My custom functions in “functions.php” don’t work.
Normally, you can add code snippets for your custom functions to functions.php, which is placed in your theme or child theme folder. But if you select “mu-plugins” (ip-location-block-mu.php) as “Validation timing” in the “Validation rule settings” section, your code for this plugin in functions.php will not work as you expect.
This restriction originates from the execution order described in Action Reference, where you can see that the muplugins_loaded action hook is triggered far before after_setup_theme, which is when your functions.php is parsed.
Then what’s the solution?
Installing “drop-in.php” and "drop-in-admin.php"
To install, upload drop-in.php or drop-in-admin.php in /wp-content/uploads/ip-location-block/dropins/
You can find a sample for drop-in.php in /wp-content/plugins/ip-location-block/wp-content/drop-in-sample.php. Just rename it to drop-in.php and upload it to the directory mentioned above.
Both drop-in.php and drop-in-admin.php are similar but are fired on different sides. The first is used on the front-end and the second is used on the admin side.
Note that even in the case of multisite, drop-in.php and drop-in-admin.php will be called on every site. So if you want each site to behave differently, you should add some code like the following:
NOTE: You don't need to move all your custom functions from functions.php into drop-in.php, only the functions related to this plugin, such as filter hooks for this plugin.
How can I fix permission troubles?
This plugin must have read/write permission in certain places outside of the plugin folder. But in some cases, you might see a permission-related error message because of your server’s security configuration.
In those cases, you have to configure the WordPress file system settings by hand.
Geolocation API library
Configuring file system
If your host is running under a special installation setup involving symlinks, or certain installations with a PHP FTP extension, you’ll see the following error message when you install and activate this plugin for the first time:
In this case, following the instructions in this document at codex, you have to define some constants in your wp-config.php, something like this:
If for some reason you can’t do this, please follow the next instruction.
Installing Geolocation API library
You may see the following when you open the options page of this plugin:
In this case, you should install ip-geo-api, which includes the geolocation API library named IP-Geo-API for Maxmind and IP2Location, under one of the following folders:
You can download the ZIP file and upload the ip-geo-api folder from the unzipped archive to location 1 or 2 above, with proper permissions, using FTP.
Note: Installing ip-geo-api into 3. is not recommended, because it will be removed every time this plugin is updated.
Here’s a final tree view after uploading ip-geo-api to 1.
NOTE: Please refer to "Hardening WordPress" to give ip-geo-api and the folders under it (ip2location and maxmind) proper permissions. These may be 755, but this should be confirmed by consulting your hosting administrator.
Force to load WP core
When you enable the “Force to load WP core” options, this plugin will try to configure .htaccess in your /wp-content/plugins/ and /wp-content/themes/ folders in order to protect your site against malicious attacks targeted at the OMG plugins and themes.
If you encounter an “Unable to write” message for plugins, you should put the following directives into your /wp-content/plugins/.htaccess manually instead of enabling this option:
The absolute path /wp-content/plugins/ should be changed according to your site configuration. And here are example directives in /wp-content/themes/.htaccess:
I still have access from a blacklisted country.
Does this plugin work properly?
However, there are some reasons why users have such an impression.
1. Wordfence Live Traffic
Sometimes, a Wordfence Security user who found some accesses in its Live Traffic view would claim that:
Hey, this plugin seems to block nothing!
But please do not get ahead of yourself, there’s a proper order for everything!
Before WordPress runs, Wordfence ingeniously filters out malicious requests to your site by using the auto_prepend_file directive to include its PHP-based Web Application Firewall. Then this plugin validates the rest of the requests, the ones that passed through Wordfence because they were not covered by its WAF rules, especially when you enable “Prevent Zero-day Exploit”.
2. Confused Country Code
Unfortunately, the accuracy of the country code depends on the geolocation databases. Actually, there are cases where the same IP address has different country codes.
Here are other examples:
In such a case, please consider selecting more reliable databases.
Considering the execution order
Please consider setting "mu-plugins" (ip-location-block-mu.php) as Validation timing in Validation rule settings. This lets the plugin capture requests before other plugins do.
Even if you encounter blocking, please relax. There are some ways to resolve it.
When and why am I blocked?
Well, actually there are several rules this plugin uses to validate your requests. Each of them is very simple, but the combination of them is very powerful in protecting your sites. Sometimes, though, they are too strict for the requests of some plugins and themes to pass.
One thing you should know is that not all activities by an administrator are permitted by this plugin, in order to prevent CSRF and SSRF, which are usually combined with other vulnerabilities and attacks such as XSS, SQLi, LFI and so on.
The “Dashboard” is a kind of safety zone protected by the WordPress authentication system. No important jobs are executed there; it just shows something useful about your site. So when you encounter the above message, following the link is always recommended unless you have something to keep before you leave the last page.
How to resolve it?
Step 1: Check your validation rule settings
If you can go to the admin dashboard and find the following message, please check your “Validation rule settings” so that you do not lock yourself out.
“Prevent Zero-day Exploit”, which I named WP-ZEP, is the most powerful feature in this plugin for protecting your site against undisclosed vulnerabilities. It can also distinguish a request originating from a logged-in user from one originating from an attacker, using a secret key called a nonce that should be known only to a logged-in user.
The priority of this rule is the highest in this plugin. So please try to enable / disable this feature in order to tell this plugin “The request is not from an attacker but from me!”.
Step 4: Find a blocking reason in logs
If Step 3 can’t resolve the issue, please find the blocked request and look at the “Result”. The following is an example of /wp-admin/admin-ajax.php blocked by “Prevent Zero-day Exploit”, which is shown as “wp-zep”:
You can find the full list of “Result” at this document in codex. Then please go to the next step.
Step 5: Give a permission as exception
If you can’t resolve the blocking issue with the steps up to step 3, please try giving permission to the request concerned as an exception.
For example, if the request has a query action=do-my-action or page=my-plugin-page, then you can add a code snippet into your theme’s functions.php or /path/to/your/ip-geo-api/drop-in.php (typically /wp-content/ip-geo-api/drop-in.php) as below:
Note: You can add the above code into the functions.php in your theme when you set "init" action hook as Validation timing. But when you select "mu-plugins" (ip-location-block-mu.php), you should use drop-in.php because it's prior to after_setup_theme.
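The following drop-in.php is an added example, not the plugin's bundled sample or its author's code; it combines the exception described above with the per-site branching mentioned earlier for multisite. The hook name ip-location-block-bypass-admins, the function names and the site IDs are assumptions: confirm the hook against the plugin's filter hook list before relying on it.

```php
<?php
/**
 * drop-in.php: added example, not the plugin's bundled sample.
 * ASSUMPTION: the hook name 'ip-location-block-bypass-admins' is inferred
 * from the plugin slug; confirm it in the plugin's filter hook reference.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit; // refuse direct HTTP access to this file
}

/**
 * Hypothetical per-site exception table: blog ID => values of the
 * action= or page= query that are allowed as exceptions on that site.
 * Site IDs 1 and 2 are constructed for illustration.
 */
function my_ilb_exceptions_for_site( $blog_id ) {
    $per_site = array(
        1 => array( 'do-my-action', 'my-plugin-page' ),
        2 => array( 'my-plugin-page' ),
    );
    return isset( $per_site[ $blog_id ] ) ? $per_site[ $blog_id ] : array();
}

/**
 * Filter callback: append this site's exceptions to the existing list.
 * drop-in.php is called on every site of a multisite network, so branch
 * on the current site instead of granting the exception network-wide.
 * get_current_blog_id() returns 1 on a single-site installation.
 */
function my_ilb_bypass_admins( $queries ) {
    $extra  = my_ilb_exceptions_for_site( get_current_blog_id() );
    $merged = array_merge( (array) $queries, $extra );
    return array_values( array_unique( $merged ) );
}
add_filter( 'ip-location-block-bypass-admins', 'my_ilb_bypass_admins' );
```

Keep each list to the exact action or page values seen in the logs, since every entry is a request that is permitted as an exception.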
- Plugins area / Themes area -
If the requested URL is directly pointed to the particular plugin or theme, you can resolve its blocking issue by making an exception of that plugin or theme.
In case you can’t resolve your blocking issue up to this step, I should be able to help you find a solution at the support forum. Before submitting your issue to the forum, I expect you to get your “Installation information” from the “Plugin settings” section.
Please copy and submit them. Those are very helpful to know what happens to your site.
What should I do when I'm locked out?
When you are locked out by misfortune, this feature inhibits the blocking behavior of this plugin.
Download IP Location Block, unzip and open the ip-location-block.php with an appropriate editor. You can find the “Emergent Functionality” code section near the bottom of the file as follows:
This code block can be activated by replacing /* (opening multi-line comment) at the top of the line with // (single line comment), or * at the end of the line with */ (closing multi-line comment).
After saving the file and uploading it into ip-location-block in your plugins folder (typically /wp-content/plugins/) via FTP or cPanel File Manager, you will be able to log in again as an admin.
Then you can properly re-configure “Matching rule” and “Country code for matching rule” in “Validation rule settings”. After that, do not forget to restore the ip-location-block.php on your server to the original one.
If you are not confident editing a PHP file, please download the ZIP from here, in which “Emergent Functionality” is already activated, and use it.
Deactivate by force
Although the above process is strongly recommended in an emergency, some users are not familiar with this type of job.
In that case, you can rename the ip-location-block folder to ip-location-block.bak using FTP or something similar. Then you can log in and see the following message on your plugin’s dashboard.
After renaming ip-location-block.bak to the original, you can activate this plugin again.
Another solution at emergency
You can also just forcibly remove ip-location-block in your plugin’s folder. Then you’ll see the same message as the above picture on your plugin’s dashboard.
After that, you can reinstall through the “Add New” button and reactivate. But you’ll soon find you’re blocked again because your settings still remain in your database.
But don’t worry about that. A background process kicked by the activation will rescue you. After pausing for breath, you can visit your admin dashboard again!
Warning: Do not delete the ip-geo-api directory. If you do that, this solution will never work.
For power users
If you’re familiar with the use of phpMyAdmin and know where the plugin’s options are saved, you can change the value of matching_rule to -1 which means Disable. Please do it at your own risk.
Quick recovery from blocking on login page
If you see the message “Sorry, your request can not be accepted” on your login page like the picture below, please follow the steps:
Rename ip-location-block to ip-location-block- in the plugin directory (/wp-content/plugins/) on your server using FTP or a file manager like cPanel. This deactivates the plugin.
Log in to your site as an admin. You’ll see the following message on your plugins page.
The plugin ip-location-block/ip-location-block.php has been deactivated due to an error: Plugin file does not exist.
Note: When you configure "mu-plugins" (ip-location-block-mu.php) as Validation timing, then you'll also find the message "Can't find IP Location Block in your plugins directory" like the above picture that can be ignored for now.
Revert the renamed ip-location-block- to the original name ip-location-block using FTP or your file manager.
Refresh your plugins page, then activate IP Location Block again.
Resolve the cause of blocking according to the error message as follows.
Validation rules and behavior
When you find the following message: In this case, check your country code and configure properly on Settings tab: Or check whether your IP address is blacklisted:
Statistics in IP address cache
When you find the following message: In this case, remove your IP address from the cache on Statistics tab:
Geolocation API libraries
When you find the following message: In this case, please try to deactivate IP Location Block once and re-activate again to re-install Geolocation API libraries on Plugins page.