IP Geo Block

It blocks spam posts, login attempts and malicious access to the back-end from specific countries, and also prevents zero-day exploits.

I was locked out. What shall I do?

Activate the following code at the bottom of ip-geo-block.php and upload the file via FTP.

/**
 * Disable blocking in case you have locked yourself out.
 *
 * How to use: activate the following code and upload this file via FTP.
 */
/* -- EDIT THIS LINE AND ACTIVATE THE FOLLOWING FUNCTION -- */
function ip_geo_block_emergency( $validate ) {
    $validate['result'] = 'passed';
    return $validate;
}
add_filter( 'ip-geo-block-login', 'ip_geo_block_emergency' );
add_filter( 'ip-geo-block-admin', 'ip_geo_block_emergency' );
// */

Then click "Clear cache" on the "Statistics" tab of your dashboard. Remember to upload the original file again to deactivate this feature.

This document can also help you.

How can I fix "Unable to write" error?

When you enable the "Force to load WP core" options, this plugin tries to configure .htaccess in your /wp-content/plugins/ and /wp-content/themes/ directories in order to protect your site against malicious attacks on OMG plugins and themes.

But some servers don't give WordPress read / write permission on .htaccess. In this case, you can configure these .htaccess files by hand instead of enabling the "Force to load WP core" options.

Please refer to "How can I fix permission troubles?" in order to fix this error.

Does this plugin work well with caching?

For the back-end protection, the answer is YES if you disable caching on the back-end. But for the front-end, the answer depends on the caching method you are employing.

Currently, the following cache plugins and configurations can be supported:

  • WP Super Cache
    Select "Use PHP to serve cache files" and enable "Late init".

  • W3 Total Cache
    Select "Disk: Basic" and enable "Late initialization" for page cache. "Disk: Enhanced" (where "Late initialization" is not available) in W3TC 0.9.5.1 seems to work well without any incompatibility with this plugin.

  • Vendi Cache
    This was formerly built into Wordfence. Select "basic caching" for Vendi Cache and "mu-plugin" (ip-geo-block-mu.php) for IP Geo Block.

If your plugin serves page caching by mod_rewrite via .htaccess (e.g. WP Fastest Cache) or by the advanced-cache.php drop-in (e.g. Comet Cache), or if your hosting provider serves page caching on the server side, "Blocking on front-end" might generate inconsistent pages.

For more details, please refer to some documents at "Blocking on front-end".

How can I test that this plugin works?

The easiest way is to use a free proxy browser add-on. Another is to use an HTTP header browser add-on. You can add an IP address to the X-Forwarded-For header to emulate access from behind a proxy. In this case, you should add HTTP_X_FORWARDED_FOR to "$_SERVER keys for extra IPs" on the "Settings" tab.

See more details at "How to test prevention of attacks".

Do I have to turn on all the options to enhance security?

Yes. Roughly speaking, the strategy of this plugin has been constructed as follows:

  • Block by country
    It blocks malicious requests from outside your country.

  • Prevent Zero-day Exploit
    It blocks malicious requests from your country.

  • Force to load WP core
    It blocks the requests which have not been covered by the above two.

  • Bad signatures in query
    It blocks the requests which have not been covered by the above three.

Please try the "Best practice" button at the bottom of this plugin's settings page for easy setup. See more details in "The best practice of target settings".

Does this plugin validate all the requests?

Unfortunately, no. This plugin can't handle requests that are not parsed by WordPress. In other words, a standalone file (PHP, CGI or something else executable) that is unrelated to WordPress can't be validated by this plugin even if it is in the WordPress install directory.

But there are exceptions: when you enable "Force to load WP core" for the Plugins area or Themes area, a standalone PHP file in those areas can be blocked. Sometimes this kind of file has vulnerabilities. This function protects your site in such a case.

Some admin functions don't work when WP-ZEP is enabled.

There are a few cases in which WP-ZEP does not work. One is redirection on the server side (caused by PHP or .htaccess) or on the client side (caused by the JavaScript location object or a meta refresh tag).

Another is related to the content type. This plugin supports only application/x-www-form-urlencoded and multipart/form-data.

The last case is an ajax/post request that comes not from jQuery but from Flash or something else.

In those cases, this plugin should bypass WP-ZEP. So please find the unique strings in the requested queries and add them to the safe query list via the filter hook ip-geo-block-bypass-admins.
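One way to register such strings, as an added example that is not the plugin's own code. It assumes the filter passes an array of strings and expects an array back; the function name and the two list entries are hypothetical placeholders, and the snippet is meant to go into an existing PHP file such as your theme's functions.php.

```php
/**
 * Added example: tell IP Geo Block which admin requests should bypass WP-ZEP.
 *
 * Assumption: the 'ip-geo-block-bypass-admins' filter receives the current
 * safe query list as an array of strings and uses the array returned here.
 */
function my_ip_geo_block_bypass_admins( $queries ) {
    // Be defensive: an earlier callback may have returned a non-array.
    if ( ! is_array( $queries ) ) {
        $queries = array();
    }

    // Keep this list short and specific: every entry exempts the matching
    // admin requests from the WP-ZEP check, so add only the unique strings
    // of the requests that are actually broken.
    $safe = array(
        'my-export-action',   // hypothetical: request sent by a non-jQuery uploader
        'my-plugin-settings', // hypothetical: admin page that redirects on the server side
    );

    // Merge with the existing entries and drop duplicates.
    return array_values( array_unique( array_merge( $queries, $safe ) ) );
}
add_filter( 'ip-geo-block-bypass-admins', 'my_ip_geo_block_bypass_admins' );
```

After adding an entry, repeat the admin action that failed and remove any entry that turns out not to be needed.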

If you cannot figure out your troubles, please let me know your issues and the names of the plugins you are using at the support forum.

Are there any other useful filter hooks?

Yes, you can find the list of all hooks and useful samples here.

Requires: 3.7 or higher
Compatible up to: 4.6.1
Last Updated: 3 days ago
Active Installs: 10,000+
