You may want to test the blocking behavior of this plugin. This document shows you how to do it, especially around the admin, plugins and themes areas, based on version 2.2.2 and later.
The easiest way to simulate submitting a request from outside your country is to use a browser addon for a VPN service.
You can also find many articles that recommend which one is better.
After turning on your VPN addon and selecting the country you need to test, simply
visit your back-end, e.g.
Note that accessing `/xmlrpc.php` with a browser returns a simple message,
“XML-RPC server accepts POST requests only.”,
because this script needs to be accessed with the POST method, not GET.
But it doesn’t matter. Your test access will be recorded in the Logs tab of the IP Geo Block dashboard.
Testing the blocking behavior on Admin ajax/post, Plugins area and
Themes area is a bit more complicated. Please add the following links
to a post. The first 2 lines are for admin ajax, and the last 4 lines are
for direct access to a PHP file in the plugins area. In particular, the last 2
lines will include
`wp-load.php` to load the WordPress core functions.
Here, `http://example.com` should be replaced with your WordPress home.
As you can see, each even line is a malicious request that attempts to expose
Also, to handle an ajax request properly, put the following code into your
First, uncheck and disable all the settings for “Admin ajax/post” and “Plugins area”.
When you access the above links as a visitor on the public facing page, you’ll
get `0` in case your requests succeed; otherwise you’ll be blocked.
`0` (means success), then you should properly configure the `.htaccess` in your plugins area. Please refer to this article.
OK then, check and enable “Block by country”.
All the links will be blocked when you’re behind the VPN proxy and
is set properly. And when you turn off the VPN addon, then only the malicious
links at even lines will be blocked.
Yeah, the last one is “Prevent Zero-day Exploit”.
All the links except the 1st one will be blocked. This is because the 1st link is a service for visitors. If you add the action hook for the admin as follows, then the 1st link is also blocked.
This means that a non-privileged user can never succeed in a zero-day attack via Admin ajax or the plugins / themes area. On the other hand, if you’re logged in as an admin, all the links at odd lines will not be blocked.
`rel="nofollow"` into each anchor tag. In this case, WP-ZEP will block every link to prevent CSRF.
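To make the visitor-side checks above repeatable after each settings change, the following added example (not part of the plugin or of the original document) fetches your six test links and compares the results with the outcomes this page describes. The scenario names, the links file and the function names are assumptions made for this sketch. A browser VPN addon does not cover a script, so the VPN scenarios assume it runs on a host whose traffic exits through the VPN.

```python
import sys
import urllib.error
import urllib.request

# 1-based link positions this page says are blocked in each state.
# Scenario names are made up for this example.
EXPECTED_BLOCKED = {
    "country-vpn-on":  lambda n: True,        # every link is blocked
    "country-vpn-off": lambda n: n % 2 == 0,  # only the malicious (even) links
    "zep-visitor":     lambda n: n != 1,      # all links except the 1st
    "zep-admin-hook":  lambda n: True,        # the 1st link is blocked as well
}

def is_blocked(body):
    """Criterion from this page: a response body of "0" means success."""
    return body.strip() != "0"

def compare(scenario, bodies):
    """Return (line_no, expected_blocked, observed_blocked) for each mismatch."""
    rule = EXPECTED_BLOCKED[scenario]
    return [(n, rule(n), is_blocked(body))
            for n, body in enumerate(bodies, start=1)
            if rule(n) != is_blocked(body)]

def fetch(url):
    """GET the url as an anonymous visitor; an HTTP error page is still a body."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")

if __name__ == "__main__":
    # Usage: python check_links.py <scenario> <file with your six links, one per line>
    scenario, links_file = sys.argv[1], sys.argv[2]
    with open(links_file) as fh:
        urls = [line.strip() for line in fh if line.strip()]
    mismatches = compare(scenario, [fetch(u) for u in urls])
    for n, want, got in mismatches:
        print(f"link {n}: expected blocked={want}, observed blocked={got}")
    sys.exit(1 if mismatches else 0)
```

A non-zero exit status means at least one link behaved differently from what the selected scenario predicts, which is the cue to recheck the corresponding setting or the `.htaccess` in your plugins area.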