
IP Geo Block

It blocks spam posts, login attempts and malicious access to the back-end requested from specific countries, and also prevents zero-day exploits.

A considerable number of WordPress vulnerabilities in plugins and themes are disclosed every month. You can easily find them at the WPScan Vulnerability Database and the Exploit Database, for example. This means that many WordPress sites are constantly exposed to the threat of being exploited through those vulnerabilities.

This plugin protects the back-end of your site against such threats not only by blocking requests from undesired countries but also with its original feature 'Zero-day Exploit Prevention' (WP-ZEP).

It also blocks undesired requests to the login form (login attempts), the comment form (spam and trackbacks) and XML-RPC (login attempts and pingbacks).

Up to version 2.x, this plugin was dedicated to protecting the back-end of your site. From version 3.x, it can also block access to your public-facing pages, aka the front-end. See this analysis about protection performance against 50 samples of vulnerable plugins.


  • Immigration control:
    Access to the basic and important entrances into the back-end, such as wp-comments-post.php, xmlrpc.php, wp-login.php, wp-signup.php, wp-admin/admin.php, wp-admin/admin-ajax.php and wp-admin/admin-post.php, will be validated by means of a country code based on the IP address. You can configure either a whitelist or a blacklist to specify the countries.

  • Zero-day Exploit Prevention:
    The original feature "Zero-day Exploit Prevention for WP" (WP-ZEP) is simple but still smart and strong enough to block any malicious access to wp-admin/*.php, plugins/*.php and themes/*.php, even from the permitted countries. It will protect your site against certain types of attack such as CSRF, LFI, SQLi, XSS and so on, even if you have some vulnerable plugins or themes in your site. Find more details in the FAQ and this plugin's blog.

  • Guard against login attempts:
    In order to prevent hacking through the login form and XML-RPC by brute-force and reverse-brute-force attacks, the number of login attempts is limited per IP address, even from the permitted countries.

  • Protection of wp-config.php:
    A malicious request that tries to expose wp-config.php via vulnerable plugins or themes can be blocked. Numerous such attacks can be found in this article.

  • Minimize server load against brute-force attacks:
    You can configure this plugin as a Must-Use Plugin, which is loaded prior to regular plugins and can massively reduce the load on the server. Furthermore, a cache mechanism for the fetched IP addresses and country codes helps to reduce the load on the server during bursts of access within a short period of time.

  • Support of BuddyPress and bbPress:
    You can configure this plugin so that a registered user can log in as a member from anywhere, while requests such as new user registration, lost password, creating a new topic and subscribing to comments are blocked by country code. This is suitable for BuddyPress and bbPress and helps to reduce spam.

  • Referrer suppressor for external links:
    When you click an external hyperlink on an admin screen, the HTTP referrer is removed to hide the footprint of your site.

  • Multiple sources of IP Geolocation databases:
    Free IP Geolocation databases and REST APIs are built into this plugin to get a country code from an IP address. MaxMind GeoLite free databases and IP2Location LITE databases are available in this plugin. They are downloaded and updated (once a month) automatically.

  • Customizing response:
    The HTTP response code is selectable: 403 Forbidden to deny access to pages, 404 Not Found to hide pages, or even 200 OK to redirect to the top page. You can also place a custom error page (for example 403.php) in your theme template directory or child theme directory to fit your theme.

  • Validation logs:
    Logs are recorded in a MySQL data table so that you can audit posting patterns under the specified conditions.

  • Cooperation with full-spec security plugins:
    This plugin is simple and light enough to cooperate with other full-spec security plugins such as Wordfence Security (because country blocking is available only for premium users). See this report about page speed performance.

  • Extendability:
    "Settings minimum, Customizability maximum" is the basic concept of this plugin. You can customize the behavior of this plugin via add_filter() with the pre-defined filter hooks. See various use cases in the documents and in samples.php bundled with this package.

  • Self blocking prevention and easy rescue:
    Most users do not want to be blocked themselves. This plugin prevents such a sad thing unless you force it. Furthermore, if such a situation occurs, you can rescue yourself easily.

  • Clean uninstallation:
    Nothing is left in your precious MySQL database after uninstallation, so you can feel free to install and activate this plugin to try out its functionality. Several days later, you'll find many undesirable accesses in your validation logs if all validation targets are enabled.
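
The order of checks described under "Immigration control", "Guard against login attempts" and "Customizing response" can be sketched as a single decision function. This is an added illustration, not code from IP Geo Block: every function, constant and array key below is hypothetical, only the back-end entrances listed above are modelled, and the country code is assumed to have been resolved from the IP address already.

```php
<?php
// Added illustration: not IP Geo Block's code. All names are hypothetical.
const GUARDED_ENTRANCES = [
    'wp-comments-post.php', 'xmlrpc.php', 'wp-login.php', 'wp-signup.php',
    'wp-admin/admin.php', 'wp-admin/admin-ajax.php', 'wp-admin/admin-post.php',
];
const LOGIN_ENTRANCES = ['wp-login.php', 'xmlrpc.php'];

/**
 * Decide the HTTP status for one request ($path carries no query string).
 * $policy: ['mode' => 'whitelist'|'blacklist', 'countries' => [...],
 *           'max_failures' => int, 'deny_status' => 403|404]
 * $failures: map of IP address => failed login count, kept by the caller.
 */
function validate_request(string $path, string $ip, string $country,
                          array $policy, array $failures): int
{
    $path = ltrim($path, '/');
    if (!in_array($path, GUARDED_ENTRANCES, true)) {
        return 200; // not one of the guarded back-end entrances
    }
    $listed = in_array(strtoupper($country), $policy['countries'], true);
    $permitted = $policy['mode'] === 'whitelist' ? $listed : !$listed;
    if (!$permitted) {
        return $policy['deny_status'];
    }
    // The login limit applies even to requests from permitted countries.
    if (in_array($path, LOGIN_ENTRANCES, true)
        && ($failures[$ip] ?? 0) >= $policy['max_failures']) {
        return $policy['deny_status'];
    }
    return 200;
}

// Constructed sample data (RFC 5737 documentation addresses; 'ZZ' = unknown).
$policy = ['mode' => 'whitelist', 'countries' => ['JP', 'US'],
           'max_failures' => 5, 'deny_status' => 403];
$failures = ['198.51.100.7' => 5];
$requests = [
    ['/wp-login.php', '203.0.113.10', 'JP'], // permitted country
    ['/xmlrpc.php',   '203.0.113.20', 'ZZ'], // country not on the whitelist
    ['/wp-login.php', '198.51.100.7', 'US'], // permitted, too many failures
    ['/index.php',    '203.0.113.20', 'ZZ'], // not a guarded entrance
];
foreach ($requests as [$path, $ip, $cc]) {
    printf("%-16s %-14s %s -> %d\n", $path, $ip, $cc,
           validate_request($path, $ip, $cc, $policy, $failures));
}
```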


This package includes the GeoLite library distributed by MaxMind, available from MaxMind, and also includes the IP2Location open source libraries available from IP2Location.

Also thanks for providing the following great services and REST APIs for free.


Development of this plugin takes place at WordPress-IP-Geo-Block, and the class libraries that handle geo-location databases are developed separately as "add-ins" at WordPress-IP-Geo-API. All contributions are always welcome. Or visit my development blog.

Requires: 3.7 or higher
Compatible up to: 4.7.1
Last Updated: 2 weeks ago
Active Installs: 10,000+


4.9 out of 5 stars


10 of 18 support threads in the last two months have been marked resolved.
