Plugin Directory

IP Geo Block

A WordPress plugin that will block any spams, login attempts and malicious access to the admin area posted from outside your nation.


  • Fixed an issue that a certain type of attack vector to the admin area ( example ) could not be blocked by the reason that some plugins accept it on earlier hook (ie init) than this plugin (previously admin_init).
  • Added re-creating DB table for validation logs in case of accidentally failed at activation process.
  • The time of day is shown with local time by adding GMT offset based on the time zone setting.
  • Optimized resource loading and settings to avoid redundancy.
  • See details at this plugin's blog.


  • Avoid JavaScript error which occurs if an anchor link has no href.
  • Improved UI on admin screen.
  • Added a diagnosis for creation of database table.


  • Sorry for urgent update but avoid an javascript error.


  • Sorry for frequent update but added a function of showing admin notice when none of the IP geolocation providers is selected. Because the user will be locked out from admin screen when the cache expires.
  • Bug fix: Fixed an issue of get_geolocation() method at a time of when the cache of IP address is cleared.
  • Referer suppressor now supports meta referrer


  • Bug fix: Fixed an issue that empty black list doesn't work correctly when matching rule is black list.
  • New feature: Added 'Zero-day Exploit Prevention for wp-admin'. Because it is an experimental feature, please open a new issue at support forum if you have any troubles with it.
  • New feature: Referer suppressor for external link. When you click an external hyperlink on admin screen, http referer will be suppressed to hide a footprint of your site.
  • Also added the filter hook ip-geo-block-admin-actions for safe actions on back-end.


  • New feature: Include wp-admin/admin-post.php as a validation target in the Admin area. This feature is to protect against a vulnerability such as Analysis of the Fancybox-For-WordPress Vulnerability on Sucuri Blog.
  • Added a sample code snippet as a use case for 'Give ajax permission in case of safe actions on front facing page'. See Example 10 in sample.php.


  • Fixed the issue of improper scheme from the HTTPS site when loading js for google map.
  • In order to prevent accidental disclosure of the length of password, changed the length of * (masked password) which is logged into the database.


  • New feature: Protection against brute-force and reverse-brute-force attacks to wp-login.php, xmlrpc.php and admin area. This is an experimental function and can be enabled on Settings tab. Malicious access can try to login only 5 times per IP address. This retry counter can be reset to zero by Clear statistics on Statistics tab.


  • New feature: Added a new class for recording the validation logs to analyze posting pattern.
  • Fixed an issue of not being set the own country code at first installation.
  • Fixed an error which occurs when ip address is unknown.


  • New feature: Added validation of trackback spam.
  • Added $_SERVER keys for extra IPs into options to validate additional IP addresses.
  • Removed some redundant codes and corrected all PHP notices and warnings which had been suppressed by WordPress.


  • New feature: Added validation of pingback.ping through xmlrpc.php and new option to validate all the IP addresses in HTTP_X_FORWARDED_FOR.
  • Fixed an issue: Maxmind database file may be downloaded automatically without deactivate/re-activate when upgrade is finished.
  • This is the final version on 1.x. On next release, accesses to login.php and admin area will be also validated for security purpose.


  • Fixed an issue: Option table will be updated automatically without deactivate/re-activate when this plugin is upgraded.
  • A little bit performance improvement: Less memory footprint at the time of downloading Maxmind database file. Less sql queries when Save statistics is enabled.


  • New feature: Added Maxmind GeoLite database auto downloader and updater.
  • The filter hook ip-geo-block-validate was discontinued. Instead of it, the new filter hook ip-geo-block-comment is introduced.
  • Performance improvement: IP address is verified at an earlier stage than before.
  • Others: Fix a bug of handling cache, update status of some REST APIs.


  • Fixed issue of default country code. When activating this plugin for the first time, get the country code from admin's IP address and set it into white list.
  • Add number of calls in cache of IP address.


  • Implement the cache mechanism to reduce load on the server.
  • Better handling of errors on the search tab so as to facilitate the analysis of the service problems.
  • Fixed a bug of setting user agent strings in 1.0.2. Now the user agent strings (WordPress/3.9.2; http://example.com/) becomes to its own (WordPress/3.9.2; ip-geo-block 1.1.0).


  • Temporarily stop setting user agent strings to supress a bug in 1.0.2.


  • Update provider settings. Smart-IP.net was terminated, ipinfo.io is now available for IPv6.
  • Set the own user agent strings for WP_Http.


  • Modify Plugin URL.
  • Add apply_filters() to be able to change headers.


  • Ready to release.

Requires: 3.7 or higher
Compatible up to: 4.2.1
Last Updated: 2015-4-29
Active Installs: 1,000+


3.5 out of 5 stars


4 of 4 support threads in the last two months have been resolved.

Got something to say? Need help?


Not enough data

0 people say it works.
0 people say it's broken.