Is it possible to spoof your IP... is testing IP addresses secure?

My question is, is this secure? Or could someone potentially spoof their IP to appear like they are on our domain and gain access to these features?

No, unless they also have access to the networks of one of the allowed IPs, or any of the allowed machines under one of the IPs is compromised and proxies traffic.

In your scenario, it seems good enough. Well, except the privileged users will not be allowed to access the content from other IPs without some kind of VPN.

Note that IP spoofing generally has a different meaning than the one you're using. It means only forging the source address of a packet. This by itself is worthless because to access the service, it would also be necessary to receive the response from the server. Even "IP spoofing" in this sense is rare today due to better routing.


It is impossible to spoof a TCP connection over the open internet due to the Three Way Handshake. However, it may be possible to access this feature using CSRF.

PHP pulls $_SERVER['REMOTE_ADDR'] directly from Apache's TCP socket, therefore it cannot be influenced by an attacker. And yes, I have looked at this code.
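
An added example, not code from the question or the answers: a PHP allowlist check that, following the point above about $_SERVER['REMOTE_ADDR'], decides only on the socket peer address and never reads client-supplied headers such as X-Forwarded-For. The networks, function names and sample request are constructed for illustration.

```php
<?php
// Constructed documentation ranges (RFC 5737 / RFC 3849), not from the page.
const ALLOWED_NETWORKS = ['192.0.2.0/24', '198.51.100.17/32', '2001:db8:10::/48'];
// True when $ip lies inside $cidr; works for IPv4 and IPv6.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Reject unparsable input and IPv4/IPv6 family mismatches.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    // A non-numeric prefix is rejected: cast to int it would become /0.
    if ($bits !== null && !ctype_digit($bits)) {
        return false;
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits === null ? $max : (int) $bits;
    if ($bits > $max) {
        return false;
    }
    // Compare the whole bytes of the prefix, then the remaining high bits.
    $whole = intdiv($bits, 8);
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

// Decide from the socket peer address only; forwarded headers are never read.
function is_allowed_client(array $server, array $networks = ALLOWED_NETWORKS): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($networks as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed request: the header names an allowed address, the peer is not one.
$req = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.44'];
echo is_allowed_client($req) ? "allow\n" : "deny\n";
```

When the application sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address rather than the client's, so this check then describes the proxy, not the user.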
