IP Geo Block

It blocks spam posts, login attempts and malicious access to the back-end requested from specific countries, and also prevents zero-day exploits.

I was locked out. What shall I do?

Activate the following code at the bottom of ip-geo-block.php and upload the file via FTP.

/**
 * Invalidate blocking behavior in case you are locked out.
 *
 * How to use: Activate the following code and upload this file via FTP.
 */
function ip_geo_block_emergency( $validate ) {
    // Mark every request as passed so that no login or admin access is blocked.
    $validate['result'] = 'passed';
    return $validate;
}
add_filter( 'ip-geo-block-login', 'ip_geo_block_emergency' );
add_filter( 'ip-geo-block-admin', 'ip_geo_block_emergency' );
// */

Then click "Clear cache" on the "Statistics" tab of your dashboard. Remember to upload the original file afterwards to deactivate this feature.

This document can also help you.
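A narrower variant of the emergency code above, as an added example that is not part of the plugin: it passes only requests from listed administrator addresses and returns every other request untouched. The function names and the two documentation addresses are placeholders, and it assumes the plugin keeps validating any request whose result the filter does not set.

```php
/**
 * Added example (not the plugin's own code): emergency bypass limited to
 * known administrator addresses instead of every visitor.
 * my_ip_is_allowed() and my_emergency_for_admin_only() are hypothetical names.
 */
function my_ip_is_allowed( $ip, array $allowed ) {
    // Compare packed binary forms so that different spellings of the same
    // IPv6 address (e.g. "2001:DB8:0::10") still match.
    $packed = @inet_pton( (string) $ip );
    if ( false === $packed ) {
        return false; // not a valid IP literal: never bypass
    }
    foreach ( $allowed as $candidate ) {
        if ( @inet_pton( $candidate ) === $packed ) {
            return true;
        }
    }
    return false;
}

function my_emergency_for_admin_only( $validate ) {
    // Placeholder addresses from the documentation ranges; replace them
    // with the address you are actually connecting from.
    $allowed = array( '203.0.113.10', '2001:db8::10' );

    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN it is the
    // proxy's address, so this check would then match the proxy, not you.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    if ( my_ip_is_allowed( $ip, $allowed ) ) {
        $validate['result'] = 'passed';
    }
    return $validate; // returned unchanged for every other address
}

// Same hooks as the emergency code on this page.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'ip-geo-block-login', 'my_emergency_for_admin_only' );
    add_filter( 'ip-geo-block-admin', 'my_emergency_for_admin_only' );
}
```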

How to resolve "You are not allowed to access this page"?

If you encounter this message, please refer to this document to resolve your blocking issue.

Some admin functions don't work. How can I solve it?

This can happen for the same reason as in the previous FAQ. Please follow the steps in this document.

If you can't solve your issue, please let me know about it on the support forum. Your logs in this plugin and "Installation information" at "Plugin settings" will be a great help to resolve the issue.

How can I fix "Unable to write" error?

When you enable the "Force to load WP core" options, this plugin tries to configure .htaccess in your /wp-content/plugins/ and /wp-content/themes/ directories in order to protect your site against malicious attacks on the OMG plugins and themes.

But some servers don't give WordPress read / write permission on .htaccess. In this case, you can configure these .htaccess files by hand instead of enabling the "Force to load WP core" options.

Please refer to "How can I fix permission troubles?" in order to fix this error.

Does this plugin work well with caching?

For the back-end protection, the answer is YES if you disable caching on back-end. But for the front-end, the answer depends on the caching method you are employing.

Currently, the following cache plugins and configurations can be supported:

  • WP Super Cache
    Select "Use PHP to serve cache files" and enable "Late init".

  • W3 Total Cache
    Select "Disk: Basic" and enable "Late initialization" for page cache. "Disk: Enhanced" (where "Late initialization" is not available) in W3TC seems to work well without any incompatibility with this plugin.

  • Vendi Cache
    This was formerly built into Wordfence. Select "basic caching" for Vendi Cache and "mu-plugin" (ip-geo-block-mu.php) for IP Geo Block.

If your plugin serves cached pages by mod_rewrite via .htaccess (e.g. WP Fastest Cache) or by the advanced-cache.php drop-in (e.g. Comet Cache), or if your hosting provider caches pages on the server side, "Blocking on front-end" might generate inconsistent pages.

For more details, please refer to some documents at "Blocking on front-end".

How can I test that this plugin works?

The easiest way is to use a free proxy browser add-on. Another is to use an HTTP header browser add-on: you can add an IP address to the X-Forwarded-For header to emulate access from behind a proxy. In this case, you should add HTTP_X_FORWARDED_FOR to "$_SERVER keys for extra IPs" on the "Settings" tab.

See more details at "How to test prevention of attacks".

Do I have to turn on all the selections to enhance security?

Yes. Roughly speaking, the strategy of this plugin has been constructed as follows:

  • Block by country
    It blocks malicious requests from outside your country.

  • Prevent Zero-day Exploit
    It blocks malicious requests from your country.

  • Force to load WP core
    It blocks requests that are not covered by the two above.

  • Bad signatures in query
    It blocks requests that are not covered by the three above.

Please try the "Best settings" button at the bottom of this plugin's settings page for easy setup. Also see more details in "The best practice of target settings".

Does this plugin validate all the requests?

Unfortunately, no. This plugin can't handle requests that are not parsed by WordPress. In other words, a standalone file (PHP, CGI or something else executable) that is unrelated to WordPress can't be validated by this plugin even if it is in the WordPress install directory.

But there are exceptions: when you enable "Force to load WP core" for the Plugins area or Themes area, a standalone PHP file can be blocked. This kind of file sometimes has vulnerabilities, and this function protects your site in such a case.

Requires: 3.7 or higher
Compatible up to: 4.7.2
Last Updated: 2 months ago
Active Installs: 10,000+


4.9 out of 5 stars


21 of 28 support threads in the last two months have been marked resolved.
