IP Geo Block

It blocks spam, login attempts and malicious access to the admin area originating from outside your country, and also prevents zero-day exploits.

There are several ways a site can become infected. The first is that contaminated files are uploaded via FTP or some kind of uploader. In this case, scanning and verifying the integrity of the files on your site is useful for detecting the infection.

The second is cracking of the login username and password. In this case, the right approach is to strengthen the password.

The third is malicious access to the core files. The major issue here is that a plugin or theme on your site may contain a vulnerability such as XSS, CSRF, SQLi, LFI and so on. For example, if a plugin has a Local File Inclusion (LFI) vulnerability, attackers can easily download wp-config.php without knowing the username and password, simply by requesting wp-admin/admin-ajax.php?action=show&file=../wp-config.php in their browser.

For these cases, protection based on the IP address is not a perfect solution for everyone. But for some site owners, or in certain cases such as a 'zero-day attack', it can still reduce the risk of infection from specific attacks.

That's why this plugin is here.


This plugin looks up a country code based on the IP address. If a comment, pingback or trackback comes from a specified country, it will be blocked before Akismet validates it.

With the same mechanism, it fights bursts of brute-force and reverse-brute-force attacks against the login form and XML-RPC.

  • Immigration control:
    Access to the basic and important entrances into the back-end such as wp-comments-post.php, xmlrpc.php, wp-login.php, wp-admin/admin.php, wp-admin/admin-ajax.php, wp-admin/admin-post.php will be validated by means of a country code based on IP address.

  • Guard against login attempts:
    To prevent intrusion through the login form and XML-RPC by brute-force and reverse-brute-force attacks, the number of login attempts is limited per IP address, even from the permitted countries.

  • Zero-day Exploit Prevention:
    The original feature "Zero-day Exploit Prevention for WP" (WP-ZEP) will block any malicious access to wp-admin/*.php even from the permitted countries. It protects against certain types of attack such as CSRF, SQLi and so on, even if you have some vulnerable plugins on your site. Because this is an experimental feature, please open an issue at the support forum if you have any trouble. I'll be profoundly grateful for your contribution to improving this feature. See more details on this plugin's blog.

  • Protection of wp-config.php:
    A malicious request that tries to expose wp-config.php via vulnerable plugins or themes can be blocked. Numerous such attacks can be found in this article.

  • Support of BuddyPress and bbPress:
    You can configure this plugin so that a registered user can log in as a member from anywhere, while requests such as new user registration, lost password, creating a new topic, and subscribing to comments are blocked by country code. This suits BuddyPress and bbPress and helps reduce spam.

  • Referrer suppressor for external links:
    When you click an external hyperlink on an admin screen, the HTTP referrer is removed to hide your site's footprint.

  • Multiple sources of IP Geolocation databases:
    Free IP Geolocation databases and REST APIs are bundled with this plugin to get a country code from an IP address. There are two types of API: those that support only IPv4 and those that support both IPv4 and IPv6. This plugin will automatically choose an appropriate API.

  • Database auto updater:
    MaxMind GeoLite free databases and IP2Location LITE databases can be incorporated with this plugin. Those will be downloaded and updated (once a month) automatically.

  • Cache mechanism:
    Fetched IP addresses are cached using the transient API to reduce the load on the server during bursts of access within a short period of time.

  • Customizing response:
    The HTTP response code can be set to 403 Forbidden to deny access to pages, 404 Not Found to hide pages, or even 200 OK to redirect to the top page. You can also place a custom error page (for example 403.php) in your theme template directory or child theme directory to fit your theme.

  • Validation logs:
    Logs are recorded in a MySQL table so that posting patterns can be audited under the specified conditions.

  • Cooperation with full-spec security plugins:
    This plugin is simple and light enough to work alongside other full-spec security plugins such as Wordfence Security (because the country blocking function there is available only to premium users).

  • Extensibility:
    You can customize the basic behavior of this plugin via add_filter() with pre-defined filter hooks. See various use cases in samples.php bundled within this package.

  • Self blocking prevention and easy rescue:
    Most users do not want to be blocked themselves. This plugin prevents that unless you force it (release 2.1.4). Furthermore, if such a situation does occur, you can easily rescue yourself (release 2.1.3).

  • Clean uninstallation:
    Nothing is left in your precious MySQL database after uninstallation, so feel free to install and activate this plugin to try out its functionality. Several days later, you'll find many undesirable accesses in your validation logs if all validation targets are enabled.
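
The wp-config.php exposure request described above (the LFI example and the "Protection of wp-config.php" item) can also be searched for in web server access logs. The following Python example is added here and is not code from this plugin; the combined-style log format, the constructed sample lines and every function name are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /wp-admin/admin-ajax.php?action=show&file=../wp-config.php HTTP/1.1" 200 3120',
    '198.51.100.23 - - [10/Oct/2015:13:56:02 +0000] "GET /wp-admin/admin-ajax.php?action=show&file=%252e%252e%252fwp-config.php HTTP/1.1" 403 512',
    '192.0.2.10 - - [10/Oct/2015:13:57:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58',
    '192.0.2.44 - - [10/Oct/2015:13:58:40 +0000] "GET /?s=how+to+edit+wp-config.php HTTP/1.1" 200 9001',
]

# Assumed log layout: ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so multiply-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def targets_wp_config(url):
    """True if any query value is a path whose last component is wp-config.php."""
    for _, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # Normalise separators, cut at a NUL byte, and compare case-insensitively.
        value = fully_decode(raw).replace("\\", "/").split("\x00")[0].lower()
        parts = [p for p in value.split("/") if p]
        looks_like_path = "/" in value or value == "wp-config.php"
        if looks_like_path and parts and parts[-1] == "wp-config.php":
            return True
    return False

def scan(lines):
    """Return (client_ip, status, url) for each request aimed at wp-config.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and targets_wp_config(m.group(3)):
            hits.append((m.group(1), int(m.group(4)), m.group(3)))
    return hits

if __name__ == "__main__":
    for ip, status, url in scan(SAMPLE_LOG):
        print(ip, status, url)
```

The status code in each hit shows whether the request was served or denied, which tells you which hits need follow-up first.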


This package includes GeoLite data created by MaxMind, available from MaxMind, and also includes IP2Location open source libraries available from IP2Location.

Also thanks for providing the following great services and REST APIs for free.


Development of this plugin is promoted on GitHub. All contributions will always be welcome. Or visit my development blog.

Requires: 3.7 or higher
Compatible up to: 4.3.1
Last Updated: 4 days ago
Active Installs: 4,000+


4.6 out of 5 stars


10 of 11 support threads in the last two months have been resolved.
