In addition to blocking based on IP address geolocation information, this plugin blocks malicious requests by validating based on some additional rules. In this section, such validation rules and behavior at blocking are described.
Your IP address / Country
The information shown here is your IP address and country code recognized by this plugin. The “Scan country code” button derives the country code based on the IP address from multiple geolocation databases. In rare cases, some databases may indicate different country codes. If you found an inconsistent country code, it’s good to select only applicable databases at “Geolocation API settings”.
Also, if your country code is shown as
XX (Private), it means that your server is placed behind a reverse proxy server / a load balancer or inside a LAN. In such a case, please put an appropriate key, corresponding to the HTTP header field wihch is acquired by PHP such as
HTTP_X_FOWARDED_FOR, into “$_SERVER keys to retrieve extra IP addresses” described later so that a public IP address can be retrieved.
Blacklist. With this selection, the titles and text boxe in the next section are changed.
[Whitelist|Blacklist] of country code
Specify the country code according to the selection of “Matching rule” with two letters of the alphabet defined by ISO 3166-1 alpha-2.
Use Autonomous System Number
ASN is the number assigned to the group of IP addresses. For example, Facebook has many IP addresses, and AS32934 is assigned. Activating this will allow you to specify a group of IP addresses all in one piece for a specific organization.
[Whitelist|Blacklist] of extra IP addresses prior to country code
Specify IP addresses or AS number to be blocked or passed, prior to validating the country code. “CIDR calculator forIPv4 / IPv6” can help you to get the range of IP addresses that can be expressed simply as CIDR notation.
$_SERVER keys to retrieve extra IP addresses
In the case of a request via a proxy server, the IP addresses of multiple servers may be passed through in some specific HTTP fields. In order to validate all such IP addresses, you can set up some keys acquired by PHP such as
HTTP_CLIENT_IP and so on.
Bad signatures in query
Specify malicious strings to be scanned from the requested query in order to block a malicious request. This validation excludes the contents of comments and articles.
Prevent malicious file uploading
This configures some rules to prevent uploading of malicious files targeted at plugins and theme vulnerabilities.
Verify file extension and MIME type
Select the white list of MIME type to be permitted.
Verify file extension only
Put the black list of prohibited file extension.
Capabilities to be verified
Put the necessary capabilities for uploading. See Roles and Capabilities for details.
Specify the HTTP status code for response on blocking. Set the followings according to your selection.
For 2XX and 3XX, specify the destination URL to be redirected (default is blackhole.webpagetest.org).
For 4XX and 5XX, specify a message displayed on a simple interface by
wp_die(). Instead of this message, you can setup a human-friendly error page based on the theme template such as
404.phpcan be configured.
Specify when this plugin will perform the validation.
Normally, the timing when the plugin can safely be initialized may be
init action hook. But since it is after loading the theme and all the activated plugins, it takes unnecessary server load in case of blocking. In order to avoid such waste, you can select it as
This option enables to simulate validation without deployment of blocking on both back-end and front-end. The results can be found on “Logs” tag so that you can check in advance which pages would be blocked or passed.