I’m very pleased to announce the release of IP Location Block 0.2.2.0. In this release, 2 new features are implemented to enhance its the protection ability against the malicious accesses.
The estimated amount of true positive against preventing malicous accesses in the real world would be about 80% now.
New feature: Extra IPs for white/black list
While it blocks (or accepts) accesses from forbidden (or permitted) countries, extra IP addresses can be bypassed (or blocked) prior to the validation of country code.
You can put the extra IP addresses of both IPv4 and IPv6 with CIDR notation into the Validation rule settings.
You can also register your own filter hook via
ip-location-block-extra-ips to add more IPs programmatically. The following is a sample snippet in
functions.php to retrieve IPs from TOR node listing services like this.
Remarks in Validation Logs
Now validation results are logged in detail.
New feature: Evolution of validation target settings
Validation target of “Block by country” and “Prevent Zero-day Exploit” are more conspicuous than before for “Admin area” and “Admin ajax/post”.
Block by country
It will block the requests related to the backend services for both public facing page and dashboard.
Prevent Zero-day Exploit
Regardless of the country code, it will block the malicious requests related to the backend services only for dashboard.
Applying both is the most effective because it can protect any malicous access to the dashboard while providing any services such as ajax to users from the permitted countries. On the other hand, enabling only wp-zep is still useful because everybody can receive the services on the public facing pages.
And new target “Important files” is added to prevent exposing
Privacy considerations about IP address
An IP addresses can be considered as a personal data when it is combined with other information such as country or any other environment variables.
With regard to European data protection law, this question and ansewer tells the important principle:
Any processing of client data such as IP addresses must be in line with the national laws implementing the requirements of Directive 95/46/EC; … personal data must be processed on legitimate grounds, for a specific purpose and must be proportionate to the aim pursued. The clients … must be informed about the processing.
So I added some notices at Geolocation API settings and Anonymize IP address at Record settings. Current anonymizing will mask the last three digits of IP address when it is recorded into the log. But this is not enough. Just better than none at all.
Bug fix: Text message on comment form
Now this issue is fixed and you can also use some tags same as comment form.
In the past, I analyzed the attack vectors against the WordPress plugins in this article and now have updated for this release.
The estimated best result is as follows :
|Blocking Method||True Positive||False Negative|
|Block by country||41/50 (82%)||9/50 (18%)|
|WP-ZEP||38/50 (76%)||12/50 (24%)|
Leave a Reply