0.3.0.1 Release Note

Posted on May 11, 2021

In this release, I should fix some blocking issues to make it compatible with verious plugins and themes.

Admin lock out by brute-force attack with same IP

At support forum I got an issue which caused self blocking right after this plugin’s upgrade from 0.2.2.9.1 to 3.0.0. It seemed to be caused by the reason “Limited” which means:

The number of login attempts reached to the limit.

Theoretically, it could happen if the dynamically assigned IP address was shared between admin and attacker. But of course, it’s almost unlikely to happen.

I examined http load testing on my local server in order to emulate brute-force attacks using Apache Bench command at about 700 requests per minute. I had done it dozens of times and I had only one unreasonable error which was:

PHP Warning: call_user_func_array() expects parameter 1 to be a valid callback, class 'IP_Geo_Block_Logs' does not have a method 'exec_sql' in /Applications/MAMP/htdocs/wp-includes/class-wp-hook.php on line 298

I also tested the previous version 0.2.2.9.1 as same times and I got an error which was quite understandable:

WordPress database error Deadlock found when trying to get lock; try restarting transaction for query DELETE FROM `wp_ip_geo_block_logs` WHERE `hook` = 'login' ORDER BY `No` ASC LIMIT 1 made by require('wp-load.php'), require_once('wp-config.php'), require_once('wp-settings.php'), include_once('/mu-plugins/ip-location-block-mu.php'), IP_Geo_Block::get_instance, IP_Geo_Block->__construct, IP_Geo_Block_Loader->run, call_user_func, IP_Geo_Block->validate_login, IP_Geo_Block->validate_ip, IP_Geo_Block_Logs::record_logs, IP_Geo_Block_Logs::add_sql, QM_DB->query

The difference between those two versions related to this issue is the timing when to write the fetched IP address into the MySQL DB whose command would be issued just before sending a response code to the attacker in 0.2.2.9.1 while just at shutdown action hook in 3.0.0.

So I decided to revise the timing in 3.0.0 back to the same as 0.2.2.9.1. Sorry but I can not say this change would fix the issue for certain.

Prevent blocking

As a workaround, I implemented a blocking prevention against this issue. when the above happens, you can see the following warning on admin dashboard:

Dashboard message

When you see this, please go to “Statistics” tab of IP Location Block settings page and execute “Clear cache” to resolve blocking.

Installation information

When you unfortunately encount a blocking issue while you’re logged in, you’ll see the following unless you setup a human friendly error page:

Blocking message

The “Dashboard” is a kind of safety zone for logged in user so that you’ll never be blocked.

As you know, this plugin potencially have some blocking issues that should be improved. When you meet them, please find “Installation information” section at the bottom of the this plugin’s option page and push “Show information” button!

Installation information

This button gathers some useful informations so that you can copy & paste and easily submit your issue at support forum. Please feel free to use it. I always appreciate you to let me know these infomations.

Thanks for reading to the end. emoji