Web Rules Engine

The Web Rules Engine is a User Portal-based service that enables you to self-serve site access rules as an alternative to .htaccess rules. The service currently supports management of the following rule types: IP Allow/Deny rules.


The Web Rules Engine enables you to self-manage certain site behaviors from the User Portal, such as:

  • Disallowing IP/Range access to protect against malicious attacks and other negative site behavior
  • Allowing IP/Range access for known good actors
  • Preventing direct access to private files

For those who previously leveraged .htaccess file rules to self-manage and control these behaviors, the Web Rules service can now be used instead via the User Portal. 

Access Web Rules

To access the Web Rules engine for any environment:

  1. Log in to the User Portal
  2. Select the environment name
  3. Click Web Rules in the menu

Web Rules functionality is enabled by default on all environments. If you do not see the “Web Rules” link in your User Portal, please reach out to our Support team.

In some cases there may temporarily be a third Global Setting available on the page above that reads “Enable .htaccess support”. This option is only available in specific cases, you can learn more about it here.

Add Web Rule

To add a new web rule:

  1. Open the Web Rules engine
  2. Click Add Rule
  3. Enter the rule
  4. Click Add Rule to validate and save the new rule
  5. Once your web rules have been validated and applied, they will populate in the rule table

Insert Relative Web Rule

Users with existing web rules have additional options for adding new rules in relation to existing rules. This can be useful when creating rules whose order is significant.

  1. Open the Web Rules page
  2. Locate an existing rule
  3. Click the 3 dot menu icon to the right
  4. Select Insert rule above or Insert rule below

Edit Web Rule

To edit an existing web rule, for example manually changing the order or IP:

  1. Open the Web Rules page
  2. Locate the rule you wish to edit
  3. Click the 3 dot menu icon to the right
  4. Select Edit Rule
  5. Make the necessary changes, then click Save and apply to revalidate and apply the update

Delete Web Rule

To delete an existing web rule:

  1. Open the Web Rules page
  2. Locate the rule you wish to edit
  3. Click the 3 dot menu icon to the right
  4. Select Delete Rule

Web Rule Order

Web rules are read from top to bottom and the web Rule order allows you to manually organize the rules. The lowest order number is at the top of the list (read first) and the highest order number is at the bottom of the list (read last). Rules must have an order value that is greater than zero and should be within a reasonable range. For example, if you have two rules they should have the order 1 and 2, not 1 and 100.

The order of web rules can be critical to how they function because rules can impact each other depending on the order they are read. Rules that are read first take priority. For example, an IP range can be blocked but a specific IP address within that range can be allowed. To do this the rule allowing the specific IP address must be read before (listed above) the rule blocking the IP range.

For example, to block all IPs from accessing the wp-admin but allow a single IP access, the rules should look like the following:

When adding a rule relative to another rule the order values will be updated automatically. It’s recommended to use the relative adding method when possible, rather than manually setting each value, to ensure the order is applied as intended.

Web Rule Conditions

The Web Rules engine currently supports Allow/Deny for IP addresses/IP ranges with conditions.

Conditions can be one of the following types:

  • URI

Conditions can with the following operators, depending on the type:

  • Equal to ( = )
  • Not equal to ( != )
  • Regex match ( ~ )
  • Negative regex match ( !~ )

Below are the supported parameters for each conditional variable type:

TypeName [Optional]Operator(s)Value
URInull=, ~, !=, !~str
QUERY_ARGnull=, ~, !=, !~str
REQUEST_METHODnull=, !=enum
HEADERstr=, ~, !=, !~str

Web Rule Examples

Below are some examples of common rules you may use. Rules can be modified as necessary, for example switching deny and allow, or using an IP range versus a single IP.

Deny an IP address:

  • Action: Deny
  • IP: [IP address to deny]
  • Conditions: None are needed

Deny a bot by way of its user agent:

  • Action: Deny
  • IP: All
  • Conditions:
    • Type: Header
    • Name: User-Agent
    • Operator: Regex matches (~)
    • Value: [Enter the actual user agent name in this field] EX: badbot

Block xmlrpc.php for all IP addresses:

  • Action: Deny
  • IP: All
  • Conditions:
    • Type: URI
    • Operator: Regex matches (~)
    • Value: xmlrpc.php

Allow a single IP address access to wp-admin and deny all other IPs access:

First rule:

  • Order: 1
  • Action: Allow
  • IP: [IP address to allow]
  • Conditions:
    • Type: URI
    • Operator: Regex matches (~)
    • Value: wp-login

Second Rule:

  • Order: 2
  • Action: Deny
  • IP: All
  • Conditions:
    • Type: URI
    • Operator: Regex matches (~)
    • Value: wp-login

NEXT STEP: Learn how to enable WebP for image optimization

Still need help? Contact support!

We offer support 24 hours a day, 7 days a week, 365 days a year. Log in to your account to get expert one-on-one help.

The best in WordPress hosting.

See why more customers prefer WP Engine over the competition.

Chat with us!