• moxymore

    (@moxymore)


    Hi there,

    I wonder if you plan to add an IP Geo block? Since most of my failed login attempts are coming from Russia, Indonesia, Romania or Estonia, and since my website is limited to the French language, it would be a nice feature to add.

    So, do you plan to add such a feature, or shall I go for another plugin for this task?

    Regards.

    • This topic was modified 8 years ago by moxymore.
Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Paul

    (@paultgoodchild)

    It’s really not likely that we’d put that functionality in this plugin. It’s not scalable security:
    https://www.icontrolwp.com/blog/beware-new-security-theat-wordpress-misinformation-virus/

    We do have an automatic IP Address blocking system in place though:
    https://www.icontrolwp.com/blog/wordpress-security-plugin-update-automatically-block-malicious-visitors/

    Hope that helps.

    Thread Starter moxymore

    (@moxymore)

    Hi,

    Very interesting post for the wordpress misinformation virus.

    Can I ask you something else? Why do you allow us to only choose between 1 min/hour/day/week/month for the auto IP blacklist, when some people (like me) expected to define it at something like 5 min? 1 min is way too short, and 1 hour is way too long (for my case btw).

    Regards.

    Plugin Author Paul

    (@paultgoodchild)

    For simplicity, really. More choice/options creates more complexity both for the user and developer/maintenance. This feature comes with 2 variables for this, so essentially you can find a sweet spot with these for most scenarios.

    If a visitor from Russia is malignant, then blocking them for an hour is perfectly reasonable. But what you can do is offset the risk of blocking with a higher transgression threshold. Conversely you can create a lower threshold with a lower lock-out time. In that way, 1 minute would suffice. You could link 1 transgression to 1 minute and effectively block that visitor.

    … all the while keeping your IP address lookup table slim.

    Edit: Note that the 1 minute is extended indefinitely beyond 1 minute all the while the same visitor keeps accessing the site.

    There are many ways to skin this cat, and I think we’ve provided suitable options and variability to meet the vast majority of users in a simplified manner. Now as I think about it, we could offer a filter for advanced setting of this option… never thought of that before.

    Does that help?

    • This reply was modified 8 years ago by Paul.
    Thread Starter moxymore

    (@moxymore)

    Yes, that helps, I understand your choice. Nevertheless, one more variable related to an additional custom field in order to set the desired number of minute(s)/hour(s)/day(s)/week(s)/month(s) isn’t, in my opinion, hard to deal with for the maintenance of the plugin. And the user experience will be improved, imo.

    Why am I asking for this? Because in a membership environment, there will be 2 kinds of visitors:

    1 – Legit users, who may try to log in multiple times because they don’t remember their password (this can happen to everybody)… and that’s why, in this case, you can’t set it to 1 transgression. Or if you do so, you have to blacklist them for 1 minute only, which will not fit the need for the 2nd kind of “visitors”: bots.

    2 – Alright, here we go, with bots trying to bruteforce your login/password. You can set a rule for 5 transgressions (in order to give everybody a chance to fail), but because you take care of brute force attacks, you then have to set it up to a 1 hour blacklist. Alright, but what will happen to the “legit user” then, who failed 5 times because he was just tired after his day’s work? Shall he wait 1 hour? What a sad life :p

    Even if my English isn’t perfect, I hope you understand what I mean: the gap is too big for some particular uses. And I really think that being able to choose a number of minutes for the blacklist is the best deal we can have.

    Regards.

    • This reply was modified 8 years ago by moxymore.
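The threshold/lock-out trade-off argued over in the last two posts, as an added illustration that is not the plugin's code: a toy lock-out table, including the rule that a block keeps being extended while the blocked visitor keeps hitting the site, run over constructed timelines for a forgetful member and a brute-forcing bot under the two settings contrasted above (1 transgression / 1 minute and 5 transgressions / 1 hour). It assumes PHP 8; the class name, IP addresses and timelines are made up.

```php
<?php
// Added illustration, not the plugin's own code: a toy model of the
// "transgression threshold + lock-out length" pair, with the extension
// rule that any request during a block pushes the block out again.
// Class name, IPs and the event timelines below are constructed.

final class LockoutTable
{
    private array $rows = [];   // ip => ['count' => int, 'until' => int]

    public function __construct(private int $threshold, private int $lockSeconds) {}

    /** One request from $ip at unix time $now; $failed marks a failed login.
     *  Returns true when the request was rejected because $ip is blocked. */
    public function request(string $ip, int $now, bool $failed): bool
    {
        $row = $this->rows[$ip] ?? ['count' => 0, 'until' => 0];
        if ($row['until'] > $now) {
            $row['until'] = $now + $this->lockSeconds;   // keep extending while they keep coming
            $this->rows[$ip] = $row;
            return true;
        }
        if ($failed && ++$row['count'] >= $this->threshold) {
            $row = ['count' => 0, 'until' => $now + $this->lockSeconds];   // start the block
        }
        $this->rows[$ip] = $row;
        return false;
    }
}

// Constructed timelines: a tired member mistypes three times (t=0,10,20 s),
// then enters the right password at t=30 s; a bot fails once per second for ten minutes.
$member = array_map(fn($i) => [10 * $i, $i < 3], range(0, 3));   // [time, failed]
$bot    = array_map(fn($t) => [$t, true], range(0, 599));

foreach ([[1, 60], [5, 3600]] as [$threshold, $lock]) {
    $table = new LockoutTable($threshold, $lock);
    $memberBlocked = false;
    foreach ($member as [$t, $failed]) {
        $memberBlocked = $table->request('198.51.100.10', $t, $failed) || $memberBlocked;
    }
    $botRejected = 0;
    foreach ($bot as [$t, $failed]) {
        $botRejected += (int) $table->request('203.0.113.77', $t, $failed);
    }
    printf("threshold=%d lock=%ds: member blocked? %s; bot requests rejected: %d/600\n",
        $threshold, $lock, $memberBlocked ? 'yes' : 'no', $botRejected);
}
```

With 1 transgression / 60 s the member's second and third mistakes and the correct login that follows are all rejected, because every hit extends the window; with 5 / 1 h the member is never blocked here and the bot is rejected from its sixth attempt on.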
    Plugin Author Paul

    (@paultgoodchild)

    What you say makes sense, and don’t worry, your English is absolutely fine!

    Are you familiar with WordPress hooks/filters? I can provide you a filter that you can use; simply add the code to a file that’s not going to get updated/overwritten, like your functions.php, and you’ll be able to modify the 1x for min/hour/day to any number you want.

    Would that work for you?

    • This reply was modified 8 years ago by Paul.
    Thread Starter moxymore

    (@moxymore)

    Familiar? I can’t say so, since I began coding 6 months ago. But yes, I’m already coding a lot of simple stuff, and I know what the add_action(), add_filter() etc. functions do.

    So yes, it’s ok. I’ll probably not put it directly in my functions.php, since I have divided my theme’s core functions into several files (for a better organisation), but I can easily create a new shield.php file which will act like functions.php:

    $files = new \FilesystemIterator( __DIR__ . '/src', \FilesystemIterator::SKIP_DOTS );
    foreach ( $files as $file ) {
        /** @noinspection PhpIncludeInspection */
        // include every regular file found in src/ (sub-directories are skipped)
        ! $file->isDir() and include $file->getRealPath();
    }
    Plugin Author Paul

    (@paultgoodchild)

    That’s a good idea… organising your code.
    But, from a security perspective, this sort of iterative code is not recommended.

    If for some reason you’re compromised and a malicious PHP file gets added to this directory, it’ll be loaded. If you want to loop, you are always better to create a list of files explicitly and loop through them.

    e.g.:

    $aFilesToLoad = array( 'file1', 'file2', 'file3' );
    foreach ( $aFilesToLoad as $sFile ) {
        $sFullPath = __DIR__ . DIRECTORY_SEPARATOR . $sFile . '.php';
        if ( file_exists( $sFullPath ) ) {
            include( $sFullPath );
        }
    }
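A slightly stricter version of the explicit-list loader above, as an added example that is not the plugin's or the thread's code: it only accepts bare file names, checks that each resolved path really lives inside the intended directory (so a symlink cannot pull in something from elsewhere), and reports any .php file in the directory that is not on the list, which is exactly the "dropped-in file" case described in the post. The function name, the src directory and the file names are constructed; it assumes PHP 8.

```php
<?php
// Added example, not code from the thread or the plugin. Loads only an
// allow-list of files and reports anything else that has appeared in the
// directory. Function name, directory and file names are constructed.

function load_allowed_files(string $dir, array $allowed): array
{
    $base     = realpath($dir);
    $loaded   = [];
    $rejected = [];
    if ($base === false) {
        return ['loaded' => [], 'rejected' => $allowed, 'unexpected' => []];
    }
    foreach ($allowed as $name) {
        // Only bare names: no separators, no "..", no extension games.
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
            $rejected[] = $name;
            continue;
        }
        $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
        // Must exist, be a regular file, and resolve to somewhere inside $base.
        if ($path === false || !is_file($path)
            || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
            $rejected[] = $name;
            continue;
        }
        include_once $path;
        $loaded[] = $path;
    }
    // Detection: any .php in the directory that was not on the list deserves a look.
    $unexpected = [];
    foreach (glob($base . DIRECTORY_SEPARATOR . '*.php') ?: [] as $candidate) {
        if (!in_array(realpath($candidate), $loaded, true)) {
            $unexpected[] = basename($candidate);
        }
    }
    return ['loaded' => $loaded, 'rejected' => $rejected, 'unexpected' => $unexpected];
}

$report = load_allowed_files(__DIR__ . '/src', ['file1', 'file2', 'file3']);
foreach ($report['unexpected'] as $name) {
    error_log("Unlisted PHP file found in src/: $name");   // feed this to your alerting
}
```

Denying HTTP access to the directory in .htaccess stops direct requests to it but does not stop PHP from including a file that has been written there, so the allow-list remains the control that matters.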
    Thread Starter moxymore

    (@moxymore)

    You are probably right, buddy. I’ll think about it, even if I expected to protect the folder directly in the .htaccess and with CHMOD in order to prevent this kind of vulnerability.

    Waiting for your filter btw. And thank you for the instructive post.

    Plugin Author Paul

    (@paultgoodchild)

    The filter won’t be available until the next release, but hopefully that won’t be too far away.

    Thread Starter moxymore

    (@moxymore)

    Alright, thank you.

  • The topic ‘IP Geo Block?’ is closed to new replies.