Using VPN browser addon

You may want to test the blocking behavior of this plugin. This document shows you how to do it especially arround the admin, plugins and themes area based on version 2.2.2 and later.

Preparation

The most easy way to simulate submitting a request from outside of your country is using the browser addon for VPN service.

VPN addon

You can also find many articles that recommend which one is better.

How to test on back-end

After turning on your VPN addon and select the country you need to test, simple visit to your back-end e.g. /wp-login.php, /wp-admin/ or /xmlrpc.php with your browser.

Note that accessing to /xmlrpc.php with browser returns a simple message because this script needs to be accessed by not GET method but POST method.

XML-RPC server accepts POST requests only.

But it doesn’t matter. Your test access would be recorded in Logs tab of IP Geo Block dashboard.

Testing the blocking behavior on Admin ajax/post, Plugins area and Themes area would be a bit complicated. Please submit the following links to your post. The first 2 lines are for admin ajax, and the last 4 lines are for direct access to the PHP file in plugins area. In particular, the last 2 lines will include wp-load.php to load the WordPress core functions.

Ensure that http://example.com is replaced to your WordPress home.

<ol>
    <li><a href="http://example.com/wp-admin/admin-ajax.php?action=my-ajax">/wp-admin/admin-ajax-php?action=my-ajax</a>
    <li><a href="http://example.com/wp-admin/admin-ajax.php?action=my-ajax&file=../../../wp-config.php">/wp-admin/admin-ajax-php?action=my-ajax&file=../../../wp-config.php</a></li>
    <li><a href="http://example.com/wp-content/plugins/ip-geo-block/samples.php">/wp-content/plugins/ip-geo-block/samples.php</a></li>
    <li><a href="http://example.com/wp-content/plugins/ip-geo-block/samples.php?file=../../../wp-config.php">/wp-content/plugins/ip-geo-block/samples.php?file=../../../wp-config.php</a></li>
    <li><a href="http://example.com/wp-content/plugins/ip-geo-block/samples.php?wp-load=1">/wp-content/plugins/ip-geo-block/samples.php?wp-load=1</a></li>
    <li><a href="http://example.com/wp-content/plugins/ip-geo-block/samples.php?wp-load=1&file=../../../wp-config.php">/wp-content/plugins/ip-geo-block/samples.php?wp-load=1&file=../../../wp-config.php</a></li>
</ol>

As you can see, an even line is a malicious request to attempt to expose wp-config.php.

Sample page

Also to handle a ajax request properly, put the following code into your functions.php.

/**
 * Ajax for non privileged user
 *
 */
add_action( 'wp_ajax_nopriv_my-ajax', 'my_ajax_handler' );
function my_ajax_handler() {
    ;
}

Blocking malicious request

Now at first, uncheck and disable all the settings for “Admin ajax/post” and “Plugins area”.

Setting for admin and plugins

When you assess the above links as a visitor on the public facing page, you’ll see 0 in case your request are success, otherwise you’ll be blocked.

Important: If you click the 4th link and see 0 (means success), then you should properly configure the `.htaccess` in your plugins area. Please refer to this article.

Block by country

OK then, check and enable “Block by country”.

Block by country

All the links will be blocked when you’re behind the VPN proxy and .htaccess is set properly. And when you turn off the VPN addon, then only the malicious links at even lines will be blocked.

Prevent Zero-day Exploit

Yeah, the last one is “Prevent Zero-day Exploit”.

Prevent Zero-day Exploit

All the links except the 1st one will be blocked. It is because the 1st link is a service for the visitors. If you add the action hook for the admin as follows, then the 1st link is also blocked.

/**
 * Ajax for admin
 *
 */
add_action( 'wp_ajax_my-ajax', 'my_ajax_admin_handler' );
function my_ajax_admin_handler() {
    ;
}

It means that non privileged user never succeed zero-day attacks via Admin ajax and plugins / themes area. On the other hand, if you’re logged in as an admin, all the links at odd lines will not be blocked.

Important: If the links are submitted as comments, then the WordPress commenting system will add rel="nofollow" into each anchor tag. In this case, WP-ZEP will block every link to prevent CSRF.

See also