For additional security and preventing un-authorized IP addresses from accessing Matomo (Piwik) dashboards, you can configure a set of allowed IP addresses. Since Matomo 3.6 you can also configure hostnames. However, please consider that any hostname will be resolved within each request. This may slightly slow down your Matomo.

IP addresses can be allowlisted by adding them under your [General] section in config/config.ini.php:

login_allowlist_ip[] =
login_allowlist_ip[] = 204.93.240.*
login_allowlist_ip[] =
login_allowlist_ip[] = 2001:db8::/48
login_allowlist_ip[] =

When configured, only users from a configured IP address can log into your Matomo. You can define one or multiple ; IPv4, IPv6, and IP ranges.

By default, if a allowlisted IP address is specified via login_allowlist_ip[] then both the reporting user interface as well as HTTP Reporting API requests will only work for these allowlisted IPs. But in some cases you need to allow all IP addresses access to your Matomo HTTP Reporting API endpoint. To allow all IP addresses to access the Matomo Reporting API, set in your config file under [General]:

login_allowlist_apply_to_reporting_api_requests = 0

When allowlisted IP addresses are configured and you try to access Matomo but your IP is not allowed, you will see an error like this: “You cannot use this Matomo as your IP is not allowlisted”.

See also: How do I exclude traffic from an IP or a range of IP addresses?

Previous FAQ: What is two-factor authentication?