This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Country blocking

From Wordfence Documentation
Revision as of 16:48, 27 November 2017 by Wfadmin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Country Blocking settings are located on a tab of the Blocking page on the Wordfence menu.

Wordfence country blocking is an effective way to stop an attack, content theft or other malicious activity that originates from a geographic region. Wordfence country blocking uses a commercial IP to country database that we have licensed to determine which country an IP address is in. The database is installed on your WordPress server along with the Wordfence plugin, which means that the IP to country lookup happens extremely quickly (it takes approximately 1/300,000th of a second) and it has no performance impact.

Country Blocking Options

What to do when we block someone

You can either select the option to show a standard "Your access has been temporarily limited" message. Or you can redirect the blocked user to a page your website or an external website.

If you are using the option to redirect instead of just block: Whether you choose to redirect the user to an internal or external website, you must enter the URL as a fully qualified URL that starts with 'http://' or 'https://'. Access to the URL you are redirecting your users to will not be blocked using country blocking because this would result in a loop where a blocked user is redirected to a URL where they are blocked and redirected to the same URL, and so on.

Block countries even if they are logged in

Usually you will want to leave this option unselected unless you have someone who has already created a user account and is signed in who you want to block. If you use country blocking on your whole site, including the login form, it's not possible for someone to sign-in or register a new account and therefore you won't need to worry about logged-in users from your blocked countries accessing your site.

Block access to the login form

We recommend you always enable this unless you are blocking access to a specific page. Using country blocking to block access to your login form is an effective way to immediately stop brute force login attacks from a specific country. Login attempts via XML-RPC or through login plugins can also be blocked with this option.

Block access to the rest of the site

When you enable this option, Wordfence country blocking will block selected countries from accessing the rest of your website outside your login form.

By using this option and blocking access to the login form you can choose if you want to block the countries you have selected from accessing your login form, the rest of the site outside the login form or both.

Please note that if you are using Google AdWords on your site, you may get penalties for blocking access to your site. If you are using Google AdWords, we recommend you only use Country Blocking to block access to the login form.

Advanced Country Blocking Options

The options under advanced country blocking give you a way to allow someone who is inside a country that is blocked to access your website.

First method to bypass country blocking using advanced options

The first method deals with someone who is currently in a blocked country but you want to give access to your site. You can create a special hidden URL. When they access that URL they will be redirected to another URL on your website that you define and Wordfence will set a special cookie that lets them bypass country blocking. To set this up simply fill in the two fields shown that define what the hidden URL is and where the user should be redirected to after Wordfence has set the special bypass cookie.

If user hits the URL: "Fill in the special URL here and make it relative e.g. /countryblockingbypass"

...then redirect that user to: "You might want to make this your home page or some other starting point for the user once they have their special cookie set. This URL is also relative e.g. /"

Second method to bypass country blocking using advanced options

This second method is a way to ensure that someone who CURRENTLY has access to your website is not blocked in future by country blocking.

Next to the field that is titled "If user who is allowed to access the site views the URL...." Enter a hidden URL e.g. /bypassInFutureCountryBlocking

If any of your visitors hits that URL, they will receive a special cookie that will allow them to bypass country blocking in future in case they are blocked. You can use this feature if you have a traveling team member who is visiting a blocked country and who needs access to your site. They can visit the special URL you define here before they leave the country. Then once they're outside the country they won't be blocked from accessing your website by country blocking.

Please note that the URL does not have to exist on the server. You can make up any URL you want.

Selecting countries to block

As a general philosophy we recommend you try to minimize the number of countries you are blocking. We do have some customers who run tightly secured websites and who only allow a single country to access their site. However for most websites, we suggest that you only block problem countries who are regularly creating failed logins, a large number of page not found errors and are clearly engaging in malicious activity.

We also recommend you reevaluate your blocks from time to time.

Be careful about blocking countries in North America and Europe because there are friendly web crawlers like Google's Googlebot that are located in those areas and you may harm your search engine rankings if you block those countries because you will prevent Google, Bing and other search and aggregation services from crawling your site.

Database updates from Wordfence

We release updates every 1 to 2 months to the country blocking database that Wordfence distributes. This ensures that we adapt to the changes in structure that occur on the Net and are able to convert IP addresses to countries with a high degree of accuracy. The country database included with Wordfence is a database that we have licensed from a commercial provider and you are not granted a license to redistribute it in your own software product. However you are free to use it as part of Wordfence.


What information should you include in a ticket about country blocking?

To help us better serve you and make sure we get all the information we need to assist, please include these questions along with your answers when opening a support case.

  • In your opinion, what is broken?
    What is Wordfence not doing and why do you think that?
  • Are you seeing the hits from blocked IPs or countries in the live traffic feed or another analytics product?
    Read this link for this question specifically. We know this affects Google Analytics but other analytics products may have the same issue.
  • Is the blocking enabled on Wordfence's options page?
    Wordfence will not block anything unless the option "Enable Rate Limiting and Advanced Blocking" is enabled.
  • On the Country blocking page, which of these options are checked?
    Block countries even if they are logged in Block access to the login form Block access to the rest of the site (outside the login form)
  • Are you using any cache plugins?
    Some cache plugins create .html pages for their cache. PHP does not run on .html pages and therefore Country Blocking will not work on cached pages.
  • I want to block the US. Is this a good idea?

    We generally do not recommend this. There is the potential to block several companies that legitimately might need to be able to access the site. For instance, blocking the US means that Bing, Yahoo, and Google might not be able to index you. We have seen cases where Akismet and Paypal were affected as well. This is due to where these servers originate from. That being said, try to avoid blocking the US.

    Google Adwords says I can't block countries. How do I work around that?

    Well, the short answer is that you can't. It's their program and they can run it how they want to. Google AdWords does not allow any participant to block any country from viewing pages at all, even if you have told Google AdWords to not show ads in that country. If you are a participant, you can only block login authentication. Uncheck "Block access to the rest of the site (outside the login form)" to fix this.

    How can I fetch blocked countries from the database?

    Put this in your functions.php file

    function wf_blocked_countries($atts, $content = null) {
    	global $wpdb;
    	$results = $wpdb->get_results( 'SELECT val FROM wp_wfConfig where name = "cbl_countries"', ARRAY_N );
    	$codes = $results[0][0];
    	return $codes;

    Then you can fetch blocked countries with this shortcode