Definitely we need not only hardening security but also speeding up the site. So you may want to use IP Location Block with a caching plugin.
This is a big challenge to make this plugin compatible with cache plugins, because they would respond the requested content without executing any PHP codes at the very beginning of WordPress core process or even before the core starts.
Requirements for compatibility
To achieve the demand for both security and speed, the cache plugins need to support the following requirements.
Do not cache page
One of the most important thing for this plugin is to prevent caching an error page where an access denied message is rendered. For this purpose, this plugin defines DONOTCACHEPAGE constant and set the flag for is_404().
On a cache plugin side, one of the followings needs to be supported.
- Support
DONOTCACHEPAGE - Support “Do not cache 404 page”
For example, WP Super Cache supports both of them by default, while many other plugins have 2. in their setting options.
Deferred execution
IP Location Block provides the option “Validation timing” which kick off this plugin at an earlier phase than other typical plugins.
In correspondence with it, a cache plugin need to support the option for “deferred execution” or “late initialization” to give this plugin a chance to render an error page before the cached page is responded against the requests from blacklisted countries (or IPs).
Supported plugins
Here’s a list of supported requirements mentioned above.
| Plugin Name | Do not cache page | Deferred execution |
|---|---|---|
| WP Fastest Cache | ✓ | N/A |
| Rapid Cache | ✓ | N/A |
| Comet Cache | ✓ | N/A |
| Hyper Cache | ✓ | N/A |
| WP Rocket | ✓ | N/A |
| WP Super Cache | ✓ | ✓ |
| W3 Total Cache | ✓ | ✓ |
| Swift Performance Lite | ✓ | ✓ |
| Vendi Cache | ✓ | ✓ |
This list shows that:
- WP Fastest Cache, Comet Cache, Hyper Cache and WP Rocket can be used with IP Location Block but do not have full compatibility.
- WP Super Cache, W3 Total Cache, Swift Performance Lite and Vendi Cache can be fully compatible with IP Location Block by their certain setting of options.
The followings are the options setting in each plugin.
WP Rocket
Some users reported that WP Rocket’s feature “Critical CSS” triggers error while using IP Location Block. This is because WP Rocket is trying to reach the site but their server IPs are not on the whitelist.
To solve this issue please read the following article by WP Rocket:
Troubleshooting Critical CSS generation issues
WP Super Cache
W3 Total Cache
Swift Performance Lite
Vendi Cache
Installing MU-Plugins
A must-use plugin is a plugin that will always be activated by default and be loaded prior to other typical plugins when you install it into your wp-content/mu-plugins/ directory.
You must select "mu-plugins" (ip-location-block-mu.php) as Validation Timing in “Validation rule settings” section to install this plugin as “must-use plugin”.
Restrictions
Installing ip-location-block-mu.php has following restrictions mainly because of its execution timing which is before after_setup_theme action hook:
- You should write your own code for custom filter hooks not in your theme’s
functions.phpbutdrop-in.phpin your geolocation database directory. - Human friendly error page should be saved as a static file.
Please refer to “Validation timing” for more details.
What will become of my site if I use other plugin?
Well, it would not be so serious. Let’s think about WP Fastest Cache for example.
If someone requests a page where a cache hit occurs, no PHP code would be executed but static contents in the cache would be responded. In this case, this plugin has no chance to block anything.
If someone requests a page where a cache miss occurs, then WordPress would start to handle the request. In this case, this plugin would have a chance to validate the request.
So a visitor from forbidden countries sometimes gets cached contents and sometimes gets blocked. This means attack from forbedden countires would fail. As a consequence, blocking by country can still reduce the risk of infection.
How about Object Cache plugins?
WP_Object_Cache is a core class that implements an object cache. It stores all of the cache data to memory and makes them reusable within a request, but it does not make them reusable between different user agents even for the same content.
Unlike the full page cache plugins mentioned above, object cache plugins like LiteSpeed Cache on OpenLiteSpeed Web Server and Redis Object Cache using Redis make the “object” persistent. So the mechanism of persistent object cache is suitable for dynamic contents, and should be compatible with IP Location Block.