Over the past period we have been working to develop our own GeoLocation API and close the gap that was there. So far the plugin has relied on third-party databases and APIs, but in the future those integrations will receive minimal maintenance and some of them will even be deprecated.
Why our own Geolocation API
Third-party integrations require maintenance and a lot of testing to ensure they are working properly. At the same time, their providers are constantly introducing new things and changing API endpoints, which affects the overall plugin stability. In addition, some of them enforce their own licensing, which is too restrictive.
Another important reason is that we cannot develop specific features if their APIs don't provide the specific information. We have been researching adding blocking by US state, and this is difficult to achieve with existing providers. There are also some other ideas that require data that other providers don't serve.
How it compares to other providers
We have been working hard in the past few months to make this happen and ensure its stability. While we agree that there is no perfect software, we also believe our product is stable enough for launching into production. Since we implemented a load-balanced setup, the service has improved greatly and is capable of handling millions of requests. It also uses advanced caching mechanisms to ensure lightning-fast responses.
The biggest advantage besides performance is extensibility. Since we have full control of this API, we can introduce new features that the IP Location Block plugin will benefit from. A clear example is State blocking or Timezone blocking: other providers do not serve the pieces of data needed, and therefore it is not possible to implement the feature in the WordPress plugin. However, with our API we can always provide additional endpoints specifically for the IP Location Block plugin.
How can I register and start using the API
To register just go to the signup link and go through the procedure.
Assuming that you have access to the Dashboard, go to API > Credentials to obtain your key.
Enter the key in the IP Location Block plugin settings and disable other providers; you don't really need any other at this point.
I added an option to migrate from IP Geo Block. This option will just copy the options from IP Geo Block to IP Location Block.
To migrate, go to Settings > IP Location Block > Plugin settings and follow the steps:
Deactivate IP Geo Block but don’t remove it yet because it will remove the settings as well.
In IP Location Block settings, use the “Migrate from IP Geo Block” option at the bottom to copy the settings from IP Geo Block
You can now remove IP Geo Block
Note: The tool will NOT remove those options from IP Geo Block yet, because IP Geo Block has the functionality to remove those settings itself when you uninstall it if the checkbox "Remove all settings and records at uninstallation" is checked. When uninstalling, make sure you enable this option and then uninstall it.
Note: This option will only be visible if valid IP Geo Block settings are detected.
The above graph shows recent statistics on WordPress vulnerabilities from the WPScan Vulnerability Database, summarized by Sucuri, a worldwide security company especially famous for analyzing vulnerabilities in WordPress.
Why are there so many vulnerabilities in WP plugins?
After reading the Sucuri Blog deeply and widely, I came to the conclusion that there is some kind of disuse and misuse of WordPress core functions.
I’d like to verify each vulnerability from this point of view.
IP Location Block is the only plugin that has the ability to prevent zero-day attacks even if some of the plugins in a WordPress site have unveiled vulnerabilities. I call it “Zero-day Exploit Prevention for WordPress” (WP-ZEP).
In this article, I’ll explain its mechanism and also its limitations. Before that, I’ll mention the best practice of plugin actions.
From July to September 2015, 33 types of malicious requests attempting to expose wp-config.php via vulnerable plugins and themes were observed on my site. I analyzed all of them to identify whether IP Location Block can block them or not.