0.2.2.0 Release Note

Posted on May 11, 2021

I’m very pleased to announce the release of IP Location Block 0.2.2.0. In this release, 2 new features are implemented to enhance its the protection ability against the malicious accesses.

The estimated amount of true positive against preventing malicous accesses in the real world would be about 80% now.

New feature: Extra IPs for white/black list

While it blocks (or accepts) accesses from forbidden (or permitted) countries, extra IP addresses can be bypassed (or blocked) prior to the validation of country code.

You can put the extra IP addresses of both IPv4 and IPv6 with CIDR notation into the Validation rule settings.

Extra IPs

You can also register your own filter hook via ip-location-block-extra-ips to add more IPs programmatically. The following is a sample snippet in functions.php to retrieve IPs from TOR node listing services like this.

define( 'MY_EXTRA_IPS_LIST', 'my_extra_ips_list' );
define( 'MY_EXTRA_IPS_CRON', 'my_extra_ips_cron' );

function my_extra_ips_get() {
    $list = json_decode(
        @file_get_contents( 'http://pike.hqpeak.com/api/free.php' ),
        TRUE // convert object to array
    );

    //  keep the list in the cache (matching 0.2msec)
    if ( is_array( $list ) ) {
        $list = implode( ',', $list );
        set_transient( MY_EXTRA_IPS_LIST, $list, DAY_IN_SECONDS );
    }

    if ( ! wp_next_scheduled( MY_EXTRA_IPS_CRON ) ) {
        wp_schedule_single_event( time() + HOUR_IN_SECONDS, MY_EXTRA_IPS_CRON );
    }

    return $list;
}

function my_extra_ips_hook( $extra_ips, $hook ) {
    $list = get_transient( MY_EXTRA_IPS_LIST );

    // if the list does not exist, then update
    if ( ! $list ) {
        wp_schedule_single_event( time(), MY_EXTRA_IPS_CRON );
    }

    // restrict the target hook
    if ( $list && in_array( $hook, array( 'xmlrpc', 'login' ) ) ) {
        $extra_ips['black_list'] .= ( $extra_ips['black_list'] ? ',' : '' ) . $list;
    }

    return $extra_ips;
}

add_action( MY_EXTRA_IPS_CRON, 'my_extra_ips_get' );
add_filter( 'ip-location-block-extra-ips', 'my_extra_ips_hook', 10, 2 );

Remarks in Validation Logs

Now validation results are logged in detail.

Validation logs

New feature: Evolution of validation target settings

Validation target of “Block by country” and “Prevent Zero-day Exploit” are more conspicuous than before for “Admin area” and “Admin ajax/post”.

Block by country
It will block the requests related to the backend services for both public facing page and dashboard.
Prevent Zero-day Exploit
Regardless of the country code, it will block the malicious requests related to the backend services only for dashboard.

Applying both is the most effective because it can protect any malicous access to the dashboard while providing any services such as ajax to users from the permitted countries. On the other hand, enabling only wp-zep is still useful because everybody can receive the services on the public facing pages.

Validation target settings

And new target “Important files” is added to prevent exposing wp-config.php and /etc/passwd.

Privacy considerations about IP address

An IP addresses can be considered as a personal data when it is combined with other information such as country or any other environment variables.

With regard to European data protection law, this question and ansewer tells the important principle:

Any processing of client data such as IP addresses must be in line with the national laws implementing the requirements of Directive 95/46/EC; … personal data must be processed on legitimate grounds, for a specific purpose and must be proportionate to the aim pursued. The clients … must be informed about the processing.

So I added some notices at Geolocation API settings and Anonymize IP address at Record settings. Current anonymizing will mask the last three digits of IP address when it is recorded into the log. But this is not enough. Just better than none at all.

Record settings