My custom functions in “functions.php” doesn’t work.

Normally, you can add code snippets for your custom functions into functions.php which is placed in your theme or child theme folder. But in case you select “mu-plugins” (ip-location-block-mu.php) as “Validation timing” in “Validation rule settings” section, your code for this plugin in functions.php would be failed to work as you expected.

Validation timing

This restriction is originated from the excution order described in Action Reference where you can find muplugins_loaded action hook is triggered far before after_setup_theme which is the timing of your functions.php to be parsed.

Action Reference

Then what’t the solution?

Installing “drop-in.php” and "drop-in-admin.php"

To install, upload drop-in.php or drop-in-admin.php  in  /wp-content/uploads/ip-location-block/dropins/

You can find a sample for drop-in.php in /wp-content/plugins/ip-location-block/wp-content/drop-in-sample.php. Just rename it to dropi-in.php and upload in the directory mentioned above.

Both drop-in.php and drop-in-admin.php are similar but are fired on different sides. The first is used on the front-end and the second is used on the admin side.

Note that even in the case of multisite, drop-in.php and drop-in-admin.php  will be called on every site. So if you want each site to behave differently, you should add some code like follows:

 * Drop-in for IP Location Block custom filters
 * @package   IP_Location_Block
 * @link
 * @example   Use `IP_Location_Block::add_filter()` instead of `add_filter()`.
if ( ! class_exists( 'IP_Location_Block' ) ) {

$components = parse_url( site_url() );

switch ( $components['host'] ) {
    case '':
      if ( 0 === strpos( $components['path'], '/subdir1' ) ) {
          // here is code snippet for sub directory 1

      elseif ( 0 === strpos( $components['path'], '/subdir2' ) ) {
          // here is code snippet for sub directory 2

    case '':
      // here is code snippet for sub domain 1

      // here is code snippet for default
NOTE: All your custom functions in functions.php doesn't need to be put together into drop-in.php but functions related to only this plugin such as Filter hooks for this plugin.

How can I fix permission troubles?

This plugin must have read/write permission at the certain places outside of the plugin folder. But in some cases, you might find the error message related to the permission because of your server’s security configurations.

When you meet those cases, you have to configure something related to the WordPress file system by your own hand.

Geolocation API library

Configuring file system

If your host is running under a special installation setup involving symlinks, or certain installations with a PHP FTP extension, you’ll see the following error message when you install and activate this plugin for the first time:

Error of Filesystem

In this case, as of the instruction in this document at codex, you have to configure some symbols in your wp-config.php something like this:

define( 'FTP_HOST', '' );
define( 'FTP_USER', 'username' );
define( 'FTP_PASS', 'password' );

If you have some reasons you can’t do this, please follow the next instruction.

Installing Geolocation API library

When you’ll see the following when you jump to the option page of this plugin:

Error of IP Geo API

In this case, you should install ip-geo-api that includes geolocation API library named IP-Geo-API for Maxmind and IP2Location under one of the following folders:

  1. /wp-content/
  2. /wp-content/uploads/
  3. /wp-content/plugins/ip-location-block/

You can download the ZIP file and upload ip-geo-api in the unzipped folder onto the above 1. or 2 with a proper permission using FTP.


Note: Installing ip-geo-api into 3. is not recommended, because it will be removed at every time this plugin is updated.

Here’s a final tree view after uploading ip-geo-api to 1.

  ├── index.php
  ├── ip2location
  │   ├── IP2Location.php
  │   ├── bcmath.php
  │   └── class-ip2location.php
  └── maxmind
      ├── LICENSE
      ├── class-maxmind.php
NOTE: Please refer to "Hardening WordPress" to give ip-geo-api and the following folders (ip2location and maxmind) a proper permission. It may be 755 but should be confirmed by consulting your hosting administrator.

Force to load WP core

Error of .htaccess

When you enable “Force to load WP core” options, this plugin will try to configure .htaccess in your /wp-content/plugins/ and /wp-content/themes/ folder in order to protect your site against the malicous attacks targeted at the OMG plugins and themes.

If you encounter an “Unable to write” message for plugins, you should put the following directives into your /wp-content/plugins/.htaccess manually instead of enabling this option:

# BEGIN IP Location Block
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /wp-content/plugins/ip-location-block/
RewriteCond %{REQUEST_URI} !ip-location-block/rewrite.php$
RewriteRule ^.*.php$ rewrite.php [L]
# END IP Location Block

The absolute path /wp-content/plugins/ should be changed according to your site configuration. And here’s an example directives in /wp-content/themes/.htaccess:

# BEGIN IP Location Block
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /wp-content/plugins/ip-location-block/
RewriteRule ^.*.php$ rewrite.php [L]
# END IP Location Block

I still have access from blacklisted country.

Does this plugin work properly?

Absolutely, YES.

However, there are some reasons why users have such an impression.

1. Wordfence Live Traffic

Sometimes, a Wordfence Security user who found some accesses in its Live Traffic view would claim that:

Hey, this plugin seems to block nothing!

Wordfence Live Traffic

But please do not get ahead of yourself, there’s a proper order for everything!

Before WordPress runs, Wordfence ingeniously filters out malicious requests to your site by enabling auto_prepend_file directive to include PHP based Web Application Firewall. Then this plugin validates the rest of the requests that pass over Wordfence because those were not in WAF rules, especially you enables “Prevent Zero-day Exploit”.

2. Confused Country Code

Unfortunately, accuracy of country code depends on the geolocation databases. Actually, there is a case that a same IP address has different country code.

Different country code

Here are other examples:

Confused country code

Strange country code

In such a case, please consider to select more reliable databases.

Considering the execution order

Please consider to set "mu-plugins" (ip-location-block-mu.php) as Validation timing in Validation rule settings. It enables to capture the requests prior to other plugins.

Validation timing

Find more details at Validation timing.

Why “Sorry, your request cannot be accepted” ?

Even if you encounter blocking, please feel relax. There’re some ways to resolve it.

When and why am I blocked?

Well, actually there’re several rules to validate your requests in this plugin. Each of them is very simple but combination of them is very powerful to protect your sites. But sometimes, those are too strong for some plugins and themes to pass their requests.

One thing you should know is that all activities by an administrator are not always permitted in this plugin in terms of preventing CSRF and SSRF that are usually combined with other vulnerability and attack like XSS, SQLi, LFI and so on.

When you encounter blocking…

You will see the following window by default unless you setup a human friendly error page:

Blocking message

The “Dashboard” is a kind of safety zone protected by WordPress authentication system. None of important jobs would be executed there but just showing something useful about your site. So when you encounter the above message, following the link is always recommended unless you have something to keep before you leave the last page.

How to resolve it?

Step 1: Check your validation rule settings

If you can go to the admin dashboard and find the following message, please confirm your “Validation rule settings” not to block yourself out.

Check your validation rule settings

You can file some details in Get started.

Validation rule settings

Step 2: Check JavaScript errors

A JavaScript file named authenticate.min.js has a very important role for this plugin. For example, “Referrer Suppressor for external link” is done by this script. But once a js error occurs, you might end in seeing “Sorry, your request cannot be accepted”. So please check js errors in your browser at first.

This codex document is very helpful to examine this step.

Step 3: Try “Prevent Zero-day Exploit”

“Prevent Zero-day Exploit” which I named WP-ZEP is the most powerful feature in this plugin to protect your site against undisclosed vulnerability. It can also distinguish the origin of request by a logged in user from an attacker using a scecret key called nonce that should be known only by a logged in user.

Prevent Zero-day Exploit

The priority of this rule is the highest in this plugin. So please try to enable / disable this feature in order to tell this plugin “The request is not from an attacker but from me!”.

Step 4: Find a blocking reason in logs

If the Step 3 can’t resolve the issue, please find the blocked request and look at the “Result”. The following is an example of /wp-admin/admin-ajax.php blocked by “Prevent Zero-day Exploit” that is described as “wp-zep”:

Blocking reason in logs

You can find the full list of “Result” at this document in codex. Then please go to the next step.

Step 5: Give a permission as exception

If you can’t resolve the blocking issue up to the step 3, please try to give a permission to the concerned request as an exception.

- Admin area / Admin ajax/post -

In the case when a request related to wp-admin is blocked, you can give it permission via the custom filter hook ip-location-block-bypass-admins.

For example, if the request has a query action=do-my-action or page=my-plugin-page, then you can add a code snippet into your theme’s functions.php or /path/to/your/ip-geo-api/drop-in.php (typically /wp-content/ip-geo-api/drop-in.php) as below:

function my_bypass_admins( $queries ) {
    $whitelist = array(
    return array_merge( $queries, $whitelist );
add_filter( 'ip-location-block-bypass-admins', 'my_bypass_admins' );
Note: You can add the above code into the functions.php in your theme when you set "init" action hook as Validation timing. But when you select "mu-plugins" (ip-location-block-mu.php), you should use drop-in.php because it's prior to after_setup_theme.
- Plugins area / Themes area -

If the requested URL is directly pointed to the particular plugin or theme, you can resolve its blocking issue by making an exception of that plugin or theme.


It’s also performed by ip-location-block-bypass-plugins and ip-location-block-bypass-themes.

Final step: Installation information

In case you can’t resove your blocking issue up to this step, I should help you to find a solution at support forum. Before submitting your issue to the forum, I expect you to get your “Installation information” at “Plugin settings” section.

Installation information

Please copy and submit them. Those are very helpful to know what happens to your site.

What should I do when I'm locked out?

Emergent Functionality

When you are locked out by misfortune, this feature inhibits the blocking behavior of this plugin.

Download IP Location Block, unzip and open the ip-location-block.php with an appropriate editor. You can find the “Emergent Functionality” code section near the bottom of the file as follows:

 * Emergent Functionality

 * Invalidate blocking behavior in case yourself is locked out.
 * How to use: Activate the following code and upload this file via FTP.
function ip_geo_block_emergency( $validate ) {
	$validate['result'] = 'passed';
	return $validate;
add_filter( 'ip-location-block-login', 'ip_geo_block_emergency', 1, 2 );
add_filter( 'ip-location-block-admin', 'ip_geo_block_emergency', 1, 2 );
// */

This code block can be activated by replacing /* (opening multi-line comment) at the top of the line to // (single line comment), or * at the end of the line to */ (closing multi-line comment).

 * Emergent Functionality

 * Invalidate blocking behavior in case yourself is locked out.
 * How to use: Activate the following code and upload this file via FTP.
function ip_geo_block_emergency( $validate ) {
	$validate['result'] = 'passed';
	return $validate;
add_filter( 'ip-location-block-login', 'ip_geo_block_emergency', 1, 2 );
add_filter( 'ip-location-block-admin', 'ip_geo_block_emergency', 1, 2 );
// */

After saving and uploading it into ip-location-block in your plugins folder (typically /wp-content/plugins/) via FTP or cPanel File Manager, you become to be able to login again as an admin.

Then you can re-configure “Maching rule” and “Country code for matching rule” at “Validation rule settings” properly. After that, do not forget to restore the ip-location-block.php on your server to the original one.

If you have no confidence in editing PHP file, please download ZIP from here and use it that “Emergent Functionality” is already activated.

Deactivate by force

Although the above processes is strongly recommended at your emergency, some users are not familiar with this type of jobs.

In that case, you can rename ip-location-block folder to ip-location-block.bak using FTP or something. Then you cal login and see the following message on your plugin’s dashboard.

Force to deactivate

After renaming ip-location-block.bak to the original, you can activate this plugin again.

Another solution at emergency

You can also just forcibly remove ip-location-block in your plugin’s folder. Then you’ll see the same message as the above picture on your plugin’s dashboard.

After that, you can reinstall through “Add New” button and reactivate again. But you’ll find soon you’re blocked again because your settings still remains in your database.

Blocking message

But don’t worry about that. A background process kicked by the activation will rescue you. After pausing for breath, you can visit your admin dashboard again!

Warning: Do not delete ip-geo-api directory. If you do that, this solution becomes never to work.

For power users

If you’re familiar with the use of phpMyAdmin and know where the plugin’s options are saved, you can change the value of matching_rule to -1 which means Disable. Please do it at your own risk.

Change matching_rule via phpMyAdmin

Quick recovery from blocking on login page

If you see the message “Sorry, your request can not be accepted” on your login page like the picture bellow, please follow the steps:

Blocking message

  1. Rename ip-location-block to ip-location-block- in the plugin directory (/wp-content/plugins/) on your server using FTP or the file manager like cPanel. This makes the plugin deactivated.

  2. Login to your site as an admin. You’ll see the following message on your plugins page.

    The plugin ip-location-block/ip-location-block.php has been deactivated due to an error: Plugin file does not exist.

    Message on plugins page

    Note: When you configure "mu-plugins" (ip-location-block-mu.php) as Validation timing, then you'll also find the message "Can't find IP Location Block in your plugins directory" like the above picture that can be ignored for now.
  3. Revert the renamed ip-location-block- to the original name ip-location-block using FTP or your file manager.

  4. Refresh your plugins page, then activate IP Location Block again.

  5. Resolve the cause of blocking according to the error message as follows.

Error message