Validation timing

Posted on May 11, 2021

Normally, a plugin is loaded at a certain phase of the WordPress boot process and typically does its work after the init action hook. This means it is kept waiting until almost all other plugins have finished loading.

But it’s wasteful to spend those server resources on spam and attackers.

The “Validation timing” option in “Validation rule settings” can drastically reduce server load, especially against brute-force attacks.

“mu-plugins” (ip-location-block-mu.php)

[Image: Validation timing]

When you select this mode as “Validation timing”, this plugin installs ip-location-block-mu.php into your /wp-content/mu-plugins/, which is the folder for must-use plugins. This means the plugin is loaded and executes its validation before other, regular plugins.

Note that on a multisite installation, ip-location-block-mu.php is called on every site, but it does not affect a site where IP Location Block is not activated.

Restrictions

As the order of execution in the action reference shows, mu-plugins are processed before theme setup. Consequently, the following two restrictions apply.

  1. Custom filter hooks in functions.php do not work
    This is because the functions.php in the theme folder has not been parsed yet when this plugin does its work. In this case, you must put your own code into drop-in.php, which should be placed in the geolocation database folder. You can find drop-in-sample.php as a sample in this plugin’s folder, i.e. /wp-content/plugins/ip-location-block/wp-content/ip-geo-api/. Rename it to drop-in.php and put it into your Geolocation API folder when you use it.

  2. Human friendly error page is unavailable
    This is because theme setup has not finished yet when this plugin does its work. It means that when you select 404 Not Found as the Response code, 404.php in your theme folder might not work. In this case, you must save your human friendly error page as a static file. If you want to show a human friendly page to blocked visitors, configure it as follows:

    • Show your 404 page. (e.g. http://example.com/wp-content/themes/your-theme/404.php)
    • Save the HTML contents of the page as a new 404.php using your browser (e.g. “View page source” with right click). This means that the file consists of static HTML rather than PHP code.
    • Place it into your theme folder. A child theme is recommended, to keep the original file in your parent theme folder.
    • In the case of 403 Forbidden, it’s almost the same: just save the page as 403.php and change the message as you like.

[Image: Human friendly error page]
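The sketch below is an added example, not IP Location Block's own code. It shows why both restrictions follow from running at the must-use stage: the check executes before regular plugins and the theme load, so the blocked response has to come from a static file. The file name, the constants, the deny list (RFC 5737 documentation ranges) and the `your-theme/403.php` path are assumptions made for illustration.

```php
<?php
/**
 * Added illustration; hypothetical file: wp-content/mu-plugins/early-block-example.php
 * Runs while must-use plugins load, i.e. before regular plugins,
 * the theme's functions.php and the init action hook.
 */
defined( 'ABSPATH' ) || exit;

// Constructed sample deny list (documentation address ranges only).
const EXAMPLE_DENY_CIDRS = [ '203.0.113.0/24', '198.51.100.0/24' ];

// Endpoints to guard; both appear among this page's benchmark targets.
const EXAMPLE_GUARDED = [ 'wp-login.php', 'xmlrpc.php' ];

/** Return true when IPv4 address $ip falls inside $cidr. */
function example_ipv4_in_cidr( $ip, $cidr ) {
	list( $net, $bits ) = explode( '/', $cidr );
	$ip_long  = ip2long( $ip );
	$net_long = ip2long( $net );
	if ( false === $ip_long || false === $net_long ) {
		return false; // Not IPv4: this sketch does not handle IPv6.
	}
	$mask = -1 << ( 32 - (int) $bits );
	return ( $ip_long & $mask ) === ( $net_long & $mask );
}

function example_early_block() {
	$script = isset( $_SERVER['SCRIPT_NAME'] ) ? basename( $_SERVER['SCRIPT_NAME'] ) : '';
	// REMOTE_ADDR is the connecting peer; behind a reverse proxy it is the proxy.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	if ( ! in_array( $script, EXAMPLE_GUARDED, true ) ) {
		return; // Leave every other request untouched.
	}
	foreach ( EXAMPLE_DENY_CIDRS as $cidr ) {
		if ( example_ipv4_in_cidr( $ip, $cidr ) ) {
			status_header( 403 );
			nocache_headers();
			// Theme setup has not run yet, so send a static HTML file
			// instead of relying on theme templates (hypothetical path).
			$page = WP_CONTENT_DIR . '/themes/your-theme/403.php';
			if ( is_readable( $page ) ) {
				readfile( $page );
			}
			exit; // Stop before any regular plugin is loaded.
		}
	}
}
example_early_block();
```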

Performance

The more plugins you have, the slower your site becomes.

You may be interested in a benchmark of the two “Validation timing” modes. As with the previous report, the test environment and sample plugins are shown below:

| Category  | Description                                              |
|-----------|----------------------------------------------------------|
| Hardware  | MacBook Pro / 2.8GHz Core i7 / Memory 16GB               |
| Software  | OS X 10.9.5 / MAMP 3.5.2 (Apache 0.2.2.29, PHP 5.6.10)   |
| WordPress | 4.6-ja / Site Language: English                          |

[Image: Plugins Dashboard]

The following tables compare the two modes of “Validation timing” for each target, using ApacheBench for 60 seconds. As you can see, the number of requests handled more than doubles with "mu-plugins" (ip-location-block-mu.php).

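xmlrpc.php

|                  | init action hook | mu-plugins |
|------------------|------------------|------------|
| Complete Reqs    | 271              | 595        |
| Reqs/sec [#/sec] | 4.51             | 9.89       |
| Time/req [msec]  | 221.877          | 101.093    |

xmlrpc.php (sys.multicall)

|                  | init action hook | mu-plugins |
|------------------|------------------|------------|
| Complete Reqs    | 273              | 593        |
| Reqs/sec [#/sec] | 4.53             | 9.87       |
| Time/req [msec]  | 220.988          | 101.315    |

wp-login.php

|                  | init action hook | mu-plugins |
|------------------|------------------|------------|
| Complete Reqs    | 280              | 619        |
| Reqs/sec [#/sec] | 4.66             | 10.28      |
| Time/req [msec]  | 214.395          | 97.247     |

wp-admin/admin-ajax.php

|                  | init action hook | mu-plugins |
|------------------|------------------|------------|
| Complete Reqs    | 229              | 551        |
| Reqs/sec [#/sec] | 3.81             | 9.17       |
| Time/req [msec]  | 262.588          | 109.039    |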