This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Country blocking

From Wordfence Documentation
Revision as of 18:01, 4 November 2016 by Wfadmin (Talk | contribs)


Wordfence country blocking is an effective way to stop an attack, content theft or other malicious activity that originates from a geographic region. Wordfence country blocking uses a commercial IP to country database that we have licensed to determine which country an IP address is in. The database is installed on your WordPress server along with the Wordfence plugin, which means that the IP to country lookup happens extremely quickly (it takes approximately 1/300,000th of a second) and it has no performance impact.

Country Blocking Options

What to do when we block someone

You can either show a standard "Your access has been temporarily limited" message, or redirect the blocked user to a page on your website or to an external website.

If you are using the option to redirect instead of just block: Whether you choose to redirect the user to an internal or external website, you must enter the URL as a fully qualified URL that starts with 'http://' or 'https://'. Access to the URL you are redirecting your users to will not be blocked using country blocking because this would result in a loop where a blocked user is redirected to a URL where they are blocked and redirected to the same URL, and so on.

Block countries even if they are logged in

Usually you will want to leave this option unselected unless you have someone who has already created a user account and is signed in who you want to block. If you use country blocking on your whole site, including the login form, it's not possible for someone to sign in or register a new account and therefore you won't need to worry about logged-in users from your blocked countries accessing your site.

Block access to the login form

We recommend you always enable this unless you are blocking access to a specific page. Using country blocking to block access to your login form is an effective way to immediately stop brute force login attacks from a specific country. Login attempts via XML-RPC or through login plugins can also be blocked with this option.

Block access to the rest of the site

When you enable this option, Wordfence country blocking will block selected countries from accessing the rest of your website outside your login form.

Together with the "Block access to the login form" option, this lets you choose whether to block the countries you have selected from accessing your login form, the rest of the site outside the login form, or both.

Advanced Country Blocking Options

The options under advanced country blocking give you a way to allow someone who is inside a country that is blocked to access your website.

First method to bypass country blocking using advanced options

The first method deals with someone who is currently in a blocked country but to whom you want to give access to your site. You can create a special hidden URL. When they access that URL, they will be redirected to another URL on your website that you define, and Wordfence will set a special cookie that lets them bypass country blocking. To set this up, simply fill in the two fields shown, which define what the hidden URL is and where the user should be redirected to after Wordfence has set the special bypass cookie.

If user hits the URL: "Fill in the special URL here and make it relative e.g. /countryblockingbypass"

...then redirect that user to: "You might want to make this your home page or some other starting point for the user once they have their special cookie set. This URL is also relative e.g. /"

Second method to bypass country blocking using advanced options

This second method is a way to ensure that someone who CURRENTLY has access to your website is not blocked in future by country blocking.

Next to the field titled "If user who is allowed to access the site views the URL....", enter a hidden URL, e.g. /bypassInFutureCountryBlocking

If any of your visitors hits that URL, they will receive a special cookie that will allow them to bypass country blocking in future in case they are blocked. You can use this feature if you have a traveling team member who is visiting a blocked country and who needs access to your site. They can visit the special URL you define here before they leave the country. Then once they're outside the country they won't be blocked from accessing your website by country blocking.
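How the blocking options and the two bypass URLs described above interact, as an added PHP model (not Wordfence's own code and not part of the original documentation). The option keys, the `cookie` flag, the `XX` country code, the treatment of `/wp-login.php` and `/xmlrpc.php` as "the login form", and the order of the checks are assumptions.

```php
<?php
// Model of the options described above; not Wordfence source code.
// Option keys, cookie flag and evaluation order are assumptions.
function cb_decide(array $opt, array $req): string {
    $path = parse_url($req['url'], PHP_URL_PATH) ?: '/';
    // Method 1: the hidden URL sets the bypass cookie, then redirects.
    if ($path === $opt['bypass_url']) {
        return 'set cookie, redirect to ' . $opt['bypass_redirect'];
    }
    $blocked = in_array($req['country'], $opt['countries'], true);
    // Method 2: a visitor who currently has access gets the cookie for later.
    if (!$blocked && $path === $opt['future_bypass_url']) {
        return 'set cookie, allow';
    }
    if (!$blocked || $req['cookie']) {
        return 'allow';
    }
    // The redirect target is exempt, otherwise the visitor would loop.
    if ($opt['action'] === 'redirect' && $req['url'] === $opt['redirect_url']) {
        return 'allow';
    }
    if ($req['logged_in'] && !$opt['block_logged_in']) {
        return 'allow';
    }
    // Simplification: wp-login.php and xmlrpc.php stand in for "the login form".
    $isLogin = in_array($path, ['/wp-login.php', '/xmlrpc.php'], true);
    if (!($isLogin ? $opt['block_login'] : $opt['block_site'])) {
        return 'allow';
    }
    return $opt['action'] === 'redirect' ? 'redirect to ' . $opt['redirect_url'] : 'block';
}

// Constructed configuration; XX is a placeholder country code.
$opt = [
    'countries' => ['XX'], 'action' => 'redirect',
    'redirect_url' => 'https://example.com/blocked/',
    'block_logged_in' => false, 'block_login' => true, 'block_site' => false,
    'bypass_url' => '/countryblockingbypass', 'bypass_redirect' => '/',
    'future_bypass_url' => '/bypassInFutureCountryBlocking',
];
// Constructed requests: [url, country, logged_in, cookie]
$requests = [
    ['https://example.com/wp-login.php', 'XX', false, false],
    ['https://example.com/blocked/', 'XX', false, false],
    ['https://example.com/about/', 'XX', false, false],
    ['https://example.com/wp-login.php', 'XX', false, true],
    ['https://example.com/countryblockingbypass', 'XX', false, false],
];
foreach ($requests as [$url, $country, $loggedIn, $cookie]) {
    $req = ['url' => $url, 'country' => $country, 'logged_in' => $loggedIn, 'cookie' => $cookie];
    printf("%-45s %s\n", $url, cb_decide($opt, $req));
}
```

Because anyone who requests the hidden URL receives the bypass cookie, the path works as a shared secret, so choose one that is hard to guess and change it when it is no longer needed.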

Selecting countries to block

As a general philosophy we recommend you try to minimize the number of countries you are blocking. We do have some customers who run tightly secured websites and who only allow a single country to access their site. However, for most websites we suggest that you only block problem countries that are regularly creating failed logins and a large number of page-not-found errors, and are clearly engaging in malicious activity.

We also recommend you reevaluate your blocks from time to time.

Be careful about blocking countries in North America and Europe because there are friendly web crawlers like Google's Googlebot that are located in those areas and you may harm your search engine rankings if you block those countries because you will prevent Google, Bing and other search and aggregation services from crawling your site.

Database updates from Wordfence

We release updates every 1 to 2 months to the country blocking database that Wordfence distributes. This ensures that we adapt to the changes in structure that occur on the Net and are able to convert IP addresses to countries with a high degree of accuracy. The country database included with Wordfence is a database that we have licensed from a commercial provider and you are not granted a license to redistribute it in your own software product. However, you are free to use it as part of Wordfence.


What information should you include in a ticket about country blocking?

To help us better serve you and make sure we get all the information we need to assist, please include these questions along with your answers when opening a support case.

  • In your opinion, what is broken?
    What is Wordfence not doing and why do you think that?
  • Are you seeing the hits from blocked IPs or countries in the live traffic feed or another analytics product?
    Read this link for this question specifically. We know this affects Google Analytics but other analytics products may have the same issue.
  • Is the Firewall enabled on the options page?
    Blocking will not work if this isn't enabled.
  • Is caching enabled (ours or anyone else's)?
    As noted on our Country blocking page, Country blocking will only work on the login page and other dynamic pages with caching enabled. We do this to keep your site fast and avoid a country lookup on every request. Serving cached pages only uses 2 to 3% of the resources that a non-cached page uses, so malicious countries won't eat up your server resources when they load cached pages. If you would like full country blocking, you can enable our Basic Caching on the "Site Performance" page.
  • On the Country blocking page are all three options checked?
    "Block countries even if they are logged in", "Block access to the login form" and "Block access to the rest of the site (outside the login form)".

I want to block the US. Is this a good idea?

We generally do not recommend this. There is the potential to block several companies that legitimately might need to be able to access the site. For instance, blocking the US means that Bing, Yahoo, and Google might not be able to index you. We have seen cases where Akismet and PayPal were affected as well. This is due to where these servers originate from. That being said, try to avoid blocking the US.

Google AdWords says I can't block countries. How do I work around that?

Well, the short answer is that you can't. It's their program and they can run it how they want to. Google AdWords does not allow any participant to block any country at all, even if you have told Google AdWords to not show ads in that country. If you are a participant, you can only block login authentication. Uncheck "Block access to the rest of the site (outside the login form)" to fix this.

How can I fetch blocked countries from the database?

Put this in your functions.php file:

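function wf_blocked_countries($atts, $content = null) {

	global $wpdb;
	// Read the stored list of blocked country codes from the Wordfence config table.
	// The table name assumes the default "wp_" prefix.
	$results = $wpdb->get_results( 'SELECT val FROM wp_wfConfig where name = "cbl_countries"', ARRAY_N );
	// No matching row means there is nothing to show.
	if ( empty( $results ) ) {
		return '';
	}
	$codes = $results[0][0];
	// Escape the value before it is placed into page content.
	return esc_html( $codes );
}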

Then you can fetch blocked countries with this shortcode