IP Geo Block

It blocks spam, login attempts and malicious access to the admin area posted from outside your nation, and also prevents zero-day exploits.

I was locked out. What shall I do?

Activate the following code at the bottom of ip-geo-block.php and upload the file via FTP.

/**
 * Invalidate blocking behavior in case you are locked out.
 * @note: activate the following code and upload this file via FTP.
 */ //
function ip_geo_block_emergency( $validate ) {
    $validate['result'] = 'passed'; // force every login/admin request to pass validation
    return $validate;
}
add_filter( 'ip-geo-block-login', 'ip_geo_block_emergency' );
add_filter( 'ip-geo-block-admin', 'ip_geo_block_emergency' );
// */

Then click Clear cache on the Statistics tab of your dashboard. Remember to upload the original file again to deactivate the above feature.

How can I protect my `wp-config.php` against malicious access?

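function my_protectives( $validate ) {
    // Strings that must never appear in a request to the admin area.
    $blacklist = array(
        'wp-config.php',
    );

    // Flatten all GET and POST parameters into one lowercase, URL-decoded string.
    $req = strtolower( urldecode( serialize( $_GET + $_POST ) ) );

    foreach ( $blacklist as $item ) {
        if ( strpos( $req, $item ) !== FALSE ) {
            $validate['result'] = 'blocked';
            break;
        }
    }

    return $validate; // should not set 'passed' to validate by country code
}
add_filter( 'ip-geo-block-admin', 'my_protectives' );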

Are there any other filter hooks?

Yes, here is the list of all hooks.

  • ip-geo-block-ip-addr : IP address of accessor.
  • ip-geo-block-headers : compose HTTP request headers.
  • ip-geo-block-comment : validate IP address at wp-comments-post.php.
  • ip-geo-block-xmlrpc : validate IP address at xmlrpc.php.
  • ip-geo-block-login : validate IP address at wp-login.php.
  • ip-geo-block-admin : validate IP address at wp-admin/*.php.
  • ip-geo-block-xxxxxx-status : HTTP response status code for comment|xmlrpc|login|admin.
  • ip-geo-block-xxxxxx-reason : HTTP response reason for comment|xmlrpc|login|admin.
  • ip-geo-block-bypass-admins : array of admin queries which should bypass WP-ZEP.
  • ip-geo-block-bypass-plugins : array of plugin names which should bypass WP-ZEP.
  • ip-geo-block-bypass-themes : array of theme names which should bypass WP-ZEP.
  • ip-geo-block-backup-dir : full path where log files should be saved.
  • ip-geo-block-maxmind-dir : full path where Maxmind GeoLite DB files should be saved.
  • ip-geo-block-maxmind-zip-ipv4 : URL to Maxmind GeoLite DB zip file for IPv4.
  • ip-geo-block-maxmind-zip-ipv6 : URL to Maxmind GeoLite DB zip file for IPv6.
  • ip-geo-block-ip2location-path : full path to IP2Location LITE DB file.

For more details, see samples.php bundled within this package.

How does WP-ZEP prevent zero-day attacks?

A considerable number of vulnerable plugins fail to validate the nonce, the privilege, or both. WP-ZEP makes up for both by embedding a nonce into the links, forms and jQuery ajax requests on every admin screen.

This simple system validates both on behalf of the vulnerable plugins on your site, and blocks a request carrying the query parameter action through wp-admin/(admin|admin-ajax|admin-post).php if it has no nonce and privilege. Moreover, it doesn't affect requests from non-logged-in users.

On the other hand, the details of the above process are slightly delicate. For example, it is incapable of preventing Privilege Escalation (PE) because it cannot decide which capabilities a request needs.

See more details on this plugin's blog.
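
The handler pattern described above, next to a version that validates both the nonce and the privilege itself. This is an added example, not code from this plugin or its author; the action name example_save, the option example_setting and the choice of the manage_options capability are assumptions made for illustration.

```php
<?php
/*
Plugin Name: Example Settings Handler (hypothetical, for illustration only)
*/

// BEFORE: the pattern WP-ZEP compensates for. WordPress fires wp_ajax_*
// for every logged-in user regardless of role, and nothing here ties the
// request to an admin screen, so the handler checks neither nonce nor privilege.
function example_save_unsafe() {
    update_option( 'example_setting', $_POST['value'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_unsafe', 'example_save_unsafe' );

// AFTER: the handler validates both by itself.
function example_save() {
    // 1. Nonce: proves the request was issued from one of our admin screens.
    //    With the third argument false, the function returns false on failure
    //    instead of terminating, so the handler chooses the response.
    if ( ! check_ajax_referer( 'example_save', 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }

    // 2. Privilege: only the plugin knows which capability its action needs.
    //    A generic layer cannot decide this, so the check has to live here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privilege', 403 );
    }

    // 3. Input: require a string and normalize it before storing.
    if ( ! isset( $_POST['value'] ) || ! is_string( $_POST['value'] ) ) {
        wp_send_json_error( 'missing value', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ) );

    update_option( 'example_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save', 'example_save' );

// The admin screen that issues the request must send
// wp_create_nonce( 'example_save' ) in the 'nonce' field of the POST body.
```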

Some admin functions don't work when WP-ZEP is on.

There are a few cases where WP-ZEP does not work. One is redirection on the server side (caused by PHP or .htaccess) and on the client side (caused by the JavaScript location object or a meta tag for refresh).

Another is the case related to the content type. This plugin supports only application/x-www-form-urlencoded and multipart/form-data.

The other case is when an ajax/post request comes not from jQuery but from Flash or something else.

In those cases, this plugin should bypass WP-ZEP. Find the unique strings in the requested queries and add them to the safe query list via the filter hook ip-geo-block-bypass-admins.

If you cannot figure out your trouble, please let me know about the plugin you are using at the support forum.

I want to use only WP-ZEP.

Uncheck Comment post, XML-RPC and Login form under Validation settings on the Settings tab, and choose Prevent zero-day exploit for Admin area.

Finally, empty the text field of White list or Black list according to the Matching rule.

Requires: 3.7 or higher
Compatible up to: 4.3
Last Updated: 2015-9-3
Active Installs: 2,000+

