IP Geo Block - Version 3.0.2.2

Version Description

  • Improvement: Change the behavior of "Referrer Suppressor" so that it no longer opens a new window on public-facing pages.
  • Improvement: Improve some of the help text descriptions.
  • Bug fix: Fix an undefined symbol in the admin class related to the Google Maps API.
  • Bug fix: Fix incompatible function arguments when the number of failed logins reaches the limit.
  • Bug fix: Fix blocking by country not working correctly on specific pages selected as the validation target.

Release Info

Developer tokkonopapa
Version 3.0.2.2

Code changes from version 2.2.9.1 to 3.0.2.2

Files changed (61)
  1. README.md +58 -0
  2. README.txt +282 -583
  3. admin/class-ip-geo-block-admin.php +129 -83
  4. admin/css/admin.css +33 -2
  5. admin/css/admin.min.css +1 -1
  6. admin/css/fonts/LICENSE +4 -0
  7. admin/css/footable.core.min.css +9 -0
  8. admin/includes/class-admin-ajax.php +114 -10
  9. admin/includes/tab-accesslog.php +24 -6
  10. admin/includes/tab-settings.php +387 -33
  11. admin/includes/tab-statistics.php +15 -17
  12. admin/js/admin.js +207 -77
  13. admin/js/admin.min.js +6 -6
  14. admin/js/authenticate.js +59 -29
  15. admin/js/authenticate.min.js +6 -6
  16. admin/js/footable.min.js +4 -2
  17. admin/js/gmap.js +2 -2
  18. admin/js/gmap.min.js +7 -7
  19. admin/js/whois.min.js +7 -7
  20. classes/class-ip-geo-block-actv.php +13 -9
  21. classes/class-ip-geo-block-apis.php +32 -55
  22. classes/class-ip-geo-block-cron.php +225 -4
  23. classes/class-ip-geo-block-lkup.php +42 -33
  24. classes/class-ip-geo-block-load.php +17 -17
  25. classes/class-ip-geo-block-logs.php +184 -56
  26. classes/class-ip-geo-block-opts.php +60 -9
  27. classes/class-ip-geo-block-util.php +145 -230
  28. classes/class-ip-geo-block.php +352 -162
  29. includes/Net/DNS2.php +76 -76
  30. includes/Net/DNS2/Cache.php +6 -0
  31. includes/Net/DNS2/Cache/File.php +7 -2
  32. includes/Net/DNS2/Cache/Shm.php +13 -0
  33. includes/Net/DNS2/Header.php +4 -9
  34. includes/Net/DNS2/Lookups.php +30 -4
  35. includes/Net/DNS2/Packet.php +0 -15
  36. includes/Net/DNS2/Question.php +2 -2
  37. includes/Net/DNS2/RR.php +6 -3
  38. includes/Net/DNS2/RR/AVC.php +75 -0
  39. includes/Net/DNS2/RR/NSAP.php +3 -3
  40. includes/Net/DNS2/RR/OPENPGPKEY.php +1 -1
  41. includes/Net/DNS2/RR/SMIMEA.php +75 -0
  42. includes/Net/DNS2/RR/SSHFP.php +13 -7
  43. includes/Net/DNS2/Resolver.php +3 -3
  44. includes/Net/IPv4.php +9 -462
  45. includes/Net/IPv6.php +22 -7
  46. includes/Net/LICENSE +33 -0
  47. ip-geo-block.php +14 -8
  48. languages/ip-geo-block-ja.mo +0 -0
  49. languages/ip-geo-block-ja.po +545 -222
  50. languages/ip-geo-block.mo +0 -0
  51. languages/ip-geo-block.po +464 -195
  52. languages/ip-geo-block.pot +464 -195
  53. rewrite.php +22 -16
  54. samples.php +8 -13
  55. uninstall.php +6 -6
  56. wp-content/ip-geo-api/drop-in-sample.php +34 -3
  57. wp-content/ip-geo-api/ip2location/IP2Location.php +17 -0
  58. wp-content/ip-geo-api/ip2location/class-ip2location.php +17 -5
  59. wp-content/ip-geo-api/maxmind/class-maxmind.php +26 -4
  60. wp-content/ip-geo-api/maxmind/geoip.inc +52 -2
  61. wp-content/mu-plugins/ip-geo-block-mu.php +32 -12
README.md ADDED
@@ -0,0 +1,58 @@
1
+ IP Geo Block
2
+ ==============
3
+
4
+ ### Description:
5
+
6
+ It blocks any spams, login attempts and malicious access to the admin area
7
+ posted from the specific countries, and also prevents zero-day exploit.
8
+
9
+ See more detail at [WordPress.org][IPGB].
10
+
11
+ ### Dependency:
12
+
13
+ [IP Geo API 1.1.6][IPGeoAPI]
14
+
15
+ ### Requirement:
16
+
17
+ - WordPress 3.7+
18
+
19
+ ### Attribution:
20
+
21
+ This package includes GeoLite data created by MaxMind, available from
22
+ [MaxMind][MaxMind],
23
+ and also includes IP2Location open source libraries available from
24
+ [IP2Location][IP2Loc].
25
+
26
+ Also thanks for providing the following great services and REST APIs for free.
27
+
28
+ Provider | Supported type | Licence
29
+ ---------------------------------------|----------------|--------
30
+ [http://freegeoip.net/] [freegeoip] | IPv4, IPv6 | free
31
+ [http://ipinfo.io/] [ipinfo] | IPv4, IPv6 | free
32
+ [http://geoip.nekudo.com/] [Nekudo] | IPv4, IPv6 | free
33
+ [http://xhanch.com/] [Xhanch] | IPv4 | free
34
+ [http://www.geoplugin.com/][geoplugin] | IPv4, IPv6 | free, need an attribution link
35
+ [http://geoiplookup.net/] [geoiplkup] | IPv4, IPv6 | free
36
+ [http://ip-api.com/] [ipapi] | IPv4, IPv6 | free for non-commercial use
37
+ [http://ipinfodb.com/] [IPInfoDB] | IPv4, IPv6 | free for registered user
38
+
39
+ ### License:
40
+
41
+ This plugin is licensed under the GPL v2 or later.
42
+
43
+ [IPGB]: https://wordpress.org/plugins/ip-geo-block/ "IP Geo Block — WordPress Plugins"
44
+ [freegeoip]: http://freegeoip.net/ "freegeoip.net: FREE IP Geolocation Web Service"
45
+ [ipinfo]: http://ipinfo.io/ "ipinfo.io - ip address information including geolocation, hostname and network details"
46
+ [Telize]: http://www.telize.com/ "Telize - JSON IP and GeoIP REST API"
47
+ [IPJson]: http://ip-json.rhcloud.com/ "Free IP Geolocation Web Service"
48
+ [Pycox]: http://ip.pycox.com/ "Free IP Geolocation Web Service"
49
+ [Nekudo]: http://geoip.nekudo.com/ "eoip.nekudo.com | Free IP geolocation API"
50
+ [Xhanch]: http://xhanch.com/xhanch-api-ip-get-detail/ "Xhanch API - IP Get Detail | Xhanch Studio"
51
+ [geoplugin]: http://www.geoplugin.com/ "geoPlugin to geolocate your visitors"
52
+ [ipapi]: http://ip-api.com/ "IP-API.com - Free Geolocation API"
53
+ [IPInfoDB]: http://ipinfodb.com/ "IPInfoDB | Free IP Address Geolocation Tools"
54
+ [MaxMind]: http://www.maxmind.com "MaxMind - IP Geolocation and Online Fraud Prevention"
55
+ [IP2Loc]: http://www.ip2location.com "IP Address Geolocation to Identify Website Visitor's Geographical Location"
56
+ [Cache]: http://www.designbombs.com/top-wordpress-caching-plugins-compared/ "Top 6 Fastest WordPress Caching Plugins Compared (2016 Edition)"
57
+ [IPGeoAPI]: https://github.com/tokkonopapa/WordPress-IP-Geo-API "GitHub - tokkonopapa/WordPress-IP-Geo-API: A class library combined with WordPress plugin IP Geo Block to handle geo-location database of Maxmind and IP2Location."
58
+ [geoiplkup]: http://geoiplookup.net/ "What Is My IP Address | GeoIP Lookup"
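Review bot: Four of the reference-style link definitions at the end of the new README.md (`[Telize]`, `[IPJson]`, `[Pycox]`, `[Cache]`) are never referenced in the body, and the `[Nekudo]` title text reads `eoip.nekudo.com` instead of `geoip.nekudo.com`; drop the dead definitions and fix the title. The provider table is also inconsistent in its reference syntax: most rows put a space between the link text and the label (`[http://freegeoip.net/] [freegeoip]`) while the geoPlugin row does not (`[http://www.geoplugin.com/][geoplugin]`). CommonMark, which GitHub's renderer follows, does not treat the spaced form as a full reference link, so those rows will render with literal brackets; use the unspaced form throughout.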
README.txt CHANGED
@@ -1,158 +1,74 @@
1
=== IP Geo Block ===
2
Contributors: tokkonopapa
3
Donate link:
4
- Tags: buddypress, bbPress, comment, pingback, trackback, spam, IP address, geo, geolocation, xmlrpc, login, wp-admin, admin, ajax, security, brute force, firewall, vulnerability
5
Requires at least: 3.7
6
- Tested up to: 4.6.1
7
- Stable tag: 2.2.9.1
8
License: GPLv2 or later
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
11
- It blocks any spams, login attempts and malicious access to the admin area
12
- posted from the specific countries, and also prevents zero-day exploit.
13
14
== Description ==
15
16
- There're some cases of a site being infected. The first one is the case that
17
- contaminated files are uploaded via FTP or something. In this case, scaning
18
- and verifing integrity of files in the site is needed to detect the infection.
19
20
- The second one is cracking of the login username and password. In this case,
21
- the rule of right is to strengthen the password.
22
23
- The third one may be caused by malicious accesses to the core files. The major
24
- issue in this case is that a plugin or theme in your site can potentially has
25
- some vulnerability such as XSS, CSRF, SQLi, LFI and so on. For example, if a
26
- plugin has Local File Inclusion (LFI) vulnerability, the attackers can easily
27
- download the `wp-config.php` by simply hitting
28
- [wp-admin/admin-ajax.php?action=show&file=../wp-config.php](http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html "Slider Revolution Plugin Critical Vulnerability Being Exploited | Sucuri Blog")
29
- on their browser instead of cracking username and password.
30
31
- For these cases, the protection based on the IP address is not a perfect
32
- solution for everyone. But for some site owners or some certain cases such
33
- as 'zero-day attack', combination with the original feature 'Zero-day Exploit
34
- Prevention' can reduce the risk of infection against the specific attacks.
35
-
36
- That's why this plugin is here.
37
38
= Features =
39
40
- This plugin will examine a country code based on the IP address. If a
41
- comment, pingback or trackback comes from the specific country, it can be
42
- blocked before Akismet validate it.
43
-
44
- With the same mechanism, it fights against burst accesses by brute-force
45
- and reverse-brute-force attacks to the login form and XML-RPC.
46
-
47
* **Immigration control:**
48
- Access to the basic and important entrances into the back-end such as
49
- `wp-comments-post.php`, `xmlrpc.php`, `wp-login.php`, `wp-signup.php`,
50
- `wp-admin/admin.php`, `wp-admin/admin-ajax.php`, `wp-admin/admin-post.php`
51
- will be validated by means of a country code based on IP address. It allows
52
- you to configure either whitelist or blacklist to specify the countires.
53
54
* **Zero-day Exploit Prevention:**
55
- The original feature "**Z**ero-day **E**xploit **P**revention for WP"
56
- (WP-ZEP) is simple but still smart and strong enough to block any malicious
57
- accesses to `wp-admin/*.php`, `plugins/*.php` and `themes/*.php` even from
58
- the permitted countries. It will protect your site against certain types of
59
- attack such as CSRF, LFI, SQLi, XSS and so on, **even if you have some
60
- [vulnerable plugins or themes](https://wpvulndb.com/ "WPScan Vulnerability Database")
61
- in your site**. Find more details in
62
- [FAQ](https://wordpress.org/plugins/ip-geo-block/faq/ "IP Geo Block - WordPress Plugins")
63
- and
64
- [this plugin's blog](http://www.ipgeoblock.com/article/how-wpzep-works.html "How does WP-ZEP prevent zero-day attack? | IP Geo Block").
65
66
* **Guard against login attempts:**
67
- In order to prevent the invasion through the login form and XML-RPC by
68
- the brute-force and the reverse-brute-force attacks, the number of login
69
- attempts will be limited per IP address even from the permitted countries.
70
71
* **Protection of wp-config.php:**
72
- A malicious request to try to expose `wp-config.php` via vulnerable plugins
73
- or themes can be blocked. A numerous such attacks can be found in
74
- [this article](http://www.ipgeoblock.com/article/exposure-of-wp-config-php.html "Prevent exposure of wp-config.php").
75
-
76
- * ** Minimize server load against brute-force attacks:**
77
- You can configure this plugin as a
78
- [Must Use Plugins](https://codex.wordpress.org/Must_Use_Plugins "Must Use Plugins « WordPress Codex")
79
- which would be loaded prior to regular plugins and can massively
80
- [reduce the load on server](http://www.ipgeoblock.com/codex/validation-timing.html "Validation timing | IP Geo Block")
81
- especially against brute-force attacks.
82
- And furthermore, a cache mechanism for the fetched IP addresses and country
83
- code can help to reduce load on the server against the burst accesses with
84
- a short period of time.
85
86
* **Support of BuddyPress and bbPress:**
87
- You can configure this plugin such that a registered user can login as the
88
- membership from anywhere, but a request such as a new user registration,
89
- lost password, creating a new topic, and subscribing comment is blocked by
90
- the country code. It is suitable for
91
- [BuddyPress](https://wordpress.org/plugins/buddypress/ "WordPress › BuddyPress « WordPress Plugins")
92
- and [bbPress](https://wordpress.org/plugins/bbpress/ "WordPress › bbPress « WordPress Plugins")
93
- to help reducing spams.
94
95
* **Referrer suppressor for external links:**
96
- When you click an external hyperlink on admin screen, http referrer will be
97
- eliminated to hide a footprint of your site.
98
99
* **Multiple source of IP Geolocation databases:**
100
- Free IP Geolocation database and REST APIs are installed into this plugin to
101
- get a country code from an IP address. There are two types of API which
102
- support only IPv4 or both IPv4 and IPv6. This plugin will automatically
103
- choose an appropriate API.
104
-
105
- * **Database auto updater:**
106
- [MaxMind](http://www.maxmind.com "MaxMind - IP Geolocation and Online Fraud Prevention")
107
- GeoLite free databases and
108
- [IP2Location](http://www.ip2location.com/ "IP Address Geolocation to Identify Website Visitor's Geographical Location")
109
- LITE databases can be incorporated with this plugin. Those will be downloaded
110
- and updated (once a month) automatically.
111
112
* **Customizing response:**
113
- HTTP response code can be selectable as `403 Forbidden` to deny access pages,
114
- `404 Not Found` to hide pages or even `200 OK` to redirect to the top page.
115
- You can also have the custom error page (for example `403.php`) in your theme
116
- template directory or child theme directory to fit your theme.
117
118
* **Validation logs:**
119
- Logs will be recorded into MySQL data table to audit posting pattern under
120
- the specified condition.
121
122
* **Cooperation with full spec security plugin:**
123
- This plugin is simple and lite enough to be able to cooperate with other
124
- full spec security plugin such as
125
- [Wordfence Security](https://wordpress.org/plugins/wordfence/ "WordPress › Wordfence Security « WordPress Plugins")
126
- (because the function of country bloking is available only for premium users).
127
128
* **Extendability:**
129
- "Settings minimum, Customizability maximum" is the basic concept of this
130
- plugin. You can customize the behavior of this plugin via `add_filter()`
131
- with pre-defined filter hook. See various use cases in
132
- [the documents](http://www.ipgeoblock.com/codex/ "Codex | IP Geo Block")
133
- and
134
- [samples.php](https://github.com/tokkonopapa/WordPress-IP-Geo-Block/blob/master/ip-geo-block/samples.php "WordPress-IP-Geo-Block/samples.php at master - tokkonopapa/WordPress-IP-Geo-Block - GitHub")
135
- bundled within this package.
136
137
* **Self blocking prevention and easy rescue:**
138
- Most of users do not prefer themselves to be blocked. This plugin prevents
139
- such a sad thing unless you force it.
140
- ([release 2.1.4](http://www.ipgeoblock.com/changelog/release-2.1.4.html "2.1.4 Release Note"))
141
- And futhermore, if such a situation occurs, you can rescue yourself easily.
142
- ([release 2.1.3](http://www.ipgeoblock.com/changelog/release-2.1.3.html "2.1.3 Release Note"))
143
144
* **Clean uninstallation:**
145
- Nothing is left in your precious mySQL database after uninstallation. So you
146
- can feel free to install and activate to make a trial of this plugin's
147
- functionality. Several days later, you'll find many undesirable accesses in
148
- your validation logs if all validation targets are enabled.
149
150
= Attribution =
151
152
- This package includes GeoLite library distributed by MaxMind, available from
153
- [MaxMind](http://www.maxmind.com "MaxMind - IP Geolocation and Online Fraud Prevention"),
154
- and also includes IP2Location open source libraries available from
155
- [IP2Location](http://www.ip2location.com "IP Address Geolocation to Identify Website Visitor's Geographical Location").
156
157
Also thanks for providing the following great services and REST APIs for free.
158
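Review bot: This hunk removes `Tested up to: 4.6.1` and `Stable tag: 2.2.9.1` from the header, but no `+` lines are visible in this view, so the replacement values cannot be checked here; WordPress.org serves whichever tag `Stable tag` names, so confirm it reads `3.0.2.2` to match this release. The removed Description also carried the caveat that IP-based protection "is not a perfect solution for everyone" next to the list of attack classes (CSRF, LFI, SQLi, XSS) that WP-ZEP is said to block on `wp-admin/*.php`, `plugins/*.php` and `themes/*.php`; if the shortened text keeps those claims, keep the caveat with them so the feature list does not overstate what country blocking provides.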
@@ -166,13 +82,9 @@ Also thanks for providing the following great services and REST APIs for free.
166
167
= Development =
168
169
- Development of this plugin is promoted at
170
- [WordPress-IP-Geo-Block](https://github.com/tokkonopapa/WordPress-IP-Geo-Block "tokkonopapa/WordPress-IP-Geo-Block - GitHub")
171
- and class libraries to handle geo-location database for Maxmind and IP2Location
172
- are developed separately as "add-in"s at
173
- [WordPress-IP-Geo-API](https://github.com/tokkonopapa/WordPress-IP-Geo-API "tokkonopapa/WordPress-IP-Geo-API - GitHub").
174
- All contributions will always be welcome. Or visit my
175
- [development blog](http://www.ipgeoblock.com/ "IP Geo Block").
176
177
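Review bot: Removing the Development section drops README.txt's only pointer to WordPress-IP-Geo-API, the separately developed add-in library that handles the MaxMind and IP2Location databases. The new README.md in this change lists `IP Geo API 1.1.6` as a dependency, but WordPress.org displays README.txt rather than README.md, so keep at least the dependency link and its version in README.txt as well.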
== Installation ==
178
@@ -182,55 +94,42 @@ All contributions will always be welcome. Or visit my
182
2. Search for 'IP Geo Block'
183
3. Click 'Install Now'
184
4. Activate the plugin on the Plugin dashboard
185
186
= Validation rule settings =
187
188
* **Matching rule**
189
- Choose either `White list` (recommended) or `Black list` to specify the
190
- countries from which you want to pass or block.
191
192
* **Country code for matching rule**
193
- Specify the country code with two letters (see
194
- [ISO 3166-1 alpha-2](http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements "ISO 3166-1 alpha-2 - Wikipedia, the free encyclopedia")
195
- ). Each of them should be separated by comma.
196
197
* **White/Black list of extra IPs for prior validation**
198
- The list of extra IP addresses prior to the validation of country code.
199
- [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing "Classless Inter-Domain Routing - Wikipedia, the free encyclopedia")
200
- is acceptable to specify the range.
201
202
* **$_SERVER keys for extra IPs**
203
- Additional IP addresses will be validated if some of keys in `$_SERVER`
204
- variable are specified in this textfield. Typically `HTTP_X_FORWARDED_FOR`.
205
206
* **Bad signatures in query**
207
- It validates malicious signatures independently of **Block by country** and
208
- **Prevent Zero-day Exploit** for the target **Admin area**,
209
- **Admin ajax/post**, **Plugins area** and **Themes area**.
210
- Typically, `/wp-config.php` and `/passwd`.
211
212
* **Response code**
213
- Choose one of the
214
- [response code](http://tools.ietf.org/html/rfc2616#section-10 "RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1")
215
- to be sent when it blocks a comment.
216
- The 2xx code will lead to your top page, the 3xx code will redirect to
217
- [Black Hole Server](http://blackhole.webpagetest.org/),
218
- the 4xx code will lead to WordPress error page, and the 5xx will pretend
219
- an server error.
220
221
* **Validation timing**
222
- Choose **"init" action hook** or **"mu-plugins" (ip-geo-block-mu.php)** to
223
- specify the timing of validation.
224
225
- = Validation target settings =
226
227
* **Comment post**
228
- Validate post to `wp-comment-post.php`. Comment post and trackback will be
229
- validated.
230
231
* **XML-RPC**
232
- Validate access to `xmlrpc.php`. Pingback and other remote command with
233
- username and password will be validated.
234
235
* **Login form**
236
Validate access to `wp-login.php` and `wp-signup.php`.
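Review bot: The removed `$_SERVER keys for extra IPs` paragraph recommends `HTTP_X_FORWARDED_FOR` without saying when that is safe: the header is supplied by the client unless a reverse proxy in front of the site overwrites it, so adding the key on a site that is not behind such a proxy lets the request itself choose which IP address is validated (the removed FAQ later in this diff relies on exactly that to simulate a proxied request when testing). Whatever replaces this paragraph should say to add the key only when a trusted proxy sets the header. Separately, the removed `Response code` text has 3xx responses redirect blocked visitors to `http://blackhole.webpagetest.org/`, a third-party host the site does not control; if that behaviour survives, the new text should state it plainly so operators can choose a 4xx response instead.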
@@ -247,19 +146,32 @@ All contributions will always be welcome. Or visit my
247
* **Themes area**
248
Validate direct access to themes. Typically `wp-content/themes/…/*.php`.
249
250
= Geolocation API settings =
251
252
* **API selection and key settings**
253
- If you wish to use `IPInfoDB`, you should register at
254
- [their site](http://ipinfodb.com/ "IPInfoDB | Free IP Address Geolocation Tools")
255
- to get a free API key and set it into the textfield. And `ip-api.com` and
256
- `Smart-IP.net` require non-commercial use.
257
258
= Local database settings settings =
259
260
* **Auto updating (once a month)**
261
- If `Enable`, Maxmind GeoLite database will be downloaded automatically by
262
- WordPress cron job.
263
264
= Record settings =
265
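Review bot: The unchanged context heading `= Local database settings settings =` has a duplicated word and survives into the new file; change it to `= Local database settings =`. The removed `Auto updating` text says only the MaxMind GeoLite database is fetched by the WordPress cron job, while the removed feature list in the first hunk says both MaxMind GeoLite and IP2Location LITE databases are downloaded and updated monthly; make sure the replacement text names the databases the updater actually fetches.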
@@ -267,50 +179,48 @@ All contributions will always be welcome. Or visit my
267
If `Enable`, you can see `Statistics of validation` on Statistics tab.
268
269
* **Record validation logs**
270
- If you choose anything but `Disable`, you can see `Validation logs` on
271
- Logs tab.
272
273
* **$_POST keys in logs**
274
- Normally, you can see just keys at `$_POST data:` on Logs tab. If you put
275
- some of interested keys into this textfield, you can see the value of key
276
- like `key=value`.
277
278
* **Anonymize IP address**
279
- It will mask the last three digits of IP address when it is recorded into
280
- the log.
281
282
= Cache settings =
283
284
- * **Number of entries**
285
- Maximum number of IPs to be cached.
286
-
287
* **Expiration time [sec]**
288
Maximum time in sec to keep cache.
289
290
= Submission settings =
291
292
* **Text position on comment form**
293
- If you want to put some text message on your comment form, please choose
294
- `Top` or `Bottom` and put text with some tags into the **Text message on
295
- comment form** textfield.
296
297
= Plugin settings =
298
299
* **Remove settings at uninstallation**
300
- If you checked this option, all settings will be removed when this plugin
301
- is uninstalled for clean uninstalling.
302
303
== Frequently Asked Questions ==
304
305
= I was locked down. What shall I do? =
306
307
- Activate the following codes at the bottom of `ip-geo-block.php` and upload
308
- it via FTP.
309
310
`/**
311
* Invalidate blocking behavior in case yourself is locked out.
312
- * @note: activate the following code and upload this file via FTP.
313
- */ /* -- EDIT THIS LINE AND ACTIVATE THE FOLLOWING FUNCTION -- */
314
function ip_geo_block_emergency( $validate ) {
315
$validate['result'] = 'passed';
316
return $validate;
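Review bot: The instruction for using the lock-out rescue (`Activate the following codes at the bottom of ip-geo-block.php and upload it via FTP.`) is removed while the `ip_geo_block_emergency()` snippet remains as context, so the new FAQ text must still say which file the snippet lives in and how to activate it, or a locked-out administrator cannot use it. Also, the removed `Anonymize IP address` text says it masks "the last three digits" of the IP address; an IPv4 octet is not always three digits and an IPv6 address has none, so the replacement should describe what is actually masked (for example the last octet) rather than a digit count.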
@@ -319,31 +229,66 @@ add_filter( 'ip-geo-block-login', 'ip_geo_block_emergency' );
319
add_filter( 'ip-geo-block-admin', 'ip_geo_block_emergency' );
320
// */`
321
322
- Then "**Clear cache**" at "**Statistics**" tab on your dashborad. Remember
323
- that you should upload the original one to deactivate above feature.
324
325
- [This release note](http://www.ipgeoblock.com/changelog/release-2.1.3.html "2.1.3 Release Note")
326
- can also help you.
327
328
= How can I fix "Unable to write" error? =
329
330
- When you enable "**Force to load WP core**" options, this plugin will try to
331
- configure `.htaccess` in your `/wp-content/plugins/` and `/wp-content/themes/`
332
- directory in order to protect your site against the malicous attacks to the
333
- [OMG plugins and shemes](http://www.ipgeoblock.com/article/exposure-of-wp-config-php.html "Prevent exposure of wp-config.php | IP Geo Block").
334
335
- But some servers doesn't give reading / writing permission against `.htaccess`
336
- to WordPress. In this case, you can configure these `.htaccess` files by your
337
- own hand instead of enabling "**Force to load WP core**" options.
338
339
- Please refer to
340
- "[How can I fix permission troubles?](http://www.ipgeoblock.com/codex/how-can-i-fix-permission-troubles.html 'How can I fix permission troubles? | IP Geo Block')"
341
- in order to fix this error.
342
343
= Do I have to turn on all the selection to enhance security? =
344
345
- Yes. Roughly speaking, the strategy of this plugin has been constructed as
346
- follows:
347
348
- **Block by country**
349
It blocks malicious requests from outside your country.
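Review bot: The removed follow-up (`Then "Clear cache" at "Statistics" tab on your dashborad. Remember that you should upload the original one to deactivate above feature.`) is the only place the FAQ tells the administrator to revert `ip_geo_block_emergency()`; that function sets `$validate['result'] = 'passed'` on the `ip-geo-block-login` and `ip-geo-block-admin` filters shown in this hunk's context, so leaving it in place disables login and admin validation for every visitor. Keep both the clear-cache step and an explicit revert step in the replacement text. The removed `Unable to write` answer also documents that the plugin edits `.htaccess` under `/wp-content/plugins/` and `/wp-content/themes/` when `Force to load WP core` is enabled and that some hosts deny WordPress write access to those files; if the option is still documented, keep the manual-configuration fallback with it.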
@@ -357,242 +302,163 @@ follows:
357
- **Bad signatures in query**
358
It blocks the request which has not been covered in the above three.
359
360
- See more details in
361
- "[The best practice of target settings](http://www.ipgeoblock.com/codex/the-best-practice-of-target-settings.html 'The best practice of target settings | IP Geo Block')".
362
363
- = Does this plugin validate all the requests to the server? =
364
365
- Unfortunately, no. This plugin can't handle the requests that are not
366
- parsed by WordPress. In other words, a standalone file (PHP, CGI or
367
- something excutable) that is unrelated to WordPress can't be validated
368
- by this plugin even if it is is in the WordPress install directory.
369
370
- But there're exceptions: When you enable "**Force to load WP core**" for
371
- **Plugins area** or **Themes area**, a standalone PHP file becomes to be
372
- able to be blocked. Sometimes this kind of file in a plugin or theme has
373
- vulnerability. This function is provided against such a case.
374
-
375
- = How can I test this plugin works? =
376
-
377
- The easiest way is to use
378
- [free proxy browser addon](https://www.google.com/search?q=free+proxy+browser+addon "free proxy browser addon - Google Search").
379
- Another one is to use
380
- [http header browser addon](https://www.google.com/search?q=browser+add+on+modify+http+header "browser add on modify http header - Google Search").
381
- You can add an IP address to the `X-Forwarded-For` header to emulate the
382
- access behind the proxy. In this case, you should add `HTTP_X_FORWARDED_FOR`
383
- into the "**$_SERVER keys for extra IPs**" on "**Settings**" tab.
384
-
385
- See more details in
386
- "[Using VPN browser addon](http://www.ipgeoblock.com/codex/using-vpn-browser-addon.html 'Using VPN browser addon | IP Geo Block')"
387
- and
388
- "[Using WordPress post simulator](http://www.ipgeoblock.com/codex/using-post-simulator.html 'Using WordPress post simulator | IP Geo Block')".
389
-
390
- = Some admin function doesn't work when WP-ZEP is enabled. =
391
-
392
- There are a few cases that WP-ZEP would not work. One is redirection at server
393
- side (caused by PHP or `.htaccess`) and client side (caused by JavaScript
394
- location object or meta tag for refresh).
395
-
396
- Another is the case related to the content type. This plugin will only support
397
- `application/x-www-form-urlencoded` and `multipart/form-data`.
398
-
399
- The other case is that a ajax/post request comes from not jQuery but flash or
400
- something.
401
-
402
- In those cases, this plugin should bypass WP-ZEP. So please find the unique
403
- strings in the requested queries and add it into the safe query list via the
404
- filter hook `ip-geo-block-bypass-admins`.
405
-
406
- If you can not figure out your troubles, please let me know about the plugin
407
- you are using at the support forum.
408
-
409
- = Are there any other useful filter hooks? =
410
-
411
- Yes, here is the list of all hooks to extend the feature of this plugin.
412
-
413
- * `ip-geo-block-ip-addr` : IP address of accessor.
414
- * `ip-geo-block-headers` : compose http request headers.
415
- * `ip-geo-block-comment` : validate IP address at `wp-comments-post.php`.
416
- * `ip-geo-block-xmlrpc` : validate IP address at `xmlrpc.php`.
417
- * `ip-geo-block-login` : validate IP address at `wp-login.php`.
418
- * `ip-geo-block-admin` : validate IP address at `wp-admin/*.php`.
419
- * `ip-geo-block-extra-ips` : white/black list of extra IPs for prior validation.
420
- * `ip-geo-block-xxxxxx-status` : http response status code for comment|xmlrpc|login|admin.
421
- * `ip-geo-block-xxxxxx-reason` : http response reason for comment|xmlrpc|login|admin.
422
- * `ip-geo-block-bypass-admins` : array of admin queries which should bypass WP-ZEP.
423
- * `ip-geo-block-bypass-plugins` : array of plugin name which should bypass WP-ZEP.
424
- * `ip-geo-block-bypass-themes` : array of theme name which should bypass WP-ZEP.
425
- * `ip-geo-block-backup-dir` : full path where log files should be saved.
426
- * `ip-geo-block-api-dir` : full path to the API class libraries and local DB files.
427
- * `ip-geo-block-maxmind-dir` : full path where Maxmind GeoLite DB files should be saved.
428
- * `ip-geo-block-maxmind-zip-ipv4` : url to Maxmind GeoLite DB zip file for IPv4.
429
- * `ip-geo-block-maxmind-zip-ipv6` : url to Maxmind GeoLite DB zip file for IPv6.
430
- * `ip-geo-block-ip2location-dir` : full path where IP2Location LITE DB files should be saved.
431
- * `ip-geo-block-ip2location-path` : full path to IP2Location LITE DB file (IPv4).
432
- * `ip-geo-block-record-logs` : change the condition of recording logs
433
-
434
- For more details, see
435
- [the documents](http://www.ipgeoblock.com/codex/ "Codex | IP Geo Block").
436
437
== Other Notes ==
438
439
= Known issues =
440
441
- * No image is shown after drag & drop a image in grid view at "Media Library".
442
- For more details, please refer to
443
- [this ticket at Github](https://github.com/tokkonopapa/WordPress-IP-Geo-Block/issues/2 "No image is shown after drag & drop a image in grid view at "Media Library". - Issue #2 - tokkonopapa/WordPress-IP-Geo-Block - GitHub").
444
-
445
- * From [WordPress 4.5](https://make.wordpress.org/core/2016/03/09/comment-changes-in-wordpress-4-5/ "Comment Changes in WordPress 4.5 – Make WordPress Core"),
446
- `rel=nofollow` attribute and value pair had no longer be added to relative
447
- or same domain links within `comment_content`. This change prevents to block
448
- "Self Site Request Forgeries" (not Cross Site but a malicious link in the
449
- comment field of own site).
450
-
451
- * Wordfence makes an ajax request whose action is `wordfence_testAjax` using
452
- `wp_remote_post()` and would receive 403 forbidden (it depends on your
453
- configuration) when you enable "**Prevent Zero-day Exploit**" at "**Admin
454
- ajax/post**". It does't affect its functionality because the response code
455
- never be verified.
456
457
== Screenshots ==
458
459
- 1. **IP Geo Plugin** - Settings.
460
- 2. **IP Geo Plugin** - Statistics.
461
- 3. **IP Geo Plugin** - Logs.
462
- 4. **IP Geo Plugin** - Search.
463
- 5. **IP Geo Plugin** - Attribution.
464
465
== Changelog ==
466
467
= 2.2.9.1 =
468
- * **Bug fix:** Blocking Wordfence scanning.
469
- ([@](https://wordpress.org/support/topic/wordfence-conflict-2/ "WordFence Conflict"))
470
- * **Bug fix:** Illegal elimination of colon in text field for IP address.
471
- ([@](https://wordpress.org/support/topic/adding-ipv6-to-white-list/ "Adding IPv6 to white list"))
472
- * **Improved:** Compatibility with PHP 7 that cause to feel relaxed.
473
- ([@](https://wordpress.org/support/topic/plans-for-php-7-compatiblity/ "Plans for PHP 7 compatiblity?"))
474
- * **Improved:** Avoid resetting whitelist on update by InfiniteWP.
475
- ([@](https://wordpress.org/support/topic/whitelist-resets-on-update/ "[Resolved] Whitelist resets on update"))
476
- * **Trial feature:** `X-Robots-Tag` HTTP header with `noindex, nofollow`
477
- for login page.
478
- ([@](https://wordpress.org/support/topic/ip-geo-block-and-searchmachines/ "IP GEo-block and searchmachines"))
479
480
= 2.2.9 =
481
- * **New feature:** A new option that makes this plugin configured as a
482
- "Must-use plugin". It can massively reduce the server load especially
483
- against brute-force attacks because it initiates this plugin prior to
484
- other typical plugins.
485
- * **Improvement:** Validation of a certain signature against XSS is internally
486
- added to "Bad signature in query" by default.
487
- * **Improvement:** Improved compatibility with PHP 7
488
- (Thanks to [FireMyst](https://wordpress.org/support/topic/plans-for-php-7-compatiblity/ "Topic: Plans for PHP 7 compatiblity? « WordPress.org Forums").
489
* Find details in [2.2.9 Release Note](http://www.ipgeoblock.com/changelog/release-2.2.9.html "2.2.9 Release Note").
490
491
= 2.2.8.2 =
492
* **Bug fix:** Fixed the mismatched internal version number.
493
494
= 2.2.8.1 =
495
- * **Bug fix:** Fixed the issue of undefined function `wp_get_raw_referer()`
496
- error that happened under certain condition. See
497
- [the issue](https://wordpress.org/support/topic/since-php-update-fatal-error-everytime-i-want-to-edit-a-post/ "Since PHP update Fatal error everytime I want to edit a post")
498
- at forum.
499
- * **Improved:** Avoid resetting country code on update. See
500
- [the issue](https://wordpress.org/support/topic/whitelist-resets-on-update/ "Whitelist resets on update")
501
- at forum.
502
503
= 2.2.8 =
504
- * **Bug fix:** Fixed the issue of stripping some required characters for Google
505
- maps API key.
506
* **New feature:** Whois database Lookup for IP address on search tab.
507
* **Update:** Updated geolocation API libraries and services.
508
* Find more details in [2.2.8 Release Note](http://www.ipgeoblock.com/changelog/release-2.2.8.html "2.2.8 Release Note").
509
510
= 2.2.7 =
511
* **Bug fix:** Fix inadequate validation of "**Bad signatures in query**".
512
- * **Improvement:** Add fallback for Google Maps API key
513
- ([@](https://wordpress.org/support/topic/226-problem-with-search-resp-google-maps "WordPress › Support » [2.2.6] Problem with SEARCH resp. Google Maps"))
514
- and corruption of "Bad signatures"
515
- ([@](https://wordpress.org/support/topic/226-problem-with-bad-signatures-in-query "WordPress › Support » [2.2.6] Problem with "Bad signatures in query"")).
516
* **Update:** Update geolocation service api.
517
* Find details about Google Maps API in [2.2.7 Release Note](http://www.ipgeoblock.com/changelog/release-2.2.7.html "2.2.7 Release Note").
518
519
= 2.2.6 =
520
* **New feature:** Add saving csv file of logs in "Logs" tab.
521
- * **New feature:** Add filter hook `ip-geo-block-record-log` to control over
522
- the conditions of recording in more detail.
523
- * **Bug fix:** Fixed the issue that "Exceptions" for Plugins/Themes area does
524
- not work properly. Please confirm your settings again.
525
* See details at [release 2.2.6](http://www.ipgeoblock.com/changelog/release-2.2.6.html "2.2.6 Release Note").
526
527
= 2.2.5 =
528
- * **New feature:** On the settings page, you can specify the pliugin or theme
529
- which would cause undesired blocking in order to exclude it from the
530
- validation target without embedding any codes into `functions.php`.
531
* **Improvement:** Optimize resource loading on admin dashboard.
532
* **Improvement:** Support clean uninstall for network / multisite.
533
- * **Improvement:** Improve the compatibility of downloading IP address
534
- databases for Microsoft IIS.
535
* **Bug fix:** Support `FORCE_SSL_ADMIN`.
536
- * **Bug fix:** Fix the issue of
537
- [@](https://wordpress.org/support/topic/compatibility-with-ag-custom-admin "WordPress › Support » Compatibility with AG Custom Admin")
538
- and change the option name
539
- "**Important files**" to "**Bad signatures in query**" to avoid misuse.
540
- * **Bug fix:** Fix the issue of
541
- [@](https://wordpress.org/support/topic/gb-added-to-whitelist "WordPress › Support » GB added to whitelist")
542
- which might be caused by some race condition.
543
* **Bug fix:** Fix the issue of restoring post revisions which was blocked.
544
545
= 2.2.4.1 =
546
Sorry for frequent updating.
547
548
- * **Bug fix:** Fixed the issue of `Warning: strpos(): Empty needle in...` that
549
- was reported in
550
- [@](https://wordpress.org/support/topic/version-224-produces-warning-message "WordPress › Support » Version 2.2.4 Produces Warning Message")
551
- and
552
- [@](https://wordpress.org/support/topic/error-after-update-to-newest-version "WordPress › Support » Error after Update to newest version").
553
554
= 2.2.4 =
555
- * **Bug fix:** Fixed the issue that some links on network admin of multisite
556
- were blocked when WP-ZEP for `admin area` or `admin ajax/post` was enabled.
557
* **New feature:** Added configure of `.htaccess` for the plugins/themes area.
558
* **Enhancement:** Added `wp-signup.php` to the list of validation target.
559
* **Enhancement:** Added exporting and importing the setting parameters.
560
- * **Improvement:** Made the logout url compatible with
561
- [Rename wp-login.php](https://wordpress.org/plugins/rename-wp-login/).
562
- * **Improvement:** Made condition of validation more strictly at admin
563
- diagnosis to prevent unnecessary notice of self blocking.
564
- ([@](https://wordpress.org/support/topic/youll-be-blocked-after-you-log-out-notice-doesnt-disappear "[resolved] "You'll be blocked after you log out" notice doesn't disappear"))
565
- * **Improvement:** Improved some of UI.
566
- ([@](https://wordpress.org/support/topic/possible-to-select-which-countries-are-blocked "[resolved] Possible to select which countries are blocked?"),
567
- [@](https://wordpress.org/support/topic/ip-geo-block-black-list "IP Geo Block Black List"))
568
* See some details at [release 2.2.4](http://www.ipgeoblock.com/changelog/release-2.2.4.html "2.2.4 Release Note").
569
570
= 2.2.3.1 =
571
- * **Bug fix:** Fixed the issue that disabled validation target was still
572
- blocked by country.
573
- ([@](https://wordpress.org/support/topic/logs-whitelist-comments-still-blocked "[resolved] logs whitelist comments still blocked?"))
574
- * **Improvement:** Better handling of charset and errors for MySQL.
575
- ([@](https://wordpress.org/support/topic/whitelist-log "[resolved] Whitelist + Log"))
576
577
= 2.2.3 =
578
- * **Improvement:** Since WordPress 4.4, XML-RPC system.multicall is disabled
579
- when the authentication fails, but still processed all the methods to the
580
- end. Now this plugin immediately blocks the request when the authentication
581
- fails without processing the rest of the methods.
582
* **Improvement:** Add UI to change the maximum number of login attempts.
583
- * **Improvement:** Add a fallback process of setting up the directory where
584
- the geo location database APIs should be installed. It will be set as
585
- `wp-content/uploads/` instead of `wp-content/plugins/ip-geo-block/` or
586
- `wp-content/` in case of being unable to obtain proper permission.
587
- ([@](https://wordpress.org/support/topic/deactivated-after-updte-why "[resolved] Deactivated after update - why?"),
588
- [@](https://wordpress.org/support/topic/the-plugin-caused-an-error-message "[resolved] The plugin caused an error message"))
589
- * **Improvement:** Moderate the conditions of redirection after logout.
590
- ([@](https://wordpress.org/support/topic/logout-redirect-doesnt-work-when-plugin-is-active "[resolved] Logout redirect doesn't work when plugin is active"))
591
- * **Improvement:** Prevent self blocking caused by irrelevant signature.
592
- ([@](https://wordpress.org/support/topic/works-too-well-blocked-my-wp-admin-myself "[resolved] Works too well - Blocked my wp-admin myself"))
593
- * **Bug fix:** Fixed the issue of conflicting with certain plugins due to the
594
- irrelevant handling of js event.
595
- ([@](https://wordpress.org/support/topic/cannot-edit-pages-when-ip-geo-block-is-enabled "[resolved] Cannot edit pages when ip-geo-block is enabled."))
596
* **New feature:** Add "Blocked per day" graph for the daily statistics.
597
* See some details at [2.2.3 release note](http://www.ipgeoblock.com/changelog/release-2.2.3.html "2.2.3 Release Note").
598
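Review bot: Trimming the 2.2.3 through 2.2.9 entries down to their "release note" links drops security-relevant history from the readme shipped to wordpress.org, in particular the 2.2.9 note that a signature against XSS was added to "Bad signature in query" by default and the 2.2.3 note that an XML-RPC `system.multicall` request is now blocked immediately when authentication fails instead of the remaining methods being processed. Both change what an administrator will see blocked in the logs; keep a one-line summary under each version heading, or make sure the surviving link lines point at a changelog that still carries them.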
@@ -600,32 +466,21 @@ Sorry for frequent updating.
600
Sorry for frequent update again but the following obvious bugs should be fixed.
601
602
* **Bug fix:** Fixed the issue of not initializing country code at activation.
603
- * **Bug fix:** Fixed the issue that scheme less notation like '//example.com'
604
- could not be handled correctly.
605
606
= 2.2.2.2 =
607
Sorry for frequent update.
608
609
- * **Bug fix:** Fixed the issue of race condition at activation. This fix is
610
- related to the urgent security update at **2.2.2.1 which was not actually
611
- the security issue but a bug**.
612
- See [this thread](https://wordpress.org/support/topic/white-list-hack "white list hack")
613
- about little more details.
614
* **Improvement:** Improved the compatibility with Jetpack.
615
616
= 2.2.2.1 =
617
- * **Urgent security update:** Killed the possibility of the options being
618
- altered.
619
620
= 2.2.2 =
621
- * **Enhancement:** Refactored some codes and components. The number of attacks
622
- that can be proccessed per second has been improved by 25% at the maximum.
623
- * **Improvement:** In the previous version, the statistical data was recorded
624
- into `wp_options`. It caused the uncertainty of recording especially in case
625
- of burst attacks. Now the data will be recorded in an independent table to
626
- improve this issue.
627
- * **Bug fix:** Fixed conflict with NextGEN Gallary Pro.
628
- Thanks to [bodowewer](https://wordpress.org/support/profile/bodowewer).
629
* **Bug fix:** Fixed some filter hooks that did not work as intended.
630
* See more details at [2.2.2 release note](http://www.ipgeoblock.com/changelog/release-2.2.2.html "2.2.2 Release Note").
631
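Review bot: After this hunk the `= 2.2.2.1 =` heading is left with no entries, since its only bullet ("Urgent security update: Killed the possibility of the options being altered") is removed, and the 2.2.2.2 bullet that clarified the 2.2.2.1 issue was a race condition at activation rather than a security issue is removed as well. Either keep one line under 2.2.2.1 together with the link to the "white list hack" thread, so users who saw the original advisory can still find the clarification, or drop the now-empty heading.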
@@ -633,30 +488,14 @@ Sorry for frequent update.
633
* **Bug fix:** Fixed "open_basedir restriction" issue caused by `file_exists()`.
634
635
= 2.2.1 =
636
- * **Enhancement:** In previous version, local geolocation databases will always
637
- be removed and downloaded again at every upgrading. Now, the class library
638
- for Maxmind and IP2Location have become independent of this plugin and you
639
- can put them outside this plugin in order to cut the above useless process.
640
- The library can be available from
641
- [WordPress-IP-Geo-API](https://github.com/tokkonopapa/WordPress-IP-Geo-API).
642
- * **Deprecated:** Cooperation with IP2Location plugins such as
643
- [IP2Location Tags](http://wordpress.org/plugins/ip2location-tags/ "WordPress - IP2Location Tags - WordPress Plugins"),
644
- [IP2Location Variables](http://wordpress.org/plugins/ip2location-variables/ "WordPress - IP2Location Variables - WordPress Plugins"),
645
- [IP2Location Country Blocker](http://wordpress.org/plugins/ip2location-country-blocker/ "WordPress - IP2Location Country Blocker - WordPress Plugins")
646
- is out of use. Instead of it, free [IP2Location LITE databases for IPv4 and
647
- IPv6](http://lite.ip2location.com/ "Free IP Geolocation Database") will be
648
- downloaded.
649
* **Improvement:** Improved connectivity with Jetpack.
650
* **Improvement:** Improved immediacy of downloading databases at upgrading.
651
* **Improvement:** Replaced a terminated RESTful API service with a new stuff.
652
- * **Bug fix:** Fixed issue that clicking a link tag without href always
653
- refreshed the page. Thanks to
654
- [wyclef](https://wordpress.org/support/topic/conflict-with-menu-editor-plugin "WordPress Support » Conflict with Menu Editor plugin?").
655
- * **Bug fix:** Fixed issue that deactivating and activating repeatedly caused
656
- to show the welcome message.
657
- * **Bug fix:** Fixed issue that a misaligned argument in the function caused
658
- 500 internal server error when a request to the php files in plugins/themes
659
- area was rewrited to `rewrite.php`.
660
661
= 2.2.0.1 =
662
Sorry for frequent update.
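Review bot: The `= 2.2.1 =` bullet declaring cooperation with the IP2Location Tags, IP2Location Variables and IP2Location Country Blocker plugins deprecated is removed, while the surviving bullets still say nothing about what replaced that integration (the free IP2Location LITE databases). If those plugins are still unsupported, keep a one-line "Deprecated" note or a pointer to the 2.2.1 release note so administrators who rely on them are not surprised after upgrading.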
@@ -664,58 +503,34 @@ Sorry for frequent update.
664
* **Fix:** Fixed the issue that some actions of other plugins were blocked.
665
666
= 2.2.0 =
667
- * **Important:** Now **Block by country** and **Prevent Zero-day Exploit**
668
- become to work independently on **Admin area**, **Admin ajax/post** at
669
- **Validation target settings**. Please reconfirm them.
670
- * **Important:** Previously, a request whose country code can't be available
671
- was always blocked. But from this release, such a request is considered as
672
- comming from the country whose code is `ZZ`. It means that you can put `ZZ`
673
- into the white list and black list.
674
- * **New feature:** White list and Black list of extra IP addresses prior to
675
- the validation of country code. Thanks to Fabiano for good suggestions at
676
- [support forum](https://wordpress.org/support/topic/white-list-of-ip-addresses-or-ranges "WordPress › Support » White list of IP addresses or ranges?")
677
- * **New feature:** Malicious signatures to prevent disclosing the important
678
- files via vulnerable plugins or themes. A malicious request to try to expose
679
- `wp-config.php` or `passwd` can be blocked.
680
- * **New feature:** Add privacy considerations related to IP address. Add
681
- **Anonymize IP address** at **Record settings**.
682
- * **Bug fix:** Fix the issue that spaces in **Text message on comment form**
683
- are deleted.
684
* See details at [2.2.0 release note](http://www.ipgeoblock.com/changelog/release-2.2.0.html "2.2.0 Release Note").
685
686
= 2.1.5.1 =
687
- * **Bug fix:** Fixed the issue that the Blacklist did not work properly. Thanks
688
- to TJayYay for reporting this issue at
689
- [support forum](https://wordpress.org/support/topic/hackers-from-country-in-blocked-list-of-countries-trying-to-login "WordPress › Support » Hackers from country in Blocked List of Countries trying to login").
690
691
= 2.1.5 =
692
- * **Enhancement:** Enforce preventing self blocking at the first installation.
693
- And add the scan button to get all the country code using selected API.
694
- Thanks to **Nils** for a nice idea at
695
- [support forum](https://wordpress.org/support/topic/locked-out-due-to-eu-vs-country "WordPress › Support » Locked out due to EU vs. Country").
696
* **New feature:** Add pie chart to display statistics of "Blocked by country".
697
* **Enhancement:** WP-ZEP is reinforced against CSRF.
698
* **Bug fix:** Fix illegal handling of the fragment in a link.
699
* See details at [2.1.5 release note](http://www.ipgeoblock.com/changelog/release-2.1.5.html "2.1.5 Release Note").
700
701
= 2.1.4 =
702
- * **Bug fix:** Fix the issue that this plugin broke functionality of a certain
703
- plugin. Thanks to **opsec** for reporting this issue at
704
- [support forum](https://wordpress.org/support/topic/blocks-saves-in-types-or-any-plugins-from-wp-typescom "WordPress Support » Blocks saves in Types or any plugins from wp-types.com").
705
- * **Improvement:** Add checking process for validation rule to prevent being
706
- blocked itself. Thanks to **internationals** for proposing at
707
- [support forum](https://wordpress.org/support/topic/locked-out-due-to-eu-vs-country "WordPress › Support » Locked out due to EU vs. Country")
708
- * **Improvement:** Arrage the order of setting sections to focus the goal of
709
- this plugin.
710
* See details at [2.1.4 release note](http://www.ipgeoblock.com/changelog/release-2.1.4.html "2.1.4 Release Note").
711
712
= 2.1.3 =
713
* **New feature:** Add "show" / "hide" at each section on the "Settings" tab.
714
- * **New feature:** Add an emergency function that invalidate blocking behavior
715
- in case yourself is locked out. This feature is commented out by default at
716
- the bottom of `ip-geo-block.php`.
717
- * **Improvement:** Prevent adding query strings to the static resources when
718
- users logged in.
719
* **Improvement:** Improved the compatibility with Autoptimize.
720
* **Bug fix:** Fix the issue related to showing featured themes on dashboard.
721
* **Bug fix:** Fix minor bug in `rewrite.php` for the advanced use case.
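Review bot: The two "Important" bullets under `= 2.2.0 =` are removed although they describe behaviour that still applies: a request whose country code cannot be determined is treated as coming from country `ZZ` (so `ZZ` has to be handled explicitly in the white or black list), and "Block by country" and "Prevent Zero-day Exploit" work independently for Admin area and Admin ajax/post. Unless this is documented elsewhere in the readme, keep at least the `ZZ` sentence, since an administrator who does not know about `ZZ` can unintentionally pass or block every unresolvable address. The 2.1.3 note on the emergency function commented out at the bottom of `ip-geo-block.php` is also dropped; if that is still the rescue mechanism, reference it where self-blocking is discussed.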
@@ -724,62 +539,30 @@ Sorry for frequent update.
724
= 2.1.2 =
725
This is a maintenance release.
726
727
- * **Bug fix:** Fix the issue that the login-fail-counter didn't work when the
728
- validation at `Login form` was `block by country (register, lost password)`.
729
- In this release, the login-fail-counter works correctly.
730
- * **Bug fix:** Fix the issue that the validation settings of `Admin area` and
731
- `Admin ajax/post` were influential with each other. Now each of those works
732
- individually.
733
- * **Bug fix:** "Site Stats" of Jetpack is now shown on the admin bar which
734
- issue was reported on [support forum](https://wordpress.org/support/topic/admin-area-prevent-zero-day-exploit-incompatible-with-jetpack-site-stats-in-a "WordPress › Support » Admin area - Prevent zero-day exploit: Incompatible with Jetpack Site Stats in A").
735
- * **Improvement:** Hide checking the existence of log db behind the symbol
736
- `IP_GEO_BLOCK_DEBUG` to reduce 1 query on admin screen.
737
- * **Improvement:** Add alternative functions of BCMath extension to avoid
738
- `PHP Fatal error: Call to undefined function` in `IP2Location.php` when
739
- IPv6 is specified.
740
- * **Improvement:** Use MaxMind database at the activating process not to be
741
- locked out by means of inconsistency of database at the activation and after.
742
* See more details at [2.1.2 release note](http://www.ipgeoblock.com/changelog/release-2.1.2.html "2.1.2 Release Note").
743
744
= 2.1.1 =
745
- * **New feature:** Added `Block by country (register, lost password)` at
746
- `Login form` on `Settings` tab in order to accept the registered users as
747
- membership from anywhere but block the request of new user ragistration and
748
- lost password by the country code. Is't suitable for BuddyPress and bbPress.
749
- * **Improvement:** Added showing the custom error page for http response code
750
- 4xx and 5xx. For example the `403.php` in the theme template directory or in
751
- the child theme directory is used if it exists. And new filter hooks
752
- `ip-geo-block-(comment|xmlrpc|login|admin)-(status|reason)` are available
753
- to customize the response code and reason for human.
754
- * **Obsoleted:** Obsoleted the filter hooks
755
- `ip-geo-block-(admin-actions|admin-pages|wp-content)`. Alternatively new
756
- filter hooks `ip-geo-block-bypass-(admins|plugins|themes)` are added to
757
- bypass WP-ZEP.
758
* Find out more details in the [2.1.1 release note](http://www.ipgeoblock.com/changelog/release-2.1.1.html "2.1.1 Release Note").
759
760
= 2.1.0 =
761
- * **New feature:** Expanded the operating range of ZP-ZEP, that includes admin
762
- area, plugins area, themes area. Now it can prevent a direct malicios attack
763
- to the file in plugins and themes area. Please go to the "Validation Settings"
764
- on "Settings" tab and check it. Also check my article in
765
- "[Analysis of Attack Vector against WP Plugins](http://www.ipgeoblock.com/article/analysis-attack-vector.html)".
766
- * **Bug fix:** Fixed the issue that action hook `ip-geo-block-backup-dir` did
767
- not work correctly because the order of argument was mismatched.
768
- * **Bug fix:** Fixed the issue that a record including utf8 4 bytes character
769
- in its columns was not logged into DB in WordPress 4.2.
770
- * **Improvement:** Fixed the issue that Referrer Suppressor do nothing with a
771
- new element which is added into DOM after DOM ready. The event handler is
772
- now delegated at the `body`.
773
774
= 2.0.8 =
775
- * Fixed an issue that a certain type of attack vector to the admin area (
776
- [example](https://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html "Critical Vulnerability Disclosed on WordPress Custom Contact Forms Plugin")
777
- ) could not be blocked by the reason that some plugins accept it on earlier
778
- hook (ie `init`) than this plugin (previously `admin_init`).
779
- * Added re-creating DB table for validation logs in case of accidentally
780
- failed at activation process.
781
- * The time of day is shown with local time by adding GMT offset based on
782
- the time zone setting.
783
* Optimized resource loading and settings to avoid redundancy.
784
* See details at [this plugin's blog](http://www.ipgeoblock.com/changelog/release-2.0.8.html "2.0.8 Release Note").
785
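Review bot: The 2.1.1 entry mapping the obsoleted hooks `ip-geo-block-(admin-actions|admin-pages|wp-content)` to their replacements `ip-geo-block-bypass-(admins|plugins|themes)` is removed, as is the note on the `ip-geo-block-(comment|xmlrpc|login|admin)-(status|reason)` hooks that customise the response code and reason. Sites that tune WP-ZEP through these hooks depend on this mapping; if the hook names are unchanged, move it to the Extendability section or the linked codex rather than dropping it from the readme.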
@@ -792,110 +575,26 @@ This is a maintenance release.
792
* Sorry for urgent update but avoid an javascript error.
793
794
= 2.0.4 =
795
- * Sorry for frequent update but added a function of showing admin notice
796
- when none of the IP geolocation providers is selected. Because the user
797
- will be locked out from admin screen when the cache expires.
798
- * **Bug fix:** Fixed an issue of `get_geolocation()` method at a time of
799
- when the cache of IP address is cleared.
800
* Referrer suppressor now supports [meta referrer](https://wiki.whatwg.org/wiki/Meta_referrer "Meta referrer - WHATWG Wiki")
801
802
= 2.0.3 =
803
- * **Bug fix:** Fixed an issue that empty black list doesn't work correctly
804
- when matching rule is black list.
805
- * **New feature:** Added 'Zero-day Exploit Prevention for wp-admin'.
806
- Because it is an experimental feature, please open a new issue at
807
- [support forum](https://wordpress.org/support/plugin/ip-geo-block "WordPress › Support » IP Geo Block")
808
- if you have any troubles with it.
809
- * **New feature:** Referrer suppressor for external link. When you click an
810
- external hyperlink on admin screen, http referrer will be suppressed to
811
- hide a footprint of your site.
812
- * Also added the filter hook `ip-geo-block-admin-actions` for safe actions
813
- on back-end.
814
815
= 2.0.2 =
816
- * **New feature:** Include `wp-admin/admin-post.php` as a validation target
817
- in the `Admin area`. This feature is to protect against a vulnerability
818
- such as
819
- [Analysis of the Fancybox-For-WordPress Vulnerability](http://blog.sucuri.net/2015/02/analysis-of-the-fancybox-for-wordpress-vulnerability.html)
820
- on Sucuri Blog.
821
- * Added a sample code snippet as a use case for 'Give ajax permission in
822
- case of safe actions on front facing page'. See Example 10 in `sample.php`.
823
824
= 2.0.1 =
825
- * Fixed the issue of improper scheme from the HTTPS site when loading js
826
- for google map.
827
- * In order to prevent accidental disclosure of the length of password,
828
- changed the length of `*` (masked password) which is logged into the
829
- database.
830
831
= 2.0.0 =
832
- * **New feature:** Protection against brute-force and reverse-brute-force
833
- attacks to `wp-login.php`, `xmlrpc.php` and admin area.
834
- This is an experimental function and can be enabled on `Settings` tab.
835
- Malicious access can try to login only 5 times per IP address. This retry
836
- counter can be reset to zero by `Clear statistics` on `Statistics` tab.
837
-
838
- = 1.4.0 =
839
- * **New feature:** Added a new class for recording the validation logs to
840
- analyze posting pattern.
841
- * Fixed an issue of not being set the own country code at first installation.
842
- * Fixed an error which occurs when ip address is unknown.
843
-
844
- = 1.3.1 =
845
- * **New feature:** Added validation of trackback spam.
846
- * Added `$_SERVER keys for extra IPs` into options to validate additional
847
- IP addresses.
848
- * Removed some redundant codes and corrected all PHP notices and warnings
849
- which had been suppressed by WordPress.
850
-
851
- = 1.3.0 =
852
- * **New feature:** Added validation of pingback.ping through `xmlrpc.php` and
853
- new option to validate all the IP addresses in HTTP_X_FORWARDED_FOR.
854
- * **Fixed an issue:** Maxmind database file may be downloaded automatically
855
- without deactivate/re-activate when upgrade is finished.
856
- * This is the final version on 1.x. On next release, accesses to `login.php`
857
- and admin area will be also validated for security purpose.
858
-
859
- = 1.2.1 =
860
- * **Fixed an issue:** Option table will be updated automatically without
861
- deactivate/re-activate when this plugin is upgraded.
862
- * **A little bit performance improvement:**
863
- Less memory footprint at the time of downloading Maxmind database file.
864
- Less sql queries when `Save statistics` is enabled.
865
-
866
- = 1.2.0 =
867
- * **New feature:** Added Maxmind GeoLite database auto downloader and updater.
868
- * The filter hook `ip-geo-block-validate` was discontinued.
869
- Instead of it, the new filter hook `ip-geo-block-comment` is introduced.
870
- * **Performance improvement:** IP address is verified at an earlier stage
871
- than before.
872
- * **Others:** Fix a bug of handling cache, update status of some REST APIs.
873
-
874
- = 1.1.1 =
875
- * Fixed issue of default country code.
876
- When activating this plugin for the first time, get the country code
877
- from admin's IP address and set it into white list.
878
- * Add number of calls in cache of IP address.
879
-
880
- = 1.1.0 =
881
- * Implement the cache mechanism to reduce load on the server.
882
- * Better handling of errors on the search tab so as to facilitate the
883
- analysis of the service problems.
884
- * Fixed a bug of setting user agent strings in 1.0.2.
885
- Now the user agent strings (`WordPress/3.9.2; http://example.com/`)
886
- becomes to its own (`WordPress/3.9.2; ip-geo-block 1.1.0`).
887
-
888
- = 1.0.3 =
889
- * Temporarily stop setting user agent strings to supress a bug in 1.0.2.
890
-
891
- = 1.0.2 =
892
- * Update provider settings. Smart-IP.net was terminated, ipinfo.io is now
893
- available for IPv6.
894
- * Set the own user agent strings for `WP_Http`.
895
-
896
- = 1.0.1 =
897
- * Modify Plugin URL.
898
- * Add `apply_filters()` to be able to change headers.
899
900
= 1.0.0 =
901
* Ready to release.
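Review bot: Removing every entry from 2.0.4 back to 1.0.1 leaves `= 1.0.0 =` as the only heading before 2.0.8, and two facts about current behaviour disappear with it: the 2.0.1 note that the length of the masked password written to the log was changed so the log does not disclose password length, and the 2.0.0 note that the per-IP login retry counter is reset by "Clear statistics" on the Statistics tab. Both matter to anyone auditing the validation logs or handling a lockout; carry them into the Features or Validation logs section before deleting the history.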
1
=== IP Geo Block ===
2
Contributors: tokkonopapa
3
Donate link:
4
+ Tags: security, firewall, brute force, vulnerability, login, wp-admin, admin, ajax, xmlrpc, comment, pingback, trackback, spam, IP address, geo, geolocation, buddypress, bbPress
5
Requires at least: 3.7
6
+ Tested up to: 4.7.3
7
+ Stable tag: 3.0.2.2
8
License: GPLv2 or later
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
11
+ It blocks spam posts, login attempts and malicious access to the back-end requested from the specific countries, and also prevents zero-day exploit.
12
13
== Description ==
14
15
+ A considerable number of WordPress vulnerabilities in plugins and themes have been disclosed every month. You can easily find them at [WPScan Vulnerability Database](https://wpvulndb.com/ "WPScan Vulnerability Database") and [Exploits Database](https://www.exploit-db.com/ "Exploits Database by Offensive Security") for example. It means that many WordPress sites can be always exposed to the threats of being exploited caused by those vulnerabilities.
16
17
+ This plugin protects your site against such threats of attack to the back-end of your site not only by blocking requests from undesired countries but also with the original feature 'Zero-day Exploit Prevention' (WP-ZEP).
18
19
+ And it also blocks undesired requests to the login form (login attempt), comment form (spam and trackback) and XML-RPC (login attempt and pingback).
20
21
+ Up to version 2.x, this plugin had been dedicated to protect the back-end of your site. From version 3.x, it becomes to be able to block access to your public facing pages, aka front-end. See [this analysis](http://www.ipgeoblock.com/codex/analysis-of-attack-vectors.html "Analysis of Attack Vectors | IP Geo Block") about protection performance against 50 samples of vulnerable plugins.
22
23
= Features =
24
25
* **Immigration control:**
26
+ Access to the basic and important entrances into the back-end such as `wp-comments-post.php`, `xmlrpc.php`, `wp-login.php`, `wp-signup.php`, `wp-admin/admin.php`, `wp-admin/admin-ajax.php`, `wp-admin/admin-post.php` will be validated by means of a country code based on IP address. It allows you to configure either whitelist or blacklist to specify the countires.
27
28
* **Zero-day Exploit Prevention:**
29
+ The original feature "**Z**ero-day **E**xploit **P**revention for WP" (WP-ZEP) is simple but still smart and strong enough to block any malicious accesses to `wp-admin/*.php`, `plugins/*.php` and `themes/*.php` even from the permitted countries. It will protect your site against certain types of attack such as CSRF, LFI, SQLi, XSS and so on, **even if you have some in your site**. Find more details in [FAQ](https://wordpress.org/plugins/ip-geo-block/faq/ "IP Geo Block - WordPress Plugins") and [this plugin's blog](http://www.ipgeoblock.com/article/how-wpzep-works.html "How does WP-ZEP prevent zero-day attack? | IP Geo Block").
30
31
* **Guard against login attempts:**
32
+ In order to prevent hacking through the login form and XML-RPC by brute-force and the reverse-brute-force attacks, the number of login attempts will be limited per IP address even from the permitted countries.
33
34
* **Protection of wp-config.php:**
35
+ A malicious request to try to expose `wp-config.php` via vulnerable plugins or themes can be blocked. A numerous such attacks can be found in [this article](http://www.ipgeoblock.com/article/exposure-of-wp-config-php.html "Prevent exposure of wp-config.php").
36
+
37
+ * **Minimize server load against brute-force attacks:**
38
+ You can configure this plugin as a [Must Use Plugins](https://codex.wordpress.org/Must_Use_Plugins "Must Use Plugins « WordPress Codex") which would be loaded prior to regular plugins and can massively [reduce the load on server](http://www.ipgeoblock.com/codex/validation-timing.html "Validation timing | IP Geo Block").
39
+ And furthermore, a cache mechanism for the fetched IP addresses and country code can help to reduce load on the server against the burst accesses with a short period of time.
40
41
* **Support of BuddyPress and bbPress:**
42
+ You can configure this plugin such that a registered user can login as the membership from anywhere, but a request such as a new user registration, lost password, creating a new topic, and subscribing comment is blocked by the country code. It is suitable for [BuddyPress](https://wordpress.org/plugins/buddypress/ "WordPress › BuddyPress « WordPress Plugins") and [bbPress](https://wordpress.org/plugins/bbpress/ "WordPress › bbPress « WordPress Plugins") to help reducing spams.
43
44
* **Referrer suppressor for external links:**
45
+ When you click an external hyperlink on admin screen, http referrer will be liminated to hide a footprint of your site.
46
47
* **Multiple source of IP Geolocation databases:**
48
+ Free IP Geolocation database and REST APIs are installed into this plugin to get a country code from an IP address. [MaxMind](http://www.maxmind.com "MaxMind - IP Geolocation and Online Fraud Prevention") GeoLite free databases and [IP2Location](http://www.ip2location.com/ "IP Address Geolocation to Identify Website Visitor's Geographical Location") LITE databases can be available in this plugin. Those will be downloaded and updated (once a month) automatically.
49
50
* **Customizing response:**
51
+ HTTP response code can be selectable as `403 Forbidden` to deny access pages, `404 Not Found` to hide pages or even `200 OK` to redirect to the top page.
52
+ You can also have the custom error page (for example `403.php`) in your theme template directory or child theme directory to fit your theme.
53
54
* **Validation logs:**
55
+ Logs will be recorded into MySQL data table to audit posting pattern under the specified condition.
56
57
* **Cooperation with full spec security plugin:**
58
+ This plugin is simple and lite enough to be able to cooperate with other full spec security plugin such as [Wordfence Security](https://wordpress.org/plugins/wordfence/ "WordPress › Wordfence Security « WordPress Plugins") (because country bloking is available only for premium users). See [this report](http://www.ipgeoblock.com/codex/page-speed-performance.html "Page speed performance | IP Geo Block") about page speed performance.
59
60
* **Extendability:**
61
+ "Settings minimum, Customizability maximum" is the basic concept of this plugin. You can customize the behavior of this plugin via `add_filter()` with pre-defined filter hook. See various use cases in [the documents](http://www.ipgeoblock.com/codex/ "Codex | IP Geo Block") and [samples.php](https://github.com/tokkonopapa/WordPress-IP-Geo-Block/blob/master/ip-geo-block/samples.php "WordPress-IP-Geo-Block/samples.php at master - tokkonopapa/WordPress-IP-Geo-Block - GitHub") bundled within this package.
62
63
* **Self blocking prevention and easy rescue:**
64
+ Most of users do not prefer themselves to be blocked. This plugin prevents such a sad thing unless you force it. And futhermore, if such a situation occurs, you can [rescue yourself](http://www.ipgeoblock.com/codex/what-should-i-do-when-i-m-locked-out.html "What should I do when I'm locked out? | IP Geo Block") easily.
65
66
* **Clean uninstallation:**
67
+ Nothing is left in your precious mySQL database after uninstallation. So you can feel free to install and activate to make a trial of this plugin's functionality. Several days later, you'll find many undesirable accesses in your validation logs if all validation targets are enabled.
68
69
= Attribution =
70
71
+ This package includes GeoLite library distributed by MaxMind, available from [MaxMind](http://www.maxmind.com "MaxMind - IP Geolocation and Online Fraud Prevention"), and also includes IP2Location open source libraries available from [IP2Location](http://www.ip2location.com "IP Address Geolocation to Identify Website Visitor's Geographical Location").
72
73
Also thanks for providing the following great services and REST APIs for free.
74
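Review bot: "country bloking" in the Wordfence sentence should be "country blocking", and the parenthetical "(because country bloking is available only for premium users)" should name Wordfence explicitly, since as written it can be read as describing this plugin; e.g. "(Wordfence offers country blocking only to premium users)". Also "futhermore" → "furthermore" in the self-blocking item, and "mySQL" → "MySQL" in the clean-uninstallation item.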
82
83
= Development =
84
85
+ Development of this plugin is promoted at [WordPress-IP-Geo-Block](https://github.com/tokkonopapa/WordPress-IP-Geo-Block "tokkonopapa/WordPress-IP-Geo-Block - GitHub") and class libraries to handle geo-location database are developed separately as "add-in"s at [WordPress-IP-Geo-API](https://github.com/tokkonopapa/WordPress-IP-Geo-API "tokkonopapa/WordPress-IP-Geo-API - GitHub").
86
+
87
+ All contributions will always be welcome. Or visit my [development blog](http://www.ipgeoblock.com/ "IP Geo Block").
88
89
== Installation ==
90
94
2. Search for 'IP Geo Block'
95
3. Click 'Install Now'
96
4. Activate the plugin on the Plugin dashboard
97
+ 5. Try 'Best settings' button for easy setup at the bottom of this plugin's setting page.
98
+
99
+ Please refer to [the document](http://www.ipgeoblock.com/codex/ "Codex | IP Geo Block")
100
+ or following descriptions for your best setup.
101
102
= Validation rule settings =
103
104
* **Matching rule**
105
+ Choose either `White list` (recommended) or `Black list` to specify the countries from which you want to pass or block.
106
107
* **Country code for matching rule**
108
+ Specify the country code with two letters (see [ISO 3166-1 alpha-2](http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements "ISO 3166-1 alpha-2 - Wikipedia, the free encyclopedia")). Each of them should be separated by comma.
109
110
* **White/Black list of extra IPs for prior validation**
111
+ The list of extra IP addresses prior to the validation of country code. [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing "Classless Inter-Domain Routing - Wikipedia, the free encyclopedia") is acceptable to specify the range.
112
113
* **$_SERVER keys for extra IPs**
114
+ Additional IP addresses will be validated if some of keys in `$_SERVER` variable are specified in this textfield. Typically `HTTP_X_FORWARDED_FOR`.
115
116
* **Bad signatures in query**
117
+ It validates malicious signatures independently of **Block by country** and **Prevent Zero-day Exploit** for the target **Admin area**, **Admin ajax/post**, **Plugins area** and **Themes area**. Typically, `/wp-config.php` and `/passwd`.
118
119
* **Response code**
120
+ Choose one of the [response code](http://tools.ietf.org/html/rfc2616#section-10 "RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1") to be sent when it blocks a comment.
121
+ The 2xx code will lead to your top page, the 3xx code will redirect to [Black Hole Server](http://blackhole.webpagetest.org/), the 4xx code will lead to WordPress error page, and the 5xx will pretend an server error.
122
123
* **Validation timing**
124
+ Choose **"init" action hook** or **"mu-plugins" (ip-geo-block-mu.php)** to specify the timing of validation.
125
126
+ = Back-end target settings =
127
128
* **Comment post**
129
+ Validate post to `wp-comment-post.php`. Comment post and trackback will be validated.
130
131
* **XML-RPC**
132
+ Validate access to `xmlrpc.php`. Pingback and other remote command with username and password will be validated.
133
134
* **Login form**
135
Validate access to `wp-login.php` and `wp-signup.php`.
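Review bot: the **$_SERVER keys for extra IPs** entry ("Typically `HTTP_X_FORWARDED_FOR`") should say when that is safe to enable: the header is supplied by the client, so an address taken from it should only be validated when the site sits behind a reverse proxy or load balancer that overwrites the header; otherwise the country check runs against a value the requester chose. Suggest adding "Only add `HTTP_X_FORWARDED_FOR` when your server is behind a proxy that sets it; a client can send this header itself." Secondary: the **Response code** text says the code is sent "when it blocks a comment", but the setting sits under **Validation rule settings** and the targets below include XML-RPC, the login form and the themes area, so "when it blocks a request" is more accurate; and the 3xx option redirects blocked visitors to an external host (Black Hole Server), which is worth stating plainly.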
146
* **Themes area**
147
Validate direct access to themes. Typically `wp-content/themes/…/*.php`.
148
149
+ = Front-end target settings =
150
+
151
+ * **Block by country**
152
+ Enables validation of country code on public facing pages.
153
+
154
+ * **Matching rule**
155
+ Same as **Validation target settings** but can be set independently.
156
+
157
+ * **Validation target**
158
+ Specify the single and archive page by post type, category and tag as blocking target.
159
+
160
+ * **UA string and qualification**
161
+ Additional rules targeted at SEO which can specify acceptable requests based on user agent.
162
+
163
+ * **Simulation mode**
164
+ You can simulate the 'blocking on front-end' functionality before deploying.
165
+
166
= Geolocation API settings =
167
168
* **API selection and key settings**
169
+ If you wish to use `IPInfoDB`, you should register at [their site](http://ipinfodb.com/ "IPInfoDB | Free IP Address Geolocation Tools") to get a free API key and set it into the textfield. And `ip-api.com` and `Smart-IP.net` require non-commercial use.
170
171
= Local database settings settings =
172
173
* **Auto updating (once a month)**
174
+ If `Enable`, Maxmind GeoLite database will be downloaded automatically by WordPress cron job.
175
176
= Record settings =
177
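Review bot: the **API selection and key settings** entry should state that choosing a remote service (`IPInfoDB`, `ip-api.com`, `Smart-IP.net`) sends each validated visitor's IP address to that third party for every lookup, whereas the local databases in the next section keep lookups on the server; that is a privacy consideration as much as the non-commercial terms mentioned here, and a sentence like "Remote APIs receive the visitor's IP address for each lookup; use the local databases if you don't want that" would make the trade-off clear. The **Auto updating** entry relies on WordPress cron, which only fires when the site receives requests unless a real cron job calls `wp-cron.php`, so a low-traffic site can keep an outdated GeoLite database; worth a short note. Style: the heading "= Local database settings settings =" repeats "settings".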
179
If `Enable`, you can see `Statistics of validation` on Statistics tab.
180
181
* **Record validation logs**
182
+ If you choose anything but `Disable`, you can see `Validation logs` on Logs tab.
183
184
* **$_POST keys in logs**
185
+ Normally, you can see just keys at `$_POST data:` on Logs tab. If you put some of interested keys into this textfield, you can see the value of key like `key=value`.
186
187
* **Anonymize IP address**
188
+ It will mask the last three digits of IP address when it is recorded into the log.
189
190
= Cache settings =
191
192
* **Expiration time [sec]**
193
Maximum time in sec to keep cache.
194
195
+ * **Garbage collection period [sec]**
196
+ Period of garbage collection to clean cache.
197
+
198
= Submission settings =
199
200
* **Text position on comment form**
201
+ If you want to put some text message on your comment form, please choose `Top` or `Bottom` and put text with some tags into the **Text message on comment form** textfield.
202
203
= Plugin settings =
204
205
* **Remove settings at uninstallation**
206
+ If you checked this option, all settings will be removed when this plugin is uninstalled for clean uninstalling.
207
208
== Frequently Asked Questions ==
209
210
+ = Does it support multisite? =
211
+
212
+ It works on multisite, but there's no network setting at this moment.
213
+
214
= I was locked down. What shall I do? =
215
216
+ You can find the "**Emergent Functionality**" code section near the bottom of `ip-geo-block.php`. This code block can be activated by replacing `/*` (opening multi-line comment) at the top of the line to `//` (single line comment), or `*` at the end of the line to `*/` (closing multi-line comment).
217
218
`/**
219
* Invalidate blocking behavior in case yourself is locked out.
220
+ *
221
+ * How to use: Activate the following code and upload this file via FTP.
222
+ */
223
+ /* -- ADD `/` TO THE TOP OR END OF THIS LINE TO ACTIVATE THE FOLLOWINGS -- */
224
function ip_geo_block_emergency( $validate ) {
225
$validate['result'] = 'passed';
226
return $validate;
229
add_filter( 'ip-geo-block-admin', 'ip_geo_block_emergency' );
230
// */`
231
232
+ Please not that you have to use an [appropriate editor](https://codex.wordpress.org/Editing_Files#Using_Text_Editors "Editing Files « WordPress Codex").
233
+
234
+ After saving and uploading it to `/wp-content/plugins/ip-geo-block/` on your server via FTP, you become to be able to login again as an admin.
235
236
+ Remember that you should upload the original one after re-configuration to deactivate this feature.
237
+
238
+ [This document](http://www.ipgeoblock.com/codex/what-should-i-do-when-i-m-locked-out.html "What should I do when I'm locked out? | IP Geo Block") can also help you.
239
+
240
+ = How to resolve "Sorry, your request cannot be accepted."? =
241
+
242
+ If you encounter this message, please refer to [this document](http://www.ipgeoblock.com/codex/you-are-not-allowed-to-access.html "Why “Sorry, your request cannot be accepted” ? | IP Geo Block") to resolve your blocking issue.
243
+
244
+ If you can't solve your issue, please let me know about it on the [support forum](https://wordpress.org/support/plugin/ip-geo-block/ "View: Plugin Support « WordPress.org Forums"). Your logs in this plugin and "**Installation information**" at "**Plugin settings**" will be a great help to resolve the issue.
245
246
= How can I fix "Unable to write" error? =
247
248
+ When you enable "**Force to load WP core**" options, this plugin will try to configure `.htaccess` in your `/wp-content/plugins/` and `/wp-content/themes/` directory in order to protect your site against the malicous attacks to the [OMG plugins and shemes](http://www.ipgeoblock.com/article/exposure-of-wp-config-php.html "Prevent exposure of wp-config.php | IP Geo Block").
249
+
250
+ But some servers doesn't give reading / writing permission against `.htaccess` to WordPress. In this case, you can configure these `.htaccess` files by your own hand instead of enabling "**Force to load WP core**" options.
251
252
+ Please refer to "[How can I fix permission troubles?](http://www.ipgeoblock.com/codex/how-can-i-fix-permission-troubles.html 'How can I fix permission troubles? | IP Geo Block')" in order to fix this error.
253
254
+ = I still have access from blacklisted country. Does it work correctly? =
255
+
256
+ Absolutely, YES. But unfortunately, accuracy of country code depends on the geolocation databases. Actually, there is a case that a same IP address has different country code.
257
+
258
+ For more detail, please refer to "[I still have access from blacklisted country.](http://www.ipgeoblock.com/codex/access-from-blacklisted-country.html 'I still have access from blacklisted country. | IP Geo Block')".
259
+
260
+ = How can I test this plugin works? =
261
+
262
+ The easiest way is to use [free proxy browser addon](https://www.google.com/search?q=free+proxy+browser+addon "free proxy browser addon - Google Search").
263
+
264
+ Another one is to use [http header browser addon](https://www.google.com/search?q=browser+add+on+modify+http+header "browser add on modify http header - Google Search").
265
+
266
+ You can add an IP address to the `X-Forwarded-For` header to emulate the access behind the proxy. In this case, you should add `HTTP_X_FORWARDED_FOR` into the "**$_SERVER keys for extra IPs**" on "**Settings**" tab.
267
+
268
+ See more details at "[How to test prevention of attacks](http://www.ipgeoblock.com/codex/#how-to-test-prevention-of-attacks 'Codex | IP Geo Block')".
269
+
270
+ = Does this plugin works well with caching? =
271
+
272
+ For the back-end protection, the answer is YES if you disable caching on back-end. But for the front-end, the answer depends on the caching method you are employing.
273
+
274
+ Currently, the following cache plugins and configurations can be supported:
275
+
276
+ - [WP Super Cache](https://wordpress.org/plugins/wp-super-cache/ "WP Super Cache — WordPress Plugins")
277
+ Select "**Use PHP to serve cache files**" and enable "**Late init**".
278
+
279
+ - [W3 Total Cache](https://wordpress.org/plugins/w3-total-cache/ "W3 Total Cache — WordPress Plugins")
280
+ Select "**Disk: Basic**" and enable "**Late initialization**" for page cache. "**Disk: Enhanced**" (where "**Late initialization**" is not available) in W3TC 0.9.5.1 seems to work good without any imcompatibility with this plugin.
281
+
282
+ - [Vendi Cache](https://wordpress.org/plugins/vendi-cache/ "Vendi Cache — WordPress Plugins")
283
+ This was formerly built in Wordfence. Select "**basic caching**" for Vendi Cache and **"mu-plugin" (ip-geo-block-mu.php)** for IP Geo Block.
284
+
285
+ If your plugin serves page caching by `mod_rewrite` via `.htaccess` (e.g. WP Fastest Cache) or caching by `advanced-cache.php` drop-in (e.g. Comet Cache) or your hosting provider serves page caching at server side, "**Blocking on front-end**" might lead to generate inconsistent pages.
286
+
287
+ For more details, please refer to some documents at "[Blocking on front-end](http://www.ipgeoblock.com/codex/#blocking-on-front-end 'Codex | IP Geo Block')".
288
289
= Do I have to turn on all the selection to enhance security? =
290
291
+ Yes. Roughly speaking, the strategy of this plugin has been constructed as follows:
292
293
- **Block by country**
294
It blocks malicious requests from outside your country.
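Review bot: the **Emergent Functionality** snippet in the locked-out FAQ contradicts its own instructions: the text says to turn the `*` at the end of the marker line into `*/`, but the quoted marker line already ends with `-- */`, which closes the comment on that line and leaves `function ip_geo_block_emergency()` and the `add_filter()` call active as shown, with the trailing `// */` reduced to a stray line comment; the marker line should end with `-- *` so the block stays commented out until the reader adds the `/`. In the same FAQ, "Please not that" → "Please note that". In "How can I test this plugin works?", after advising to add `HTTP_X_FORWARDED_FOR` to **$_SERVER keys for extra IPs**, add that the key should be removed again after testing unless the site is behind a proxy that sets the header, because any client can supply it. The **Anonymize IP address** entry's "mask the last three digits" is ambiguous; say what is masked (for example the last octet of an IPv4 address) and how IPv6 addresses are handled. Typos in the "Unable to write" answer: "malicous" → "malicious", "shemes" → "themes", "some servers doesn't" → "some servers don't".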
302
- **Bad signatures in query**
303
It blocks the request which has not been covered in the above three.
304
305
+ Please try "**Best settings**" button at the bottom of this plugin's setting page for easy setup. And also see more details in "[The best practice of target settings](http://www.ipgeoblock.com/codex/the-best-practice-for-target-settings.html 'The best practice of target settings | IP Geo Block')".
306
307
+ = Does this plugin validate all the requests? =
308
309
+ Unfortunately, no. This plugin can't handle the requests that are not parsed by WordPress. In other words, a standalone file (PHP, CGI or something excutable) that is unrelated to WordPress can't be validated by this plugin even if it is in the WordPress install directory.
310
311
+ But there're exceptions: When you enable "**Force to load WP core**" for **Plugins area** or **Themes area**, a standalone PHP file becomes to be able to be blocked. Sometimes this kind of file has some vulnerabilities. This function protects your site against such a case.
312
313
== Other Notes ==
314
315
= Known issues =
316
317
+ * No image is shown after drag & drop a image in grid view at "Media Library". For more details, please refer to [this ticket at Github](https://github.com/tokkonopapa/WordPress-IP-Geo-Block/issues/2 "No image is shown after drag & drop a image in grid view at "Media Library". - Issue #2 - tokkonopapa/WordPress-IP-Geo-Block - GitHub").
318
+ * From [WordPress 4.5](https://make.wordpress.org/core/2016/03/09/comment-changes-in-wordpress-4-5/ "Comment Changes in WordPress 4.5 – Make WordPress Core"), `rel=nofollow` attribute and value pair had no longer be added to relative or same domain links within `comment_content`. This change prevents to block "Server Side Request Forgeries" (not Cross Site but a malicious link in the comment field of own site).
319
320
== Screenshots ==
321
322
+ 1. **IP Geo Plugin** - Settings tab
323
+ 2. **IP Geo Plugin** - Validation rule settings
324
+ 3. **IP Geo Plugin** - Back-end target settings
325
+ 4. **IP Geo Plugin** - Front-end target settings
326
+ 5. **IP Geo Plugin** - Geolocation API settings
327
+ 6. **IP Geo Plugin** - IP address cache settings
328
+ 7. **IP Geo Plugin** - Statistics tab
329
+ 8. **IP Geo Plugin** - Logs tab
330
+ 9. **IP Geo Plugin** - Search tab
331
+ 10. **IP Geo Plugin** - Attribution tab
332
333
== Changelog ==
334
335
+ = 3.0.2.2 =
336
+ * **Improvement:** Change the behavior of "Referrer Suppressor" not to open a new window on public facing pages.
337
+ * **Improvement:** Improve some of the descriptions of help text.
338
+ * **Bug fix:** Fix the bug of undefined symbol in admin class related to the Google Map API.
339
+ * **Bug fix:** Fix the bug of incompatible function arguments when the number of login fails reaches the limit.
340
+ * **Bug fix:** Fix the issue of not working blocking by country on specific pages correctly as the validation target.
341
+
342
+ = 3.0.2.1 =
343
+ This is a maintenance release addressing some issues.
344
+
345
+ * **Update:** Net_DNS2, Net_IPv6, Net_IPv4 to the newest.
346
+ * **Update:** Geolocation database API for Maxmind and IP2Location to 1.1.8.
347
+ * **Update:** Bring back the priority of validation for wp-zep and badsig as same as 3.0.2 and before.
348
+ * **Improvement:** Handle some of loop back and private IP addresses for localhost and host inside load balancer.
349
+ * **Improvement:** Update instructions when the geolocation API libraries fails to install.
350
+ * **Bug fix:** Fix the blocking issue of admin ajax/post on front-end.
351
+ * **Bug fix:** Fix the issue of improper IPv6 handling on setting page.
352
+
353
+ = 3.0.2 =
354
+ * **New feature:** Add "Exceptions" for "Admin ajax/post" to specify the name of action which causes undesired blocking (typically on the public facing pages).
355
+ * **Improvement:** Add "Disable" to "Max number of failed login attempts per IP address" to avoid conflict with other similar plugin.
356
+ * **Improvement:** Update geolocation database libraries to 1.1.7 for better compatibility on some platform.
357
+ * **Trial feature:** Add custom action hook `ip-geo-block-send-response`. This is useful to control firewall via [fail2ban](http://www.fail2ban.org/ "Fail2ban") like [WP fail2ban](https://wordpress.org/plugins/wp-fail2ban/ "WP fail2ban - WordPress Plugins").
358
+ * See some details at [release 3.0.2](http://www.ipgeoblock.com/changelog/release-3.0.2.html "3.0.2 Release Note | IP Geo Block").
359
+
360
+ = 3.0.1.2 =
361
+ * **Bug fix:** Fix the blocking issue in some environments when upgrading from 2.2.9.1 to 3.0.0.
362
+ * **Bug fix:** Fix the blocking issue at opening a new window via context menu on dashboard.
363
+ * **Bug fix:** Fix the potential issue of 500 Internal error in cron job.
364
+ * **Improvement:** Revive 410 Gone for response code.
365
+ * **Improvement:** Prevent the issue of resetting matching rule and country code at upgrading.
366
+
367
+ = 3.0.1.1 =
368
+ * **Bug fix:** Fix the issue where **Login form** could not be disabled on **Back-end target settings**.
369
+ * **Bug fix:** Fix the issue where trackback and pingback could not be blocked since 2.2.4.
370
+ * **Improved:** Apply the action hook 'pre_trackback_post' that was introduced in WP 4.7.0.
371
+ * **Improved:** Use 'safe_redirect()' instead of 'redirect()' for secured internal redirection. If you set an external url for **Redirect URL**, please use the filter hook 'allowed_redirect_hosts'.
372
+ * **Improved:** Better compatibility with the plugin "Anti-Malware Security and Brute-Force Firewall".
373
+
374
+ = 3.0.1 =
375
+ * **Bug fix:** Add lock mechanism for local geolocation DBs to avoid potential fatal error.
376
+ * **Improvement:** Add self blocking prevention potentially caused by login attempts with the same IP address of logged in user.
377
+ * **New feature:** Add "**Installation information**" button to make it easy to submit an issue at support forum.
378
+
379
+ = 3.0.0 =
380
+ * **New feature:** Add the function of blocking on front-end.
381
+ * **New filter hook:** Add `ip-geo-block-public` to extend validation on front-end.
382
+ * **Improvement:** Avoid conflict with "Open external links in a new window" plugin and some other reason to prevent duplicated window open. For more detail, see [this discussion at support forum](https://wordpress.org/support/topic/ip-geoblock-opens-2-windows-on-link-clicks-when-user-is-logged-in/ "Topic: IP Geoblock opens 2 windows on link clicks when user is logged in « WordPress.org Forums").
383
+ * **Improvement:** Better compatibility with some plugins, themes and widgets.
384
+ * **Improvement:** Deferred execution of SQL command to improve the response.
385
+ * **Improvement:** Make the response compatible with WP original when it is requested by GET method.
386
+ * See some details at [release 3.0.0](http://www.ipgeoblock.com/changelog/release-3.0.0.html "3.0.0 Release Note | IP Geo Block").
387
+
388
= 2.2.9.1 =
389
+ * **Bug fix:** Blocking Wordfence scanning. ([@](https://wordpress.org/support/topic/wordfence-conflict-2/ "WordFence Conflict"))
390
+ * **Bug fix:** Illegal elimination of colon in text field for IP address. ([@](https://wordpress.org/support/topic/adding-ipv6-to-white-list/ "Adding IPv6 to white list"))
391
+ * **Improved:** Compatibility with PHP 7 that cause to feel relaxed. ([@](https://wordpress.org/support/topic/plans-for-php-7-compatiblity/ "Plans for PHP 7 compatiblity?"))
392
+ * **Improved:** Avoid resetting whitelist on update by InfiniteWP. ([@](https://wordpress.org/support/topic/whitelist-resets-on-update/ "[Resolved] Whitelist resets on update"))
393
+ * **Trial feature:** `X-Robots-Tag` HTTP header with `noindex, nofollow` for login page. ([@](https://wordpress.org/support/topic/ip-geo-block-and-searchmachines/ "IP GEo-block and searchmachines"))
394
395
= 2.2.9 =
396
+ * **New feature:** A new option that makes this plugin configured as a "Must-use plugin". It can massively reduce the server load especially against brute-force attacks because it initiates this plugin prior to other typical plugins.
397
+ * **Improvement:** Validation of a certain signature against XSS is internally added to "Bad signature in query" by default.
398
+ * **Improvement:** Improved compatibility with PHP 7 (Thanks to [FireMyst](https://wordpress.org/support/topic/plans-for-php-7-compatiblity/ "Topic: Plans for PHP 7 compatiblity? « WordPress.org Forums")).
399
* Find details in [2.2.9 Release Note](http://www.ipgeoblock.com/changelog/release-2.2.9.html "2.2.9 Release Note").
400
401
= 2.2.8.2 =
402
* **Bug fix:** Fixed the mismatched internal version number.
403
404
= 2.2.8.1 =
405
+ * **Bug fix:** Fixed the issue of undefined function `wp_get_raw_referer()` error that happened under certain condition. See [the issue](https://wordpress.org/support/topic/since-php-update-fatal-error-everytime-i-want-to-edit-a-post/ "Since PHP update Fatal error everytime I want to edit a post") at forum.
406
+ * **Improved:** Avoid resetting country code on update. See [the issue](https://wordpress.org/support/topic/whitelist-resets-on-update/ "Whitelist resets on update") at forum.
407
408
= 2.2.8 =
409
+ * **Bug fix:** Fixed the issue of stripping some required characters for Google maps API key.
410
* **New feature:** Whois database Lookup for IP address on search tab.
411
* **Update:** Updated geolocation API libraries and services.
412
* Find more details in [2.2.8 Release Note](http://www.ipgeoblock.com/changelog/release-2.2.8.html "2.2.8 Release Note").
413
414
= 2.2.7 =
415
* **Bug fix:** Fix inadequate validation of "**Bad signatures in query**".
416
+ * **Improvement:** Add fallback for Google Maps API key ([@](https://wordpress.org/support/topic/226-problem-with-search-resp-google-maps "WordPress › Support » [2.2.6] Problem with SEARCH resp. Google Maps")) and corruption of "Bad signatures" ([@](https://wordpress.org/support/topic/226-problem-with-bad-signatures-in-query "WordPress › Support » [2.2.6] Problem with "Bad signatures in query"")).
417
* **Update:** Update geolocation service api.
418
* Find details about Google Maps API in [2.2.7 Release Note](http://www.ipgeoblock.com/changelog/release-2.2.7.html "2.2.7 Release Note").
419
420
= 2.2.6 =
421
* **New feature:** Add saving csv file of logs in "Logs" tab.
422
+ * **New feature:** Add filter hook `ip-geo-block-record-log` to control over the conditions of recording in more detail.
423
+ * **Bug fix:** Fixed the issue that "Exceptions" for Plugins/Themes area does not work properly. Please confirm your settings again.
424
* See details at [release 2.2.6](http://www.ipgeoblock.com/changelog/release-2.2.6.html "2.2.6 Release Note").
425
426
= 2.2.5 =
427
+ * **New feature:** On the settings page, you can specify the pliugin or theme which would cause undesired blocking in order to exclude it from the validation target without embedding any codes into `functions.php`.
428
* **Improvement:** Optimize resource loading on admin dashboard.
429
* **Improvement:** Support clean uninstall for network / multisite.
430
+ * **Improvement:** Improve the compatibility of downloading IP address databases for Microsoft IIS.
431
* **Bug fix:** Support `FORCE_SSL_ADMIN`.
432
+ * **Bug fix:** Fix the issue of [@](https://wordpress.org/support/topic/compatibility-with-ag-custom-admin "WordPress › Support » Compatibility with AG Custom Admin") and change the option name "**Important files**" to "**Bad signatures in query**" to avoid misuse.
433
+ * **Bug fix:** Fix the issue of [@](https://wordpress.org/support/topic/gb-added-to-whitelist "WordPress › Support » GB added to whitelist") which might be caused by some race condition.
434
* **Bug fix:** Fix the issue of restoring post revisions which was blocked.
435
436
= 2.2.4.1 =
437
Sorry for frequent updating.
438
439
+ * **Bug fix:** Fixed the issue of `Warning: strpos(): Empty needle in...` that was reported in [@](https://wordpress.org/support/topic/version-224-produces-warning-message "WordPress › Support » Version 2.2.4 Produces Warning Message") and [@](https://wordpress.org/support/topic/error-after-update-to-newest-version "WordPress › Support » Error after Update to newest version").
440
441
= 2.2.4 =
442
+ * **Bug fix:** Fixed the issue that some links on network admin of multisite were blocked when WP-ZEP for `admin area` or `admin ajax/post` was enabled.
443
* **New feature:** Added configure of `.htaccess` for the plugins/themes area.
444
* **Enhancement:** Added `wp-signup.php` to the list of validation target.
445
* **Enhancement:** Added exporting and importing the setting parameters.
446
+ * **Improvement:** Made the logout url compatible with [Rename wp-login.php](https://wordpress.org/plugins/rename-wp-login/).
447
+ * **Improvement:** Made condition of validation more strictly at admin diagnosis to prevent unnecessary notice of self blocking. ([@](https://wordpress.org/support/topic/youll-be-blocked-after-you-log-out-notice-doesnt-disappear "[resolved] "You'll be blocked after you log out" notice doesn't disappear"))
448
+ * **Improvement:** Improved some of UI. ([@](https://wordpress.org/support/topic/possible-to-select-which-countries-are-blocked "[resolved] Possible to select which countries are blocked?"), [@](https://wordpress.org/support/topic/ip-geo-block-black-list "IP Geo Block Black List"))
449
* See some details at [release 2.2.4](http://www.ipgeoblock.com/changelog/release-2.2.4.html "2.2.4 Release Note").
450
451
= 2.2.3.1 =
452
+ * **Bug fix:** Fixed the issue that disabled validation target was still blocked by country. ([@](https://wordpress.org/support/topic/logs-whitelist-comments-still-blocked "[resolved] logs whitelist comments still blocked?"))
453
+ * **Improvement:** Better handling of charset and errors for MySQL. ([@](https://wordpress.org/support/topic/whitelist-log "[resolved] Whitelist + Log"))
454
455
= 2.2.3 =
456
+ * **Improvement:** Since WordPress 4.4, XML-RPC system.multicall is disabled when the authentication fails, but still processed all the methods to the end. Now this plugin immediately blocks the request when the authentication fails without processing the rest of the methods.
457
* **Improvement:** Add UI to change the maximum number of login attempts.
458
+ * **Improvement:** Add a fallback process of setting up the directory where the geo location database APIs should be installed. It will be set as `wp-content/uploads/` instead of `wp-content/plugins/ip-geo-block/` or `wp-content/` in case of being unable to obtain proper permission. ([@](https://wordpress.org/support/topic/deactivated-after-updte-why "[resolved] Deactivated after update - why?"), [@](https://wordpress.org/support/topic/the-plugin-caused-an-error-message "[resolved] The plugin caused an error message"))
459
+ * **Improvement:** Moderate the conditions of redirection after logout. ([@](https://wordpress.org/support/topic/logout-redirect-doesnt-work-when-plugin-is-active "[resolved] Logout redirect doesn't work when plugin is active"))
460
+ * **Improvement:** Prevent self blocking caused by irrelevant signature. ([@](https://wordpress.org/support/topic/works-too-well-blocked-my-wp-admin-myself "[resolved] Works too well - Blocked my wp-admin myself"))
461
+ * **Bug fix:** Fixed the issue of conflicting with certain plugins due to the irrelevant handling of js event. ([@](https://wordpress.org/support/topic/cannot-edit-pages-when-ip-geo-block-is-enabled "[resolved] Cannot edit pages when ip-geo-block is enabled."))
462
* **New feature:** Add "Blocked per day" graph for the daily statistics.
463
* See some details at [2.2.3 release note](http://www.ipgeoblock.com/changelog/release-2.2.3.html "2.2.3 Release Note").
464
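Review bot: the "Does this plugin validate all the requests?" answer says a standalone PHP file "becomes to be able to be blocked" when **Force to load WP core** is enabled, but not how; the "Unable to write" FAQ shows this works by configuring `.htaccess` in `/wp-content/plugins/` and `/wp-content/themes/`, so it only takes effect where the web server honours `.htaccess` (typically Apache with overrides enabled), and on nginx or IIS such a file remains unvalidated. Suggest stating that dependency in the answer and rewording to "a standalone PHP file can also be blocked". Minor: every Screenshots entry is labelled **IP Geo Plugin** although the plugin is **IP Geo Block**, and "excutable" → "executable".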
466
Sorry for frequent update again but the following obvious bugs should be fixed.
467
468
* **Bug fix:** Fixed the issue of not initializing country code at activation.
469
+ * **Bug fix:** Fixed the issue that scheme less notation like '//example.com' could not be handled correctly.
470
471
= 2.2.2.2 =
472
Sorry for frequent update.
473
474
+ * **Bug fix:** Fixed the issue of race condition at activation. This fix is related to the urgent security update at **2.2.2.1 which was not actually the security issue but a bug**. See [this thread](https://wordpress.org/support/topic/white-list-hack "white list hack") about little more details.
475
* **Improvement:** Improved the compatibility with Jetpack.
476
477
= 2.2.2.1 =
478
+ * **Urgent security update:** Killed the possibility of the options being altered.
479
480
= 2.2.2 =
481
+ * **Enhancement:** Refactored some codes and components. The number of attacks that can be proccessed per second has been improved by 25% at the maximum.
482
+ * **Improvement:** In the previous version, the statistical data was recorded into `wp_options`. It caused the uncertainty of recording especially in case of burst attacks. Now the data will be recorded in an independent table to improve this issue.
483
+ * **Bug fix:** Fixed conflict with NextGEN Gallary Pro. Thanks to [bodowewer](https://wordpress.org/support/profile/bodowewer).
484
* **Bug fix:** Fixed some filter hooks that did not work as intended.
485
* See more details at [2.2.2 release note](http://www.ipgeoblock.com/changelog/release-2.2.2.html "2.2.2 Release Note").
486
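Review bot: the 2.2.2.1 entry still reads "**Urgent security update:** Killed the possibility of the options being altered", while the 2.2.2.2 entry says that update "was not actually the security issue but a bug"; anyone scanning the changelog for security fixes will take the two lines differently. Suggest annotating the 2.2.2.1 line itself, e.g. "(later found to be a race condition at activation rather than a vulnerability; see 2.2.2.2)", so the correction travels with the entry. Minor: "proccessed" → "processed" and "Gallary" → "Gallery" in the 2.2.2 entries.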
488
* **Bug fix:** Fixed "open_basedir restriction" issue caused by `file_exists()`.
489
490
= 2.2.1 =
491
+ * **Enhancement:** In previous version, local geolocation databases will always be removed and downloaded again at every upgrading. Now, the class library for Maxmind and IP2Location have become independent of this plugin and you can put them outside this plugin in order to cut the above useless process. The library can be available from [WordPress-IP-Geo-API](https://github.com/tokkonopapa/WordPress-IP-Geo-API).
492
+ * **Deprecated:** Cooperation with IP2Location plugins such as [IP2Location Tags](http://wordpress.org/plugins/ip2location-tags/ "WordPress - IP2Location Tags - WordPress Plugins"), [IP2Location Variables](http://wordpress.org/plugins/ip2location-variables/ "WordPress - IP2Location Variables - WordPress Plugins"), [IP2Location Country Blocker](http://wordpress.org/plugins/ip2location-country-blocker/ "WordPress - IP2Location Country Blocker - WordPress Plugins") is out of use. Instead of it, free [IP2Location LITE databases for IPv4 and IPv6](http://lite.ip2location.com/ "Free IP Geolocation Database") will be downloaded.
493
* **Improvement:** Improved connectivity with Jetpack.
494
* **Improvement:** Improved immediacy of downloading databases at upgrading.
495
* **Improvement:** Replaced a terminated RESTful API service with a new stuff.
496
+ * **Bug fix:** Fixed issue that clicking a link tag without href always refreshed the page. Thanks to [wyclef](https://wordpress.org/support/topic/conflict-with-menu-editor-plugin "WordPress › Support » Conflict with Menu Editor plugin?").
497
+ * **Bug fix:** Fixed issue that deactivating and activating repeatedly caused to show the welcome message.
498
+ * **Bug fix:** Fixed issue that a misaligned argument in the function caused 500 internal server error when a request to the php files in plugins/themes area was rewrited to `rewrite.php`.
499
500
= 2.2.0.1 =
501
Sorry for frequent update.
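Review bot: in the 2.2.1 entries, "rewrited to `rewrite.php`" should be "rewritten to `rewrite.php`"; the **Enhancement** line should be past tense ("In previous versions, local geolocation databases were always removed and downloaded again at every upgrade"); and the **Deprecated** line's "is out of use. Instead of it, free ... will be downloaded" reads better as "is no longer supported; the free ... are downloaded instead".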
503
* **Fix:** Fixed the issue that some actions of other plugins were blocked.
504
505
= 2.2.0 =
506
+ * **Important:** Now **Block by country** and **Prevent Zero-day Exploit** become to work independently on **Admin area**, **Admin ajax/post** at **Validation target settings**. Please reconfirm them.
507
+ * **Important:** Previously, a request whose country code can't be available was always blocked. But from this release, such a request is considered as comming from the country whose code is `ZZ`. It means that you can put `ZZ` into the white list and black list.
508
+ * **New feature:** White list and Black list of extra IP addresses prior to the validation of country code. Thanks to Fabiano for good suggestions at [support forum](https://wordpress.org/support/topic/white-list-of-ip-addresses-or-ranges "WordPress › Support » White list of IP addresses or ranges?")
509
+ * **New feature:** Malicious signatures to prevent disclosing the important files via vulnerable plugins or themes. A malicious request to try to expose `wp-config.php` or `passwd` can be blocked.
510
+ * **New feature:** Add privacy considerations related to IP address. Add **Anonymize IP address** at **Record settings**.
511
+ * **Bug fix:** Fix the issue that spaces in **Text message on comment form** are deleted.
512
* See details at [2.2.0 release note](http://www.ipgeoblock.com/changelog/release-2.2.0.html "2.2.0 Release Note").
513
514
= 2.1.5.1 =
515
+ * **Bug fix:** Fixed the issue that the Blacklist did not work properly. Thanks to TJayYay for reporting this issue at [support forum](https://wordpress.org/support/topic/hackers-from-country-in-blocked-list-of-countries-trying-to-login "WordPress › Support » Hackers from country in Blocked List of Countries trying to login").
516
517
= 2.1.5 =
518
+ * **Enhancement:** Enforce preventing self blocking at the first installation. And add the scan button to get all the country code using selected API. Thanks to **Nils** for a nice idea at [support forum](https://wordpress.org/support/topic/locked-out-due-to-eu-vs-country "WordPress › Support » Locked out due to EU vs. Country").
519
* **New feature:** Add pie chart to display statistics of "Blocked by country".
520
* **Enhancement:** WP-ZEP is reinforced against CSRF.
521
* **Bug fix:** Fix illegal handling of the fragment in a link.
522
* See details at [2.1.5 release note](http://www.ipgeoblock.com/changelog/release-2.1.5.html "2.1.5 Release Note").
523
524
= 2.1.4 =
525
+ * **Bug fix:** Fix the issue that this plugin broke functionality of a certain plugin. Thanks to **opsec** for reporting this issue at [support forum](https://wordpress.org/support/topic/blocks-saves-in-types-or-any-plugins-from-wp-typescom "WordPress › Support » Blocks saves in Types or any plugins from wp-types.com").
526
+ * **Improvement:** Add checking process for validation rule to prevent being blocked itself. Thanks to **internationals** for proposing at [support forum](https://wordpress.org/support/topic/locked-out-due-to-eu-vs-country "WordPress › Support » Locked out due to EU vs. Country")
527
+ * **Improvement:** Arrage the order of setting sections to focus the goal of this plugin.
528
* See details at [2.1.4 release note](http://www.ipgeoblock.com/changelog/release-2.1.4.html "2.1.4 Release Note").
529
530
= 2.1.3 =
531
* **New feature:** Add "show" / "hide" at each section on the "Settings" tab.
532
+ * **New feature:** Add an emergency function that invalidate blocking behavior in case yourself is locked out. This feature is commented out by default at the bottom of `ip-geo-block.php`.
533
+ * **Improvement:** Prevent adding query strings to the static resources when users logged in.
534
* **Improvement:** Improved the compatibility with Autoptimize.
535
* **Bug fix:** Fix the issue related to showing featured themes on dashboard.
536
* **Bug fix:** Fix minor bug in `rewrite.php` for the advanced use case.
539
= 2.1.2 =
540
This is a maintenance release.
541
542
+ * **Bug fix:** Fix the issue that the login-fail-counter didn't work when the validation at `Login form` was `block by country (register, lost password)`. In this release, the login-fail-counter works correctly.
543
+ * **Bug fix:** Fix the issue that the validation settings of `Admin area` and `Admin ajax/post` were influential with each other. Now each of those works individually.
544
+ * **Bug fix:** "Site Stats" of Jetpack is now shown on the admin bar which issue was reported on [support forum](https://wordpress.org/support/topic/admin-area-prevent-zero-day-exploit-incompatible-with-jetpack-site-stats-in-a "WordPress › Support » Admin area - Prevent zero-day exploit: Incompatible with Jetpack Site Stats in A").
545
+ * **Improvement:** Hide checking the existence of log db behind the symbol `IP_GEO_BLOCK_DEBUG` to reduce 1 query on admin screen.
546
+ * **Improvement:** Add alternative functions of BCMath extension to avoid `PHP Fatal error: Call to undefined function` in `IP2Location.php` when IPv6 is specified.
547
+ * **Improvement:** Use MaxMind database at the activating process not to be locked out by means of inconsistency of database at the activation and after.
548
* See more details at [2.1.2 release note](http://www.ipgeoblock.com/changelog/release-2.1.2.html "2.1.2 Release Note").
549
550
= 2.1.1 =
551
+ * **New feature:** Added `Block by country (register, lost password)` at `Login form` on `Settings` tab in order to accept the registered users as membership from anywhere but block the request of new user ragistration and lost password by the country code. Is't suitable for BuddyPress and bbPress.
552
+ * **Improvement:** Added showing the custom error page for http response code 4xx and 5xx. For example the `403.php` in the theme template directory or in the child theme directory is used if it exists. And new filter hooks `ip-geo-block-(comment|xmlrpc|login|admin)-(status|reason)` are available to customize the response code and reason for human.
553
+ * **Obsoleted:** Obsoleted the filter hooks `ip-geo-block-(admin-actions|admin-pages|wp-content)`. Alternatively new filter hooks `ip-geo-block-bypass-(admins|plugins|themes)` are added to bypass WP-ZEP.
554
* Find out more details in the [2.1.1 release note](http://www.ipgeoblock.com/changelog/release-2.1.1.html "2.1.1 Release Note").
555
556
= 2.1.0 =
557
+ * **New feature:** Expanded the operating range of ZP-ZEP, that includes admin area, plugins area, themes area. Now it can prevent a direct malicios attack to the file in plugins and themes area. Please go to the "Validation Settings" on "Settings" tab and check it. Also check my article in "[Analysis of Attack Vector against WP Plugins](http://www.ipgeoblock.com/article/analysis-attack-vector.html)".
558
+ * **Bug fix:** Fixed the issue that action hook `ip-geo-block-backup-dir` did not work correctly because the order of argument was mismatched.
559
+ * **Bug fix:** Fixed the issue that a record including utf8 4 bytes character in its columns was not logged into DB in WordPress 4.2.
560
+ * **Improvement:** Fixed the issue that Referrer Suppressor do nothing with a new element which is added into DOM after DOM ready. The event handler is now delegated at the `body`.
561
562
= 2.0.8 =
563
+ * Fixed an issue that a certain type of attack vector to the admin area ([example](https://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html "Critical Vulnerability Disclosed on WordPress Custom Contact Forms Plugin")) could not be blocked by the reason that some plugins accept it on earlier hook (ie `init`) than this plugin (previously `admin_init`).
564
+ * Added re-creating DB table for validation logs in case of accidentally failed at activation process.
565
+ * The time of day is shown with local time by adding GMT offset based on the time zone setting.
566
* Optimized resource loading and settings to avoid redundancy.
567
* See details at [this plugin's blog](http://www.ipgeoblock.com/changelog/release-2.0.8.html "2.0.8 Release Note").
568
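Review bot: several of the added changelog lines carry typos or grammar slips that will ship verbatim in the public README; suggested fixes, by rendered line number: 498 `rewrited` → `rewritten`; 506 `become to work independently` → `now work independently`; 507 `comming` → `coming` and `can't be available` → `cannot be determined`; 518 `all the country code` → `all the country codes`; 527 `Arrage` → `Arrange` and `to focus the goal` → `to focus on the goal`; 532 `in case yourself is locked out` → `in case you lock yourself out`; 533 `when users logged in` → `when users are logged in`; 551 `ragistration` → `registration` and `Is't` → `It's`; 557 `ZP-ZEP` → `WP-ZEP` and `malicios` → `malicious`; 560 `Referrer Suppressor do nothing` → `does nothing`; 563 `by the reason that` → `because` and `ie` → `i.e.`. The entries at 508 and 526 also lack a terminating period.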
575
* Sorry for urgent update but avoid an javascript error.
576
577
= 2.0.4 =
578
+ * Sorry for frequent update but added a function of showing admin notice when none of the IP geolocation providers is selected. Because the user will be locked out from admin screen when the cache expires.
579
+ * **Bug fix:** Fixed an issue of `get_geolocation()` method at a time of when the cache of IP address is cleared.
580
* Referrer suppressor now supports [meta referrer](https://wiki.whatwg.org/wiki/Meta_referrer "Meta referrer - WHATWG Wiki")
581
582
= 2.0.3 =
583
+ * **Bug fix:** Fixed an issue that empty black list doesn't work correctly when matching rule is black list.
584
+ * **New feature:** Added 'Zero-day Exploit Prevention for wp-admin'. Because it is an experimental feature, please open a new issue at [support forum](https://wordpress.org/support/plugin/ip-geo-block "WordPress › Support » IP Geo Block") if you have any troubles with it.
585
+ * **New feature:** Referrer suppressor for external link. When you click an external hyperlink on admin screen, http referrer will be suppressed to hide a footprint of your site.
586
+ * Also added the filter hook `ip-geo-block-admin-actions` for safe actions on back-end.
587
588
= 2.0.2 =
589
+ * **New feature:** Include `wp-admin/admin-post.php` as a validation target in the `Admin area`. This feature is to protect against a vulnerability such as [Analysis of the Fancybox-For-WordPress Vulnerability](http://blog.sucuri.net/2015/02/analysis-of-the-fancybox-for-wordpress-vulnerability.html) on Sucuri Blog.
590
+ * Added a sample code snippet as a use case for 'Give ajax permission in case of safe actions on front facing page'. See Example 10 in `sample.php`.
591
592
= 2.0.1 =
593
+ * Fixed the issue of improper scheme from the HTTPS site when loading js for google map.
594
+ * In order to prevent accidental disclosure of the length of password, changed the length of `*` (masked password) which is logged into the database.
595
596
= 2.0.0 =
597
+ * **New feature:** Protection against brute-force and reverse-brute-force attacks to `wp-login.php`, `xmlrpc.php` and admin area. This is an experimental function and can be enabled on `Settings` tab. Malicious access can try to login only 5 times per IP address. This retry counter can be reset to zero by `Clear statistics` on `Statistics` tab.
598
599
= 1.0.0 =
600
* Ready to release.
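Review bot: two wording points in this part of the changelog: line 583 `empty black list doesn't work correctly` describes a bug that is now fixed, so past tense (`didn't work`) reads correctly; line 597 `attacks to` → `attacks on` and `can try to login only 5 times` → `can attempt to log in at most 5 times`. Line 597 also states how the retry counter is reset (`Clear statistics`) but not what happens to the blocked IP once the limit is reached; a sentence on that would save a support question, since this README is what users consult when they are locked out.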
admin/class-ip-geo-block-admin.php CHANGED
@@ -6,7 +6,7 @@
6
* @author tokkonopapa <tokkonopapa@yahoo.com>
7
* @license GPL-2.0+
8
* @link http://www.ipgeoblock.com/
9
- * @copyright 2013-2016 tokkonopapa
10
*/
11
12
class IP_Geo_Block_Admin {
@@ -28,9 +28,6 @@ class IP_Geo_Block_Admin {
28
* and adding a settings page and menu.
29
*/
30
private function __construct() {
31
- $this->admin_tab = isset( $_GET['tab'] ) ? (int)$_GET['tab'] : 0;
32
- $this->admin_tab = min( 4, max( 0, $this->admin_tab ) );
33
-
34
// Load plugin text domain.
35
add_action( 'init', array( $this, 'load_plugin_textdomain' ) );
36
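Review bot: with the `$this->admin_tab` initialisation removed from the constructor, the property is only assigned later (in `add_plugin_admin_menu()` on the new side), yet it is still read by `enqueue_admin_assets()` (`'tab' => $this->admin_tab`) and by `display_plugin_admin_page()` via `require_once IP_GEO_BLOCK_PATH . $files[ $this->admin_tab ]`. Give the property an explicit default in its declaration (`private $admin_tab = 0;`) so any code path that runs before the menu callback, or on a request where that callback is skipped, sees a valid tab index rather than NULL. Also, the clamp `min( 4, max( 0, ... ) )` admits `tab=4` while the visible `$tabs` and `$files` arrays stop at index 3; confirm that `$files[4]` exists, otherwise `?tab=4` turns into a `require_once` of the plugin directory itself.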
@@ -44,8 +41,9 @@ class IP_Geo_Block_Admin {
44
add_filter( 'wp_prepare_revision_for_js', array( $this, 'add_revision_nonce' ), 10, 3 );
45
46
// If multisite, then enque the authentication script for network admin
47
- if ( is_multisite() )
48
add_action( 'network_admin_menu', 'IP_Geo_Block::enqueue_nonce' );
49
}
50
51
/**
@@ -85,7 +83,7 @@ class IP_Geo_Block_Admin {
85
*
86
*/
87
public function enqueue_admin_assets() {
88
- $footer = TRUE;
89
$dependency = array( 'jquery' );
90
91
// css for option page
@@ -155,8 +153,18 @@ class IP_Geo_Block_Admin {
155
'IP_GEO_BLOCK',
156
array(
157
'action' => 'ip_geo_block',
158
'url' => admin_url( 'admin-ajax.php' ),
159
'nonce' => IP_Geo_Block_Util::create_nonce( $this->get_ajax_action() ),
160
)
161
);
162
wp_enqueue_script( $handle );
@@ -206,43 +214,52 @@ class IP_Geo_Block_Admin {
206
}
207
208
/**
209
- * Display global notice
210
*
211
- * @notice: Sanitization should be done at the caller
212
*/
213
public function show_admin_notices() {
214
$key = IP_Geo_Block::PLUGIN_NAME . '-notice';
215
if ( FALSE !== ( $notices = get_transient( $key ) ) ) {
216
foreach ( $notices as $msg => $type ) {
217
- echo "\n<div class=\"notice is-dismissible ", esc_attr( $type ), "\"><p><strong>IP Geo Block:</strong> ", IP_Geo_Block_Util::kses( $msg ), "</p></div>\n";
218
}
219
}
220
}
221
222
public static function add_admin_notice( $type, $msg ) {
223
$key = IP_Geo_Block::PLUGIN_NAME . '-notice';
224
if ( FALSE === ( $notices = get_transient( $key ) ) )
225
$notices = array();
226
227
if ( ! isset( $notices[ $msg ] ) ) {
228
$notices[ $msg ] = $type;
229
set_transient( $key, $notices, MINUTE_IN_SECONDS );
230
}
231
}
232
233
- /**
234
- * Display local notice
235
- *
236
- */
237
- private function show_setting_notice( $type, $msg ) {
238
- add_settings_error( IP_Geo_Block::PLUGIN_NAME, IP_Geo_Block::OPTION_NAME, $msg, $type );
239
- }
240
-
241
/**
242
* Register the administration menu into the WordPress Dashboard menu.
243
*
244
*/
245
- private function add_plugin_admin_page() {
246
// Add a settings page for this plugin to the Settings menu.
247
$hook = add_options_page(
248
__( 'IP Geo Block', 'ip-geo-block' ),
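Review bot: replacing `show_setting_notice()` (a thin wrapper over `add_settings_error()`, which is scoped to the current request and user) with `add_admin_notice()` moves every notice into a single site-wide transient keyed only by plugin name. A validation error raised while one administrator saves settings is therefore shown to, and then cleared by, whichever administrator's screen next runs `show_admin_notices()` (the new side now calls `delete_transient( $key )` there), and it silently expires after `MINUTE_IN_SECONDS` if no screen renders in time. Consider keying the transient by `get_current_user_id()` (or storing per-user results in user meta), and keep `add_settings_error()` for errors raised inside `validate_options()`, which options.php already displays on the settings page without any extra plumbing.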
@@ -262,27 +279,25 @@ class IP_Geo_Block_Admin {
262
*
263
*/
264
private function diagnose_admin_screen() {
265
- // delete all admin noties
266
- delete_transient( IP_Geo_Block::PLUGIN_NAME . '-notice' );
267
-
268
// Check version and compatibility
269
if ( version_compare( get_bloginfo( 'version' ), '3.7.0' ) < 0 )
270
self::add_admin_notice( 'error', __( 'You need WordPress 3.7+.', 'ip-geo-block' ) );
271
272
$settings = IP_Geo_Block::get_option();
273
274
// Check consistency of matching rule
275
if ( -1 === (int)$settings['matching_rule'] ) {
276
if ( FALSE !== get_transient( IP_Geo_Block::CRON_NAME ) ) {
277
self::add_admin_notice( 'notice-warning', sprintf(
278
__( 'Now downloading geolocation databases in background. After a little while, please check your country code and &#8220;<strong>Matching rule</strong>&#8221; at <a href="%s">Validation rule settings</a>.', 'ip-geo-block' ),
279
- esc_url( admin_url( 'options-general.php?page=' . IP_Geo_Block::PLUGIN_NAME ) )
280
) );
281
}
282
else {
283
self::add_admin_notice( 'error', sprintf(
284
__( 'The &#8220;<strong>Matching rule</strong>&#8221; is not set properly. Please confirm it at <a href="%s">Validation rule settings</a>.', 'ip-geo-block' ),
285
- esc_url( admin_url( 'options-general.php?page=' . IP_Geo_Block::PLUGIN_NAME ) )
286
) );
287
}
288
}
@@ -290,23 +305,35 @@ class IP_Geo_Block_Admin {
290
// Check to finish updating matching rule
291
elseif ( 'done' === get_transient( IP_Geo_Block::CRON_NAME ) ) {
292
delete_transient( IP_Geo_Block::CRON_NAME );
293
- self::add_admin_notice( 'updated', __( 'Local database and matching rule have been updated.', 'ip-geo-block' ) );
294
}
295
296
// Check self blocking
297
if ( 1 === (int)$settings['validation']['login'] ) {
298
$instance = IP_Geo_Block::get_instance();
299
- $validate = $instance->validate_ip( 'login', $settings, TRUE, FALSE, FALSE );
300
301
- if ( 'passed' !== $validate['result'] ) {
302
self::add_admin_notice( 'error',
303
( $settings['matching_rule'] ?
304
__( 'Once you logout, you will be unable to login again because your country code or IP address is in the blacklist.', 'ip-geo-block' ) :
305
__( 'Once you logout, you will be unable to login again because your country code or IP address is not in the whitelist.', 'ip-geo-block' )
306
- ) .
307
sprintf(
308
__( 'Please check your <a href="%s">Validation rule settings</a>.', 'ip-geo-block' ),
309
- esc_url( admin_url( 'options-general.php?page=' . IP_Geo_Block::PLUGIN_NAME . '#' . IP_Geo_Block::PLUGIN_NAME . '-settings-0' ) )
310
)
311
);
312
}
@@ -328,13 +355,17 @@ class IP_Geo_Block_Admin {
328
*
329
*/
330
public function setup_admin_page() {
331
- $this->diagnose_admin_screen();
332
- $this->add_plugin_admin_page();
333
334
- // Register settings page only if it is needed
335
if ( ( isset( $_GET ['page' ] ) && IP_Geo_Block::PLUGIN_NAME === $_GET ['page' ] ) ||
336
- ( isset( $_POST['option_page'] ) && IP_Geo_Block::PLUGIN_NAME === $_POST['option_page'] ) )
337
$this->register_settings_tab();
338
339
// Add an action link pointing to the options page. @since 2.7
340
else {
@@ -342,8 +373,10 @@ class IP_Geo_Block_Admin {
342
add_filter( 'plugin_action_links_' . IP_GEO_BLOCK_BASE, array( $this, 'add_action_links' ), 10, 1 );
343
}
344
345
- // Register scripts and admin notice
346
add_action( 'admin_enqueue_scripts', array( 'IP_Geo_Block', 'enqueue_nonce' ) );
347
add_action( 'admin_notices', array( $this, 'show_admin_notices' ) );
348
}
349
@@ -352,6 +385,7 @@ class IP_Geo_Block_Admin {
352
*
353
*/
354
public function display_plugin_admin_page() {
355
$tabs = array(
356
0 => __( 'Settings', 'ip-geo-block' ),
357
1 => __( 'Statistics', 'ip-geo-block' ),
@@ -359,7 +393,6 @@ class IP_Geo_Block_Admin {
359
2 => __( 'Search', 'ip-geo-block' ),
360
3 => __( 'Attribution', 'ip-geo-block' ),
361
);
362
- $tab = $this->admin_tab;
363
?>
364
<div class="wrap">
365
<h2><?php echo esc_html( get_admin_page_title() ); ?></h2>
@@ -417,7 +450,7 @@ class IP_Geo_Block_Admin {
417
3 => 'admin/includes/tab-attribution.php',
418
);
419
420
- require_once( IP_GEO_BLOCK_PATH . $files[ $this->admin_tab ] );
421
IP_Geo_Block_Admin_Tab::tab_setup( $this );
422
}
423
@@ -540,7 +573,7 @@ class IP_Geo_Block_Admin {
540
}
541
542
/**
543
- * A callback function that validates the option's value.
544
*
545
* @param array $input The values to be validated.
546
*
@@ -555,13 +588,15 @@ class IP_Geo_Block_Admin {
555
$output = IP_Geo_Block::get_option();
556
$default = IP_Geo_Block::get_default();
557
558
- // checkboxes not on the form (added after 2.0.0, just in case)
559
- foreach ( array( 'anonymize' ) as $key )
560
$output[ $key ] = 0;
561
562
- // checkboxes not on the form
563
- foreach ( array( 'admin', 'ajax', 'plugins', 'themes' ) as $key )
564
$output['validation'][ $key ] = 0;
565
566
// restore the 'signature' that might be transformed to avoid self blocking
567
if ( isset( $input['signature'] ) && FALSE === strpos( $input['signature'], ',' ) )
@@ -607,18 +642,16 @@ class IP_Geo_Block_Admin {
607
}
608
609
// Check providers setting
610
- if ( $error = IP_Geo_Block_Provider::diag_providers( $output[ $key ] ) ) {
611
- $this->show_setting_notice( 'error', $error );
612
- }
613
break;
614
615
case 'comment':
616
- if ( isset( $input[ $key ]['pos'] ) ) {
617
$output[ $key ]['pos'] = (int)$input[ $key ]['pos'];
618
- }
619
- if ( isset( $input[ $key ]['msg'] ) ) {
620
$output[ $key ]['msg'] = IP_Geo_Block_Util::kses( $input[ $key ]['msg'] );
621
- }
622
break;
623
624
case 'white_list':
@@ -675,7 +708,7 @@ class IP_Geo_Block_Admin {
675
else {
676
$output[ $key ][ $sub ] = ( is_int( $default[ $key ][ $sub ] ) ?
677
(int)$input[ $key ][ $sub ] :
678
- IP_Geo_Block_Util::kses( preg_replace( '/[^-,:!*#+=\.\/\w\s]/', '', $input[ $key ][ $sub ] ), FALSE )
679
);
680
}
681
}
@@ -693,7 +726,7 @@ class IP_Geo_Block_Admin {
693
) );
694
695
// sanitize and format ip address
696
- $key = array( '/[^\d\n\.\/,:]/', '/([\s,])+/', '/(?:^,|,$)/' );
697
$val = array( '', '$1', '' );
698
$output['extra_ips']['white_list'] = preg_replace( $key, $val, trim( $output['extra_ips']['white_list'] ) );
699
$output['extra_ips']['black_list'] = preg_replace( $key, $val, trim( $output['extra_ips']['black_list'] ) );
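Review bot: the removed character class `/[^\d\n\.\/,:]/` strips everything except digits, `.`, `/`, `,`, `:` and newlines, so any IPv6 entry containing hex letters in `extra_ips` was silently mangled before being saved; whatever pattern replaces it must admit `a-f`/`A-F`. Beyond the character filter, it is worth validating each entry of the white and black lists after the `preg_replace()` (for example `filter_var()` with `FILTER_VALIDATE_IP` on the address part plus a range check on the CIDR suffix) and surfacing a notice for rejected entries, because a malformed whitelist entry that never matches is exactly the kind of mistake that locks the administrator out.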
@@ -703,19 +736,40 @@ class IP_Geo_Block_Admin {
703
array_shift( $val );
704
$output['signature'] = preg_replace( $key, $val, trim( $output['signature'] ) );
705
706
// reject invalid signature which potentially blocks itself
707
$output['signature'] = implode( ',', $this->trim( $output['signature'] ) );
708
709
// 2.2.5 exception : convert associative array to simple array
710
- foreach ( array( 'plugins', 'themes' ) as $key )
711
$output['exception'][ $key ] = array_keys( $output['exception'][ $key ] );
712
713
return $output;
714
}
715
716
// Callback for preg_replace_callback()
717
public function strtoupper( $matches ) {
718
- return strtoupper( $matches[0] );
719
}
720
721
// Trim extra space and comma avoiding invalid signature which potentially blocks itself
@@ -734,29 +788,28 @@ class IP_Geo_Block_Admin {
734
* Check admin post
735
*
736
*/
737
- private function check_admin_post( $ajax ) {
738
- $nonce = TRUE;
739
-
740
- if ( $ajax ) {
741
- $action = $this->get_ajax_action();
742
- $nonce &= IP_Geo_Block_Util::verify_nonce( IP_Geo_Block_Util::retrieve_nonce( 'nonce' ), $action );
743
- // $nonce &= check_admin_referer( $this->get_ajax_action(), 'nonce' );
744
}
745
746
$action = IP_Geo_Block::PLUGIN_NAME . '-auth-nonce';
747
$nonce &= IP_Geo_Block_Util::verify_nonce( IP_Geo_Block_Util::retrieve_nonce( $action ), $action );
748
749
- if ( ! current_user_can( 'manage_options' ) || ! $nonce ) {
750
status_header( 403 );
751
wp_die(
752
__( 'You do not have sufficient permissions to access this page.' ), '',
753
- array( 'response' => 403, 'back_link' => true )
754
);
755
}
756
}
757
758
/**
759
- * Sanitize options before saving them into DB.
760
*
761
*/
762
public function validate_settings( $input = array() ) {
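Review bot: this hunk removes `$nonce = TRUE;` together with the ajax branch, but the context line `$nonce &= IP_Geo_Block_Util::verify_nonce( IP_Geo_Block_Util::retrieve_nonce( $action ), $action );` still compounds onto `$nonce`; if the replacement does not initialise it as a boolean before the first `&=`, PHP treats the undefined variable as 0 and every admin request, ajax or not, is rejected with 403. Two smaller points on the lines that remain: `&=` is a bitwise operator and quietly turns the boolean into an int (`$nonce = $nonce && ...` states the intent), and checking `current_user_can( 'manage_options' )` before computing any nonce would let unauthenticated callers be refused without touching the nonce helpers at all.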
@@ -766,10 +819,8 @@ class IP_Geo_Block_Admin {
766
// validate setting options
767
$options = $this->validate_options( $input );
768
769
- //----------------------------------------
770
// activate rewrite rules
771
- //----------------------------------------
772
- require_once( IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-rewrite.php' );
773
$stat = IP_Geo_Block_Admin_Rewrite::activate_rewrite_all( $options['rewrite'] );
774
775
// check the status of rewrite rules
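Review bot: the `require_once( IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-rewrite.php' )` is dropped while `IP_Geo_Block_Admin_Rewrite::activate_rewrite_all()` is still called on the very next line; unless the class is now loaded elsewhere (an autoloader or an earlier include), saving settings ends in a fatal "class not found". The same question applies to the removed `require_once` of `classes/class-ip-geo-block-opts.php` ahead of `IP_Geo_Block_Opts::setup_validation_timing()` and to the several removed includes of `admin/includes/class-admin-ajax.php` in the ajax handler further down. A one-line comment naming where these classes are loaded now would spare the next reader the same hunt.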
@@ -785,20 +836,18 @@ class IP_Geo_Block_Admin {
785
$file[] = '<code>' . $dirs[ $key ] . '.htaccess</code>';
786
}
787
788
- $this->show_setting_notice( 'error',
789
sprintf( __( 'Unable to write %s. Please check the permission.', 'ip-geo-block' ), implode( ', ', $file ) ) . '&nbsp;' .
790
sprintf( _n( 'Or please refer to %s to set it manually.', 'Or please refer to %s to set them manually.', count( $file ), 'ip-geo-block' ), '<a href="http://ipgeoblock.com/codex/how-to-fix-permission-troubles.html" title="How to fix permission troubles? | IP Geo Block">How to fix permission troubles?</a>' )
791
);
792
}
793
794
- //----------------------------------------
795
- // additional installation
796
- //----------------------------------------
797
- require_once( IP_GEO_BLOCK_PATH . 'classes/class-ip-geo-block-opts.php' );
798
$file = IP_Geo_Block_Opts::setup_validation_timing( $options );
799
if ( TRUE !== $file ) {
800
$options['validation']['timing'] = 0;
801
- $this->show_setting_notice( 'error', sprintf(
802
__( 'Unable to write %s. Please check the permission.', 'ip-geo-block' ), $file
803
) );
804
}
@@ -806,9 +855,6 @@ class IP_Geo_Block_Admin {
806
// Force to finish update matching rule
807
delete_transient( IP_Geo_Block::CRON_NAME );
808
809
- // register a settings error to be displayed to the user
810
- $this->show_setting_notice( 'updated', __( 'Settings saved.' ) );
811
-
812
return $options;
813
}
814
@@ -823,6 +869,8 @@ class IP_Geo_Block_Admin {
823
// Check request origin, nonce, capability.
824
$this->check_admin_post( TRUE );
825
826
$which = isset( $_POST['which'] ) ? $_POST['which'] : NULL;
827
switch ( isset( $_POST['cmd' ] ) ? $_POST['cmd' ] : NULL ) {
828
case 'download':
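Review bot: `$which = isset( $_POST['which'] ) ? $_POST['which'] : NULL;` takes the value straight from the request and hands it to `search_ip()`, `export_logs()`, `restore_logs()` and the other helpers below; only the `clear-logs` case whitelists it (`in_array( $which, $hook )`). Because `check_admin_post( TRUE )` has already enforced a nonce and `manage_options`, an outsider cannot reach this code, but it is still worth `wp_unslash()`ing and sanitising once at the top (or per command: a syntactically valid IP for `search`, a known hook name for the log commands) so that each helper can rely on the shape of its input instead of every one of them having to defend itself.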
@@ -832,14 +880,12 @@ class IP_Geo_Block_Admin {
832
833
case 'search':
834
// Get geolocation by IP
835
- require_once( IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-ajax.php' );
836
$res = IP_Geo_Block_Admin_Ajax::search_ip( $which );
837
break;
838
839
case 'scan-code':
840
// Fetch providers to get country code
841
- require_once( IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-ajax.php' );
842
- $res = IP_Geo_Block_Admin_Ajax::scan_country();
843
break;
844
845
case 'clear-statistics':
@@ -862,7 +908,7 @@ class IP_Geo_Block_Admin {
862
863
case 'clear-logs':
864
// Delete logs in MySQL DB
865
- $hook = array( 'comment', 'login', 'admin', 'xmlrpc' );
866
$which = in_array( $which, $hook ) ? $which : NULL;
867
IP_Geo_Block_Logs::clear_logs( $which );
868
$res = array(
@@ -873,31 +919,26 @@ class IP_Geo_Block_Admin {
873
874
case 'export-logs':
875
// Export logs from MySQL DB
876
- require_once( IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-ajax.php' );
877
IP_Geo_Block_Admin_Ajax::export_logs( $which );
878
break;
879
880
case 'restore':
881
// Get logs from MySQL DB
882
- require_once( IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-ajax.php' );
883
$res = IP_Geo_Block_Admin_Ajax::restore_logs( $which );
884
break;
885
886
case 'validate':
887
// Validate settings
888
- require_once( IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-ajax.php' );
889
IP_Geo_Block_Admin_Ajax::validate_settings( $this );
890
break;
891
892
case 'import-default':
893
// Import initial settings
894
- require_once( IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-ajax.php' );
895
$res = IP_Geo_Block_Admin_Ajax::settings_to_json( IP_Geo_Block::get_default() );
896
break;
897
898
case 'import-preferred':
899
// Import preference
900
- require_once( IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-ajax.php' );
901
$res = IP_Geo_Block_Admin_Ajax::preferred_to_json();
902
break;
903
@@ -908,12 +949,16 @@ class IP_Geo_Block_Admin {
908
$which['api_key']['GoogleMap'] = NULL;
909
update_option( IP_Geo_Block::OPTION_NAME, $which );
910
$res = array(
911
- 'page' => 'options-general.php?page=' . IP_Geo_Block::PLUGIN_SLUG,
912
'tab' => 'tab=2'
913
);
914
}
915
break;
916
917
case 'create-table':
918
case 'delete-table':
919
// Need to define `IP_GEO_BLOCK_DEBUG` to true
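Review bot: `update_option( IP_Geo_Block::OPTION_NAME, $which )` writes `$which` back as the complete settings array; since the same variable is filled from `$_POST['which']` at the top of the handler, please confirm, ideally with a comment on the line that reassigns it, that `$which` here is the freshly loaded option array and not request data. On the removed `'page' => 'options-general.php?page=' . IP_Geo_Block::PLUGIN_SLUG` line: the following hunk's context builds the same URL with `IP_Geo_Block::PLUGIN_NAME`, so if the replacement aligns the two, check that nothing else still relies on `PLUGIN_SLUG`.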
@@ -925,6 +970,7 @@ class IP_Geo_Block_Admin {
925
$res = array(
926
'page' => 'options-general.php?page=' . IP_Geo_Block::PLUGIN_NAME,
927
);
928
}
929
930
if ( isset( $res ) ) // wp_send_json_{success,error}() @since 3.5.0
6
* @author tokkonopapa <tokkonopapa@yahoo.com>
7
* @license GPL-2.0+
8
* @link http://www.ipgeoblock.com/
9
+ * @copyright 2013-2017 tokkonopapa
10
*/
11
12
class IP_Geo_Block_Admin {
28
* and adding a settings page and menu.
29
*/
30
private function __construct() {
31
// Load plugin text domain.
32
add_action( 'init', array( $this, 'load_plugin_textdomain' ) );
33
41
add_filter( 'wp_prepare_revision_for_js', array( $this, 'add_revision_nonce' ), 10, 3 );
42
43
// If multisite, then enque the authentication script for network admin
44
+ if ( is_multisite() ) {
45
add_action( 'network_admin_menu', 'IP_Geo_Block::enqueue_nonce' );
46
+ }
47
}
48
49
/**
83
*
84
*/
85
public function enqueue_admin_assets() {
86
+ $footer = FALSE;
87
$dependency = array( 'jquery' );
88
89
// css for option page
153
'IP_GEO_BLOCK',
154
array(
155
'action' => 'ip_geo_block',
156
+ 'tab' => $this->admin_tab,
157
'url' => admin_url( 'admin-ajax.php' ),
158
'nonce' => IP_Geo_Block_Util::create_nonce( $this->get_ajax_action() ),
159
+ 'msg' => array(
160
+ __( 'Import settings ?', 'ip-geo-block' ),
161
+ __( 'Create table ?', 'ip-geo-block' ),
162
+ __( 'Delete table ?', 'ip-geo-block' ),
163
+ __( 'Clear statistics ?', 'ip-geo-block' ),
164
+ __( 'Clear cache ?', 'ip-geo-block' ),
165
+ __( 'Clear logs ?', 'ip-geo-block' ),
166
+ __( 'This feature is available with HTML5 compliant browsers.', 'ip-geo-block' ),
167
+ ),
168
)
169
);
170
wp_enqueue_script( $handle );
214
}
215
216
/**
217
+ * Show global notice.
218
*
219
*/
220
public function show_admin_notices() {
221
$key = IP_Geo_Block::PLUGIN_NAME . '-notice';
222
+
223
if ( FALSE !== ( $notices = get_transient( $key ) ) ) {
224
foreach ( $notices as $msg => $type ) {
225
+ echo "\n", '<div class="notice is-dismissible ', esc_attr( $type ), '"><p>';
226
+ if ( 'updated' === $type )
227
+ echo '<strong>', IP_Geo_Block_Util::kses( $msg ), '</strong>';
228
+ else
229
+ echo '<strong>IP Geo Block:</strong> ', IP_Geo_Block_Util::kses( $msg );
230
+ echo '</p></div>', "\n";
231
}
232
}
233
+
234
+ // delete all admin noties
235
+ delete_transient( $key );
236
}
237
238
+ /**
239
+ * Add global notice.
240
+ *
241
+ */
242
public static function add_admin_notice( $type, $msg ) {
243
$key = IP_Geo_Block::PLUGIN_NAME . '-notice';
244
if ( FALSE === ( $notices = get_transient( $key ) ) )
245
$notices = array();
246
247
+ // can't overwrite the existent notice
248
if ( ! isset( $notices[ $msg ] ) ) {
249
$notices[ $msg ] = $type;
250
set_transient( $key, $notices, MINUTE_IN_SECONDS );
251
}
252
}
253
254
/**
255
* Register the administration menu into the WordPress Dashboard menu.
256
*
257
*/
258
+ private function add_plugin_admin_menu() {
259
+ // Setup the tab number
260
+ $this->admin_tab = isset( $_GET['tab'] ) ? (int)$_GET['tab'] : 0;
261
+ $this->admin_tab = min( 4, max( 0, $this->admin_tab ) );
262
+
263
// Add a settings page for this plugin to the Settings menu.
264
$hook = add_options_page(
265
__( 'IP Geo Block', 'ip-geo-block' ),
279
*
280
*/
281
private function diagnose_admin_screen() {
282
// Check version and compatibility
283
if ( version_compare( get_bloginfo( 'version' ), '3.7.0' ) < 0 )
284
self::add_admin_notice( 'error', __( 'You need WordPress 3.7+.', 'ip-geo-block' ) );
285
286
$settings = IP_Geo_Block::get_option();
287
+ $adminurl = 'options-general.php';
288
289
// Check consistency of matching rule
290
if ( -1 === (int)$settings['matching_rule'] ) {
291
if ( FALSE !== get_transient( IP_Geo_Block::CRON_NAME ) ) {
292
self::add_admin_notice( 'notice-warning', sprintf(
293
__( 'Now downloading geolocation databases in background. After a little while, please check your country code and &#8220;<strong>Matching rule</strong>&#8221; at <a href="%s">Validation rule settings</a>.', 'ip-geo-block' ),
294
+ esc_url( add_query_arg( array( 'page' => IP_Geo_Block::PLUGIN_NAME ), $adminurl ) )
295
) );
296
}
297
else {
298
self::add_admin_notice( 'error', sprintf(
299
__( 'The &#8220;<strong>Matching rule</strong>&#8221; is not set properly. Please confirm it at <a href="%s">Validation rule settings</a>.', 'ip-geo-block' ),
300
+ esc_url( add_query_arg( array( 'page' => IP_Geo_Block::PLUGIN_NAME ), $adminurl ) )
301
) );
302
}
303
}
305
// Check to finish updating matching rule
306
elseif ( 'done' === get_transient( IP_Geo_Block::CRON_NAME ) ) {
307
delete_transient( IP_Geo_Block::CRON_NAME );
308
+ self::add_admin_notice( 'updated ', __( 'Local database and matching rule have been updated.', 'ip-geo-block' ) );
309
}
310
311
// Check self blocking
312
if ( 1 === (int)$settings['validation']['login'] ) {
313
$instance = IP_Geo_Block::get_instance();
314
+ $validate = $instance->validate_ip( 'login', $settings, TRUE, FALSE, FALSE ); // skip authentication check
315
+
316
+ switch( $validate['result'] ) {
317
+ case 'limited':
318
+ self::add_admin_notice( 'error',
319
+ __( 'Once you logout, you will be unable to login again because the number of login attempts reaches the limit.', 'ip-geo-block' ) . ' ' .
320
+ sprintf(
321
+ __( 'Please execute "<strong>Clear cache</strong>" on <a href="%s">Statistics tab</a> to prevent locking yourself out.', 'ip-geo-block' ),
322
+ esc_url( add_query_arg( array( 'page' => IP_Geo_Block::PLUGIN_NAME, 'tab' => 1 ), $adminurl ) )
323
+ )
324
+ );
325
+ break;
326
327
+ case 'blocked':
328
+ case 'extra':
329
self::add_admin_notice( 'error',
330
( $settings['matching_rule'] ?
331
__( 'Once you logout, you will be unable to login again because your country code or IP address is in the blacklist.', 'ip-geo-block' ) :
332
__( 'Once you logout, you will be unable to login again because your country code or IP address is not in the whitelist.', 'ip-geo-block' )
333
+ ) . ' ' .
334
sprintf(
335
__( 'Please check your <a href="%s">Validation rule settings</a>.', 'ip-geo-block' ),
336
+ esc_url( add_query_arg( array( 'page' => IP_Geo_Block::PLUGIN_NAME ), $adminurl ) ) . '#' . IP_Geo_Block::PLUGIN_NAME . '-settings-0'
337
)
338
);
339
}
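Review bot: `self::add_admin_notice( 'updated ', __( 'Local database and matching rule have been updated.', ... ) )` passes the type with a trailing space, so the `'updated' === $type` test in `show_admin_notices()` never matches for this message (it falls into the `<strong>IP Geo Block:</strong>` branch instead of the bold-message one) and the rendered class attribute becomes `notice is-dismissible updated ` with a dangling space. Drop the space. The new `case 'limited':` branch, which points the administrator at "Clear cache" on the Statistics tab before logging out, is a good addition; it closes the self-lockout path introduced by the login-attempt limit.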
355
*
356
*/
357
public function setup_admin_page() {
358
+ // Avoid multiple validation.
359
+ if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
360
+ $this->diagnose_admin_screen();
361
+ $this->add_plugin_admin_menu();
362
+ }
363
364
+ // Register settings page only if it is needed.
365
if ( ( isset( $_GET ['page' ] ) && IP_Geo_Block::PLUGIN_NAME === $_GET ['page' ] ) ||
366
+ ( isset( $_POST['option_page'] ) && IP_Geo_Block::PLUGIN_NAME === $_POST['option_page'] ) ) {
367
$this->register_settings_tab();
368
+ }
369
370
// Add an action link pointing to the options page. @since 2.7
371
else {
373
add_filter( 'plugin_action_links_' . IP_GEO_BLOCK_BASE, array( $this, 'add_action_links' ), 10, 1 );
374
}
375
376
+ // Register scripts for admin.
377
add_action( 'admin_enqueue_scripts', array( 'IP_Geo_Block', 'enqueue_nonce' ) );
378
+
379
+ // Show admin notices at the place where it should be.
380
add_action( 'admin_notices', array( $this, 'show_admin_notices' ) );
381
}
382
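Review bot: `'POST' !== $_SERVER['REQUEST_METHOD']` reads the superglobal without an isset() guard; under WP-CLI or a cron run REQUEST_METHOD is absent and this emits a notice on every load. Suggest `if ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] )` so the diagnose/menu branch still runs cleanly in those contexts.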
385
*
386
*/
387
public function display_plugin_admin_page() {
388
+ $tab = $this->admin_tab;
389
$tabs = array(
390
0 => __( 'Settings', 'ip-geo-block' ),
391
1 => __( 'Statistics', 'ip-geo-block' ),
393
2 => __( 'Search', 'ip-geo-block' ),
394
3 => __( 'Attribution', 'ip-geo-block' ),
395
);
396
?>
397
<div class="wrap">
398
<h2><?php echo esc_html( get_admin_page_title() ); ?></h2>
450
3 => 'admin/includes/tab-attribution.php',
451
);
452
453
+ require_once IP_GEO_BLOCK_PATH . $files[ $this->admin_tab ];
454
IP_Geo_Block_Admin_Tab::tab_setup( $this );
455
}
456
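Review bot: `require_once IP_GEO_BLOCK_PATH . $files[ $this->admin_tab ];` relies on `$this->admin_tab` already being clamped to the keys of `$files` (0 to 3), and that clamping is not visible in this hunk. If the property can hold any other value the lookup raises an undefined-index notice and require_once is called on the bare plugin directory. Suggest a guard directly before the require, e.g. `$file = isset( $files[ $this->admin_tab ] ) ? $files[ $this->admin_tab ] : $files[0];`.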
573
}
574
575
/**
576
+ * Sanitize options before saving them into DB.
577
*
578
* @param array $input The values to be validated.
579
*
588
$output = IP_Geo_Block::get_option();
589
$default = IP_Geo_Block::get_default();
590
591
+ // initialize checkboxes not in the form (added after 2.0.0, just in case)
592
+ foreach ( array( 'anonymize', 'network_wide' ) as $key ) {
593
$output[ $key ] = 0;
594
+ }
595
596
+ // initialize checkboxes not in the form
597
+ foreach ( array( 'login', 'admin', 'ajax', 'plugins', 'themes', 'public' ) as $key ) {
598
$output['validation'][ $key ] = 0;
599
+ }
600
601
// restore the 'signature' that might be transformed to avoid self blocking
602
if ( isset( $input['signature'] ) && FALSE === strpos( $input['signature'], ',' ) )
642
}
643
644
// Check providers setting
645
+ if ( $error = IP_Geo_Block_Provider::diag_providers( $output[ $key ] ) )
646
+ self::add_admin_notice( 'error', $error );
647
break;
648
649
case 'comment':
650
+ if ( isset( $input[ $key ]['pos'] ) )
651
$output[ $key ]['pos'] = (int)$input[ $key ]['pos'];
652
+
653
+ if ( isset( $input[ $key ]['msg'] ) )
654
$output[ $key ]['msg'] = IP_Geo_Block_Util::kses( $input[ $key ]['msg'] );
655
break;
656
657
case 'white_list':
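Review bot: `if ( $error = IP_Geo_Block_Provider::diag_providers( $output[ $key ] ) )` performs an assignment inside the condition, which reads like a mistyped comparison. Suggest splitting it into `$error = IP_Geo_Block_Provider::diag_providers( $output[ $key ] );` followed by `if ( $error ) { self::add_admin_notice( 'error', $error ); }`, and brace the single-statement `if` bodies in the `comment` case for consistency with the braced loops this change adds elsewhere.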
708
else {
709
$output[ $key ][ $sub ] = ( is_int( $default[ $key ][ $sub ] ) ?
710
(int)$input[ $key ][ $sub ] :
711
+ IP_Geo_Block_Util::kses( trim( $input[ $key ][ $sub ] ), FALSE )
712
);
713
}
714
}
726
) );
727
728
// sanitize and format ip address
729
+ $key = array( '/[^\w\n\.\/,:]/', '/([\s,])+/', '/(?:^,|,$)/' );
730
$val = array( '', '$1', '' );
731
$output['extra_ips']['white_list'] = preg_replace( $key, $val, trim( $output['extra_ips']['white_list'] ) );
732
$output['extra_ips']['black_list'] = preg_replace( $key, $val, trim( $output['extra_ips']['black_list'] ) );
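Review bot: the pattern `'/[^\w\n\.\/,:]/'` sanitizes the extra_ips lists by silently deleting characters instead of rejecting the entry, so a mistyped address (a stray letter, an embedded space) becomes a different string that is then stored as an allow or deny rule. Suggest following the strip with a per-line check that each entry (address or CIDR prefix) passes filter_var() with FILTER_VALIDATE_IP, and reporting anything dropped through add_admin_notice() so the administrator sees what was discarded.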
736
array_shift( $val );
737
$output['signature'] = preg_replace( $key, $val, trim( $output['signature'] ) );
738
739
+ // 3.0.0 convert country code to upper case, remove redundant spaces
740
+ $output['public']['ua_list'] = preg_replace( $key, $val, trim( $output['public']['ua_list'] ) );
741
+ $output['public']['ua_list'] = preg_replace( '/([:#]) *([!]+) *([^ ]+) *([,\n]+)/', '$1$2$3$4', $output['public']['ua_list'] );
742
+ $output['public']['ua_list'] = preg_replace_callback( '/[:#]([\w:]+)/', array( $this, 'strtoupper' ), $output['public']['ua_list'] );
743
+
744
// reject invalid signature which potentially blocks itself
745
$output['signature'] = implode( ',', $this->trim( $output['signature'] ) );
746
747
// 2.2.5 exception : convert associative array to simple array
748
+ foreach ( array( 'plugins', 'themes' ) as $key ) {
749
$output['exception'][ $key ] = array_keys( $output['exception'][ $key ] );
750
+ }
751
+
752
+ // 3.0.0 public : convert country code to upper case
753
+ foreach ( array( 'white_list', 'black_list' ) as $key ) {
754
+ $output['public'][ $key ] = strtoupper( preg_replace( '/\s/', '', $output['public'][ $key ] ) );
755
+ }
756
+
757
+ // 3.0.0 exception : trim extra space and comma
758
+ foreach ( array( 'admin', 'public', 'includes', 'uploads', 'languages' ) as $key ) {
759
+ if ( empty( $output['exception'][ $key ] ) ) {
760
+ $output['exception'][ $key ] = $default['exception'][ $key ];
761
+ } else {
762
+ $output['exception'][ $key ] = ( is_array( $output['exception'][ $key ] ) ?
763
+ $output['exception'][ $key ] : $this->trim( $output['exception'][ $key ] ) );
764
+ }
765
+ }
766
767
return $output;
768
}
769
770
// Callback for preg_replace_callback()
771
public function strtoupper( $matches ) {
772
+ return filter_var( $matches[1], FILTER_VALIDATE_IP ) ? $matches[0] : strtoupper( $matches[0] );
773
}
774
775
// Trim extra space and comma avoiding invalid signature which potentially blocks itself
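Review bot: the `$key`/`$val` regex pairs introduced for the IP-address lists (and shifted with `array_shift( $val )` for the signature) are reused for `ua_list`, but the lines between the signature block and the ua_list block are not shown, so it is unclear which character class is in effect there; the IP pattern `[^\w\n\.\/,:]` would strip the `#`, `!`, `*` and space characters that the two ua_list patterns that follow expect to find. Suggest giving each pattern set its own name (for example `$ip_pat`/`$ip_rep` and `$ua_pat`/`$ua_rep`) instead of overwriting `$key`/`$val`, and renaming the callback method `strtoupper()`, which shadows the PHP builtin of the same name, to something like `uppercase_country_code()`.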
788
* Check admin post
789
*
790
*/
791
+ private function check_admin_post( $ajax = FALSE ) {
792
+ if ( FALSE === $ajax ) {
793
+ // a postfix '-options' is added at settings_fields().
794
+ $nonce = check_admin_referer( IP_Geo_Block::PLUGIN_NAME . '-options' );
795
+ } else {
796
+ $nonce = IP_Geo_Block_Util::verify_nonce( IP_Geo_Block_Util::retrieve_nonce( 'nonce' ), $this->get_ajax_action() );
797
}
798
799
$action = IP_Geo_Block::PLUGIN_NAME . '-auth-nonce';
800
$nonce &= IP_Geo_Block_Util::verify_nonce( IP_Geo_Block_Util::retrieve_nonce( $action ), $action );
801
802
+ if ( ! $nonce || ( ! current_user_can( 'manage_options' ) ) ) {
803
status_header( 403 );
804
wp_die(
805
__( 'You do not have sufficient permissions to access this page.' ), '',
806
+ array( 'response' => 403, 'back_link' => TRUE )
807
);
808
}
809
}
810
811
/**
812
+ * Validate settings and configure some features.
813
*
814
*/
815
public function validate_settings( $input = array() ) {
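Review bot: `$nonce &= IP_Geo_Block_Util::verify_nonce( ... )` combines the two nonce checks with a bitwise AND, but check_admin_referer() returns the integer result of wp_verify_nonce(), which is 1 or 2 depending on the tick in which the nonce was generated; if the first check yields 2 and the second yields 1 (or boolean true, which casts to 1), `2 & 1` is 0 and a legitimate request is denied with the 403 below. Suggest `$nonce = $nonce && IP_Geo_Block_Util::verify_nonce( IP_Geo_Block_Util::retrieve_nonce( $action ), $action );` so the combined result is a plain boolean.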
819
// validate setting options
820
$options = $this->validate_options( $input );
821
822
// activate rewrite rules
823
+ require_once IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-rewrite.php';
824
$stat = IP_Geo_Block_Admin_Rewrite::activate_rewrite_all( $options['rewrite'] );
825
826
// check the status of rewrite rules
836
$file[] = '<code>' . $dirs[ $key ] . '.htaccess</code>';
837
}
838
839
+ self::add_admin_notice( 'error',
840
sprintf( __( 'Unable to write %s. Please check the permission.', 'ip-geo-block' ), implode( ', ', $file ) ) . '&nbsp;' .
841
sprintf( _n( 'Or please refer to %s to set it manually.', 'Or please refer to %s to set them manually.', count( $file ), 'ip-geo-block' ), '<a href="http://ipgeoblock.com/codex/how-to-fix-permission-troubles.html" title="How to fix permission troubles? | IP Geo Block">How to fix permission troubles?</a>' )
842
);
843
}
844
845
+ // additional configuration
846
+ require_once IP_GEO_BLOCK_PATH . 'classes/class-ip-geo-block-opts.php';
847
$file = IP_Geo_Block_Opts::setup_validation_timing( $options );
848
if ( TRUE !== $file ) {
849
$options['validation']['timing'] = 0;
850
+ self::add_admin_notice( 'error', sprintf(
851
__( 'Unable to write %s. Please check the permission.', 'ip-geo-block' ), $file
852
) );
853
}
855
// Force to finish update matching rule
856
delete_transient( IP_Geo_Block::CRON_NAME );
857
858
return $options;
859
}
860
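Review bot: `$file` first holds the array of `<code>` strings used in the rewrite-rule notice and is then reassigned to the return value of setup_validation_timing(), which is compared with `TRUE !== $file` and printed as a path; reusing one variable for two differently typed values makes the second notice easy to misread. Suggest a distinct name such as `$timing_file` for the second block, and switch the codex link in the first notice from http to https.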
869
// Check request origin, nonce, capability.
870
$this->check_admin_post( TRUE );
871
872
+ require_once IP_GEO_BLOCK_PATH . 'admin/includes/class-admin-ajax.php';
873
+
874
$which = isset( $_POST['which'] ) ? $_POST['which'] : NULL;
875
switch ( isset( $_POST['cmd' ] ) ? $_POST['cmd' ] : NULL ) {
876
case 'download':
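Review bot: `$which = isset( $_POST['which'] ) ? $_POST['which'] : NULL;` forwards the raw POST value to every handler in the switch (search_ip, scan_country, export_logs, restore_logs and the rest); the nonce and capability check in check_admin_post( TRUE ) restricts who may call this endpoint, not what they send. Suggest normalizing once here with `wp_unslash()` and `sanitize_text_field()` and having each handler validate the value against the set it expects, as the clear-logs case does with its `$hook` list.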
880
881
case 'search':
882
// Get geolocation by IP
883
$res = IP_Geo_Block_Admin_Ajax::search_ip( $which );
884
break;
885
886
case 'scan-code':
887
// Fetch providers to get country code
888
+ $res = IP_Geo_Block_Admin_Ajax::scan_country( $which );
889
break;
890
891
case 'clear-statistics':
908
909
case 'clear-logs':
910
// Delete logs in MySQL DB
911
+ $hook = array( 'comment', 'login', 'admin', 'xmlrpc', 'public' );
912
$which = in_array( $which, $hook ) ? $which : NULL;
913
IP_Geo_Block_Logs::clear_logs( $which );
914
$res = array(
919
920
case 'export-logs':
921
// Export logs from MySQL DB
922
IP_Geo_Block_Admin_Ajax::export_logs( $which );
923
break;
924
925
case 'restore':
926
// Get logs from MySQL DB
927
$res = IP_Geo_Block_Admin_Ajax::restore_logs( $which );
928
break;
929
930
case 'validate':
931
// Validate settings
932
IP_Geo_Block_Admin_Ajax::validate_settings( $this );
933
break;
934
935
case 'import-default':
936
// Import initial settings
937
$res = IP_Geo_Block_Admin_Ajax::settings_to_json( IP_Geo_Block::get_default() );
938
break;
939
940
case 'import-preferred':
941
// Import preference
942
$res = IP_Geo_Block_Admin_Ajax::preferred_to_json();
943
break;
944
949
$which['api_key']['GoogleMap'] = NULL;
950
update_option( IP_Geo_Block::OPTION_NAME, $which );
951
$res = array(
952
+ 'page' => 'options-general.php?page=' . IP_Geo_Block::PLUGIN_NAME,
953
'tab' => 'tab=2'
954
);
955
}
956
break;
957
958
+ case 'show-info':
959
+ $res = IP_Geo_Block_Admin_Ajax::get_wp_info();
960
+ break;
961
+
962
case 'create-table':
963
case 'delete-table':
964
// Need to define `IP_GEO_BLOCK_DEBUG` to true
970
$res = array(
971
'page' => 'options-general.php?page=' . IP_Geo_Block::PLUGIN_NAME,
972
);
973
+ break;
974
}
975
976
if ( isset( $res ) ) // wp_send_json_{success,error}() @since 3.5.0
admin/css/admin.css CHANGED
@@ -57,13 +57,13 @@ textarea.regular-text {
57
}
58
59
ul.ip_geo_block_settings_folding {
60
- margin: 0.3em 0;
61
}
62
ul.ip_geo_block_settings_folding ul {
63
margin-bottom: 0;
64
}
65
ul.ip_geo_block_settings_folding li:first-child {
66
- margin-top: 0.6em;
67
}
68
.folding-disable {
69
pointer-events: none;
@@ -74,6 +74,25 @@ ul.ip_geo_block_settings_folding li:first-child {
74
font-style:oblique !important;
75
}
76
77
.ip-geo-block-sup {
78
margin-left: 0.2em;
79
display: inline-block;
@@ -297,6 +316,10 @@ table.ip-geo-block-table {
297
word-wrap: break-word;
298
word-break: break-all;
299
}
300
301
/* Scan the country code */
302
#ip-geo-block-scan-code {
@@ -334,6 +357,14 @@ table.ip-geo-block-table {
334
position: relative;
335
top: 1px;
336
}
337
#ip-geo-block-cycle {
338
height: 16px;
339
width: 16px;
57
}
58
59
ul.ip_geo_block_settings_folding {
60
+ margin: 0.5em 0;
61
}
62
ul.ip_geo_block_settings_folding ul {
63
margin-bottom: 0;
64
}
65
ul.ip_geo_block_settings_folding li:first-child {
66
+ margin-top: 0.5em;
67
}
68
.folding-disable {
69
pointer-events: none;
74
font-style:oblique !important;
75
}
76
77
+ ul#ip-geo-block-actions dfn {
78
+ border: none;
79
+ }
80
+ ul#ip-geo-block-actions span.dashicons {
81
+ font-size: 90%;
82
+ }
83
+ .ip-geo-block-checked {
84
+ list-style-type: disc;
85
+ }
86
+
87
+ .ip-geo-block-ip-addr {
88
+ display: inline-block;
89
+ padding-top: 5px;
90
+ }
91
+
92
+ .ip-geo-block-hide {
93
+ display: none;
94
+ }
95
+
96
.ip-geo-block-sup {
97
margin-left: 0.2em;
98
display: inline-block;
316
word-wrap: break-word;
317