Normally, a plugin will be loaded at a certain phase during WordPress boot process and will typically do its jobs after init action hook. It means that a plugin will be kept waiting until almost all plugins have finished to be loaded.
But it’s wasteful to give spams and attackers those resources of your server.
The “Validation timing” at “Validation rule settings” can help to drastically reduce load on server especially against brute-force attacks.
“mu-plugins” (ip-location-block-mu.php)
When you select this mode as “Validation timing”, this plugin will install ip-location-block-mu.php into your /wp-content/mu-plugins/ which is for must-use plugins. It means that this plugin will be loaded and execute validation prior to other typical plugins.
Note that in case of multisite, ip-location-block-mu.php will be called on every site but doesn’t affect a site where IP Location Block is not activated.
Restrictions
As you can find the order of execution in action reference, mu-plugins are processed prior to theme setup. Consequently, the following two restrictions would be raised.
-
Custom filter hooks in
functions.phpdoes not work
It is bacause thefunctions.phpin the theme folder would not have been parsed when this plugin do its jobs. In this case, you must put your own code intodrop-in.phpwhich should be placed in the geolocation database folder. You can finddrop-in-sample.phpas a sample in this plugin’s folder, i.e./wp-content/plugins/ip-location-block/wp-content/ip-geo-api/. Please rename it todrop-in.phpand put it into your Geolocation API folder when you use it. -
Human friendly error page is unavailable
It is because the theme setup would not have finished when this plugin do its jobs. It means that when you select404 Not Foundas Response code,404.phpin your theme folder might not work. In this case, you must save your human friendly error page as a static file. If you want to show a human friendly page for blocked visitors, you must configure as follows:- Show your 404 page. (e.g.
http://example.com/wp-content/themes/your-theme/404.php) - Save the HTML contents in the page as a new
404.phpusing your browser (e.g. “View page source” with right click). It means that the file consists of not PHP codes but static HTML codes. - Place it into your theme folder. A child theme is recommended to keep the original file in your parent theme folder.
- In case of
403 Forbidden, it’s almost the same but just save the page as403.phpand change the message as you like.
- Show your 404 page. (e.g.
Performance
The more plugins you have, the lower site speed you get.
You may be interested in the benchmark of the two “Validation timing”. As with the previous report, the test environment and sample plugins are showen blow:
| Category | Description |
|---|---|
| Hardware | MacBook Pro / 2.8GHz Core i7 / Memory 16GB |
| Software | OS X 10.9.5 / MAMP 3.5.2 (Apache 0.2.2.29, PHP 5.6.10) |
| WordPress | 4.6-ja / Site Language: English |
The following tables show comparisons between the two mode of “Validation timing” against the each target using ApacheBench for 60 seconds. As you can see, the number of requests have become to be handled more than twice with "mu-plugins" (ip-location-block-mu.php).
xmlrpc.php
| init action hook | mu-plugins | |
|---|---|---|
| Complete Reqs | 271 | 595 |
| Reqs/sec [#/sec] | 4.51 | 9.89 |
| Time/req [msec] | 221.877 | 101.093 |
xmlrpc.php (sys.multicall)
| init action hook | mu-plugins | |
|---|---|---|
| Complete Reqs | 273 | 593 |
| Reqs/sec [#/sec] | 4.53 | 9.87 |
| Time/req [msec] | 220.988 | 101.315 |
wp-login.php
| init action hook | mu-plugins | |
|---|---|---|
| Complete Reqs | 280 | 619 |
| Reqs/sec [#/sec] | 4.66 | 10.28 |
| Time/req [msec] | 214.395 | 97.247 |
wp-admin/admin-ajax.php
| init action hook | mu-plugins | |
|---|---|---|
| Complete Reqs | 229 | 551 |
| Reqs/sec [#/sec] | 3.81 | 9.17 |
| Time/req [msec] | 262.588 | 109.039 |