Restricting access to certain parts of a site (e.g. the WordPress Admin) to a defined list or range of IP addresses can be done at the application level.
For this to apply, users must be logged in to access the restricted portions of the site. This is to avoid the caching and leaking of restricted content.
To enforce this, hook into the WordPress login flow and all subsequent logged in requests, and reject access if the user is not visiting from an authorized IP address.
What is restricted
Restrictions that are implemented at the application level via code allow for full control over which WordPress content and pages are restricted.
These restrictions will only apply to content generated by WordPress; media and static assets will continue to be publicly accessible.
Content will also continue to be syndicated via Jetpack’s content distribution tools. To modify this behavior, review available options to Control Content Distribution via Jetpack.