Back-end target settings

Posted on May 11, 2021

WordPress has many important back-end entrances (i.e. endpoints) whose behaviour affects the whole website. In this section, you can set up rules to validate requests to the particularly important endpoints among them.

Comment post

It validates requests to wp-comments-post.php.

Note: Requests to subscribe to a bbPress forum can also be blocked by this option.
  • Message on comment form
    You can put the specified message at the point where the template action hook comment_form or comment_form_top is fired. The following tags are allowed: <a>, <abbr>, <acronym>, <b>, <cite>, <code>, <del>, <em>, <i>, <q>, <s>, <strike>, <strong>

XML-RPC

It validates requests to xmlrpc.php.

The plugin Jetpack by WordPress.com accesses this endpoint from its servers in the United States. Therefore, cooperation with WordPress.com does not work if the country code US is missing from “Whitelist of country code” or is listed in the blacklist.

In such a case, please put the IP addresses of the Jetpack servers, or the AS number AS2635 of Automattic, Inc., into “Whitelist of extra IP addresses prior to country code”.

Login form

It validates requests to wp-login.php and wp-signup.php.

  • Target actions
    In addition to login, you can enable validation for actions such as user registration, password protected pages and so on.

Login form target actions

Note: Requests to the registration page of BuddyPress can also be blocked by this option.

Admin area

It validates requests to wp-admin/*.php.

Unauthenticated requests to this area are redirected to the login page; when the requester is authenticated, attacks that exploit vulnerabilities in themes and plugins can have unintended effects on the website.

  • Prevent Zero-day Exploit
    You can protect your site from these attacks, which cannot be prevented with “Block by country” alone.

Admin ajax/post

It validates requests especially to wp-admin/admin-ajax.php and wp-admin/admin-post.php.

These endpoints are the standard WordPress interfaces through which themes and plugins perform their specific tasks. However, many themes and plugins that use these endpoints have been vulnerable due to a lack of secure coding.

  • Prevent Zero-day Exploit
    You can protect your site from attacks targeting those vulnerabilities, which cannot be prevented with “Block by country” alone.

  • Exceptions
    When “Prevent Zero-day Exploit” is enabled, unintentional blocking may occur depending on the theme or plugin. In such a case, please select the corresponding action / page in the list. You can easily find such blocking using the magnifying glass button ( Find blocked requests in “Logs” ); the alert button ( Navigate to “Logs” tab ) then takes you to the Logs tab to look more closely at the blocked requests.

    Special care must be taken when you specify actions marked with only a lock icon ( Unlock icon ) as exceptions, because those actions are for administrators only.

Find blocked request button

Plugins area

It validates requests to wp-content/plugins/⋯/*.php.

  • Prevent Zero-day Exploit
    Many vulnerabilities are found in plugins that are programmed to call PHP files directly under their own directory. This option protects the site against attacks on these vulnerabilities, which cannot be prevented by “Blocking by country” alone.

  • Force to load WP core
    Like TimThumb, certain types of plugins have PHP files that can be called independently of WordPress. Such requests never load WordPress, so this plugin gets no chance to validate them. For such cases, this option forces WordPress core to be loaded so that the request is validated, protecting the site in a way that “Blocking by country” alone cannot.

  • Exception
    It is almost the same as for “Admin ajax/post”, but a plugin name should be specified instead of an action or page.

Themes area

It validates requests to wp-content/themes/⋯/*.php.

“Force to load WP core” and “Exception” are almost the same as for “Plugins area”.
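As an added example (not code from the plugin or its author), the following Python script sorts requests from constructed access-log lines into the back-end target areas described on this page and flags direct requests to plugin or theme PHP files, which are the ones that escape validation unless “Force to load WP core” is enabled. The log format and the path patterns are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed common-log-format lines; IPs are documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/May/2021:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
203.0.113.5 - - [11/May/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.9 - - [11/May/2021:10:00:03 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 3120
198.51.100.9 - - [11/May/2021:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55
198.51.100.9 - - [11/May/2021:10:00:05 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 302 0
192.0.2.77 - - [11/May/2021:10:00:06 +0000] "GET /wp-content/plugins/example/timthumb.php?src=x HTTP/1.1" 200 9000
192.0.2.77 - - [11/May/2021:10:00:07 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Target areas in the order this page lists them. The first match wins, so the specific
# admin-ajax/admin-post endpoints are recognised before the generic wp-admin/*.php rule.
TARGETS = [
    ("Comment post",    re.compile(r'^/wp-comments-post\.php$')),
    ("XML-RPC",         re.compile(r'^/xmlrpc\.php$')),
    ("Login form",      re.compile(r'^/(wp-login|wp-signup)\.php$')),
    ("Admin ajax/post", re.compile(r'^/wp-admin/admin-(ajax|post)\.php$')),
    ("Admin area",      re.compile(r'^/wp-admin/.+\.php$')),
    ("Plugins area",    re.compile(r'^/wp-content/plugins/.+\.php$')),
    ("Themes area",     re.compile(r'^/wp-content/themes/.+\.php$')),
]

def classify(target):
    """Return (area, action) for a request target; area is None when no back-end target
    applies. 'action' is the query-string parameter used by wp-login and admin-ajax/post."""
    path, _, query = target.partition("?")
    area = next((name for name, rx in TARGETS if rx.match(path)), None)
    action = parse_qs(query).get("action", [None])[0]
    return area, action

def report(log_text):
    """Classify every parsable request; direct hits on plugin/theme PHP files are marked as
    needing “Force to load WP core”, because they run without WordPress (and its validation)."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        area, action = classify(m["target"])
        if area is None:
            continue  # static files and front-end pages are not back-end targets
        rows.append({"ip": m["ip"], "area": area, "action": action, "status": int(m["status"]),
                     "needs_force_load": area in ("Plugins area", "Themes area")})
    return rows

if __name__ == "__main__":
    for r in report(SAMPLE_LOG):
        print(r)
```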