Advanced IP Blocker

Description

Advanced IP Blocker is your all-in-one security solution to safeguard your WordPress website from a wide range of threats. This plugin provides a comprehensive suite of tools to automatically detect and block malicious activity, including brute-force attacks, vulnerability scanning, and spam bots. With its intuitive interface, you can easily manage whitelists, blocklists, and view detailed security logs to understand exactly how your site is being protected.

Important Note on PHP Version:
To ensure maximum security and access to all features, we strongly recommend using PHP 8.1 or higher. Some advanced features (like the local MaxMind database or full 2FA management via WP-CLI) require PHP 8.1.

Key Features:
* NEW: AbuseIPDB Integration. Proactively block attackers before they strike. The plugin can now check visitor IPs against AbuseIPDB’s real-time, crowdsourced database of malicious IPs and block those with a high abuse score on their very first request.
* NEW: Edge Firewall Mode! Protect any PHP file or standalone application within your WordPress directory (even if it’s not part of WordPress). Ideal for securing custom scripts, legacy applications, or folders like /scan/. (Requires manual configuration).
* NEW: Advanced Rules Engine! Create powerful, custom security rules with multiple conditions (IP, Country, ASN, URI, User-Agent) and actions (Block, Challenge, or add Threat Score).
* NEW: Known Bot Verification. A new security layer that uses reverse DNS lookups to check that visitors presenting themselves as legitimate crawlers such as Googlebot and Bingbot really are. Attackers who try to bypass security rules by faking a crawler User-Agent are identified as impostors and assigned a high threat score.
* NEW: Onboarding Setup Wizard. A brand new step-by-step wizard that guides new users through the essential security configurations (IP whitelisting, WAF, and bot traps) in under a minute, ensuring a strong security posture from day one.
* Major Refactor: Codebase Modernization. The entire plugin architecture has been refactored into a modern, modular structure. Logic for admin pages, AJAX, actions, and settings is now handled by dedicated classes, making the plugin more stable, performant, and easier to maintain and extend in the future.
* NEW: Advanced IP Spoofing Protection. A zero-trust “Trusted Proxies” system ensures the plugin always identifies the true visitor IP, even behind complex setups like Cloudflare or a custom reverse proxy. It neutralizes attacks that attempt to fake their IP, preventing block evasion and the framing of innocent users.
* NEW: Geo-Challenge. A smarter way to handle traffic from high-risk countries. Instead of a hard block, it presents a quick, invisible JavaScript challenge that stops most bots but is seamless for human visitors. This reduces unwanted traffic without affecting potential legitimate users.
* ENHANCEMENT: Full Bulk-Action Support. IP management is now faster than ever. Both the Whitelist and the Blocked IPs list now support full bulk actions, allowing you to select and remove multiple entries at once, or unblock all IPs with a single click.
* Endpoint Lockdown Mode: Automatically shields wp-login.php and xmlrpc.php with a JavaScript challenge during sustained distributed attacks, preventing server overload.
* Two-Factor Authentication (2FA): Secure user accounts with industry-standard TOTP authentication, backup codes, role enforcement, and a central admin management dashboard.
* IP Trust & Threat Scoring System: An intelligent defense that assigns “threat points” to IPs for malicious actions, blocking them only when they reach a configurable score. More accurate and context-aware than simple rules.
* Attack Signature Engine (Beta): Proactively stops distributed botnet attacks by identifying and blocking the attacker’s “fingerprint” (signature) instead of just individual IPs.
* Web Application Firewall (WAF): Block malicious requests (SQLi, XSS, etc.) with a customizable ruleset.
* And much more: Rate Limiting, Country & ASN Blocking (with Spamhaus support), ASN Whitelisting, Push Notifications, Google reCAPTCHA, Honeypots, Active User Session Management, and Full WP-CLI Support.

Screenshots

  • The new Security Dashboard with real-time charts and a Live Attack Map.
  • Modern and intuitive two-level navigation system for easy access to all features.
  • The main Settings page to configure all protection modules like WAF and Rate Limiting.
  • Powerful Web Application Firewall (WAF) with recommended rules.
  • Block entire networks with ASN Blocking, powered by the Spamhaus list.
  • Detailed Blocked IPs table with the “View Map” modal in action.
  • Country Blocking (Geoblocking) and Geo-Challenge with user-friendly selectors and smart warnings.
  • Unified Security Log with a powerful filter to analyze all attack events.
  • Active User Session Management to monitor and terminate logged-in users.
  • Full WP-CLI support documentation, accessible from the “About” tab.
  • An example of a professional HTML email notification.
  • The new “Trusted Proxies” setting for advanced anti-spoofing protection.
  • IP Trust & Threat Scoring System.
  • Attack Signature Engine (Beta).

Installation

  1. Upload the advanced-ip-blocker folder to the /wp-content/plugins/ directory.
  2. Activate the plugin through the ‘Plugins’ menu in WordPress.
  3. A new “Security” menu item will appear in your admin sidebar. All settings are located there.
  4. Crucial: Visit Security > Dashboard > System Status to ensure your IP and your server’s IP are whitelisted. Use the one-click buttons if they are not.

FAQ

How should I configure the plugin for my specific website?

While every website’s security needs are unique, here is a general guide to get you started based on your site’s profile. For a deep dive into every feature, please consult our Comprehensive Feature Guide.

1. Essential First Steps (For ALL Websites)

No matter your site type, do these three things immediately after installation to ensure a strong baseline security without locking yourself out:

  • Whitelist Your IPs: Go to Security > Dashboard > System Status and use the one-click buttons to add your current IP and your server’s IP to the whitelist. This is the most critical step.
  • Activate Trap Defenses: Go to Security > Blocking Rules, and in the “User Agents” and “Honeypot URLs” tabs, copy the suggested lists into the active blocklist text areas. This provides immediate protection from thousands of common bots.
  • Enable Logging: Go to Security > Settings > General and ensure “Enable Logging” is turned on. This gives you the visibility you need to understand what is happening on your site.

2. Recommended Profiles

Once the essentials are done, tailor the configuration to your site type:

For a Standard Blog or Business Website:
Your main goal is to block automated threats without affecting administrators.
* Enable the IP Trust & Threat Scoring System: This is the smartest way to block bad actors contextually. The default point values are an excellent starting point. (Found in Settings > IP Trust & Threat Scoring).
* Enable the WAF and Rate Limiting: These are powerful proactive defenses. (Found in Settings > Core Protections and Threshold Blocking).
* Enable Spamhaus ASN Protection: Let the plugin automatically block thousands of known malicious networks for you. (Found in Settings > Core Protections).

For an E-commerce or Membership Site (WooCommerce, etc.):
You need to protect your site while ensuring legitimate customers from around the world are never blocked.
* Enable Two-Factor Authentication (2FA): This is the single best way to protect administrator and shop manager accounts. Enforce it for these roles in Settings > Login & User Protection.
* Use Geo-Challenge Instead of Geoblocking: If you receive attacks from a specific country but also have customers there, use the Geo-Challenge feature instead of a hard block. This will stop bots without affecting human users.
* CRITICAL: DO NOT USE “Whitelist Login Access”. It restricts logins to whitelisted IP addresses, so it will lock out your customers.
* WAF Exclusions: Double-check that URLs for your payment gateways (like Stripe or PayPal webhooks) are in the WAF exclusion list to ensure payments are processed correctly.

For Any Site Using a CDN or Reverse Proxy (like Cloudflare):
Your top priority is ensuring the plugin detects the correct visitor IP address.
* Configure Trusted Proxies: Go to Security > Settings > IP Detection. Add the IPs or, even better, the ASNs of your CDN/proxy service to this list. For Cloudflare, simply add AS13335 on a new line. Until this is done, every request appears to come from the proxy’s own address: a block or rate limit triggered by one attacker then applies to all visitors, and the whitelist entry for your own IP does not match. This is essential for the accuracy of all other security features.
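The WAF advice in the profiles above (turn it on; keep payment-gateway webhooks out of it) and the rule hygiene noted in the 8.5.12 changelog (duplicates dropped, invalid regular expressions discarded on save) can be shown in a few dozen lines. The PHP below is an added example written for this page, not code from the Advanced IP Blocker plugin; the function names, the rule text, the webhook paths and the sample requests are all constructed for the illustration, and the plugin’s own rule syntax may differ.

```php
<?php
declare(strict_types=1);

/**
 * Compile a textarea of WAF patterns (one PCRE body per line, matched case-insensitively).
 * Duplicates are dropped and any pattern PCRE rejects is discarded rather than saved,
 * so one typo cannot disable the whole rule set or throw warnings on every request.
 * Returns [compiled rules, rejected lines].
 */
function waf_compile_rules(string $raw): array {
    $rules = [];
    $rejected = [];
    foreach (preg_split('/\R/', $raw) as $line) {
        $line = trim($line);
        if ($line === '' || isset($rules[$line])) {
            continue;                             // blank line or exact duplicate
        }
        $regex = '~' . $line . '~i';              // '~' is the delimiter; a literal '~' in a rule must be written \~
        if (@preg_match($regex, '') === false) {
            $rejected[] = $line;                  // e.g. unbalanced bracket: PCRE compile error
            continue;
        }
        $rules[$line] = $regex;
    }
    return [array_values($rules), $rejected];
}

/**
 * Inspect one request. Paths under an excluded prefix (payment-gateway webhooks,
 * whose JSON bodies routinely look "malicious") are never matched. Everything else is
 * matched after URL-decoding, so %55NION%20SELECT cannot slip past a "union select" rule.
 * Returns the matching rule, or null to allow.
 */
function waf_inspect(array $request, array $rules, array $excluded_prefixes): ?string {
    $path = parse_url($request['uri'], PHP_URL_PATH) ?: '/';
    foreach ($excluded_prefixes as $prefix) {
        if (str_starts_with($path, $prefix)) {
            return null;
        }
    }
    $haystack = urldecode($request['uri']) . "\n" . urldecode($request['body'] ?? '');
    foreach ($rules as $regex) {
        if (preg_match($regex, $haystack) === 1) {
            return $regex;
        }
    }
    return null;
}

// Constructed rule text as an administrator might paste it: one duplicate, one broken rule.
$raw_rules = <<<'RULES'
union\s+select
<script[^>]*>
union\s+select
(?:\.\./){2,}
[unbalanced
RULES;

[$rules, $rejected] = waf_compile_rules($raw_rules);
printf("%d rules compiled, rejected: %s\n", count($rules), implode(', ', $rejected));

// Hypothetical webhook paths to exclude; use the exact paths your gateway posts to.
$exclusions = ['/wc-api/', '/wp-json/wc/v3/webhooks'];

// Constructed requests: an injection attempt in the query string, a webhook body that
// happens to contain a pattern, and an ordinary page view.
$requests = [
    ['uri' => '/?s=1%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users', 'body' => ''],
    ['uri' => '/wc-api/stripe_webhook', 'body' => '{"description":"union select of payment items"}'],
    ['uri' => '/about/', 'body' => ''],
];
foreach ($requests as $r) {
    $hit = waf_inspect($r, $rules, $exclusions);
    printf("%-58s %s\n", $r['uri'], $hit === null ? 'allow' : "block by $hit");
}
```

Two points worth carrying over to any real configuration: exclusions should be matched on the path only, never on the query string or body (otherwise an attacker appends the webhook path as a parameter to get a free pass), and the warning the plugin shows about overly broad rules is well founded, since a pattern such as `select` would match ordinary search queries and lock out legitimate visitors.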

What is AbuseIPDB Protection and how does it work?

AbuseIPDB is a global, crowdsourced project that tracks and reports malicious IP addresses in real-time. Our new integration allows the plugin to check the reputation of a new, unknown visitor against this database on their first visit. If the IP has been recently reported by others for activities like hacking, spam, or brute-force attacks, and its “abuse confidence score” is above your configured threshold, the plugin will block it instantly. This acts as a proactive shield against known bad actors, stopping them before they even have a chance to test your defenses. You can enable it and add your free API key under Security > Settings > Threat Intelligence.
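To make the behaviour described above concrete, here is an added PHP example (not the plugin’s code) of a reputation check built on the public AbuseIPDB v2 `check` endpoint, together with the kind of circuit breaker the 8.5.13 changelog mentions: after a quota error (HTTP 429) or a server error, lookups pause for a while and report “unknown” instead of failing every request and spamming the log. The HTTP transport is injected so the example runs offline against constructed responses; the function names, the pause durations and the sample addresses are assumptions.

```php
<?php
declare(strict_types=1);

const ABUSEIPDB_ENDPOINT = 'https://api.abuseipdb.com/api/v2/check';

/**
 * Return the abuse confidence score (0-100) AbuseIPDB holds for $ip, or null if unknown.
 * $transport performs the HTTP GET and returns [status_code, body]; it is injected so the
 * logic can run without network access. $state carries the circuit breaker between calls
 * (the plugin would keep this in a transient); while 'paused_until' is in the future no
 * request is made at all.
 */
function abuseipdb_score(string $ip, string $api_key, callable $transport, array &$state, int $now): ?int {
    if (($state['paused_until'] ?? 0) > $now) {
        return null;                                   // breaker open
    }
    [$status, $body] = $transport(
        ABUSEIPDB_ENDPOINT . '?' . http_build_query(['ipAddress' => $ip, 'maxAgeInDays' => 90]),
        ['Key' => $api_key, 'Accept' => 'application/json']
    );
    if ($status === 429 || $status >= 500) {
        // Daily quota exhausted or service unavailable: stop calling for a while
        // (durations are assumptions) instead of erroring on every visitor.
        $state['paused_until'] = $now + ($status === 429 ? 3600 : 300);
        return null;
    }
    if ($status !== 200) {
        return null;
    }
    $json  = json_decode($body, true);
    $score = $json['data']['abuseConfidenceScore'] ?? null;
    return is_int($score) ? $score : null;
}

/**
 * Block only when the score is known and at or above the configured threshold.
 * An unknown score fails open: the visitor still meets the other protection layers,
 * but is not blocked on the strength of a lookup that never happened.
 */
function abuseipdb_should_block(?int $score, int $threshold): bool {
    return $score !== null && $score >= $threshold;
}

// Constructed fake transport standing in for the real API (documentation addresses, invented scores).
$fake_responses = [
    '203.0.113.10' => [200, '{"data":{"ipAddress":"203.0.113.10","abuseConfidenceScore":100}}'],
    '198.51.100.7' => [200, '{"data":{"ipAddress":"198.51.100.7","abuseConfidenceScore":12}}'],
    '192.0.2.44'   => [429, '{"errors":[{"detail":"Daily rate limit exceeded"}]}'],
];
$calls = 0;
$transport = function (string $url, array $headers) use ($fake_responses, &$calls): array {
    $calls++;
    parse_str(parse_url($url, PHP_URL_QUERY), $q);
    return $fake_responses[$q['ipAddress']] ?? [404, '{}'];
};

$state = [];
$now   = 1_700_000_000;
// The 429 on the third lookup opens the breaker, so the fourth lookup never hits the API.
foreach (['203.0.113.10', '198.51.100.7', '192.0.2.44', '203.0.113.10'] as $ip) {
    $score = abuseipdb_score($ip, 'example-key', $transport, $state, $now);
    printf("%-14s score=%-4s block=%s\n", $ip, $score ?? 'n/a', abuseipdb_should_block($score, 75) ? 'yes' : 'no');
}
printf("API calls made: %d\n", $calls);
```

In a real deployment the verdict should also be cached per IP (a transient keyed on the address), so that only a visitor’s first request costs one of the free daily checks the FAQ refers to.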

What is “Known Bot Verification”?

This is an advanced security feature that checks whether visitors claiming to be a major search engine crawler (like Googlebot) really are. It performs a reverse DNS lookup on the visitor’s IP and checks that the resulting hostname belongs to the crawler’s domain (for Googlebot that means a name under googlebot.com or google.com; for Bingbot, search.msn.com). A PTR record on its own is set by whoever controls the IP, so a sound check also resolves that hostname forward again and trusts the visitor only if it maps back to the same IP (forward-confirmed reverse DNS). If the check fails, the visitor is identified as an “impersonator” and receives a high threat score, preventing them from exploiting the trust given to real crawlers. Impostors are handled through the Threat Scoring system; if that system is disabled, the “User Agents” block duration is used as a fallback (added in 8.5.11). This feature is enabled by default under Settings > Core Protections.
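An added PHP example of forward-confirmed reverse DNS, written for this page: it is not the plugin’s implementation and does not show which crawlers the plugin verifies or what it does on failure. The crawler list, the resolver interface and the DNS answers are constructed so the check runs offline. Step two, resolving the PTR name forward again, is what defeats an attacker who simply points the PTR record of their own address at a googlebot.com hostname.

```php
<?php
declare(strict_types=1);

/**
 * User-Agent token => domains the PTR hostname must end in.
 * Google documents googlebot.com and google.com for Googlebot; Microsoft documents
 * search.msn.com for Bingbot. Extend as needed for other crawlers you trust.
 */
const KNOWN_CRAWLERS = [
    'googlebot' => ['googlebot.com', 'google.com'],
    'bingbot'   => ['search.msn.com'],
];

/**
 * Classify a visitor as 'unclaimed' (not posing as a known crawler), 'verified'
 * (forward-confirmed) or 'impostor'. $resolver is injected: $resolver('ptr', $ip)
 * returns the PTR hostname or null; $resolver('a', $host) returns the addresses
 * that hostname resolves to (empty array if none).
 */
function classify_crawler(string $ip, string $user_agent, callable $resolver): string {
    $ua = strtolower($user_agent);
    $domains = null;
    foreach (KNOWN_CRAWLERS as $token => $allowed) {
        if (str_contains($ua, $token)) {
            $domains = $allowed;
            break;
        }
    }
    if ($domains === null) {
        return 'unclaimed';                       // ordinary visitor, nothing to verify
    }
    // Step 1: reverse lookup. The PTR record is controlled by whoever owns the IP,
    // so on its own it proves nothing.
    $host = $resolver('ptr', $ip);
    if ($host === null) {
        return 'impostor';
    }
    $host = strtolower(rtrim($host, '.'));
    $in_domain = false;
    foreach ($domains as $d) {
        if ($host === $d || str_ends_with($host, '.' . $d)) {
            $in_domain = true;
            break;
        }
    }
    if (!$in_domain) {
        return 'impostor';
    }
    // Step 2: forward confirmation. The crawler operator's own zone must map the
    // hostname back to this exact IP; an attacker cannot add records to googlebot.com.
    return in_array($ip, $resolver('a', $host), true) ? 'verified' : 'impostor';
}

// Constructed DNS data (documentation addresses): one genuine crawler, one address whose
// owner set a googlebot.com-looking PTR that Google's zone does not know, one plain VPS.
$dns = [
    'ptr' => [
        '203.0.113.20' => 'crawl-203-0-113-20.googlebot.com.',
        '198.51.100.9' => 'crawl-198-51-100-9.googlebot.com.',
        '192.0.2.77'   => 'vps-77.example.net.',
    ],
    'a' => [
        'crawl-203-0-113-20.googlebot.com' => ['203.0.113.20'],
        'crawl-198-51-100-9.googlebot.com' => [],             // NXDOMAIN in the real zone
        'vps-77.example.net'               => ['192.0.2.77'],
    ],
];
$resolver = function (string $type, string $name) use ($dns) {
    return $type === 'ptr' ? ($dns['ptr'][$name] ?? null) : ($dns['a'][$name] ?? []);
};

$visitors = [
    ['203.0.113.20', 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'],
    ['198.51.100.9', 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'],
    ['192.0.2.77',   'Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)'],
    ['192.0.2.77',   'Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0'],
];
foreach ($visitors as [$ip, $ua]) {
    printf("%-14s %-9s %s\n", $ip, classify_crawler($ip, $ua, $resolver), $ua);
}
```

With live DNS the resolver would wrap PHP’s `gethostbyaddr()` (which returns the unmodified IP when no PTR exists, so compare the result against the input) and `gethostbynamel()` (which returns `false` on failure); `dns_get_record()` with `DNS_AAAA` covers IPv6 crawlers. Both lookups are network round trips, so the verdict should be cached per IP rather than repeated on every request.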

What is “Trusted Proxies” and why do I need it?

This is a critical security feature that prevents IP spoofing. If your site is behind a service like Cloudflare, Varnish, or another reverse proxy, the server’s direct connection IP (REMOTE_ADDR) is always the proxy’s IP, not the visitor’s. The real visitor IP arrives in an HTTP header (e.g., CF-Connecting-IP or X-Forwarded-For). Anyone who can reach your server can put whatever they like in that header: an innocent third party’s address, so that the attacker’s misbehaviour gets that address blocked (framing), or a whitelisted address, to evade blocking altogether. The “Trusted Proxies” setting tells the plugin: “Only trust these headers if the request comes from an IP address I know is my proxy.” If the connecting IP is not on the list, the header is ignored and REMOTE_ADDR is used. You can add IPs, CIDR ranges, or ASNs (like AS13335 for Cloudflare) to this list under Security > Settings > IP Detection.
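As an added illustration of the rule just stated (example code, not the plugin’s own), the PHP below resolves the visitor IP the zero-trust way: a forwarding header is honoured only when REMOTE_ADDR falls inside a trusted range, and an X-Forwarded-For chain is walked from the right so that anything the client itself prepended is ignored. The trusted ranges, the header precedence and the sample requests are assumptions made for the example; Cloudflare publishes its real address ranges, which is what AS13335 stands for on the settings page.

```php
<?php
declare(strict_types=1);

/** Binary form of a valid IPv4/IPv6 address, or null if $ip is not an address at all. */
function ip_bin(string $ip): ?string {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $bin = inet_pton($ip);
    return $bin === false ? null : $bin;
}

/** True if $ip lies inside $cidr ("203.0.113.0/24", "2001:db8::/32", or a bare address). */
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ip_bin  = ip_bin($ip);
    $net_bin = ip_bin($net);
    if ($ip_bin === null || $net_bin === null || strlen($ip_bin) !== strlen($net_bin)) {
        return false;                                 // malformed, or v4 tested against v6
    }
    $max  = strlen($ip_bin) * 8;
    $bits = $bits === null ? $max : (int) $bits;
    if ($bits < 0 || $bits > $max) {
        return false;
    }
    $full = intdiv($bits, 8);
    if ($full > 0 && substr($ip_bin, 0, $full) !== substr($net_bin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ip_bin[$full]) & $mask) === (ord($net_bin[$full]) & $mask);
}

function is_trusted_proxy(string $ip, array $trusted): bool {
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Zero-trust client IP: forwarding headers count only when the TCP peer (REMOTE_ADDR)
 * is one of our proxies; otherwise the peer itself is the client and whatever it put in
 * the headers is ignored. The header precedence is an assumption for this example.
 */
function resolve_client_ip(array $server, array $trusted,
                           array $header_order = ['HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR']): string {
    $peer = $server['REMOTE_ADDR'];
    if (!is_trusted_proxy($peer, $trusted)) {
        return $peer;
    }
    foreach ($header_order as $name) {
        if (empty($server[$name])) {
            continue;
        }
        // X-Forwarded-For grows hop by hop: "client, proxy1, proxy2". Walk from the right,
        // skipping our own proxies; the first foreign address is the client. Anything
        // further left was sent by the client and is not trusted.
        $hops = array_map('trim', explode(',', $server[$name]));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (ip_bin($hops[$i]) === null) {
                break;                                // garbage in the header: stop trusting it
            }
            if (!is_trusted_proxy($hops[$i], $trusted)) {
                return $hops[$i];
            }
        }
    }
    return $peer;                                     // proxy gave us nothing usable
}

// Constructed proxy tier using documentation ranges; in production use the CDN's published list.
$trusted = ['203.0.113.0/24', '2001:db8:1::/48'];

// Constructed requests (documentation addresses). In the XFF chain, 192.0.2.99 is a value the
// attacker at 198.51.100.7 prepended to frame someone else; the proxy appended the real peer.
$scenarios = [
    'via proxy, CF header'       => ['REMOTE_ADDR' => '203.0.113.10',  'HTTP_CF_CONNECTING_IP' => '198.51.100.7'],
    'via proxy, XFF chain'       => ['REMOTE_ADDR' => '203.0.113.10',  'HTTP_X_FORWARDED_FOR'  => '192.0.2.99, 198.51.100.7, 203.0.113.10'],
    'via proxy over IPv6'        => ['REMOTE_ADDR' => '2001:db8:1::10', 'HTTP_CF_CONNECTING_IP' => '2001:db8:9::5'],
    'direct hit, framing header' => ['REMOTE_ADDR' => '192.0.2.50',    'HTTP_X_FORWARDED_FOR'  => '198.51.100.7'],
    'direct hit, loopback claim' => ['REMOTE_ADDR' => '192.0.2.50',    'HTTP_CF_CONNECTING_IP' => '127.0.0.1'],
];
foreach ($scenarios as $label => $server) {
    printf("%-28s peer=%-15s client=%s\n", $label, $server['REMOTE_ADDR'], resolve_client_ip($server, $trusted));
}
```

The last two scenarios are the attacks the feature exists for: a direct request to the origin carrying a forged header resolves to the real peer, so the attacker can neither frame 198.51.100.7 nor pose as 127.0.0.1 (the spoof the 8.5.7 changelog entry refers to). Configuring the proxy tier by ASN, as the settings page allows, depends on a working ASN lookup; a CIDR list taken from the provider’s published ranges has no such dependency.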

What is Geo-Challenge? How is it different from Geoblocking?

Geoblocking is a hard block. It shows a “403 Access Denied” page to visitors from selected countries.
Geo-Challenge is a soft block. It shows a quick, automated JavaScript test to visitors from selected countries. Legitimate humans pass instantly, while most bots are stopped. This is useful for regions you are suspicious of but do not want to block entirely. You can, for example, block Country A and challenge Country B. You can configure it in Security > Settings > Core Protections.

How do I solve issues with the JavaScript challenge and caching plugins?

The JavaScript challenge (used by Geo-Challenge, Signature Engine, and Endpoint Lockdown) requires dynamic content. Aggressive page caching can interfere with it. If you experience issues (like a challenge loop or a “Verification failed” error), you must configure your caching plugin (e.g., WP Rocket, WP Fastest Cache, LiteSpeed Cache) to NOT cache pages for visitors who do not have the advaipbl_js_verified cookie. Most caching plugins have a setting like “Never cache pages that use this cookie.”

How do I solve issues with the JavaScript challenge and cookie consent (RGPD/GDPR) plugins?

Cookie consent plugins (like CookieYes) may block our security cookie from being set. To fix this, you must go into your cookie plugin’s settings and classify the cookie named advaipbl_js_verified as “Strictly Necessary” or “Essential”. This will allow the security challenge to function correctly.

What is the new “Local Database” Geolocation Method?

For maximum performance, the plugin offers two ways to identify an IP’s location (Security > Settings > Geolocation):
1. Real-time API (Default): Easy to set up and great for most websites.
2. Local Database (Highest Performance): Downloads the MaxMind GeoLite2 database to your server for instant, offline lookups with zero external API calls. Recommended for high-traffic sites. Requires a free MaxMind license key.

How do I set up Two-Factor Authentication (2FA)?

  1. Admin: Go to Security > Settings > Login & User Protection and enable 2FA globally. You can also enforce it for specific user roles.
  2. User: Go to your WordPress Profile page. You will find a new section to set up 2FA by scanning a QR code with an authenticator app and saving your backup codes.

What is the “Attack Signature Engine”?

This is an advanced defense that stops botnets by blocking the attacker’s “fingerprint” (signature), not just their IP. It works in three phases you can enable in Security > Settings > Signature Engine: Logging, Analysis (a background task that finds patterns), and Blocking (presents a JS challenge to malicious signatures). You can manage detected signatures in IP Management > Blocked Signatures.

What is the difference between the WAF, Signature Engine, and Advanced Rules?

Think of them as three layers of defense:
1. WAF (Web Application Firewall): The simplest layer. It blocks requests based on simple malicious patterns (e.g., union select). It’s fast and stops common, generic attacks.
2. Attack Signature Engine: The automated layer. It looks for patterns of attack from many different IPs (botnets) and blocks the attack’s “fingerprint” (signature) for all visitors. You don’t create these rules; the plugin does.
3. Advanced Rules Engine: The manual control layer. This is where you build your own specific, multi-conditional rules. For example: “IF the visitor is from China AND is trying to access /wp-admin/ THEN Block them permanently.” It gives you the ultimate power to create a security policy tailored exactly to your site’s needs.
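An added example (not the plugin’s engine or its rule format) of how the layers above combine: a list of rules whose conditions are ANDed, each carrying one of the actions named on the page (Block, Challenge, add Threat Score), evaluated against a request together with a per-IP threat score that turns into a block once it crosses the threshold. The rule syntax, field names, point values and the reserved sample ASNs are constructed; the first rule is the FAQ’s own “from China AND /wp-admin/” example.

```php
<?php
declare(strict_types=1);

/**
 * A rule is ['name' => ..., 'when' => [[field, operator, value], ...], 'then' => action, 'points' => n].
 * Every condition in 'when' must hold (AND). Fields are the request attributes the page lists
 * (ip, country, asn, uri, user_agent); operators here are is / is_not / starts_with / matches (PCRE).
 */
function rule_matches(array $rule, array $req): bool {
    foreach ($rule['when'] as [$field, $op, $value]) {
        $actual = (string) ($req[$field] ?? '');
        $ok = match ($op) {
            'is'          => strcasecmp($actual, $value) === 0,
            'is_not'      => strcasecmp($actual, $value) !== 0,   // also true when the field is empty (lookup failed)
            'starts_with' => str_starts_with($actual, $value),
            'matches'     => preg_match($value, $actual) === 1,
            default       => false,
        };
        if (!$ok) {
            return false;
        }
    }
    return true;
}

/**
 * Walk the rules in order. A matching block/challenge rule ends evaluation at once; score
 * rules add points to $score (the visitor's persisted threat score) and the request is blocked
 * as soon as the total reaches $threshold, even if no single rule asked for a block.
 * Returns [decision, new_score, reason].
 */
function evaluate_rules(array $rules, array $req, int $score, int $threshold): array {
    foreach ($rules as $rule) {
        if (!rule_matches($rule, $req)) {
            continue;
        }
        switch ($rule['then']) {
            case 'block':
                return ['block', $score, $rule['name']];
            case 'challenge':
                return ['challenge', $score, $rule['name']];
            case 'score':
                $score += $rule['points'];
                if ($score >= $threshold) {
                    return ['block', $score, sprintf('threat score %d reached threshold %d', $score, $threshold)];
                }
                break;
        }
    }
    return ['allow', $score, null];
}

// Constructed rule set; the first rule is the FAQ's example.
$rules = [
    ['name' => 'CN to wp-admin',       'when' => [['country', 'is', 'CN'], ['uri', 'starts_with', '/wp-admin/']],      'then' => 'block'],
    ['name' => 'hosting ASN on login', 'when' => [['asn', 'is', 'AS64500'], ['uri', 'starts_with', '/wp-login.php']], 'then' => 'challenge'],
    ['name' => 'scanner user agent',   'when' => [['user_agent', 'matches', '~(sqlmap|nikto|masscan)~i']],           'then' => 'score', 'points' => 40],
    ['name' => 'probing for secrets',  'when' => [['uri', 'matches', '~^/(\.env|\.git/|wp-config\.php)~']],          'then' => 'score', 'points' => 30],
];

// Constructed requests: documentation IP ranges, ASNs from the range reserved for documentation.
$requests = [
    ['ip' => '203.0.113.5',  'country' => 'CN', 'asn' => 'AS64496', 'uri' => '/wp-admin/',    'user_agent' => 'Mozilla/5.0'],
    ['ip' => '198.51.100.9', 'country' => 'DE', 'asn' => 'AS64500', 'uri' => '/wp-login.php', 'user_agent' => 'Mozilla/5.0'],
    ['ip' => '192.0.2.77',   'country' => 'US', 'asn' => 'AS64511', 'uri' => '/.env',         'user_agent' => 'sqlmap/1.8'],
    ['ip' => '192.0.2.78',   'country' => 'US', 'asn' => 'AS64511', 'uri' => '/blog/',        'user_agent' => 'Mozilla/5.0'],
];
foreach ($requests as $req) {
    // Score starts at 0 here; a real engine loads and stores it per IP across requests.
    [$decision, $score, $reason] = evaluate_rules($rules, $req, 0, 50);
    printf("%-13s %-15s %-9s score=%-3d %s\n", $req['ip'], $req['uri'], $decision, $score, $reason ?? '');
}
```

The third request shows why scoring is more than a collection of blocks: neither score rule alone reaches the threshold, but a scanner User-Agent probing for `/.env` accumulates enough points in one request to be blocked. Note the `is_not` comment: in this example an empty country (geolocation lookup failed) satisfies `is_not`, so a rule such as “country is not US, then Block” would also hit visitors whose location is unknown; check how any rules engine you rely on treats a failed lookup before using negated conditions.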

How can I protect a non-WordPress folder on my site?

This plugin includes an advanced “Edge Firewall Mode” that allows you to extend its protection to any PHP script on your server. This is perfect for securing custom applications or directories that are not managed by WordPress. To enable it, you need to add a single line of code to the beginning of the PHP file you want to protect. This manual step ensures that the protection is explicit and works on any server environment. For a complete step-by-step guide, please see our documentation: How to Protect Non-WordPress Folders.

Reviews

March 5, 2025
Thanks a lot! It works great and makes good use of the Spamhaus API. Within minutes it detected 7 malicious IPs and blocked them.
May 7, 2025
THIS PLUGIN IS GORGEOUS! 😀 Initially I was using it only as an addition to Cleantalk, which does not offer blocking by ASN (a highly important feature). But meanwhile “Advanced IP Blocker” has been developed so much further that somehow it has switched: now I am using Cleantalk rather as the addition and “Advanced IP Blocker” has become my main security/blocking plugin. It has of course basic security features and: not only do we have the possibility to block ASNs, but “Advanced IP Blocker” also includes the blacklist by spamhaus.org and, newly (also very worthful), the database by AbuseIPDB (1000 free checks every day). As far as I can see it works flawlessly and quickly, and is still being developed further and optimized regularly. THANK YOU FOR THE GREAT JOB! Highly recommended!
January 7, 2025
This is logically arranged and covers a lot of territory. The initial setup is easy and not time consuming. I’ll report further when I’ve had some time to fully evaluate, but it looks like this plugin will take the place of several I have been using, which should speed my site up. Thanks for creating this.

Contributors & Developers

“Advanced IP Blocker” is open source software.

Changelog

8.5.14

  • Major Stability Fix: Implemented robust error handling for the MaxMind local database integration. The plugin will no longer cause a fatal error if the GeoIP database file is corrupt or unreadable, ensuring site stability.
  • Enhancement: Geolocation data (Country/City) will now be displayed in the Security Log for all relevant events, including warnings like Challenges, not just for critical blocks. This provides administrators with better context for all security events when using the local MaxMind database.
  • Security: Added a secure, IP-whitelisted internal endpoint for integration with external monitoring tools.
  • Dev: General code maintenance and improvements to the plugin’s core stability.

8.5.13

  • NEW MAJOR FEATURE: AbuseIPDB Integration. Added a powerful new security layer to proactively block known malicious IPs by checking their reputation against the real-time AbuseIPDB threat database. This feature can be enabled in a new “Threat Intelligence” section in the settings and requires a free API key.
  • Enhancement: The AbuseIPDB integration is resilient, featuring a “circuit breaker” that temporarily pauses API calls if the daily quota is exceeded or the service is unavailable, preventing errors and log spam.
  • Enhancement: Improved the “Live Security Feed” to show more descriptive details for blocks originating from AbuseIPDB, Advanced Rules, and the WAF.
  • Enhancement: Added the new AbuseIPDB status to the main Security Dashboard and the Telemetry data.

8.5.12

  • Major Performance Enhancement: Refactored the caching compatibility logic to resolve a critical issue with LiteSpeed Cache (LSCWP) and other page caching plugins. The DONOTCACHEPAGE constant is now only defined when a JavaScript challenge is actively being served, allowing all other pages to be cached correctly. This significantly improves performance for all sites using page caching. (A big thank you to user Moddo from the WordPress.org forums for their detailed bug report!)
  • Enhancement: Improved the sanitization and validation of the WAF (Web Application Firewall) rules. The system now automatically removes duplicate rules and discards invalid regular expressions upon saving, preventing potential errors and improving usability.
  • Enhancement: Added a prominent warning to the WAF configuration page to caution users against creating overly broad rules that could cause a site lockout.
  • Fix: The custom block message now correctly renders basic HTML tags (<h1>, <br>), allowing for better formatted and more professional-looking block pages.
  • Fix: Resolved an issue where the “Completely Disabled” mode for XML-RPC would result in a blank page instead of a proper 403 Forbidden error response.

8.5.11

  • NEW MAJOR FEATURE: Edge Firewall Mode. The plugin’s full security suite (WAF, Advanced Rules, Challenges, Threat Scoring) can now be extended to protect any standalone PHP script or application within your WordPress installation. This requires a manual one-line code addition to the file you wish to protect.
  • Enhancement: The “Advanced Rules Engine” now includes robust data sanitization and validation, making custom rule creation even more secure.
  • Enhancement: Improved the Admin Bar menu by adding separate counters for Blocked IPs, Signatures, and Endpoints, with a total count on the main menu items for better at-a-glance visibility.
  • Enhancement: The “Verify Known Bots” feature now uses the “User-Agent” block duration as a fallback if the Threat Scoring system is disabled, ensuring impostor bots are always blocked.
  • Fix: Resolved a critical bug where the JavaScript Challenge could enter an infinite loop in specific contexts, particularly with xmlrpc.php lockdowns or when triggered by the Edge Firewall.
  • Fix: Corrected a fatal error (Class "BaconQrCode..." not found) that occurred in limited environments like xmlrpc.php or the new Edge Mode by implementing a more robust “lazy loading” for the 2FA module.
  • Fix: Solved an issue where the custom block message would not render HTML tags (<h1>, <br>) correctly, now allowing for formatted block pages.
  • Fix: The “Smart Protection” mode for xmlrpc.php now correctly blocks unauthorized users instead of showing a server error (503) in certain post-challenge scenarios.
  • Fix: Fixed a fatal error (Undefined constant "ADVAIPBL_USM_...") that occurred when the Edge Firewall Mode was active.
  • Fix: Patched a fatal error in the “Whitelist Signature” AJAX function (self::OPTION_SETTINGS scope issue).

8.5.10

  • New: Advanced Rules Engine! Create powerful, custom security rules with multiple conditions (IP, Country, ASN, URI, User-Agent) and actions (Block, Challenge, or add Threat Score).
  • Enhancement: Added ‘is not’ operator to ‘Country’ and ‘ASN’ conditions in the Advanced Rules Engine for more flexible rule creation.
  • Enhancement: Added dependency status notices in the Advanced Rules tab to improve user experience.
  • Fix: Resolved a loop issue in the JavaScript Challenge functionality when triggered by Advanced Rules.
  • Fix: Corrected notification details (duration and reason) for blocks originating from Advanced Rules to ensure accuracy.
  • Fix: Improved UI for the Advanced Rules constructor, especially the country selector within modals.
  • Dev: Added foundation for future improvements to the Advanced Rules UI, such as pagination and bulk actions.

8.5.9 – The Foundation Update: Refactoring, Onboarding & Bot Verification

  • NEW MAJOR FEATURE: Onboarding Setup Wizard. A new step-by-step wizard guides first-time users through the most critical security settings (IP whitelisting, WAF, bot traps), ensuring a strong security posture from the moment of activation.
  • NEW MAJOR FEATURE: Known Bot Verification. A new security layer that uses reverse DNS to verify legitimate crawlers (Googlebot, Bingbot, etc.). This neutralizes attackers faking their User-Agent and assigns a high threat score to impostors.
  • MAJOR REFACTOR: Complete Codebase Overhaul. The entire plugin has been refactored into a modern, modular, object-oriented structure. Logic for admin pages, AJAX handlers, action handlers, and settings management has been separated into dedicated classes. This significantly improves stability, performance, and long-term maintainability.
  • Enhancement: The Import/Export feature is now more robust, correctly backing up and restoring the main blocked IPs table and automatically handling all plugin-related options for future-proof compatibility.
  • Enhancement: Added comprehensive WP-CLI commands for all new features, including trusted-proxy, geo-challenge, asn-whitelist, signature, and bot-verify.
  • Enhancement: Improved the user interface of the JavaScript challenge page, making it fully responsive and adding better user interaction with a timeout and manual verification option.
  • Fix: Resolved a critical bug where the JavaScript challenge system could cause infinite loops or fail on sites with aggressive page caching (e.g., WP Rocket, WP Fastest Cache) or cookie consent (GDPR) plugins.
  • Fix: Addressed multiple bugs in WP-CLI, including a fatal error on the session list command and compatibility issues with PHP versions below 8.1.

8.5.8.1

  • Fix: Corrected the Tested up to version in the readme.txt file to remove the “This plugin has not been tested with your current version of WordPress” warning. The plugin is fully compatible with the latest WordPress version.
  • Tweak: Updated and completed missing strings in the Spanish translation.
  • Note: This version includes all the major features and enhancements from version 8.5.8, such as the new Trusted Proxies system and Geo-Challenge functionality.

8.5.8

  • NEW MAJOR FEATURE: Advanced IP Spoofing Protection. Implemented a “Trusted Proxies” system to ensure accurate visitor IP detection behind services like Cloudflare or other reverse proxies. The plugin now operates on a zero-trust model, ignoring proxy headers from untrusted sources to prevent block evasion and framing attacks.
  • NEW MAJOR FEATURE: Geo-Challenge. Added a new security layer to challenge visitors from selected countries with an invisible JavaScript test instead of a hard block. This is ideal for filtering bot traffic from high-risk regions without affecting legitimate users. The feature is fully configurable and independent of the main Geoblocking module.
  • Major Enhancement: Full Bulk Actions for IP Management. The Whitelist and Blocked IPs tables now support full bulk actions. Administrators can select multiple entries to remove/unblock them at once, or unblock all IPs from all lists with a single click, dramatically improving management efficiency.
  • WP-CLI Expansion: Added a comprehensive set of new WP-CLI commands to manage all new features from the command line, including wp advaipbl trusted-proxy, wp advaipbl geo-challenge, wp advaipbl asn-whitelist, and wp advaipbl signature.
  • Security & UX Hardening: The JavaScript challenge page has been completely redesigned. It is now fully responsive, includes enhanced security headers (CSP), and features a more robust user interaction flow with a timeout and manual verification option.
  • Fix: Resolved a critical bug where the JavaScript challenge could enter an infinite loop on sites with aggressive page caching or cookie consent (RGPD/GDPR) plugins. The system is now significantly more compatible with these environments.
  • Fix: Corrected a bug in WP-CLI where the session list command would cause a fatal error due to a missing dependency.
  • Fix: Patched a compatibility issue with WP-CLI on servers running PHP versions older than 8.1, preventing fatal errors when using geolocation-dependent commands.
  • Code Quality: Major Refactor. The main plugin class (class-advaipbl-main.php) has been significantly refactored. All UI rendering logic has been moved to a new dedicated class (class-advaipbl-admin-pages.php), separating concerns and making the codebase much more maintainable and scalable for future development.

8.5.7

  • NEW FEATURE: Endpoint Lockdown for Login Page. The automated Endpoint Lockdown defense now protects wp-login.php from distributed brute-force attacks.
  • NEW FEATURE: ASN Whitelist. You can now whitelist entire networks (ASNs) like Google or Cloudflare to prevent false positives.
  • Major Fix: Race Condition Elimination. Refactored the IP blocking mechanism with an atomic, database-level locking system to prevent duplicate blocks during high-frequency attacks.
  • Security Hardening: Implemented anti-spoofing intelligence to correctly block attackers faking their IP as 127.0.0.1.
  • Fix: Resolved a bug where the admin dashboard counter could become out of sync on sites with persistent object caching.
  • Fix: Corrected a bug causing a fatal error on WP-CLI when used on servers with a CLI PHP version older than 8.1.
  • Enhancement: Redesigned the main “Settings” page with a side navigation menu and modern toggle switches.

For a complete history, please refer to the project’s repository.