tokkonopapa / wordpress-ip-geo-block

A WordPress plugin that will block any comment, pingback and trackback spam posted from outside your nation. It will also protect against malicious access to the login form, admin area and XML-RPC from undesired countries.

Home Page: http://www.ipgeoblock.com/

CSS 4.98% PHP 49.46% C 1.07% JavaScript 42.84% Shell 0.58% HTML 1.07%
php ip-geolocation ip-geo wordpress-plugin maxmind spam ip2location

wordpress-ip-geo-block's Issues

XX private

Actually, private or localhost address can also be used from shared server by other shared server users. So, I believe that this line should not skip 'XX' code from checking, but leave it to user defined checks (country codes). Same as 'ZZ' code described in two lines below.

if ( 'XX' !== $validate['code'] ) { // 'XX' is for localhost or inside of load balancer etc

I do not see why localhost/private request would be allowed to skip nonce validation, especially under shared server environment?

return $validate + array( 'result' => IP_Geo_Block_Util::verify_nonce( $nonce, self::$auth_key ) || 'XX' === $validate['code'] ? 'passed' : 'wp-zep' );

Maxmind GeoIP and License key.

A license key/API key field is needed for maxmind GeoIP2.

Currently, the "class-maxmind-geolite2.php" file has to be modified manually to hard code the license key directly into the fetch URL such as:

define( 'IP_GEO_BLOCK_GEOLITE2_DB_IP',    'GeoLite2-Country.mmdb' );
define( 'IP_GEO_BLOCK_GEOLITE2_DB_ASN',   'GeoLite2-ASN.mmdb'     );
define( 'IP_GEO_BLOCK_GEOLITE2_ZIP_IP',   'https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=XXXXXXXXXXX&suffix=tar.gz' );
define( 'IP_GEO_BLOCK_GEOLITE2_ZIP_ASN',  'https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=XXXXXXXXXXX&suffix=tar.gz'     );
define( 'IP_GEO_BLOCK_GEOLITE2_DOWNLOAD', 'https://dev.maxmind.com/geoip/geoip2/geolite2/' );

IP Geo Block conflict

Hello! I hope that you get this. Here are the screen shots of the Plugin Pro set up. I have also attached the plugin itself.

I did find one thing. In the pop up settings at the top - you can choose Ajax, etc. I found that if I chose Page Footer... it seems to work better.

[Screenshots: popupsetup1, popupsetup2, popupsetup3, firstpage, popuppluginsettings1, popuppluginsettings2, popuppluginsettings3]

I hope that this system will send me an e-mail when you reply to this. [email protected] is my e-mail address.

Greg

E_COMPILE_ERROR in line 849 in the file IPv6.php (using php version 8.2.6)

Hi. WordPress threw this error: E_COMPILE_ERROR in line 849 in the file IPv6.php (Latest WP and php version 8.2.6). The error message: "Array and string offset access syntax with curly braces is no longer supported."

I just changed the curly braces $ip{$pos} = ''; with square brackets and problem solved:
$ip[$pos] = '';

Post blocked by country listed on blog page

Hi,

I have detected that a blocked post appears in blog list but a not found page is shown when you click on it.
Is there any fast way to fix this by myself?

I would like to avoid showing blocked post in blog list page to avoid noise for end user.

Best,

Conflict with Wordfence plugin's Live Traffic Report

IP Geo Block not providing logs

I installed the plug-in to my Wordpress site last night. I love it! I finally decided that CN and RU were two countries that just were not worth the trouble anymore. I blacklisted them and a few others and my spam comments went to ZERO overnight.

My only problem is that I have zero log entries even though I have the setting set to log everything. What next?

Issue with Woocommerce Admin

Hi

When you activate the IP Geo Block plugin with the default configuration, the WooCommerce Admin plugin does not work, any plugin link shows blank.

Thanks

WordPress.com App fails to upload images

WordPress.com App has a function to upload images on mobile phone, but it would be blocked by this plugin:

[Image: jetpack-mobileapp]

Actually, Automattic server tries to upload with action jetpack_upload_file:

[Image: jetpack-upload-logs]

Even if you turn on the checkbox of jetpack_upload_file at "Exceptions" in "Admin ajax/post" after you push "magnifying glass" button, this issue may be still there:

[Image: jetpack-upload-action]

because validating the capability upload_files would fail:

[Image: jetpack-upload-capability]

To solve this issue, authentication via XMLRPC by jetpack should be also adopted in this plugin. But I don't know how to do it.

Feature Request: Add IP2Location.io as New IP Geolocation API

I would like to introduce the IP2Location.io IP geolocation API. It has the following advantages compared to other API providers.

  • Fast - one of the fastest APIs in the market using multi-location servers and anycast technology
  • Accurate - based on IP2Location and IP2Proxy database which is available since 2002
  • Free - free tier with 30,000 queries monthly available to all users who sign-up online

Please consider IP2Location.io as one of the database sources in WordPress IP Geo Block. Feel free to ping me if you have any questions.

Thank you.

Latest update causes excessive website slowdowns

Latest update causes pages that took 1-2s to load to take 1+ minutes to load. Disabling your plugin restores website functions. All site pages including admin are affected. How can we downgrade?

Unknown column 'last' in 'field list'

Hi there, after last update (Version 3.0.10) I got this error:
wp-content/plugins/ip-geo-block/classes/class-ip-geo-block-logs.php (837) Unknown column 'last' in 'field list'

Blocking my own ip address, not respecting whitelist

I have my entire ip range in the whitelist,
xxx.xxx.xxx.0/24

but I am still being blocked. I enabled the emergency unlock just to be able to view the settings page. I thought the CIDR range functionality wasn't working so I should try and add my individual ip address. When I tried to save the settings page, I was still blocked.

So I then deleted and reinstalled the plugin, still blocked! Then I went into the database and truncated the 3 ip geo block tables I could find

wp_ip_geo_block_cache, wp_ip_geo_block_logs, wp_ip_geo_block_stat

deleted and reinstalled the plugin, still blocked!

This makes my admin panel unusable.

Bugs in v3.0.4

The latest version produces the following errors:

Warning: implode(): Invalid arguments passed in /plugins/ip-geo-block/admin/includes/tab-settings.php on line 295

and

IP Geo Block: /plugins/ip-geo-block/classes/class-ip-geo-block-logs.php (685) Unknown column 'asn' in 'field list'

0

bug: Backend fatal error: PHP Fatal error: Array and string offset access syntax with curly braces is no longer supported in /......./wp-content/plugins/ip-geo-block/includes/Net/IPv6.php on line 849\n

PHP 7 compatibility Version 2.2.9

https://wordpress.org/plugins/php-compatibility-checker/

FILE: /wp-content/plugins/ip-geo-block/wp-content/ip-geo-api/ip2location/bcmath.php


FOUND 2 ERRORS AFFECTING 2 LINES

156 | ERROR | Using 'break' outside of a loop or switch structure is invalid and will throw a fatal error since PHP 7.0
157 | ERROR | Using 'break' outside of a loop or switch structure is invalid and will throw a fatal error since PHP 7.0

FILE: /wp-content/plugins/ip-geo-block/classes/class-ip-geo-block-logs.php


FOUND 2 ERRORS AFFECTING 2 LINES

344 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since PHP 5.6 and removed since PHP 7.0 - use php://input instead.
348 | ERROR | Global variable '$HTTP_RAW_POST_DATA' is deprecated since PHP 5.6 and removed since PHP 7.0 - use php://input instead.

Question: ip-geo-block-auth-nonce query string

Hi @tokkonopapa, great plug-in and thank you for your work!

In an effort to keep query strings short and limited, would it be possible to put 'ip-geo-block-auth-nonce' in a cookie instead of the query string? Alternatively, can we have the option to rename it? Is it possible to disable the query string modification and nonce check?

I wanted to get your opinion before we look into doing any customization of your plugin.

Thank you,
Jeff

Feature: ISP provider domain whitelist filter

Having field to place ISP provider white-list
(example) *.dsl.provider.net to filter my (example) 12.34.56.78..dsl.provider.net
would improve login security filter within Geo IP country.

Is this a normal behavior?

For a while, I thought my WP got hacked...

When I click on

/wp-admin/plugins.php

I noticed an intermediary redirect to

/wp-admin/plugins.php?=94634bda82

Then I looked at the code

var IP_GEO_BLOCK_AUTH = {"sites":["//MY_DOMAIN"],"nonce":"94634bda82","key":"","home":"","admin":"/wp-admin/","plugins":"/wp-content/plugins/","themes":"/wp-content/themes/"};

This also happens with few others... like woocommerce products..

As a complete noob, is this expected behavior?

Anonymize logged IPs

Hi,

please make it possible to anonymize the last part of logged IPs before they are stored in the database. Just set the last part to "0" like it is done in server log files: 1.2.3.0
This is needed to fulfill data privacy laws of some countries (e.g. Germany).

Also you should make clear where and when IPs are transmitted to other servers for location checks. This also may be prohibited by law in some countries. Does the Maxmind API only check against the local database?

ZEP relax for authorised users

Thank you, great plugin. I'm using it with country white-list only.

In "Admin area" logs, I have my own address many times for
wp-zep POST:/wp-admin/admin-ajax.php

With ZEP enabled, Elementor (page builder) does not work.
wp-zep GET:/wp-admin/post.php?post=X&action=edit

What do you think about relaxing ZEP for already logged-in users?
I hate to disable ZEP. Maybe I'm doing something wrong?

Thanks

Website no longer responding, fixed by disabling plugin

The website stopped responding without any changes.

[Mon Dec 31 08:26:01.286164 2018] [lsapi:error] [pid 474884:tid 139839718479616] [client 192.192.192.192:1506] [host www.example.com] Backend fatal error: PHP Fatal error: Uncaught Error: Unsupported operand types in /home/deb50552n2/domains/example.com/public_html/wp-content/plugins/ip-geo-block/classes/class-ip-geo-block.php:968\nStack trace:\n#0 /home/deb50552n2/domains/example.com/public_html/wp-includes/class-wp-hook.php(286): IP_Geo_Block->check_capability(Array, Array, 'wp_user_roles')\n#1 /home/deb50552n2/domains/example.com/public_html/wp-includes/plugin.php(203): WP_Hook->apply_filters(Array, Array)\n#2 /home/deb50552n2/domains/example.com/public_html/wp-includes/option.php(312): apply_filters('pre_update_opti...', Array, Array, 'wp_user_roles')\n#3 /home/deb50552n2/domains/example.com/public_html/wp-includes/class-wp-roles.php(208): update_option('wp_user_roles', Array)\n#4 /home/deb50552n2/domains/example.com/public_html/wp-includes/class-wp-role.php(58): WP_Roles->add_cap('administrator', 'access_server_b...', true)\n#5 /home/deb50552n2/domains/example.com/public_html/wp-content/plugins/download-manager/libs/class.Apply.php(495): WP_Role->add_cap('access_server_b...')\n#6 /home/deb50552n2/doma in /home/deb50552n2/domains/example.com/public_html/wp-content/plugins/ip-geo-block/classes/class-ip-geo-block.php on line 968\n

jQuery Needs Update For WP 5.6

jQuery Needs Update For WP 5.6

jQuery Migrate Helper shows:

/plugins/ip-geo-block/admin/js/authenticate.min.js:16:221): jQuery.trim is deprecated; use String.prototype.trim

Whitelisting is not working for me

  • Matching rule: White list
  • White list:

And it doesn't work... I have used the emergency function 13 times now. Using WP 4.3, anything I can provide to get some help?

Thanks in advance! Great plugin

WP ZEP for private/reserved IP

I'm having issue with ZEP blocking background process on same server that is accessing wp_ajax from same server and private IP (127.0.0.1).

I wish that ZEP (or whole plugin) does not block private IPs.
Or at least offer option to skip protection for private IP access.

While client IP can be faked, as far as I know, server IP can't.
If you check server response IP ($_SERVER ['SERVER_ADDR']) with

false === filter_var ($_SERVER ['SERVER_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)

When server is responding on private IP address, then I believe that ZEP and other security filters can be safely disabled?

TIA
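
The trade-off raised in this issue and in "XX private" above, as an added PHP sketch that is not the plugin's code: the same filter_var() flags classify the client address, and the private-address exemption applies only behind an explicit opt-in. The function names, the $trust_private switch and the sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration, not IP Geo Block code. Function names are hypothetical.

/** True when $ip is a valid address inside a private or reserved range. */
function is_private_or_reserved( string $ip ): bool {
    if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return false; // not an address at all: never treat as local
    }
    return false === filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

/**
 * Result string for a ZEP-style check ('passed' or 'wp-zep', as in the
 * line quoted in "XX private"). $nonce_ok is the outcome of nonce
 * verification; $trust_private is an assumed admin opt-in, off by default.
 */
function zep_result( string $client_ip, bool $nonce_ok, bool $trust_private = false ): string {
    if ( $nonce_ok ) {
        return 'passed';
    }
    // Without the opt-in a private client address earns no exemption,
    // which is the behaviour a shared host needs.
    if ( $trust_private && is_private_or_reserved( $client_ip ) ) {
        return 'passed';
    }
    return 'wp-zep';
}

// Constructed sample requests: client address and whether the nonce verified.
$samples = array(
    array( '127.0.0.1', false ),  // same-server background job
    array( '10.1.2.3', false ),   // another host on the internal network
    array( '8.8.8.8', false ),    // public client without a nonce
    array( '8.8.8.8', true ),     // public client with a valid nonce
    array( 'not-an-ip', false ),  // malformed value
);

foreach ( $samples as list( $ip, $nonce_ok ) ) {
    printf(
        "%-10s nonce=%-3s default=%-6s opt-in=%s\n",
        $ip,
        $nonce_ok ? 'ok' : 'bad',
        zep_result( $ip, $nonce_ok ),
        zep_result( $ip, $nonce_ok, true )
    );
}
```

Run with the PHP CLI; the two right-hand columns differ only for the private and loopback clients, which is exactly the set of requests the opt-in exempts from nonce verification.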

Check "IP Location Block" based on "IP Geo Block"

I forked the project and fixed all the problems that the current outdated version had.

https://wordpress.org/plugins/ip-location-block/
https://github.com/gdarko/ip-location-block/

Some notable changes

  • Updated code to match the latest geolocation APIs
  • Implemented key for Maxmind database (maxmind requires key as of 2018)
  • Replaced Google Maps with Leaflet / OSM
  • Fixed various warnings and made it compatible with most recent PHP
  • Added migration tool
  • much more...

Migration

  1. Deactivate IP Geo Block but don't remove it yet because it will remove the settings as well.
  2. In IP Location Block, use the "Migrate from IP Geo Block" option at the bottom to copy the settings from IP Geo Block.
  3. You can now remove IP Geo Block

Feature: Dynamic DNS IP whitelist filter

I wish I could add dynamic (and/or static) domain into whitelist filter.
Like mydls.ddns.net from free DDNS provider (ie: http://www.noip.com/)

I created simple plugin extension for me, but domain is coded.
Having ability to enter domain into admin screen would be great improvement.
