing).
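
As an added illustration (not Admin Tools' own code), the Python example below models how the two settings on this page treat a request the WAF has already judged malicious. The function names, sample addresses and host names are constructed; the visitor's reverse-DNS host name is supplied by the caller, domain matching is assumed to be the plain "ends with" test the text describes, and @/# dynamic entries are not modelled.

```python
import ipaddress

def ip_matches(ip, entry):
    """True if ip is covered by one entry of the never-block list."""
    addr, entry = ipaddress.ip_address(ip), entry.strip()
    if not entry or entry[0] in "@#":
        return False  # dynamic hostnames (@/#) need a DNS lookup; not modelled here
    if "/" in entry:  # CIDR block notation
        return addr in ipaddress.ip_network(entry, strict=False)
    if entry.endswith("."):  # implied IPv4 range such as "127.0.0."
        octets = entry.rstrip(".").split(".")
        cidr = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
        return addr in ipaddress.ip_network(cidr)
    return addr == ipaddress.ip_address(entry)  # plain IPv4 or IPv6 address

def host_whitelisted(hostname, suffixes):
    """Plain 'ends with' test against the comma-separated whitelisted domains."""
    host = hostname.lower().rstrip(".")
    return any(host.endswith(s.strip().lower())
               for s in suffixes.split(",") if s.strip())

def decide(ip, rdns_host, never_block, domains):
    """Handling of a request the WAF has already judged malicious."""
    if any(ip_matches(ip, e) for e in never_block.split(",")):
        return "not blocked"  # fully whitelisted: no security measure applied
    if rdns_host and host_whitelisted(rdns_host, domains):
        return "blocked, not logged, no auto-ban"
    return "blocked, logged, counts toward auto-ban"

# Constructed sample settings and visitors (documentation address ranges).
NEVER_BLOCK = "192.0.2.10, 198.51.100., 2001:db8:aa::/48"
DOMAINS = ".googlebot.com,.search.msn.com"  # the default value quoted above

if __name__ == "__main__":
    visitors = [("198.51.100.77", None),
                ("2001:db8:aa::5", None),
                ("203.0.113.7", "crawl-203-0-113-7.googlebot.com"),
                ("203.0.113.8", "host.notgooglebot.com"),
                ("203.0.113.9", None)]
    for ip, host in visitors:
        print(ip, host, "->", decide(ip, host, NEVER_BLOCK, DOMAINS))
    # Configuration check: an entry without the leading dot is a looser match.
    print(host_whitelisted("host.notgooglebot.com", "googlebot.com"))
```

Under this plain suffix test, the last line shows why the default entries start with a dot: without it, the entry also matches unrelated domains whose names merely end in the same letters.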