Using WordPress post simulator

Posted on May 11, 2021

You may want to test the blocking behavior of this plugin. This document shows you how to use WordPress Post Simulator which simulate various attacks to the WordPress site through the comment spam, trackback, pingback, ajax and so on.

Preparation

The simulator is composed by JavaScript. So it should be uploaded to the same domain with the target WordPress site because of the limitation of Same-origin policy.

Please download the ZIP file of IP Location Block master, unzip it, then upload css, js and index.html in the test folder to the appropriate directory on your server.

Files required to be uploaded

To prevent abuse by someone, the name of the uploaded directory should be secret which can be made up by referring WordPress Secret Key API for example, but only choosing unreserved characters in RFC3986.

WordPress Post Simulator

When you access to the uploaded index.html, you can see the following page.

WordPress post simulator

Page Settings

The first step is to set up the WordPress related URL and proxy IP address.

  1. WordPress Home
    Home URL of your WordPress site. Push Validate to check the page.
  2. Single Page
    URL of a single page which has a comment form. Push Validate to check the page.
  3. Proxy IP address
    When you push Generate, a random IP address is generated. It will be set as the HTTP_X_FORWARDED_FOR header in order to simulate the attacks from outside of your country. If empty, no header will be sent.

Submission Settings

Currently, you can test 13 methods for submission. In each method, you can set the attack vectors as follows:

Request parameter settings

Submission

The last thing you should do is to submit the requests. Then you can get the responses against each request in the text area.

Submitting and results