Validation rules and behavior
In addition to blocking based on IP address geolocation information, this plugin blocks malicious requests by validating based on some additional rules. In this section, such validation rules and behavior at blocking are described.
Your IP address / Country
The information shown here is your IP address and country code recognized by this plugin. The “Scan country code” button derives the country code based on the IP address from multiple geolocation databases. In rare cases, some databases may indicate different country codes. If you found an inconsistent country code, it’s good to select only applicable databases at “Geolocation API settings”.
Also, if your country code is shown as XX (Private), it means that your
server is placed behind a reverse proxy server / a load balancer or inside a
LAN. In such a case, please put an appropriate key, corresponding to the HTTP
header field wihch is acquired by PHP such as
HTTP_X_FOWARDED_FOR, into “$_SERVER keys to retrieve extra
IP addresses” described later so that a public IP address can be retrieved.
Matching rule
Select either Whitelist or Blacklist. With this selection, the titles and
text boxe in the next section are changed.
[Whitelist|Blacklist] of country code
Specify the country code according to the selection of “Matching rule” with two letters of the alphabet defined by ISO 3166-1 alpha-2.
Use Autonomous System Number
ASN is the number assigned to the group of IP addresses. For example, Facebook has many IP addresses, and AS32934 is assigned. Activating this will allow you to specify a group of IP addresses all in one piece for a specific organization.
[Whitelist|Blacklist] of extra IP addresses prior to country code
Specify IP addresses or AS number to be blocked or passed, prior to validating the country code. “CIDR calculator forIPv4 / IPv6” can help you to get the range of IP addresses that can be expressed simply as CIDR notation.
$_SERVER keys to retrieve extra IP addresses
In the case of a request via a proxy server, the IP addresses of multiple
servers may be passed through in some specific HTTP fields. In order to
validate all such IP addresses, you can set up some keys acquired by PHP
such as HTTP_X_FORWARDED_FOR, HTTP_CLIENT_IP and so on.
Bad signatures in query
Specify malicious strings to be scanned from the requested query in order to block a malicious request. This validation excludes the contents of comments and articles.
Prevent malicious file uploading
This configures some rules to prevent uploading of malicious files targeted at plugins and theme vulnerabilities.
-
Verify file extension and MIME type
Select the white list of MIME type to be permitted. -
Verify file extension only
Put the black list of prohibited file extension. -
Capabilities to be verified
Put the necessary capabilities for uploading. See Roles and Capabilities for details.
Response code
Specify the HTTP status code for response on blocking. Set the followings according to your selection.
-
Redirect URL
For 2XX and 3XX, specify the destination URL to be redirected (default is blackhole.webpagetest.org). -
Response message
For 4XX and 5XX, specify a message displayed on a simple interface bywp_die(). Instead of this message, you can setup a human-friendly error page based on the theme template such as404.phpcan be configured.
Validation timing
Specify when this plugin will perform the validation.
Normally, the timing when the plugin can safely be initialized may be init
action hook. But since it is after loading the theme and all
the activated plugins, it takes unnecessary server load in case of blocking.
In order to avoid such waste, you can select it as muplugins_loaded.
Simulation mode
This option enables to simulate validation without deployment of blocking on both back-end and front-end. The results can be found on “Logs” tag so that you can check in advance which pages would be blocked or passed.
