However, there are some reasons why users have such an impression.
Sometimes a Wordfence Security user who finds some accesses in its Live Traffic view claims:
Hey, this plugin seems to block nothing!
But please do not get ahead of yourself: there’s a proper order for everything!
Before WordPress runs, Wordfence ingeniously filters out malicious requests to your site by enabling the auto_prepend_file directive to include its PHP-based Web Application Firewall. This plugin then validates the remaining requests, which passed through Wordfence because they were not covered by its WAF rules, especially when you enable “Prevent Zero-day Exploit”.
Unfortunately, the accuracy of the country code depends on the geolocation databases. In fact, there are cases where the same IP address has different country codes.
Here are other examples:
In such a case, please consider selecting more reliable databases.
Please consider setting "mu-plugins" (ip-geo-block-mu.php) as the Validation timing in the Validation rule settings. This lets the plugin capture requests before other plugins do.
Find more details at Validation timing.