Page speed performance

Conditions

The Validation timing should be set to the "init" action hook. If you set it to "mu-plugins" (ip-location-block-mu.php), P3 fails to measure the performance of this plugin, because must-use plugins run in a race condition with P3's own measurement.

Results

P3 (Plugin Performance Profiler) can investigate WordPress plugins’ performance by measuring their impact on your site’s load time.

This tool has two modes for measuring performance. One is “Auto scan”, which accesses both the admin area and the public-facing pages while logged in as an admin. The other is “Manual scan”, which lets you access pages freely. So in this report, “Manual scan” was performed by accessing front-end pages only.

The following results were measured with a private window.

Compatibility with cache plugins

We need not only to harden security but also to speed up the site. So you may want to use IP Location Block together with a caching plugin.

Making this plugin compatible with cache plugins is a big challenge, because a cache plugin responds with the requested content without executing any PHP code at the very beginning of the WordPress core process, or even before the core starts.

Requirements for compatibility

To achieve the demand for both security and speed, the cache plugins need to support the following requirements.

Do not cache page

One of the most important things for this plugin is to prevent caching of the error page on which the access denied message is rendered. For this purpose, this plugin defines the DONOTCACHEPAGE constant and sets the flag for is_404().

On the cache plugin side, one of the following needs to be supported.

  1. Support DONOTCACHEPAGE
  2. Support “Do not cache 404 page”

For example, WP Super Cache supports both of them by default, while many other plugins offer 2. in their settings.

Deferred execution

IP Location Block provides the option “Validation timing”, which kicks off this plugin at an earlier phase than other typical plugins.

Correspondingly, a cache plugin needs to support an option for “deferred execution” or “late initialization” to give this plugin a chance to render an error page before the cached page is served in response to requests from blacklisted countries (or IPs).

Supported plugins

Here’s a list of supported requirements mentioned above.

Plugin Name               Do not cache page   Deferred execution
WP Fastest Cache                              N/A
Comet Cache                                   N/A
Hyper Cache                                   N/A
WP Rocket                                     N/A
WP Super Cache
W3 Total Cache
Swift Performance Lite
Vendi Cache

This list shows that:

The following are the option settings in each plugin.

WP Rocket

Some users reported that WP Rocket's “Critical CSS” feature triggers an error while IP Location Block is in use. This is because WP Rocket tries to reach the site, but its server IPs are not on the whitelist.

(screenshot: WP Rocket - Critical CSS Blocked)

To solve this issue please read the following article by WP Rocket:
Troubleshooting Critical CSS generation issues

WP Super Cache

(screenshot: WP Super Cache)

W3 Total Cache

(screenshot: W3 Total Cache - Page Cache Method)

(screenshot: W3 Total Cache - Late Initialization)

Swift Performance Lite

(screenshot: Swift Performance Lite - Caching Mode)

Vendi Cache

(screenshot: Vendi Cache - Cache Mode)

Installing MU-Plugins

A must-use plugin is a plugin that is always activated by default and is loaded before other typical plugins once you install it into the wp-content/mu-plugins/ directory.

You must select "mu-plugins" (ip-location-block-mu.php) as Validation Timing in “Validation rule settings” section to install this plugin as “must-use plugin”.

(screenshot: Validation Timing)

Restrictions

Installing ip-location-block-mu.php has the following restrictions, mainly because of its execution timing, which is before the after_setup_theme action hook:

Please refer to “Validation timing” for more details.

What will become of my site if I use other plugin?

Well, it would not be so serious. Let’s take WP Fastest Cache as an example.

If someone requests a page for which a cache hit occurs, no PHP code is executed; the static content in the cache is served instead. In this case, this plugin has no chance to block anything.

If someone requests a page for which a cache miss occurs, WordPress starts to handle the request. In this case, this plugin has a chance to validate the request.

So a visitor from a forbidden country sometimes gets cached content and sometimes gets blocked. This means that attacks from forbidden countries would fail. As a consequence, blocking by country can still reduce the risk of infection.

How about Object Cache plugins?

WP_Object_Cache is a core class that implements an object cache. It stores all of the cache data to memory and makes them reusable within a request, but it does not make them reusable between different user agents even for the same content.

Unlike the full page cache plugins mentioned above, object cache plugins like LiteSpeed Cache on OpenLiteSpeed Web Server and Redis Object Cache using Redis make the “object” persistent. So the mechanism of persistent object cache is suitable for dynamic contents, and should be compatible with IP Location Block.

Analysis of Attack Vectors

Conditions

Attack Vector = Type x Path

Abbreviation of Type   Description
AB                     Authentication Bypass
AFU                    Arbitrary File Upload
CSRF                   Cross-Site Request Forgery
DT                     Directory Traversal
LFI                    Local File Inclusion
PE                     Privilege Escalation
RCE                    Remote Code Execution
RFU                    Remote File Upload
SQLI                   SQL Injection
XSS                    Cross-Site Scripting

Abbreviation of Path   Description
AA                     Admin area
AX                     Admin ajax / post
PD                     Plugin Direct
FE                     Front End

Symbol   Description
OK       Success when blocking is enabled on the front-end.
OK       Success when blocking is enabled on the back-end.
NG       Fail to block.

Results

Source: © The WPScan Team

Vulnerability                  Version       Type        Path   Geo   ZEP
WP Business Intelligence Lite  <= 1.6.1      SQLI        PD+    OK    OK
Ptengine                       <= 1.0.1      XSS         FE     OK    NG
EZ Portfolio                   <= 1.0.1      XSS         AX     OK    OK
WonderPlugin Audio Player      <= 2.0        SQLI, XSS   AX     OK    OK
Aspose Cloud eBook Generator   <= 1.0        LFI         PD-    OK    OK
WPshop - eCommerce             <= 1.3.9.5    AFU         PD+    OK    OK
WPBook                         <= 2.7        CSRF        AA     OK    OK
WP-ViperGB                     <= 1.3.10     XSS, CSRF   AA     OK    OK
WordPress Survey & Poll        <= 1.1.7      SQLI        AX     OK    OK
WP Media Cleaner               <= 0.2.2.6    XSS         AA     OK    OK
WP Easy Slideshow              <= 1.0.3      CSRF        AA     OK    OK
N-Media Website Contact Form   <= 1.3.4      AFU         AX+    OK    NG
Tune Library                   <= 1.5.4      SQLI        FE     OK    NG
Redirection Page               <= 1.2        CSRF, XSS   AA     OK    OK
PHP Event Calendar             <= 1.5        AFU         PD     OK    OK
My Wish List                   <= 1.4.1      XSS         FE     OK    NG
Mobile Domain                  <= 1.5.2      CSRF, XSS   AA     OK    OK
MailChimp Subscribe Form       <= 1.1        RCE         PD     OK    OK
IP Blacklist Cloud             <= 3.4        SQLI        AA     OK    OK
IP Blacklist Cloud             <= 3.42       LFI         FE     OK    NG
InBoundio Marketing            <= 2.0.3      RFU         PD     OK    OK
Image Metadata Cruncher        <= 1.8        CSRF, XSS   AA     OK    OK
CrossSlide jQuery              <= 2.0.5      CSRF, XSS   AA     OK    OK
Aspose PDF Exporter            < 2.0         LFI         PD-    OK    OK
Aspose Importer & Exporter     <= 1.0        LFI         PD-    OK    OK
Aspose DOC Exporter            <= 1.0        LFI         PD-    OK    OK
WP Ultimate CSV Importer       <= 3.6.74     AB          PD+    OK    OK
WP Ultimate CSV Importer       <= 3.7.1      DT          PD+    OK    OK
WP Mobile Edition              <= 0.2.2.7    LFI         PD-    OK    OK
WP All Import                  <= 3.2.3      RCE         AX     OK    OK
WP All Import                  <= 3.2.4      CSRF, XSS   AX     OK    OK
UpdraftPlus                    <= 1.9.50     PE          AX     OK    NG
Ultimate Member                <= 1.0.78     AFU         PD+    OK    OK
Ultimate Product Catalogue     <= 3.1.1      AFU         AX     OK    OK
Ultimate Product Catalogue     <= 3.1.2      SQLI        AX     OK    OK
Ultimate Product Catalogue     <= 3.1.2      SQLI        FE     OK    NG
TinyMCE Advanced               <= 4.1        CSRF        AX     OK    OK
Huge-IT Slider                 <= 2.6.8      SQLI        AX     OK    OK
Simple Ads Manager             <= 2.5.94     AFU, SQLI   PD+    OK    OK
Related Posts for WordPress    <= 1.8.1      XSS         FE     OK    NG
Ajax Search Lite               <= 3.1        RCE         AX     OK    OK
Blubrry PowerPress             <= 6.0        XSS         AA     OK    OK
PlusCaptcha                    <= 2.0.14     CSRF        AA     OK    OK
Plugin Performance Profiler    <= 1.5.3.8    XSS         AA     NG    NG
NEX-Forms                      <= 3.0        SQLI        AX     OK    OK
MiwoFTP                        <= 1.0.4      LFI         FE     OK    NG
MiwoFTP                        <= 1.0.5      CSRF, XSS   AA     OK    OK
MainWP Child                   <= 2.0.9.1    AB          FE     OK    NG
Mashshare                      <= 2.3.0      AB          AX     OK    OK
WordPress Leads                <= 1.6.2      XSS         AX+    OK    NG
The total amount of OK                                          41    38

Total Protection Performance

Blocking Method                           True Positive   False Negative
Block by country on both front/back-end   49/50 (98%)     1/50 (2%)
Block by country only on back-end         41/50 (82%)     9/50 (18%)
WP-ZEP                                    38/50 (76%)     12/50 (24%)

Customizing the response code and message

When this plugin blocks a request, it behaves differently depending on the “Response code” setting. This document explains the details and also how to customize the error page for human visitors.

Referer Checker

Variable          Contents
HTTP_USER_AGENT
HTTP_REFERER

Back to the article: Referrer Suppressor for external link

UA string and Qualification

For SEO, you must be sure to grant permission to search engine bots and crawlers such as Google, Yahoo and Bing, while shutting out bad bots. This feature makes that possible: you give a pair of “UA string” and “Qualification” separated by an applicable rule, which can be “:” (pass) or “#” (block).

Syntax and Synopsis

UA string

You can specify a part of user agent string (case sensitive). An asterisk “*” matches all user agents.

Qualification

Currently, there are 7 types of qualification, listed below:

Qualification       Description
FEED                True if the request is the feed URL.
HOST                True if the host name could be resolved.
HOST=string         True if the host name includes string.
REF=string          True if the HTTP referer includes string.
Country code        True if the request comes from the specified country.
IP address (CIDR)   True if the IP address is within the specified range.
AS number           True if the AS number matches.
*                   Always true

The host name for HOST, corresponding to the IP address, is retrieved via DNS reverse lookup, which is disabled by default.

Negative operation

A negative operation “!” can be placed just before a qualification. It inverts the meaning of the qualification.

DNS reverse lookup

DNS reverse lookup attempts to fetch a DNS PTR record for an IP address. Its cost in server resources is relatively high. For example, the following picture shows the result of the 1st and 2nd lookups, which is available under “Installation information” in the “Plugin settings” section. It shows that the fetched result is cached on your server.

(screenshot: DNS reverse lookup)

If “DNS reverse lookup” is disabled, then HOST and HOST=... always return true. For example, Google:HOST is converted to Google:*. In this case, only the user agent string is checked. If the converted result is one of *:*, *:!*, *#* and *#!*, it is eliminated.

Examples

UA string and qualification

Sample                 Description
*:2620:101:4000::/42   Pass if the IP address is within the range.
Google:HOST            Pass if the UA includes “Google” and the host name is available.
Google#!HOST           Block if the UA includes “Google” and the host name is unavailable.
Yandex#*               Block if the UA includes “Yandex”.
*#HOST=amazonaws       Block all UAs if the host name includes “amazonaws”.

Note: The rules in "UA string and Qualification" are processed in order. For example, when bot:HOST appears before xyz-bot#HOST, every bot whose user agent string includes "bot" and whose host name is available will be passed, including xyz-bot.
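The rule matching described in this section, as an added example written in Python rather than the plugin's own PHP; the Req class, the qualifies and evaluate functions and the sample requests are constructed for illustration and are not the plugin's code. It covers the examples table above, the "!" negation, first-match ordering, and the HOST-to-* conversion and rule elimination that apply when DNS reverse lookup is disabled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Req:
    """Constructed request context for illustration, not the plugin's own data structure."""
    ua: str
    ip: str
    host: str = ""       # reverse-DNS result; "" when unavailable
    referer: str = ""
    country: str = ""    # ISO country code, e.g. "JP"
    asn: str = ""        # e.g. "AS15169"
    feed: bool = False

def qualifies(q: str, r: Req) -> bool:
    """Evaluate one qualification; a leading '!' inverts the result."""
    neg = q.startswith("!")
    q = q[1:] if neg else q
    if q == "*":
        ok = True
    elif q == "FEED":
        ok = r.feed
    elif q == "HOST":
        ok = bool(r.host)
    elif q.startswith("HOST="):
        ok = q[5:] in r.host          # substring match, case sensitive
    elif q.startswith("REF="):
        ok = q[4:] in r.referer
    elif q.startswith("AS") and q[2:].isdigit():
        ok = q == r.asn
    elif len(q) == 2 and q.isalpha():
        ok = q.upper() == r.country.upper()
    else:                             # anything else: an IP address or CIDR range
        ok = ipaddress.ip_address(r.ip) in ipaddress.ip_network(q, strict=False)
    return not ok if neg else ok

def evaluate(rules, r: Req, dns_lookup=False):
    """Return 'pass', 'block' or None; rules are tried in order, first match wins."""
    for rule in rules:
        i = min(p for p in (rule.find(":"), rule.find("#")) if p >= 0)  # first ':' or '#', so IPv6 survives
        ua, op, q = rule[:i], rule[i], rule[i + 1:]
        if not dns_lookup:            # lookup off: HOST... becomes '*', and *:* etc. are dropped
            if q.lstrip("!").startswith("HOST"):
                q = ("!" if q.startswith("!") else "") + "*"
            if ua == "*" and q in ("*", "!*"):
                continue
        if (ua == "*" or ua in r.ua) and qualifies(q, r):
            return "pass" if op == ":" else "block"
    return None
```

Rules are assumed well-formed (each contains a ":" or "#", and anything not recognised as a keyword is parsed as an IP or CIDR).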

References

Utilizing AS number

This document introduces some useful tools to make practical and effective use of AS number in IP Location Block.

If you want to know about AS number itself, please refer to 0.3.0.4 Release Note.


Validation timing

Normally, a plugin is loaded at a certain phase of the WordPress boot process and typically does its job after the init action hook. This means that the plugin is kept waiting until almost all other plugins have finished loading.

But it is wasteful to spend your server’s resources on spammers and attackers.

The “Validation timing” at “Validation rule settings” can help to drastically reduce load on server especially against brute-force attacks.


The best practice for target settings

At the “Validation target settings”, you can enable the option, “Block by country” for each target as a basic configuration. Additionally, “Prevent Zero-day Exploit” can be enabled as an extended option. This document helps you to configure those options to fit for your site.
