Hi @tonycreative,
There are two typical cases related to your concern.
1. Using with Wordfence: In normal usage of WF, it always runs before this plugin starts to run (even if you configure “mu-plugins (ip-geo-block-mu.php)” as “Validation timing” in this plugin’s settings page), because their firewall starts before WordPress starts. It is a matter of execution order. In this case, you can find all the accesses in the live traffic of WF at first.
2. Using with cache plugin: If you find unwanted traffic in Google Analytics for example, it might be an issue of a cached page. In this case, please refer to the FAQ or “Living with caching plugin”.
If your case is not related to the above, please let me know how you could find unwanted traffic from outside US.