IP Geo Block - Version 3.0.1.2

Version Description

  • Bug fix: Fix the blocking issue in some environments when upgrading from 2.2.9.1 to 3.0.0.
  • Bug fix: Fix the blocking issue at opening a new window via context menu on dashboard.
  • Bug fix: Fix the potential issue of 500 Internal error in cron job.
  • Improvement: Revive 410 Gone for response code.
  • Improvement: Prevent the issue of resetting matching rule and country code at upgrading.

Release Info

Developer tokkonopapa
Version 3.0.1.2

Version 3.0.1.2

Files changed (138)
  1. LICENSE.txt +339 -0
  2. README.txt +898 -0
  3. admin/class-ip-geo-block-admin.php +982 -0
  4. admin/css/admin.css +379 -0
  5. admin/css/admin.min.css +2 -0
  6. admin/css/fonts/LICENSE +4 -0
  7. admin/css/fonts/footable.eot +0 -0
  8. admin/css/fonts/footable.svg +78 -0
  9. admin/css/fonts/footable.ttf +0 -0
  10. admin/css/fonts/footable.woff +0 -0
  11. admin/css/footable.core.min.css +10 -0
  12. admin/includes/class-admin-ajax.php +486 -0
  13. admin/includes/class-admin-rewrite.php +340 -0
  14. admin/includes/tab-accesslog.php +150 -0
  15. admin/includes/tab-attribution.php +41 -0
  16. admin/includes/tab-geolocation.php +94 -0
  17. admin/includes/tab-settings.php +1334 -0
  18. admin/includes/tab-statistics.php +290 -0
  19. admin/js/admin.js +949 -0
  20. admin/js/admin.min.js +6 -0
  21. admin/js/authenticate.js +396 -0
  22. admin/js/authenticate.min.js +6 -0
  23. admin/js/footable.min.js +26 -0
  24. admin/js/gmap.js +123 -0
  25. admin/js/gmap.min.js +8 -0
  26. admin/js/whois.js +136 -0
  27. admin/js/whois.min.js +8 -0
  28. classes/class-ip-geo-block-actv.php +90 -0
  29. classes/class-ip-geo-block-apis.php +688 -0
  30. classes/class-ip-geo-block-cron.php +350 -0
  31. classes/class-ip-geo-block-lkup.php +128 -0
  32. classes/class-ip-geo-block-load.php +160 -0
  33. classes/class-ip-geo-block-logs.php +690 -0
  34. classes/class-ip-geo-block-opts.php +425 -0
  35. classes/class-ip-geo-block-util.php +515 -0
  36. classes/class-ip-geo-block.php +880 -0
  37. database/index.php +3 -0
  38. includes/Net/DNS2.php +1427 -0
  39. includes/Net/DNS2/BitMap.php +254 -0
  40. includes/Net/DNS2/Cache.php +305 -0
  41. includes/Net/DNS2/Cache/File.php +242 -0
  42. includes/Net/DNS2/Cache/Shm.php +305 -0
  43. includes/Net/DNS2/Exception.php +142 -0
  44. includes/Net/DNS2/Header.php +282 -0
  45. includes/Net/DNS2/Lookups.php +552 -0
  46. includes/Net/DNS2/Packet.php +449 -0
  47. includes/Net/DNS2/Packet/Request.php +217 -0
  48. includes/Net/DNS2/Packet/Response.php +194 -0
  49. includes/Net/DNS2/PrivateKey.php +424 -0
  50. includes/Net/DNS2/Question.php +244 -0
  51. includes/Net/DNS2/RR.php +641 -0
  52. includes/Net/DNS2/RR/A.php +156 -0
  53. includes/Net/DNS2/RR/AAAA.php +177 -0
  54. includes/Net/DNS2/RR/AFSDB.php +174 -0
  55. includes/Net/DNS2/RR/ANY.php +129 -0
  56. includes/Net/DNS2/RR/APL.php +343 -0
  57. includes/Net/DNS2/RR/ATMA.php +210 -0
  58. includes/Net/DNS2/RR/CAA.php +179 -0
  59. includes/Net/DNS2/RR/CDNSKEY.php +77 -0
  60. includes/Net/DNS2/RR/CDS.php +77 -0
  61. includes/Net/DNS2/RR/CERT.php +292 -0
  62. includes/Net/DNS2/RR/CNAME.php +153 -0
  63. includes/Net/DNS2/RR/CSYNC.php +203 -0
  64. includes/Net/DNS2/RR/DHCID.php +207 -0
  65. includes/Net/DNS2/RR/DLV.php +75 -0
  66. includes/Net/DNS2/RR/DNAME.php +153 -0
  67. includes/Net/DNS2/RR/DNSKEY.php +198 -0
  68. includes/Net/DNS2/RR/DS.php +209 -0
  69. includes/Net/DNS2/RR/EID.php +130 -0
  70. includes/Net/DNS2/RR/EUI48.php +187 -0
  71. includes/Net/DNS2/RR/EUI64.php +188 -0
  72. includes/Net/DNS2/RR/HINFO.php +175 -0
  73. includes/Net/DNS2/RR/HIP.php +287 -0
  74. includes/Net/DNS2/RR/IPSECKEY.php +386 -0
  75. includes/Net/DNS2/RR/ISDN.php +190 -0
  76. includes/Net/DNS2/RR/KEY.php +85 -0
  77. includes/Net/DNS2/RR/KX.php +179 -0
  78. includes/Net/DNS2/RR/L32.php +180 -0
  79. includes/Net/DNS2/RR/L64.php +187 -0
  80. includes/Net/DNS2/RR/LOC.php +440 -0
  81. includes/Net/DNS2/RR/LP.php +177 -0
  82. includes/Net/DNS2/RR/MX.php +175 -0
  83. includes/Net/DNS2/RR/NAPTR.php +231 -0
  84. includes/Net/DNS2/RR/NID.php +187 -0
  85. includes/Net/DNS2/RR/NIMLOC.php +130 -0
  86. includes/Net/DNS2/RR/NS.php +153 -0
  87. includes/Net/DNS2/RR/NSAP.php +262 -0
  88. includes/Net/DNS2/RR/NSEC.php +184 -0
  89. includes/Net/DNS2/RR/NSEC3.php +310 -0
  90. includes/Net/DNS2/RR/NSEC3PARAM.php +220 -0
  91. includes/Net/DNS2/RR/OPENPGPKEY.php +159 -0
  92. includes/Net/DNS2/RR/OPT.php +292 -0
  93. includes/Net/DNS2/RR/PTR.php +152 -0
  94. includes/Net/DNS2/RR/PX.php +186 -0
  95. includes/Net/DNS2/RR/RP.php +167 -0
  96. includes/Net/DNS2/RR/RRSIG.php +329 -0
  97. includes/Net/DNS2/RR/RT.php +175 -0
  98. includes/Net/DNS2/RR/SIG.php +459 -0
  99. includes/Net/DNS2/RR/SOA.php +240 -0
  100. includes/Net/DNS2/RR/SPF.php +75 -0
  101. includes/Net/DNS2/RR/SRV.php +186 -0
  102. includes/Net/DNS2/RR/SSHFP.php +244 -0
  103. includes/Net/DNS2/RR/TA.php +75 -0
  104. includes/Net/DNS2/RR/TALINK.php +171 -0
  105. includes/Net/DNS2/RR/TKEY.php +307 -0
  106. includes/Net/DNS2/RR/TLSA.php +194 -0
  107. includes/Net/DNS2/RR/TSIG.php +504 -0
  108. includes/Net/DNS2/RR/TXT.php +177 -0
  109. includes/Net/DNS2/RR/URI.php +183 -0
  110. includes/Net/DNS2/RR/WKS.php +235 -0
  111. includes/Net/DNS2/RR/X25.php +160 -0
  112. includes/Net/DNS2/Resolver.php +332 -0
  113. includes/Net/DNS2/Socket.php +190 -0
  114. includes/Net/DNS2/Socket/Sockets.php +364 -0
  115. includes/Net/DNS2/Socket/Streams.php +389 -0
  116. includes/Net/DNS2/Updater.php +654 -0
  117. includes/Net/IPv4.php +469 -0
  118. includes/Net/IPv6.php +1098 -0
  119. index.php +3 -0
  120. ip-geo-block.php +106 -0
  121. languages/ip-geo-block-ja.mo +0 -0
  122. languages/ip-geo-block-ja.po +1165 -0
  123. languages/ip-geo-block.mo +0 -0
  124. languages/ip-geo-block.po +1031 -0
  125. languages/ip-geo-block.pot +1031 -0
  126. rewrite.php +228 -0
  127. samples.php +415 -0
  128. uninstall.php +67 -0
  129. wp-content/ip-geo-api/drop-in-sample.php +63 -0
  130. wp-content/ip-geo-api/index.php +3 -0
  131. wp-content/ip-geo-api/ip2location/IP2Location.php +848 -0
  132. wp-content/ip-geo-api/ip2location/bcmath.php +216 -0
  133. wp-content/ip-geo-api/ip2location/class-ip2location.php +214 -0
  134. wp-content/ip-geo-api/maxmind/LICENSE +502 -0
  135. wp-content/ip-geo-api/maxmind/class-maxmind.php +216 -0
  136. wp-content/ip-geo-api/maxmind/geoip.inc +429 -0
  137. wp-content/ip-geo-api/maxmind/geoipcity.inc +171 -0
  138. wp-content/mu-plugins/ip-geo-block-mu.php +59 -0
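--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -0,0 +1,339 @@
+GNU GENERAL PUBLIC LICENSE
+Version 2, June 1991
+
+Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+Everyone is permitted to copy and distribute verbatim copies
+of this license document, but changing it is not allowed.
+
+Preamble
+
+The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+GNU GENERAL PUBLIC LICENSE
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+a) You must cause the modified files to carry prominent notices
+stating that you changed the files and the date of any change.
+
+b) You must cause any work that you distribute or publish, that in
+whole or in part contains or is derived from the Program or any
+part thereof, to be licensed as a whole at no charge to all third
+parties under the terms of this License.
+
+c) If the modified program normally reads commands interactively
+when run, you must cause it, when started running for such
+interactive use in the most ordinary way, to print or display an
+announcement including an appropriate copyright notice and a
+notice that there is no warranty (or else, saying that you provide
+a warranty) and that users may redistribute the program under
+these conditions, and telling the user how to view a copy of this
+License. (Exception: if the Program itself is interactive but
+does not normally print such an announcement, your work based on
+the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+a) Accompany it with the complete corresponding machine-readable
+source code, which must be distributed under the terms of Sections
+1 and 2 above on a medium customarily used for software interchange; or,
+
+b) Accompany it with a written offer, valid for at least three
+years, to give any third party, for a charge no more than your
+cost of physically performing source distribution, a complete
+machine-readable copy of the corresponding source code, to be
+distributed under the terms of Sections 1 and 2 above on a medium
+customarily used for software interchange; or,
+
+c) Accompany it with the information you received as to the offer
+to distribute corresponding source code. (This alternative is
+allowed only for noncommercial distribution and only if you
+received the program in object code or executable form with such
+an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+NO WARRANTY
+
+11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+<one line to give the program's name and a brief idea of what it does.>
+Copyright (C) <year> <name of author>
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along
+with this program; if not, write to the Free Software Foundation, Inc.,
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+Gnomovision version 69, Copyright (C) year name of author
+Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+This is free software, and you are welcome to redistribute it
+under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+`Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+<signature of Ty Coon>, 1 April 1989
+Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.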
README.txt ADDED
@@ -0,0 +1,898 @@
1
+ === IP Geo Block ===
2
+ Contributors: tokkonopapa
3
+ Donate link:
4
+ Tags: security, firewall, brute force, vulnerability, login, wp-admin, admin, ajax, xmlrpc, comment, pingback, trackback, spam, IP address, geo, geolocation, buddypress, bbPress
5
+ Requires at least: 3.7
6
+ Tested up to: 4.7.2
7
+ Stable tag: 3.0.1.2
8
+ License: GPLv2 or later
9
+ License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
+
11
+ It blocks spam posts, login attempts and malicious access to the back-end
12
+ requested from the specific countries, and also prevents zero-day exploit.
13
+
14
+ == Description ==
15
+
16
+ A considerable number of WordPress vulnerabilities in plugins and themes have
17
+ been disclosed every month. You can easily find them at
18
+ [WPScan Vulnerability Database](https://wpvulndb.com/ "WPScan Vulnerability Database")
19
+ and
20
+ [Exploits Database](https://www.exploit-db.com/ "Exploits Database by Offensive Security")
21
+ for example. It means that many WordPress sites can be always exposed to the
22
+ threats of being exploited caused by those vulnerabilities.
23
+
24
+ This plugin protects your site against such threats of attack to the back-end
25
+ of your site not only by blocking requests from undesired countries but also
26
+ with the original feature 'Zero-day Exploit Prevention' (WP-ZEP).
27
+
28
+ And it also blocks undesired requests to the login form (login attempt),
29
+ comment form (spam and trackback) and XML-RPC (login attempt and pingback).
30
+
31
+ Up to version 2.x, this plugin had been dedicated to protect the back-end of
32
+ your site. From version 3.x, it becomes to be able to block access to your
33
+ public facing pages, aka front-end. See
34
+ [this analysis](http://www.ipgeoblock.com/codex/analysis-of-attack-vectors.html "Analysis of Attack Vectors | IP Geo Block")
35
+ about protection performance against 50 samples of vulnerable plugins.
36
+
37
+ = Features =
38
+
39
+ * **Immigration control:**
40
+ Access to the basic and important entrances into the back-end such as
41
+ `wp-comments-post.php`, `xmlrpc.php`, `wp-login.php`, `wp-signup.php`,
42
+ `wp-admin/admin.php`, `wp-admin/admin-ajax.php`, `wp-admin/admin-post.php`
43
+ will be validated by means of a country code based on IP address. It allows
44
+ you to configure either whitelist or blacklist to specify the countires.
45
+
46
+ * **Zero-day Exploit Prevention:**
47
+ The original feature "**Z**ero-day **E**xploit **P**revention for WP"
48
+ (WP-ZEP) is simple but still smart and strong enough to block any malicious
49
+ accesses to `wp-admin/*.php`, `plugins/*.php` and `themes/*.php` even from
50
+ the permitted countries. It will protect your site against certain types of
51
+ attack such as CSRF, LFI, SQLi, XSS and so on, **even if you have some in
52
+ your site**. Find more details in
53
+ [FAQ](https://wordpress.org/plugins/ip-geo-block/faq/ "IP Geo Block - WordPress Plugins")
54
+ and
55
+ [this plugin's blog](http://www.ipgeoblock.com/article/how-wpzep-works.html "How does WP-ZEP prevent zero-day attack? | IP Geo Block").
56
+
57
+ * **Guard against login attempts:**
58
+ In order to prevent hacking through the login form and XML-RPC by
59
+ brute-force and the reverse-brute-force attacks, the number of login
60
+ attempts will be limited per IP address even from the permitted countries.
61
+
62
+ * **Protection of wp-config.php:**
63
+ A malicious request to try to expose `wp-config.php` via vulnerable plugins
64
+ or themes can be blocked. A numerous such attacks can be found in
65
+ [this article](http://www.ipgeoblock.com/article/exposure-of-wp-config-php.html "Prevent exposure of wp-config.php").
66
+
67
+ * **Minimize server load against brute-force attacks:**
68
+ You can configure this plugin as a
69
+ [Must Use Plugins](https://codex.wordpress.org/Must_Use_Plugins "Must Use Plugins &laquo; WordPress Codex")
70
+ which would be loaded prior to regular plugins and can massively
71
+ [reduce the load on server](http://www.ipgeoblock.com/codex/validation-timing.html "Validation timing | IP Geo Block").
72
+ And furthermore, a cache mechanism for the fetched IP addresses and country
73
+ code can help to reduce load on the server against the burst accesses with
74
+ a short period of time.
75
+
76
+ * **Support of BuddyPress and bbPress:**
77
+ You can configure this plugin such that a registered user can login as the
78
+ membership from anywhere, but a request such as a new user registration,
79
+ lost password, creating a new topic, and subscribing comment is blocked by
80
+ the country code. It is suitable for
81
+ [BuddyPress](https://wordpress.org/plugins/buddypress/ "WordPress › BuddyPress « WordPress Plugins")
82
+ and [bbPress](https://wordpress.org/plugins/bbpress/ "WordPress › bbPress « WordPress Plugins")
83
+ to help reducing spams.
84
+
85
+ * **Referrer suppressor for external links:**
86
+ When you click an external hyperlink on admin screen, http referrer will be
87
+ eliminated to hide a footprint of your site.
88
+
89
+ * **Multiple source of IP Geolocation databases:**
90
+ Free IP Geolocation database and REST APIs are installed into this plugin to
91
+ get a country code from an IP address.
92
+ [MaxMind](http://www.maxmind.com "MaxMind - IP Geolocation and Online Fraud Prevention")
93
+ GeoLite free databases and
94
+ [IP2Location](http://www.ip2location.com/ "IP Address Geolocation to Identify Website Visitor's Geographical Location")
95
+ LITE databases can be available in this plugin. Those will be downloaded
96
+ and updated (once a month) automatically.
97
+
98
+ * **Customizing response:**
99
+ HTTP response code can be selectable as `403 Forbidden` to deny access pages,
100
+ `404 Not Found` to hide pages or even `200 OK` to redirect to the top page.
101
+ You can also have the custom error page (for example `403.php`) in your theme
102
+ template directory or child theme directory to fit your theme.
103
+
104
+ * **Validation logs:**
105
+ Logs will be recorded into MySQL data table to audit posting pattern under
106
+ the specified condition.
107
+
108
+ * **Cooperation with full spec security plugin:**
109
+ This plugin is simple and lite enough to be able to cooperate with other
110
+ full spec security plugin such as
111
+ [Wordfence Security](https://wordpress.org/plugins/wordfence/ "WordPress › Wordfence Security « WordPress Plugins")
112
+ (because country bloking is available only for premium users). See
113
+ [this report](http://www.ipgeoblock.com/codex/page-speed-performance.html "Page speed performance | IP Geo Block")
114
+ about page speed performance.
115
+
116
+ * **Extendability:**
117
+ "Settings minimum, Customizability maximum" is the basic concept of this
118
+ plugin. You can customize the behavior of this plugin via `add_filter()`
119
+ with pre-defined filter hook. See various use cases in
120
+ [the documents](http://www.ipgeoblock.com/codex/ "Codex | IP Geo Block")
121
+ and
122
+ [samples.php](https://github.com/tokkonopapa/WordPress-IP-Geo-Block/blob/master/ip-geo-block/samples.php "WordPress-IP-Geo-Block/samples.php at master - tokkonopapa/WordPress-IP-Geo-Block - GitHub")
123
+ bundled within this package.
124
+
125
+ * **Self blocking prevention and easy rescue:**
126
+ Most of users do not prefer themselves to be blocked. This plugin prevents
127
+ such a sad thing unless you force it. And futhermore, if such a situation
128
+ occurs, you can
129
+ [rescue yourself](http://www.ipgeoblock.com/codex/what-should-i-do-when-i-m-locked-out.html "What should I do when I'm locked out? | IP Geo Block")
130
+ easily.
131
+
132
+ * **Clean uninstallation:**
133
+ Nothing is left in your precious mySQL database after uninstallation. So you
134
+ can feel free to install and activate to make a trial of this plugin's
135
+ functionality. Several days later, you'll find many undesirable accesses in
136
+ your validation logs if all validation targets are enabled.
137
+
138
+ = Attribution =
139
+
140
+ This package includes GeoLite library distributed by MaxMind, available from
141
+ [MaxMind](http://www.maxmind.com "MaxMind - IP Geolocation and Online Fraud Prevention"),
142
+ and also includes IP2Location open source libraries available from
143
+ [IP2Location](http://www.ip2location.com "IP Address Geolocation to Identify Website Visitor's Geographical Location").
144
+
145
+ Also thanks for providing the following great services and REST APIs for free.
146
+
147
+ * [http://freegeoip.net/](http://freegeoip.net/ "freegeoip.net: FREE IP Geolocation Web Service") (IPv4 / free)
148
+ * [http://ipinfo.io/](http://ipinfo.io/ "ipinfo.io - ip address information including geolocation, hostname and network details") (IPv4, IPv6 / free)
149
+ * [http://geoip.nekudo.com/](http://geoip.nekudo.com/ "Free IP GeoLocation/GeoIp API - geoip.nekudo.com") (IPv4, IPv6 / free)
150
+ * [http://xhanch.com/](http://xhanch.com/xhanch-api-ip-get-detail/ "Xhanch API &#8211; IP Get Detail | Xhanch Studio") (IPv4 / free)
151
+ * [http://geoiplookup.net/](http://geoiplookup.net/ "What Is My IP Address | GeoIP Lookup") (IPv4, IPv6 / free)
152
+ * [http://ip-api.com/](http://ip-api.com/ "IP-API.com - Free Geolocation API") (IPv4, IPv6 / free for non-commercial use)
153
+ * [http://ipinfodb.com/](http://ipinfodb.com/ "IPInfoDB | Free IP Address Geolocation Tools") (IPv4, IPv6 / free for registered user, need API key)
154
+
155
+ = Development =
156
+
157
+ Development of this plugin is promoted at
158
+ [WordPress-IP-Geo-Block](https://github.com/tokkonopapa/WordPress-IP-Geo-Block "tokkonopapa/WordPress-IP-Geo-Block - GitHub")
159
+ and class libraries to handle geo-location database are developed separately
160
+ as "add-in"s at
161
+ [WordPress-IP-Geo-API](https://github.com/tokkonopapa/WordPress-IP-Geo-API "tokkonopapa/WordPress-IP-Geo-API - GitHub").
162
+ All contributions will always be welcome. Or visit my
163
+ [development blog](http://www.ipgeoblock.com/ "IP Geo Block").
164
+
165
+ == Installation ==
166
+
167
+ = Using The WordPress Dashboard =
168
+
169
+ 1. Navigate to the 'Add New' in the plugins dashboard
170
+ 2. Search for 'IP Geo Block'
171
+ 3. Click 'Install Now'
172
+ 4. Activate the plugin on the Plugin dashboard
173
+ 5. Try 'Best settings' button for easy setup at the bottom of this plugin's
174
+ setting page.
175
+
176
+ Please refer to
177
+ [the document](http://www.ipgeoblock.com/codex/ "Codex | IP Geo Block")
178
+ or following descriptions for your best setup.
179
+
180
+ = Validation rule settings =
181
+
182
+ * **Matching rule**
183
+ Choose either `White list` (recommended) or `Black list` to specify the
184
+ countries from which you want to pass or block.
185
+
186
+ * **Country code for matching rule**
187
+ Specify the country code with two letters (see
188
+ [ISO 3166-1 alpha-2](http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements "ISO 3166-1 alpha-2 - Wikipedia, the free encyclopedia")
189
+ ). Each of them should be separated by comma.
190
+
191
+ * **White/Black list of extra IPs for prior validation**
192
+ The list of extra IP addresses prior to the validation of country code.
193
+ [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing "Classless Inter-Domain Routing - Wikipedia, the free encyclopedia")
194
+ is acceptable to specify the range.
195
+
196
+ * **$_SERVER keys for extra IPs**
197
+ Additional IP addresses will be validated if some of keys in `$_SERVER`
198
+ variable are specified in this textfield. Typically `HTTP_X_FORWARDED_FOR`.
199
+
200
+ * **Bad signatures in query**
201
+ It validates malicious signatures independently of **Block by country** and
202
+ **Prevent Zero-day Exploit** for the target **Admin area**,
203
+ **Admin ajax/post**, **Plugins area** and **Themes area**.
204
+ Typically, `/wp-config.php` and `/passwd`.
205
+
206
+ * **Response code**
207
+ Choose one of the
208
+ [response code](http://tools.ietf.org/html/rfc2616#section-10 "RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1")
209
+ to be sent when it blocks a comment.
210
+ The 2xx code will lead to your top page, the 3xx code will redirect to
211
+ [Black Hole Server](http://blackhole.webpagetest.org/),
212
+ the 4xx code will lead to WordPress error page, and the 5xx will pretend
213
+ an server error.
214
+
215
+ * **Validation timing**
216
+ Choose **"init" action hook** or **"mu-plugins" (ip-geo-block-mu.php)** to
217
+ specify the timing of validation.
218
+
219
+ = Back-end target settings =
220
+
221
+ * **Comment post**
222
+ Validate post to `wp-comment-post.php`. Comment post and trackback will be
223
+ validated.
224
+
225
+ * **XML-RPC**
226
+ Validate access to `xmlrpc.php`. Pingback and other remote command with
227
+ username and password will be validated.
228
+
229
+ * **Login form**
230
+ Validate access to `wp-login.php` and `wp-signup.php`.
231
+
232
+ * **Admin area**
233
+ Validate access to `wp-admin/*.php`.
234
+
235
+ * **Admin ajax/post**
236
+ Validate access to `wp-admin/admin-(ajax|post)*.php`.
237
+
238
+ * **Plugins area**
239
+ Validate direct access to plugins. Typically `wp-content/plugins/…/*.php`.
240
+
241
+ * **Themes area**
242
+ Validate direct access to themes. Typically `wp-content/themes/…/*.php`.
243
+
244
+ = Front-end target settings =
245
+
246
+ * **Block by country**
247
+ Enables validation of country code on public facing pages.
248
+
249
+ * **Matching rule**
250
+ Same as **Validation target settings** but can be set independently.
251
+
252
+ * **Validation target**
253
+ Specify the single and archive page by post type, category and tag as
254
+ blocking target.
255
+
256
+ * **UA string and qualification**
257
+ Additional rules targeted at SEO which can specify acceptable requests
258
+ based on user agent.
259
+
260
+ * **Simulation mode**
261
+ You can simulate the 'blocking on front-end' functionality before deploying.
262
+
263
+ = Geolocation API settings =
264
+
265
+ * **API selection and key settings**
266
+ If you wish to use `IPInfoDB`, you should register at
267
+ [their site](http://ipinfodb.com/ "IPInfoDB | Free IP Address Geolocation Tools")
268
+ to get a free API key and set it into the textfield. And `ip-api.com` and
269
+ `Smart-IP.net` require non-commercial use.
270
+
271
+ = Local database settings settings =
272
+
273
+ * **Auto updating (once a month)**
274
+ If `Enable`, Maxmind GeoLite database will be downloaded automatically by
275
+ WordPress cron job.
276
+
277
+ = Record settings =
278
+
279
+ * **Record validation statistics**
280
+ If `Enable`, you can see `Statistics of validation` on Statistics tab.
281
+
282
+ * **Record validation logs**
283
+ If you choose anything but `Disable`, you can see `Validation logs` on
284
+ Logs tab.
285
+
286
+ * **$_POST keys in logs**
287
+ Normally, you can see just keys at `$_POST data:` on Logs tab. If you put
288
+ some of interested keys into this textfield, you can see the value of key
289
+ like `key=value`.
290
+
291
+ * **Anonymize IP address**
292
+ It will mask the last three digits of IP address when it is recorded into
293
+ the log.
294
+
295
+ = Cache settings =
296
+
297
+ * **Expiration time [sec]**
298
+ Maximum time in sec to keep cache.
299
+
300
+ * **Garbage collection period [sec]**
301
+ Period of garbage collection to clean cache.
302
+
303
+ = Submission settings =
304
+
305
+ * **Text position on comment form**
306
+ If you want to put some text message on your comment form, please choose
307
+ `Top` or `Bottom` and put text with some tags into the **Text message on
308
+ comment form** textfield.
309
+
310
+ = Plugin settings =
311
+
312
+ * **Remove settings at uninstallation**
313
+ If you checked this option, all settings will be removed when this plugin
314
+ is uninstalled for clean uninstalling.
315
+
316
+ == Frequently Asked Questions ==
317
+
318
+ = Does it support multisite? =
319
+
320
+ It works on multisite, but there's no network setting at this moment.
321
+
322
+ = I was locked down. What shall I do? =
323
+
324
+ Activate the following codes at the bottom of `ip-geo-block.php` and upload
325
+ it via FTP.
326
+
327
+ `/**
328
+ * Invalidate blocking behavior in case yourself is locked out.
329
+ *
330
+ * How to use: Activate the following code and upload this file via FTP.
331
+ */
332
+ /* -- EDIT THIS LINE AND ACTIVATE THE FOLLOWING FUNCTION -- */
333
+ function ip_geo_block_emergency( $validate ) {
334
+ $validate['result'] = 'passed';
335
+ return $validate;
336
+ }
337
+ add_filter( 'ip-geo-block-login', 'ip_geo_block_emergency' );
338
+ add_filter( 'ip-geo-block-admin', 'ip_geo_block_emergency' );
339
+ // */`
340
+
341
+ Then "**Clear cache**" at "**Statistics**" tab on your dashborad. Remember
342
+ that you should upload the original one to deactivate above feature.
343
+
344
+ [This document](http://www.ipgeoblock.com/codex/what-should-i-do-when-i-m-locked-out.html "What should I do when I'm locked out? | IP Geo Block")
345
+ can also help you.
346
+
347
+ = How to resolve "Sorry, your request cannot be accepted."? =
348
+
349
+ If you encounter this message, please refer to
350
+ [this document](http://www.ipgeoblock.com/codex/you-are-not-allowed-to-access.html "Why &ldquo;You are not allowed to access this page&rdquo; ? | IP Geo Block")
351
+ to resolve your blocking issue.
352
+
353
+ = Some admin function doesn't work. How to solve it? =
354
+
355
+ This could be happened because of the same reason as the previous FAQ. Please
356
+ follow the steps in
357
+ [this document](http://www.ipgeoblock.com/codex/you-are-not-allowed-to-access.html "Why &ldquo;You are not allowed to access this page&rdquo; ? | IP Geo Block").
358
+
359
+ If you can't solve your issue, please let me know about it on the
360
+ [support forum](https://wordpress.org/support/plugin/ip-geo-block/ "View: Plugin Support &laquo; WordPress.org Forums").
361
+ Your logs in this plugin and "**Installation information**" at "**Plugin
362
+ settings**" will be a great help to resolve the issue.
363
+
364
+ = How can I fix "Unable to write" error? =
365
+
366
+ When you enable "**Force to load WP core**" options, this plugin will try to
367
+ configure `.htaccess` in your `/wp-content/plugins/` and `/wp-content/themes/`
368
+ directory in order to protect your site against the malicous attacks to the
369
+ [OMG plugins and shemes](http://www.ipgeoblock.com/article/exposure-of-wp-config-php.html "Prevent exposure of wp-config.php | IP Geo Block").
370
+
371
+ But some servers doesn't give reading / writing permission against `.htaccess`
372
+ to WordPress. In this case, you can configure these `.htaccess` files by your
373
+ own hand instead of enabling "**Force to load WP core**" options.
374
+
375
+ Please refer to
376
+ "[How can I fix permission troubles?](http://www.ipgeoblock.com/codex/how-can-i-fix-permission-troubles.html 'How can I fix permission troubles? | IP Geo Block')"
377
+ in order to fix this error.
378
+
379
+ = Does this plugin works well with caching? =
380
+
381
+ For the back-end protection, the answer is YES if you disable caching on
382
+ back-end. But for the front-end, the answer depends on the caching method
383
+ you are employing.
384
+
385
+ Currently, the following cache plugins and configurations can be supported:
386
+
387
+ - [WP Super Cache](https://wordpress.org/plugins/wp-super-cache/ "WP Super Cache &mdash; WordPress Plugins")
388
+ Select "**Use PHP to serve cache files**" and enable "**Late init**".
389
+
390
+ - [W3 Total Cache](https://wordpress.org/plugins/w3-total-cache/ "W3 Total Cache &mdash; WordPress Plugins")
391
+ Select "**Disk: Basic**" and enable "**Late initialization**" for page cache.
392
+ "**Disk: Enhanced**" (where "**Late initialization**" is not available) in
393
+ W3TC 0.9.5.1 seems to work good without any imcompatibility with this plugin.
394
+
395
+ - [Vendi Cache](https://wordpress.org/plugins/vendi-cache/ "Vendi Cache &mdash; WordPress Plugins")
396
+ This was formerly built in Wordfence. Select "**basic caching**" for
397
+ Vendi Cache and **"mu-plugin" (ip-geo-block-mu.php)** for IP Geo Block.
398
+
399
+ If your plugin serves page caching by `mod_rewrite` via `.htaccess`
400
+ (e.g. WP Fastest Cache) or caching by `advanced-cache.php` drop-in
401
+ (e.g. Comet Cache) or your hosting provider serves page caching at
402
+ server side, "**Blocking on front-end**" might lead to generate
403
+ inconsistent pages.
404
+
405
+ For more details, please refer to some documents at
406
+ "[Blocking on front-end](http://www.ipgeoblock.com/codex/#blocking-on-front-end 'Codex | IP Geo Block')".
407
+
408
+ = How can I test this plugin works? =
409
+
410
+ The easiest way is to use
411
+ [free proxy browser addon](https://www.google.com/search?q=free+proxy+browser+addon "free proxy browser addon - Google Search").
412
+ Another one is to use
413
+ [http header browser addon](https://www.google.com/search?q=browser+add+on+modify+http+header "browser add on modify http header - Google Search").
414
+ You can add an IP address to the `X-Forwarded-For` header to emulate the
415
+ access behind the proxy. In this case, you should add `HTTP_X_FORWARDED_FOR`
416
+ into the "**$_SERVER keys for extra IPs**" on "**Settings**" tab.
417
+
418
+ See more details at
419
+ "[How to test prevention of attacks](http://www.ipgeoblock.com/codex/#how-to-test-prevention-of-attacks 'Codex | IP Geo Block')".
420
+
421
+ = Do I have to turn on all the selection to enhance security? =
422
+
423
+ Yes. Roughly speaking, the strategy of this plugin has been constructed as
424
+ follows:
425
+
426
+ - **Block by country**
427
+ It blocks malicious requests from outside your country.
428
+
429
+ - **Prevent Zero-day Exploit**
430
+ It blocks malicious requests from your country.
431
+
432
+ - **Force to load WP core**
433
+ It blocks the request which has not been covered in the above two.
434
+
435
+ - **Bad signatures in query**
436
+ It blocks the request which has not been covered in the above three.
437
+
438
+ Please try "**Best settings**" button at the bottom of this plugin's setting
439
+ page for easy setup. And also see more details in
440
+ "[The best practice of target settings](http://www.ipgeoblock.com/codex/the-best-practice-for-target-settings.html 'The best practice of target settings | IP Geo Block')".
441
+
442
+ = Does this plugin validate all the requests? =
443
+
444
+ Unfortunately, no. This plugin can't handle the requests that are not
445
+ parsed by WordPress. In other words, a standalone file (PHP, CGI or
446
+ something excutable) that is unrelated to WordPress can't be validated
447
+ by this plugin even if it is in the WordPress install directory.
448
+
449
+ But there're exceptions: When you enable "**Force to load WP core**" for
450
+ **Plugins area** or **Themes area**, a standalone PHP file becomes to be
451
+ able to be blocked. Sometimes this kind of file has some vulnerabilities.
452
+ This function protects your site against such a case.
453
+
454
+ == Other Notes ==
455
+
456
+ = Known issues =
457
+
458
+ * No image is shown after drag & drop a image in grid view at "Media Library".
459
+ For more details, please refer to
460
+ [this ticket at Github](https://github.com/tokkonopapa/WordPress-IP-Geo-Block/issues/2 "No image is shown after drag & drop a image in grid view at "Media Library". - Issue #2 - tokkonopapa/WordPress-IP-Geo-Block - GitHub").
461
+
462
+ * From [WordPress 4.5](https://make.wordpress.org/core/2016/03/09/comment-changes-in-wordpress-4-5/ "Comment Changes in WordPress 4.5 &#8211; Make WordPress Core"),
463
+ `rel=nofollow` attribute and value pair had no longer be added to relative
464
+ or same domain links within `comment_content`. This change prevents to block
465
+ "Server Side Request Forgeries" (not Cross Site but a malicious link in the
466
+ comment field of own site).
467
+
468
+ == Screenshots ==
469
+
470
+ 1. **IP Geo Plugin** - Settings.
471
+ 2. **IP Geo Plugin** - Statistics.
472
+ 3. **IP Geo Plugin** - Logs.
473
+ 4. **IP Geo Plugin** - Search.
474
+ 5. **IP Geo Plugin** - Attribution.
475
+
476
+ == Changelog ==
477
+
478
+ = 3.0.1.2 =
479
+ * **Bug fix:** Fix the blocking issue in some environments when upgrading from
480
+ 2.2.9.1 to 3.0.0.
481
+ * **Bug fix:** Fix the blocking issue at opening a new window via context menu
482
+ on dashboard.
483
+ * **Bug fix:** Fix the potential issue of 500 Internal error in cron job.
484
+ * **Improvement:** Revive 410 Gone for response code.
485
+ * **Improvement:** Prevent the issue of resetting matching rule and country
486
+ code at upgrading.
487
+
488
+ = 3.0.1.1 =
489
+ * **Bug fix:** Fix the issue where **Login form** could not be disabled on
490
+ **Back-end target settings**.
491
+ * **Bug fix:** Fix the issue where trackback and pingback could not be blocked
492
+ since 2.2.4.
493
+ * **Improved:** Apply the action hook 'pre_trackback_post' that was introduced
494
+ in WP 4.7.0.
495
+ * **Improved:** Use 'safe_redirect()' instead of 'redirect()' for secured
496
+ internal redirection. If you set an external url for **Redirect URL**, please
497
+ use the filter hook 'allowed_redirect_hosts'.
498
+ * **Improved:** Better compatibility with the plugin "Anti-Malware Security
499
+ and Brute-Force Firewall".
500
+
501
+ = 3.0.1 =
502
+ * **Bug fix:** Add lock mechanism for local geolocation DBs to avoid potential
503
+ fatal error.
504
+ * **Improvement:** Add self blocking prevention potentially caused by login
505
+ attempts with the same IP address of logged in user.
506
+ * **New feature:** Add "**Installation information**" button to make it easy
507
+ to submit an issue at support forum.
508
+
509
+ = 3.0.0 =
510
+ * **New feature:** Add the function of blocking on front-end.
511
+ * **New filter hook:** Add `ip-geo-block-public` to extend validation on
512
+ front-end.
513
+ * **Improvement:** Avoid conflict with "Open external links in a new window"
514
+ plugin and some other reason to prevent duplicated window open. For more
515
+ detail, see
516
+ [this discussion at support forum](https://wordpress.org/support/topic/ip-geoblock-opens-2-windows-on-link-clicks-when-user-is-logged-in/ "Topic: IP Geoblock opens 2 windows on link clicks when user is logged in &laquo; WordPress.org Forums").
517
+ * **Improvement:** Better compatibility with some plugins, themes and widgets.
518
+ * **Improvement:** Deferred execution of SQL command to improve the response.
519
+ * **Improvement:** Make the response compatible with WP original when it is
520
+ requested by GET method.
521
+ * See some details at
522
+ [release 3.0.0](http://www.ipgeoblock.com/changelog/release-3.0.0.html "3.0.0 Release Note | IP Geo Block").
523
+
524
+ = 2.2.9.1 =
525
+ * **Bug fix:** Blocking Wordfence scanning.
526
+ ([@](https://wordpress.org/support/topic/wordfence-conflict-2/ "WordFence Conflict"))
527
+ * **Bug fix:** Illegal elimination of colon in text field for IP address.
528
+ ([@](https://wordpress.org/support/topic/adding-ipv6-to-white-list/ "Adding IPv6 to white list"))
529
+ * **Improved:** Compatibility with PHP 7 that cause to feel relaxed.
530
+ ([@](https://wordpress.org/support/topic/plans-for-php-7-compatiblity/ "Plans for PHP 7 compatiblity?"))
531
+ * **Improved:** Avoid resetting whitelist on update by InfiniteWP.
532
+ ([@](https://wordpress.org/support/topic/whitelist-resets-on-update/ "[Resolved] Whitelist resets on update"))
533
+ * **Trial feature:** `X-Robots-Tag` HTTP header with `noindex, nofollow`
534
+ for login page.
535
+ ([@](https://wordpress.org/support/topic/ip-geo-block-and-searchmachines/ "IP GEo-block and searchmachines"))
536
+
537
+ = 2.2.9 =
538
+ * **New feature:** A new option that makes this plugin configured as a
539
+ "Must-use plugin". It can massively reduce the server load especially
540
+ against brute-force attacks because it initiates this plugin prior to
541
+ other typical plugins.
542
+ * **Improvement:** Validation of a certain signature against XSS is internally
543
+ added to "Bad signature in query" by default.
544
+ * **Improvement:** Improved compatibility with PHP 7
545
+ (Thanks to [FireMyst](https://wordpress.org/support/topic/plans-for-php-7-compatiblity/ "Topic: Plans for PHP 7 compatiblity? &laquo; WordPress.org Forums").
546
+ * Find details in [2.2.9 Release Note](http://www.ipgeoblock.com/changelog/release-2.2.9.html "2.2.9 Release Note").
547
+
548
+ = 2.2.8.2 =
549
+ * **Bug fix:** Fixed the mismatched internal version number.
550
+
551
+ = 2.2.8.1 =
552
+ * **Bug fix:** Fixed the issue of undefined function `wp_get_raw_referer()`
553
+ error that happened under certain condition. See
554
+ [the issue](https://wordpress.org/support/topic/since-php-update-fatal-error-everytime-i-want-to-edit-a-post/ "Since PHP update Fatal error everytime I want to edit a post")
555
+ at forum.
556
+ * **Improved:** Avoid resetting country code on update. See
557
+ [the issue](https://wordpress.org/support/topic/whitelist-resets-on-update/ "Whitelist resets on update")
558
+ at forum.
559
+
560
+ = 2.2.8 =
561
+ * **Bug fix:** Fixed the issue of stripping some required characters for Google
562
+ maps API key.
563
+ * **New feature:** Whois database Lookup for IP address on search tab.
564
+ * **Update:** Updated geolocation API libraries and services.
565
+ * Find more details in [2.2.8 Release Note](http://www.ipgeoblock.com/changelog/release-2.2.8.html "2.2.8 Release Note").
566
+
567
+ = 2.2.7 =
568
+ * **Bug fix:** Fix inadequate validation of "**Bad signatures in query**".
569
+ * **Improvement:** Add fallback for Google Maps API key
570
+ ([@](https://wordpress.org/support/topic/226-problem-with-search-resp-google-maps "WordPress &#8250; Support &raquo; [2.2.6] Problem with SEARCH resp. Google Maps"))
571
+ and corruption of "Bad signatures"
572
+ ([@](https://wordpress.org/support/topic/226-problem-with-bad-signatures-in-query "WordPress &#8250; Support &raquo; [2.2.6] Problem with &quot;Bad signatures in query&quot;")).
573
+ * **Update:** Update geolocation service api.
574
+ * Find details about Google Maps API in [2.2.7 Release Note](http://www.ipgeoblock.com/changelog/release-2.2.7.html "2.2.7 Release Note").
575
+
576
+ = 2.2.6 =
577
+ * **New feature:** Add saving csv file of logs in "Logs" tab.
578
+ * **New feature:** Add filter hook `ip-geo-block-record-log` to control over
579
+ the conditions of recording in more detail.
580
+ * **Bug fix:** Fixed the issue that "Exceptions" for Plugins/Themes area does
581
+ not work properly. Please confirm your settings again.
582
+ * See details at [release 2.2.6](http://www.ipgeoblock.com/changelog/release-2.2.6.html "2.2.6 Release Note").
583
+
584
+ = 2.2.5 =
585
+ * **New feature:** On the settings page, you can specify the pliugin or theme
586
+ which would cause undesired blocking in order to exclude it from the
587
+ validation target without embedding any codes into `functions.php`.
588
+ * **Improvement:** Optimize resource loading on admin dashboard.
589
+ * **Improvement:** Support clean uninstall for network / multisite.
590
+ * **Improvement:** Improve the compatibility of downloading IP address
591
+ databases for Microsoft IIS.
592
+ * **Bug fix:** Support `FORCE_SSL_ADMIN`.
593
+ * **Bug fix:** Fix the issue of
594
+ [@](https://wordpress.org/support/topic/compatibility-with-ag-custom-admin "WordPress › Support » Compatibility with AG Custom Admin")
595
+ and change the option name
596
+ "**Important files**" to "**Bad signatures in query**" to avoid misuse.
597
+ * **Bug fix:** Fix the issue of
598
+ [@](https://wordpress.org/support/topic/gb-added-to-whitelist "WordPress › Support » GB added to whitelist")
599
+ which might be caused by some race condition.
600
+ * **Bug fix:** Fix the issue of restoring post revisions which was blocked.
601
+
602
+ = 2.2.4.1 =
603
+ Sorry for frequent updating.
604
+
605
+ * **Bug fix:** Fixed the issue of `Warning: strpos(): Empty needle in...` that
606
+ was reported in
607
+ [@](https://wordpress.org/support/topic/version-224-produces-warning-message "WordPress › Support » Version 2.2.4 Produces Warning Message")
608
+ and
609
+ [@](https://wordpress.org/support/topic/error-after-update-to-newest-version "WordPress › Support » Error after Update to newest version").
610
+
611
+ = 2.2.4 =
612
+ * **Bug fix:** Fixed the issue that some links on network admin of multisite
613
+ were blocked when WP-ZEP for `admin area` or `admin ajax/post` was enabled.
614
+ * **New feature:** Added configure of `.htaccess` for the plugins/themes area.
615
+ * **Enhancement:** Added `wp-signup.php` to the list of validation target.
616
+ * **Enhancement:** Added exporting and importing the setting parameters.
617
+ * **Improvement:** Made the logout url compatible with
618
+ [Rename wp-login.php](https://wordpress.org/plugins/rename-wp-login/).
619
+ * **Improvement:** Made condition of validation more strictly at admin
620
+ diagnosis to prevent unnecessary notice of self blocking.
621
+ ([@](https://wordpress.org/support/topic/youll-be-blocked-after-you-log-out-notice-doesnt-disappear "[resolved] &quot;You'll be blocked after you log out&quot; notice doesn't disappear"))
622
+ * **Improvement:** Improved some of UI.
623
+ ([@](https://wordpress.org/support/topic/possible-to-select-which-countries-are-blocked "[resolved] Possible to select which countries are blocked?"),
624
+ [@](https://wordpress.org/support/topic/ip-geo-block-black-list "IP Geo Block Black List"))
625
+ * See some details at [release 2.2.4](http://www.ipgeoblock.com/changelog/release-2.2.4.html "2.2.4 Release Note").
626
+
627
+ = 2.2.3.1 =
628
+ * **Bug fix:** Fixed the issue that disabled validation target was still
629
+ blocked by country.
630
+ ([@](https://wordpress.org/support/topic/logs-whitelist-comments-still-blocked "[resolved] logs whitelist comments still blocked?"))
631
+ * **Improvement:** Better handling of charset and errors for MySQL.
632
+ ([@](https://wordpress.org/support/topic/whitelist-log "[resolved] Whitelist + Log"))
633
+
634
+ = 2.2.3 =
635
+ * **Improvement:** Since WordPress 4.4, XML-RPC system.multicall is disabled
636
+ when the authentication fails, but still processed all the methods to the
637
+ end. Now this plugin immediately blocks the request when the authentication
638
+ fails without processing the rest of the methods.
639
+ * **Improvement:** Add UI to change the maximum number of login attempts.
640
+ * **Improvement:** Add a fallback process of setting up the directory where
641
+ the geo location database APIs should be installed. It will be set as
642
+ `wp-content/uploads/` instead of `wp-content/plugins/ip-geo-block/` or
643
+ `wp-content/` in case of being unable to obtain proper permission.
644
+ ([@](https://wordpress.org/support/topic/deactivated-after-updte-why "[resolved] Deactivated after update - why?"),
645
+ [@](https://wordpress.org/support/topic/the-plugin-caused-an-error-message "[resolved] The plugin caused an error message"))
646
+ * **Improvement:** Moderate the conditions of redirection after logout.
647
+ ([@](https://wordpress.org/support/topic/logout-redirect-doesnt-work-when-plugin-is-active "[resolved] Logout redirect doesn't work when plugin is active"))
648
+ * **Improvement:** Prevent self blocking caused by irrelevant signature.
649
+ ([@](https://wordpress.org/support/topic/works-too-well-blocked-my-wp-admin-myself "[resolved] Works too well - Blocked my wp-admin myself"))
650
+ * **Bug fix:** Fixed the issue of conflicting with certain plugins due to the
651
+ irrelevant handling of js event.
652
+ ([@](https://wordpress.org/support/topic/cannot-edit-pages-when-ip-geo-block-is-enabled "[resolved] Cannot edit pages when ip-geo-block is enabled."))
653
+ * **New feature:** Add "Blocked per day" graph for the daily statistics.
654
+ * See some details at [2.2.3 release note](http://www.ipgeoblock.com/changelog/release-2.2.3.html "2.2.3 Release Note").
655
+
656
+ = 2.2.2.3 =
657
+ Sorry for frequent update again but the following obvious bugs should be fixed.
658
+
659
+ * **Bug fix:** Fixed the issue of not initializing country code at activation.
660
+ * **Bug fix:** Fixed the issue that scheme less notation like '//example.com'
661
+ could not be handled correctly.
662
+
663
+ = 2.2.2.2 =
664
+ Sorry for frequent update.
665
+
666
+ * **Bug fix:** Fixed the issue of race condition at activation. This fix is
667
+ related to the urgent security update at **2.2.2.1 which was not actually
668
+ the security issue but a bug**.
669
+ See [this thread](https://wordpress.org/support/topic/white-list-hack "white list hack")
670
+ about little more details.
671
+ * **Improvement:** Improved the compatibility with Jetpack.
672
+
673
+ = 2.2.2.1 =
674
+ * **Urgent security update:** Killed the possibility of the options being
675
+ altered.
676
+
677
+ = 2.2.2 =
678
+ * **Enhancement:** Refactored some codes and components. The number of attacks
679
+ that can be proccessed per second has been improved by 25% at the maximum.
680
+ * **Improvement:** In the previous version, the statistical data was recorded
681
+ into `wp_options`. It caused the uncertainty of recording especially in case
682
+ of burst attacks. Now the data will be recorded in an independent table to
683
+ improve this issue.
684
+ * **Bug fix:** Fixed conflict with NextGEN Gallary Pro.
685
+ Thanks to [bodowewer](https://wordpress.org/support/profile/bodowewer).
686
+ * **Bug fix:** Fixed some filter hooks that did not work as intended.
687
+ * See more details at [2.2.2 release note](http://www.ipgeoblock.com/changelog/release-2.2.2.html "2.2.2 Release Note").
688
+
689
+ = 2.2.1.1 =
690
+ * **Bug fix:** Fixed "open_basedir restriction" issue caused by `file_exists()`.
691
+
692
+ = 2.2.1 =
693
+ * **Enhancement:** In previous version, local geolocation databases will always
694
+ be removed and downloaded again at every upgrading. Now, the class library
695
+ for Maxmind and IP2Location have become independent of this plugin and you
696
+ can put them outside this plugin in order to cut the above useless process.
697
+ The library can be available from
698
+ [WordPress-IP-Geo-API](https://github.com/tokkonopapa/WordPress-IP-Geo-API).
699
+ * **Deprecated:** Cooperation with IP2Location plugins such as
700
+ [IP2Location Tags](http://wordpress.org/plugins/ip2location-tags/ "WordPress - IP2Location Tags - WordPress Plugins"),
701
+ [IP2Location Variables](http://wordpress.org/plugins/ip2location-variables/ "WordPress - IP2Location Variables - WordPress Plugins"),
702
+ [IP2Location Country Blocker](http://wordpress.org/plugins/ip2location-country-blocker/ "WordPress - IP2Location Country Blocker - WordPress Plugins")
703
+ is out of use. Instead of it, free [IP2Location LITE databases for IPv4 and
704
+ IPv6](http://lite.ip2location.com/ "Free IP Geolocation Database") will be
705
+ downloaded.
706
+ * **Improvement:** Improved connectivity with Jetpack.
707
+ * **Improvement:** Improved immediacy of downloading databases at upgrading.
708
+ * **Improvement:** Replaced a terminated RESTful API service with a new stuff.
709
+ * **Bug fix:** Fixed issue that clicking a link tag without href always
710
+ refreshed the page. Thanks to
711
+ [wyclef](https://wordpress.org/support/topic/conflict-with-menu-editor-plugin "WordPress › Support » Conflict with Menu Editor plugin?").
712
+ * **Bug fix:** Fixed issue that deactivating and activating repeatedly caused
713
+ to show the welcome message.
714
+ * **Bug fix:** Fixed issue that a misaligned argument in the function caused
715
+ 500 internal server error when a request to the php files in plugins/themes
716
+ area was rewrited to `rewrite.php`.
717
+
718
+ = 2.2.0.1 =
719
+ Sorry for frequent update.
720
+
721
+ * **Fix:** Fixed the issue that some actions of other plugins were blocked.
722
+
723
+ = 2.2.0 =
724
+ * **Important:** Now **Block by country** and **Prevent Zero-day Exploit**
725
+ become to work independently on **Admin area**, **Admin ajax/post** at
726
+ **Validation target settings**. Please reconfirm them.
727
+ * **Important:** Previously, a request whose country code can't be available
728
+ was always blocked. But from this release, such a request is considered as
729
+ comming from the country whose code is `ZZ`. It means that you can put `ZZ`
730
+ into the white list and black list.
731
+ * **New feature:** White list and Black list of extra IP addresses prior to
732
+ the validation of country code. Thanks to Fabiano for good suggestions at
733
+ [support forum](https://wordpress.org/support/topic/white-list-of-ip-addresses-or-ranges "WordPress › Support » White list of IP addresses or ranges?")
734
+ * **New feature:** Malicious signatures to prevent disclosing the important
735
+ files via vulnerable plugins or themes. A malicious request to try to expose
736
+ `wp-config.php` or `passwd` can be blocked.
737
+ * **New feature:** Add privacy considerations related to IP address. Add
738
+ **Anonymize IP address** at **Record settings**.
739
+ * **Bug fix:** Fix the issue that spaces in **Text message on comment form**
740
+ are deleted.
741
+ * See details at [2.2.0 release note](http://www.ipgeoblock.com/changelog/release-2.2.0.html "2.2.0 Release Note").
742
+
743
+ = 2.1.5.1 =
744
+ * **Bug fix:** Fixed the issue that the Blacklist did not work properly. Thanks
745
+ to TJayYay for reporting this issue at
746
+ [support forum](https://wordpress.org/support/topic/hackers-from-country-in-blocked-list-of-countries-trying-to-login "WordPress › Support » Hackers from country in Blocked List of Countries trying to login").
747
+
748
+ = 2.1.5 =
749
+ * **Enhancement:** Enforce preventing self blocking at the first installation.
750
+ And add the scan button to get all the country code using selected API.
751
+ Thanks to **Nils** for a nice idea at
752
+ [support forum](https://wordpress.org/support/topic/locked-out-due-to-eu-vs-country "WordPress › Support » Locked out due to EU vs. Country").
753
+ * **New feature:** Add pie chart to display statistics of "Blocked by country".
754
+ * **Enhancement:** WP-ZEP is reinforced against CSRF.
755
+ * **Bug fix:** Fix illegal handling of the fragment in a link.
756
+ * See details at [2.1.5 release note](http://www.ipgeoblock.com/changelog/release-2.1.5.html "2.1.5 Release Note").
757
+
758
+ = 2.1.4 =
759
+ * **Bug fix:** Fix the issue that this plugin broke functionality of a certain
760
+ plugin. Thanks to **opsec** for reporting this issue at
761
+ [support forum](https://wordpress.org/support/topic/blocks-saves-in-types-or-any-plugins-from-wp-typescom "WordPress › Support » Blocks saves in Types or any plugins from wp-types.com").
762
+ * **Improvement:** Add checking process for validation rule to prevent being
763
+ blocked itself. Thanks to **internationals** for proposing at
764
+ [support forum](https://wordpress.org/support/topic/locked-out-due-to-eu-vs-country "WordPress › Support » Locked out due to EU vs. Country")
765
+ * **Improvement:** Arrage the order of setting sections to focus the goal of
766
+ this plugin.
767
+ * See details at [2.1.4 release note](http://www.ipgeoblock.com/changelog/release-2.1.4.html "2.1.4 Release Note").
768
+
769
+ = 2.1.3 =
770
+ * **New feature:** Add "show" / "hide" at each section on the "Settings" tab.
771
+ * **New feature:** Add an emergency function that invalidate blocking behavior
772
+ in case yourself is locked out. This feature is commented out by default at
773
+ the bottom of `ip-geo-block.php`.
774
+ * **Improvement:** Prevent adding query strings to the static resources when
775
+ users logged in.
776
+ * **Improvement:** Improved the compatibility with Autoptimize.
777
+ * **Bug fix:** Fix the issue related to showing featured themes on dashboard.
778
+ * **Bug fix:** Fix minor bug in `rewrite.php` for the advanced use case.
779
+ * See details at [2.1.3 release note](http://www.ipgeoblock.com/changelog/release-2.1.3.html "2.1.3 Release Note").
780
+
781
+ = 2.1.2 =
782
+ This is a maintenance release.
783
+
784
+ * **Bug fix:** Fix the issue that the login-fail-counter didn't work when the
785
+ validation at `Login form` was `block by country (register, lost password)`.
786
+ In this release, the login-fail-counter works correctly.
787
+ * **Bug fix:** Fix the issue that the validation settings of `Admin area` and
788
+ `Admin ajax/post` were influential with each other. Now each of those works
789
+ individually.
790
+ * **Bug fix:** "Site Stats" of Jetpack is now shown on the admin bar which
791
+ issue was reported on [support forum](https://wordpress.org/support/topic/admin-area-prevent-zero-day-exploit-incompatible-with-jetpack-site-stats-in-a "WordPress › Support » Admin area - Prevent zero-day exploit: Incompatible with Jetpack Site Stats in A").
792
+ * **Improvement:** Hide checking the existence of log db behind the symbol
793
+ `IP_GEO_BLOCK_DEBUG` to reduce 1 query on admin screen.
794
+ * **Improvement:** Add alternative functions of BCMath extension to avoid
795
+ `PHP Fatal error: Call to undefined function` in `IP2Location.php` when
796
+ IPv6 is specified.
797
+ * **Improvement:** Use MaxMind database at the activating process not to be
798
+ locked out by means of inconsistency of database at the activation and after.
799
+ * See more details at [2.1.2 release note](http://www.ipgeoblock.com/changelog/release-2.1.2.html "2.1.2 Release Note").
800
+
801
+ = 2.1.1 =
802
+ * **New feature:** Added `Block by country (register, lost password)` at
803
+ `Login form` on `Settings` tab in order to accept the registered users as
804
+ membership from anywhere but block the request of new user ragistration and
805
+ lost password by the country code. Is't suitable for BuddyPress and bbPress.
806
+ * **Improvement:** Added showing the custom error page for http response code
807
+ 4xx and 5xx. For example the `403.php` in the theme template directory or in
808
+ the child theme directory is used if it exists. And new filter hooks
809
+ `ip-geo-block-(comment|xmlrpc|login|admin)-(status|reason)` are available
810
+ to customize the response code and reason for human.
811
+ * **Obsoleted:** Obsoleted the filter hooks
812
+ `ip-geo-block-(admin-actions|admin-pages|wp-content)`. Alternatively new
813
+ filter hooks `ip-geo-block-bypass-(admins|plugins|themes)` are added to
814
+ bypass WP-ZEP.
815
+ * Find out more details in the [2.1.1 release note](http://www.ipgeoblock.com/changelog/release-2.1.1.html "2.1.1 Release Note").
816
+
817
+ = 2.1.0 =
818
+ * **New feature:** Expanded the operating range of ZP-ZEP, that includes admin
819
+ area, plugins area, themes area. Now it can prevent a direct malicios attack
820
+ to the file in plugins and themes area. Please go to the "Validation Settings"
821
+ on "Settings" tab and check it. Also check my article in
822
+ "[Analysis of Attack Vector against WP Plugins](http://www.ipgeoblock.com/article/analysis-attack-vector.html)".
823
+ * **Bug fix:** Fixed the issue that action hook `ip-geo-block-backup-dir` did
824
+ not work correctly because the order of argument was mismatched.
825
+ * **Bug fix:** Fixed the issue that a record including utf8 4 bytes character
826
+ in its columns was not logged into DB in WordPress 4.2.
827
+ * **Improvement:** Fixed the issue that Referrer Suppressor do nothing with a
828
+ new element which is added into DOM after DOM ready. The event handler is
829
+ now delegated at the `body`.
830
+
831
+ = 2.0.8 =
832
+ * Fixed an issue that a certain type of attack vector to the admin area (
833
+ [example](https://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html "Critical Vulnerability Disclosed on WordPress Custom Contact Forms Plugin")
834
+ ) could not be blocked by the reason that some plugins accept it on earlier
835
+ hook (ie `init`) than this plugin (previously `admin_init`).
836
+ * Added re-creating DB table for validation logs in case of accidentally
837
+ failed at activation process.
838
+ * The time of day is shown with local time by adding GMT offset based on
839
+ the time zone setting.
840
+ * Optimized resource loading and settings to avoid redundancy.
841
+ * See details at [this plugin's blog](http://www.ipgeoblock.com/changelog/release-2.0.8.html "2.0.8 Release Note").
842
+
843
+ = 2.0.7 =
844
+ * Avoid JavaScript error which occurs if an anchor link has no `href`.
845
+ * Improved UI on admin screen.
846
+ * Added a diagnosis for creation of database table.
847
+
848
+ = 2.0.6 =
849
+ * Sorry for urgent update but avoid an javascript error.
850
+
851
+ = 2.0.4 =
852
+ * Sorry for frequent update but added a function of showing admin notice
853
+ when none of the IP geolocation providers is selected. Because the user
854
+ will be locked out from admin screen when the cache expires.
855
+ * **Bug fix:** Fixed an issue of `get_geolocation()` method at a time of
856
+ when the cache of IP address is cleared.
857
+ * Referrer suppressor now supports [meta referrer](https://wiki.whatwg.org/wiki/Meta_referrer "Meta referrer - WHATWG Wiki")
858
+
859
+ = 2.0.3 =
860
+ * **Bug fix:** Fixed an issue that empty black list doesn't work correctly
861
+ when matching rule is black list.
862
+ * **New feature:** Added 'Zero-day Exploit Prevention for wp-admin'.
863
+ Because it is an experimental feature, please open a new issue at
864
+ [support forum](https://wordpress.org/support/plugin/ip-geo-block "WordPress &#8250; Support &raquo; IP Geo Block")
865
+ if you have any troubles with it.
866
+ * **New feature:** Referrer suppressor for external link. When you click an
867
+ external hyperlink on admin screen, http referrer will be suppressed to
868
+ hide a footprint of your site.
869
+ * Also added the filter hook `ip-geo-block-admin-actions` for safe actions
870
+ on back-end.
871
+
872
+ = 2.0.2 =
873
+ * **New feature:** Include `wp-admin/admin-post.php` as a validation target
874
+ in the `Admin area`. This feature is to protect against a vulnerability
875
+ such as
876
+ [Analysis of the Fancybox-For-WordPress Vulnerability](http://blog.sucuri.net/2015/02/analysis-of-the-fancybox-for-wordpress-vulnerability.html)
877
+ on Sucuri Blog.
878
+ * Added a sample code snippet as a use case for 'Give ajax permission in
879
+ case of safe actions on front facing page'. See Example 10 in `sample.php`.
880
+
881
+ = 2.0.1 =
882
+ * Fixed the issue of improper scheme from the HTTPS site when loading js
883
+ for google map.
884
+ * In order to prevent accidental disclosure of the length of password,
885
+ changed the length of `*` (masked password) which is logged into the
886
+ database.
887
+
888
+ = 2.0.0 =
889
+ * **New feature:** Protection against brute-force and reverse-brute-force
890
+ attacks to `wp-login.php`, `xmlrpc.php` and admin area.
891
+ This is an experimental function and can be enabled on `Settings` tab.
892
+ Malicious access can try to login only 5 times per IP address. This retry
893
+ counter can be reset to zero by `Clear statistics` on `Statistics` tab.
894
+
895
+ = 1.0.0 =
896
+ * Ready to release.
897
+
898
+ == Upgrade Notice ==
admin/class-ip-geo-block-admin.php ADDED
@@ -0,0 +1,982 @@
1
+ <?php
2
+ /**
3
+ * IP Geo Block - Admin class
4
+ *
5
+ * @package IP_Geo_Block
6
+ * @author tokkonopapa <tokkonopapa@yahoo.com>
7
+ * @license GPL-2.0+
8
+ * @link http://www.ipgeoblock.com/
9
+ * @copyright 2013-2016 tokkonopapa
10
+ */
11
+
12
+ class IP_Geo_Block_Admin {
13
+
14
+ /**
15
+ * Instance of this class.
16
+ *
17
+ */
18
+ protected static $instance = null;
19
+
20
+ /**
21
+ * Tab of the admin page.
22
+ *
23
+ */
24
+ private $admin_tab = 0;
25
+
26
+ /**
27
+ * Initialize the plugin by loading admin scripts & styles
28
+ * and adding a settings page and menu.
29
+ */
30
+ private function __construct() {
31
+ // Load plugin text domain.
32
+ add_action( 'init', array( $this, 'load_plugin_textdomain' ) );
33
+
34
+ // Setup a nonce to validate authentication.
35
+ add_filter( 'wp_redirect', array( $this, 'add_admin_nonce' ), 10, 2 );
36
+
37
+ // Add the options page and menu item.
38
+ add_action( 'admin_menu', array( $this, 'setup_admin_page' ) );
39
+ add_action( 'wp_ajax_ip_geo_block', array( $this, 'admin_ajax_callback' ) );
40
+ add_action( 'admin_post_ip_geo_block', array( $this, 'admin_ajax_callback' ) );
41
+ add_filter( 'wp_prepare_revision_for_js', array( $this, 'add_revision_nonce' ), 10, 3 );
42
+
43
+ // If multisite, then enque the authentication script for network admin
44
+ if ( is_multisite() ) {
45
+ add_action( 'network_admin_menu', 'IP_Geo_Block::enqueue_nonce' );
46
+ }
47
+ }
48
+
49
+ /**
50
+ * Return an instance of this class.
51
+ *
52
+ */
53
+ public static function get_instance() {
54
+ return self::$instance ? self::$instance : ( self::$instance = new self );
55
+ }
56
+
57
+ /**
58
+ * Load the plugin text domain for translation.
59
+ *
60
+ */
61
+ public function load_plugin_textdomain() {
62
+ load_plugin_textdomain( IP_Geo_Block::PLUGIN_NAME, FALSE, dirname( IP_GEO_BLOCK_BASE ) . '/languages/' );
63
+ }
64
+
65
+ /**
66
+ * Add nonce when redirect into wp-admin area.
67
+ *
68
+ */
69
+ public function add_admin_nonce( $location, $status ) {
70
+ return IP_Geo_Block_Util::rebuild_nonce( $location, $status );
71
+ }
72
+
73
+ /**
74
+ * Get the action name of ajax for nonce
75
+ *
76
+ */
77
+ private function get_ajax_action() {
78
+ return IP_Geo_Block::PLUGIN_NAME . '-ajax-action';
79
+ }
80
+
81
+ /**
82
+ * Register and enqueue plugin-specific style sheet and JavaScript.
83
+ *
84
+ */
85
+ public function enqueue_admin_assets() {
86
+ $footer = TRUE;
87
+ $dependency = array( 'jquery' );
88
+
89
+ // css for option page
90
+ wp_enqueue_style( IP_Geo_Block::PLUGIN_NAME . '-admin-styles',
91
+ plugins_url( ! defined( 'IP_GEO_BLOCK_DEBUG' ) || ! IP_GEO_BLOCK_DEBUG ?
92
+ 'css/admin.min.css' : 'css/admin.css', __FILE__
93
+ ),
94
+ array(), IP_Geo_Block::VERSION
95
+ );
96
+
97
+ switch ( $this->admin_tab ) {
98
+ case 1:
99
+ // js for google chart
100
+ wp_register_script(
101
+ $addon = IP_Geo_Block::PLUGIN_NAME . '-google-chart',
102
+ 'https://www.google.com/jsapi', array(), NULL, $footer
103
+ );
104
+ wp_enqueue_script( $addon );
105
+ break;
106
+
107
+ case 2:
108
+ // js for google map
109
+ $settings = IP_Geo_Block::get_option();
110
+ if ( $key = $settings['api_key']['GoogleMap'] ) {
111
+ wp_enqueue_script( IP_Geo_Block::PLUGIN_NAME . '-gmap-js',
112
+ plugins_url( ! defined( 'IP_GEO_BLOCK_DEBUG' ) || ! IP_GEO_BLOCK_DEBUG ?
113
+ 'js/gmap.min.js' : 'js/gmap.js', __FILE__
114
+ ),
115
+ $dependency, IP_Geo_Block::VERSION, $footer
116
+ );
117
+ wp_enqueue_script( IP_Geo_Block::PLUGIN_NAME . '-google-map',
118
+ '//maps.googleapis.com/maps/api/js' . ( 'default' !== $key ? "?key=$key" : '' ),
119
+ $dependency, IP_Geo_Block::VERSION, $footer
120
+ );
121
+ }
122
+ wp_enqueue_script( IP_Geo_Block::PLUGIN_NAME . '-whois-js',
123
+ plugins_url( ! defined( 'IP_GEO_BLOCK_DEBUG' ) || ! IP_GEO_BLOCK_DEBUG ?
124
+ 'js/whois.min.js' : 'js/whois.js', __FILE__
125
+ ),
126
+ $dependency, IP_Geo_Block::VERSION, $footer
127
+ );
128
+ break;
129
+
130
+ case 4:
131
+ // footable https://github.com/bradvin/FooTable
132
+ wp_enqueue_style( IP_Geo_Block::PLUGIN_NAME . '-footable-css',
133
+ plugins_url( 'css/footable.core.min.css', __FILE__ ),
134
+ array(), IP_Geo_Block::VERSION
135
+ );
136
+ wp_enqueue_script( IP_Geo_Block::PLUGIN_NAME . '-footable-js',
137
+ plugins_url( 'js/footable.min.js', __FILE__ ),
138
+ $dependency, IP_Geo_Block::VERSION, $footer
139
+ );
140
+ }
141
+
142
+ // js for IP Geo Block admin page
143
+ wp_register_script(
144
+ $handle = IP_Geo_Block::PLUGIN_NAME . '-admin-script',
145
+ plugins_url( ! defined( 'IP_GEO_BLOCK_DEBUG' ) || ! IP_GEO_BLOCK_DEBUG ?
146
+ 'js/admin.min.js' : 'js/admin.js', __FILE__
147
+ ),
148
+ $dependency + ( isset( $addon ) ? array( $addon ) : array() ),
149
+ IP_Geo_Block::VERSION,
150
+ $footer
151
+ );
152
+ wp_localize_script( $handle,
153
+ 'IP_GEO_BLOCK',
154
+ array(
155
+ 'action' => 'ip_geo_block',
156
+ 'tab' => $this->admin_tab,
157
+ 'url' => admin_url( 'admin-ajax.php' ),
158
+ 'nonce' => IP_Geo_Block_Util::create_nonce( $this->get_ajax_action() ),
159
+ 'msg' => array(
160
+ __( 'Import settings ?', 'ip-geo-block' ),
161
+ __( 'Create table ?', 'ip-geo-block' ),
162
+ __( 'Delete table ?', 'ip-geo-block' ),
163
+ __( 'Clear statistics ?', 'ip-geo-block' ),
164
+ __( 'Clear cache ?', 'ip-geo-block' ),
165
+ __( 'Clear logs ?', 'ip-geo-block' ),
166
+ __( 'This feature is available with HTML5 compliant browsers.', 'ip-geo-block' ),
167
+ ),
168
+ )
169
+ );
170
+ wp_enqueue_script( $handle );
171
+ }
172
+
173
+ /**
174
+ * Add nonce to revision @since 4.4.0
175
+ *
176
+ */
177
+ public function add_revision_nonce( $revisions_data, $revision, $post ) {
178
+ $revisions_data['restoreUrl'] = add_query_arg(
179
+ $nonce = IP_Geo_Block::PLUGIN_NAME . '-auth-nonce',
180
+ IP_Geo_Block_Util::create_nonce( $nonce ),
181
+ $revisions_data['restoreUrl']
182
+ );
183
+
184
+ return $revisions_data;
185
+ }
186
+
187
+ /**
188
+ * Add plugin meta links
189
+ *
190
+ */
191
+ public function add_plugin_meta_links( $links, $file ) {
192
+ if ( $file === IP_GEO_BLOCK_BASE ) {
193
+ $title = __( 'Contribute at GitHub', 'ip-geo-block' );
194
+ array_push(
195
+ $links,
196
+ "<a href=\"http://www.ipgeoblock.com\" title=\"$title\" target=_blank>$title</a>"
197
+ );
198
+ }
199
+
200
+ return $links;
201
+ }
202
+
203
+ /**
204
+ * Add settings action link to the plugins page.
205
+ *
206
+ */
207
+ public function add_action_links( $links ) {
208
+ return array_merge(
209
+ array(
210
+ 'settings' => '<a href="' . esc_url( admin_url( 'options-general.php?page=' . IP_Geo_Block::PLUGIN_NAME ) ) . '">' . __( 'Settings' ) . '</a>'
211
+ ),
212
+ $links
213
+ );
214
+ }
215
+
216
+ /**
217
+ * Show global notice.
218
+ *
219
+ */
220
+ public function show_admin_notices() {
221
+ $key = IP_Geo_Block::PLUGIN_NAME . '-notice';
222
+
223
+ if ( FALSE !== ( $notices = get_transient( $key ) ) ) {
224
+ foreach ( $notices as $msg => $type ) {
225
+ echo "\n", '<div class="notice is-dismissible ', esc_attr( $type ), '"><p>';
226
+ if ( 'updated' === $type )
227
+ echo '<strong>', IP_Geo_Block_Util::kses( $msg ), '</strong>';
228
+ else
229
+ echo '<strong>IP Geo Block:</strong> ', IP_Geo_Block_Util::kses( $msg );
230
+ echo '</p></div>', "\n";
231
+ }
232
+ }
233
+
234
+ // delete all admin noties
235
+ delete_transient( $key );
236
+ }
237
+
238
+ /**
239
+ * Add global notice.
240
+ *
241
+ */
242
+ public static function add_admin_notice( $type, $msg ) {
243
+ $key = IP_Geo_Block::PLUGIN_NAME . '-notice';
244
+ if ( FALSE === ( $notices = get_transient( $key ) ) )
245
+ $notices = array();
246
+
247
+ // can't overwrite the existent notice
248
+ if ( ! isset( $notices[ $msg ] ) ) {
249
+ $notices[ $msg ] = $type;
250
+ set_transient( $key, $notices, MINUTE_IN_SECONDS );
251
+ }
252
+ }
253
+
254
+ /**
255
+ * Register the administration menu into the WordPress Dashboard menu.
256
+ *
257
+ */
258
+ private function add_plugin_admin_menu() {
259
+ // Setup the tab number
260
+ $this->admin_tab = isset( $_GET['tab'] ) ? (int)$_GET['tab'] : 0;
261
+ $this->admin_tab = min( 4, max( 0, $this->admin_tab ) );
262
+
263
+ // Add a settings page for this plugin to the Settings menu.
264
+ $hook = add_options_page(
265
+ __( 'IP Geo Block', 'ip-geo-block' ),
266
+ __( 'IP Geo Block', 'ip-geo-block' ),
267
+ 'manage_options',
268
+ IP_Geo_Block::PLUGIN_NAME,
269
+ array( $this, 'display_plugin_admin_page' )
270
+ );
271
+
272
+ // If successful, load admin assets only on this page.
273
+ if ( $hook )
274
+ add_action( "load-$hook", array( $this, 'enqueue_admin_assets' ) );
275
+ }
276
+
277
+ /**
278
+ * Diagnosis of admin settings.
279
+ *
280
+ */
281
+ private function diagnose_admin_screen() {
282
+ // Check version and compatibility
283
+ if ( version_compare( get_bloginfo( 'version' ), '3.7.0' ) < 0 )
284
+ self::add_admin_notice( 'error', __( 'You need WordPress 3.7+.', 'ip-geo-block' ) );
285
+
286
+ $settings = IP_Geo_Block::get_option();
287
+ $adminurl = 'options-general.php';
288
+
289
+ // Check consistency of matching rule
290
+ if ( -1 === (int)$settings['matching_rule'] ) {
291
+ if ( FALSE !== get_transient( IP_Geo_Block::CRON_NAME ) ) {
292
+ self::add_admin_notice( 'notice-warning', sprintf(
293
+ __( 'Now downloading geolocation databases in background. After a little while, please check your country code and &#8220;<strong>Matching rule</strong>&#8221; at <a href="%s">Validation rule settings</a>.', 'ip-geo-block' ),
294
+ esc_url( add_query_arg( array( 'page' => IP_Geo_Block::PLUGIN_NAME ), $adminurl ) )
295
+ ) );
296
+ }
297
+ else {
298
+ self::add_admin_notice( 'error', sprintf(
299
+ __( 'The &#8220;<strong>Matching rule</strong>&#8221; is not set properly. Please confirm it at <a href="%s">Validation rule settings</a>.', 'ip-geo-block' ),
300
+ esc_url( add_query_arg( array( 'page' => IP_Geo_Block::PLUGIN_NAME ), $adminurl ) )
301
+ ) );
302
+ }
303
+ }
304
+
305
+ // Check to finish updating matching rule
306
+ elseif ( 'done' === get_transient( IP_Geo_Block::CRON_NAME ) ) {
307
+ delete_transient( IP_Geo_Block::CRON_NAME );
308
+ self::add_admin_notice( 'updated ', __( 'Local database and matching rule have been updated.', 'ip-geo-block' ) );
309
+ }
310
+
311
+ // Check self blocking
312
+ if ( 1 === (int)$settings['validation']['login'] ) {
313
+ $instance = IP_Geo_Block::get_instance();
314
+ $validate = $instance->validate_ip( 'login', $settings, TRUE, FALSE, FALSE ); // skip authentication check
315
+
316
+ switch( $validate['result'] ) {
317
+ case 'limited':
318
+ self::add_admin_notice( 'error',
319
+ __( 'Once you logout, you will be unable to login again because the number of login attempts reaches the limit.', 'ip-geo-block' ) . ' ' .
320
+ sprintf(
321
+ __( 'Please execute "<strong>Clear cache</strong>" on <a href="%s">Statistics tab</a> to prevent locking yourself out.', 'ip-geo-block' ),
322
+ esc_url( add_query_arg( array( 'page' => IP_Geo_Block::PLUGIN_NAME, 'tab' => 1 ), $adminurl ) )
323
+ )
324
+ );
325
+ break;
326
+
327
+ case 'blocked':
328
+ case 'extra':
329
+ self::add_admin_notice( 'error',
330
+ ( $settings['matching_rule'] ?
331
+ __( 'Once you logout, you will be unable to login again because your country code or IP address is in the blacklist.', 'ip-geo-block' ) :
332
+ __( 'Once you logout, you will be unable to login again because your country code or IP address is not in the w