IP Geo Block

It blocks spam, login attempts and malicious access to the admin area from outside your country, and also prevents zero-day exploits.

I was locked out. What should I do?

Activate the following code at the bottom of ip-geo-block.php and upload the file via FTP.

/**
 * Invalidate blocking behavior in case yourself is locked out.
 * @note: activate the following code and upload this file via FTP.
 */
function ip_geo_block_emergency( $validate ) {
    $validate['result'] = 'passed'; // force the validation result to "passed"
    return $validate;
}
add_filter( 'ip-geo-block-login', 'ip_geo_block_emergency' ); // wp-login.php
add_filter( 'ip-geo-block-admin', 'ip_geo_block_emergency' ); // wp-admin/*.php
// */

Then click "Clear cache" on the "Statistics" tab of your dashboard. Remember to upload the original file afterwards to deactivate this feature; while it is active, validation for the login and admin area always passes.
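
The emergency code above passes every visitor on both hooks until the original file is restored. As an added example (not part of the plugin or its samples.php), the variant below lets through only one address; the constant name, the function name and the address 203.0.113.10 are placeholders, and it assumes the server sees your real address in REMOTE_ADDR (no reverse proxy in front).

```php
// Added example: goes in the same place as the emergency code above.
// 203.0.113.10 is a constructed placeholder; replace it with your own public IP.
define( 'MY_EMERGENCY_ADMIN_IP', '203.0.113.10' ); // hypothetical constant name

function my_ip_geo_block_emergency( $validate ) {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    // Compare the packed binary forms so equivalent IPv6 spellings match.
    $seen    = @inet_pton( $remote );
    $allowed = @inet_pton( MY_EMERGENCY_ADMIN_IP );

    if ( false !== $seen && false !== $allowed && $seen === $allowed ) {
        $validate['result'] = 'passed'; // only the administrator's address is let through
    }

    return $validate; // everyone else keeps the plugin's own verdict
}
add_filter( 'ip-geo-block-login', 'my_ip_geo_block_emergency' );
add_filter( 'ip-geo-block-admin', 'my_ip_geo_block_emergency' );
```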

How can I test that this plugin works?

The easiest way is to use a free proxy browser add-on. Another is to use a browser add-on that edits HTTP headers. You can add an IP address to the X-Forwarded-For header to emulate access from behind a proxy. In this case, you should add HTTP_X_FORWARDED_FOR to the "$_SERVER keys for extra IPs" on the "Settings" tab.

Are there any filter hooks?

Yes, here is the list of all hooks for extending the features of this plugin.

  • ip-geo-block-ip-addr : IP address of accessor.
  • ip-geo-block-headers : compose HTTP request headers.
  • ip-geo-block-comment : validate IP address at wp-comments-post.php.
  • ip-geo-block-xmlrpc : validate IP address at xmlrpc.php.
  • ip-geo-block-login : validate IP address at wp-login.php.
  • ip-geo-block-admin : validate IP address at wp-admin/*.php.
  • ip-geo-block-extra-ips : white/black list of extra IPs for prior validation.
  • ip-geo-block-xxxxxx-status : HTTP response status code for comment|xmlrpc|login|admin.
  • ip-geo-block-xxxxxx-reason : HTTP response reason for comment|xmlrpc|login|admin.
  • ip-geo-block-bypass-admins : array of admin queries which should bypass WP-ZEP.
  • ip-geo-block-bypass-plugins : array of plugin names which should bypass WP-ZEP.
  • ip-geo-block-bypass-themes : array of theme names which should bypass WP-ZEP.
  • ip-geo-block-backup-dir : full path where log files should be saved.
  • ip-geo-block-api-dir : full path to the API class libraries and local DB files.
  • ip-geo-block-maxmind-dir : full path where Maxmind GeoLite DB files should be saved.
  • ip-geo-block-maxmind-zip-ipv4 : URL of the Maxmind GeoLite DB zip file for IPv4.
  • ip-geo-block-maxmind-zip-ipv6 : URL of the Maxmind GeoLite DB zip file for IPv6.
  • ip-geo-block-ip2location-dir : full path where IP2Location LITE DB files should be saved.
  • ip-geo-block-ip2location-path : full path to IP2Location LITE DB file (IPv4).

For more details, see samples.php bundled with this package.

How does WP-ZEP prevent zero-day attacks?

A considerable number of vulnerable plugins fail to validate the nonce, the privilege, or both. WP-ZEP makes up for both by embedding a nonce into the links, forms and jQuery Ajax requests on every admin screen.

This simple system validates both of them on behalf of the vulnerable plugins on your site and blocks a request with the query parameter action through wp-admin/(admin|admin-ajax|admin-post).php if it has no nonce and privilege. Moreover, it doesn't affect requests from non-logged-in users.

On the other hand, the details of the above process are slightly delicate. For example, it is incapable of preventing Privilege Escalation (PE) because it cannot determine which capabilities the request needs.

See more details on this plugin's blog.
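
What a handler "lacking in validating the nonce and privilege" looks like in a plugin's own Ajax code, next to the form with both checks, as an added example using WordPress core functions (not code from this plugin); my_plugin_save, my_plugin_note and the manage_options requirement are hypothetical. The capability check is the part WP-ZEP cannot supply, since only the plugin author knows which capability the action needs.

```php
<?php
// Added example; "my_plugin_save" and "my_plugin_note" are hypothetical names.

// Handler lacking both checks: without a nonce a forged cross-site request is
// accepted, and without a capability check any logged-in role may call it.
function my_plugin_save_unchecked() {
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'my_plugin_note', $note );
    wp_send_json_success();
}

// The same handler with the two validations in place.
function my_plugin_save_checked() {
    // Nonce: dies unless the "nonce" field was issued for this action.
    check_ajax_referer( 'my_plugin_save', 'nonce' );

    // Privilege: the capability this particular action requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'my_plugin_note', $note );
    wp_send_json_success();
}

// Register only the checked handler, and only for logged-in users.
add_action( 'wp_ajax_my_plugin_save', 'my_plugin_save_checked' );

// The admin form supplies the matching value in its "nonce" field:
// wp_create_nonce( 'my_plugin_save' )
```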

How can I use "Block by country" and "WP-ZEP" properly?

The basic concept is that "Block by country" is for blocking malicious access from undesired countries and "WP-ZEP" is for blocking malicious access from permitted countries.

So using both of them is best.

As for Ajax, "Block by country" blocks both front-end and back-end services, while "WP-ZEP" blocks only back-end services.

So if you have plugins that provide Ajax services for the front end and prefer to serve them to everyone, using only "WP-ZEP" for "Admin ajax/post" may be your choice.

Some admin functions don't work when WP-ZEP is on.

There are a few cases in which WP-ZEP does not work. One is redirection on the server side (caused by PHP or .htaccess) or on the client side (caused by the JavaScript location object or a meta refresh tag).

Another is related to the content type. This plugin supports only application/x-www-form-urlencoded and multipart/form-data.

The last case is an Ajax/POST request that comes not from jQuery but from Flash or something else.

In those cases, this plugin should bypass WP-ZEP. Find the unique strings in the requested queries and add them to the safe query list via the filter hook ip-geo-block-bypass-admins.

If you cannot figure out your trouble, please let me know which plugin you are using at the support forum.
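
One way to register such a bypass, as an added example (not taken from samples.php); the function name and both query strings are hypothetical, and the callback assumes the hook passes and expects an array of strings, as the hook list describes. Keep each string as specific as possible, because matching requests are no longer checked by WP-ZEP.

```php
<?php
// Added example; 'my-plugin-export' and 'legacy-uploader' are hypothetical
// stand-ins for the unique strings found in the requests that stopped working.
function my_zep_bypass_admins( $queries ) {
    $extra = array(
        'my-plugin-export', // e.g. an admin page that redirects on the server side
        'legacy-uploader',  // e.g. an uploader that posts without going through jQuery
    );

    // Keep whatever is already on the list and avoid duplicate entries.
    return array_values( array_unique( array_merge( (array) $queries, $extra ) ) );
}
add_filter( 'ip-geo-block-bypass-admins', 'my_zep_bypass_admins' );
```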

Requires: 3.7 or higher
Compatible up to: 4.3.1
Last Updated: 6 days ago
Active Installs: 4,000+

