[WordPress] Plugin Share: IP Geo Block

Cover image of the WordPress plugin IP Geo Block.

Introduction

  • The WordPress plugin “IP Geo Block” was released on 2014-01-31.
  • It currently has 10,000 active installations.
  • The last update was on 2019-01-22, 2,293 days ago. With more than a year since the last update, confirm that the version still works before installing, and consider how it will be maintained going forward. For a security plugin this matters twice over: its geolocation database downloads and third-party API integrations depend on providers whose terms change, so verify that those still function as well.
  • The plugin requires WordPress 3.7 or later.
  • 96 people have rated it.
  • No one has asked a question in the support forum yet; usage may be low, or there may simply be no major problems so far.

Plugin Contributors

tokkonopapa

Plugin Tags

login | firewall | security | Brute Force | vulnerability

Summary

The more themes and plugins you install, the more vulnerable your site becomes, even if you have hardened it.

Although WordPress.org provides excellent resources, such as documentation on theme and plugin security, themes and plugins are often vulnerable because of developers' human factors, such as a lack of security awareness or failure to follow the security best practices in those resources.

This plugin focuses on those developer human factors rather than detecting specific attack vectors after they are disclosed. This yields smart and powerful methods called “WP Zero-day Exploit Prevention” and “WP Metadata Exploit Protection”.

Combine these methods with IP address geolocation and you will be surprised how much malicious or unwanted access shows up as blocked in this plugin's logs within a few days of installing it.

Features

Privacy by design:
IP addresses are always encrypted when recorded in logs/cache. They can also be anonymized and restricted when sent to third parties such as geolocation APIs or whois services.

Immigration control:
Access to the essential back-end entrances such as wp-comments-post.php, xmlrpc.php, wp-login.php, wp-signup.php, wp-admin/admin.php, wp-admin/admin-ajax.php and wp-admin/admin-post.php is validated by the country code derived from the IP address. You can set a whitelist or blacklist specifying countries, IP address ranges in CIDR notation and AS numbers of IP networks.

Zero-day exploit prevention:
Unlike security firewalls based on attack patterns, the original feature “WordPress Zero-day Exploit Prevention” (WP-ZEP) focuses on patterns of vulnerability. Even if your site contains some vulnerable plugins and themes, it is still smart and strong enough to block malicious access to wp-admin/*.php, plugins/*.php and themes/*.php, protecting your site against attacks such as CSRF, LFI, SQLi and XSS.

Guard against login attempts:
To prevent brute-force and reverse brute-force attacks through the login form and XML-RPC, the number of login attempts per IP address is limited, even for permitted countries.

Minimize server load against brute-force attacks:
You can configure this plugin as a Must Use plugin so that it is loaded before regular plugins, minimizing the server load caused by fending off brute-force attacks.

Original Plugin Description

The more you install themes and plugins, the more likely your sites will be vulnerable, even if you securely harden your sites.
While WordPress.org provides excellent resources, themes and plugins may often get vulnerable due to developers’ human factors such as lack of security awareness, misuse and disuse of the best practices in those resources.
This plugin focuses on insights into such developers’ human factors instead of detecting the specific attack vectors after they were disclosed. This brings smart and powerful methods named “WP Zero-day Exploit Prevention” and “WP Metadata Exploit Protection”.
Combined with IP address geolocation, these methods will surprise you: after several days of installation you will find a bunch of malicious or undesirable access blocked in the logs of this plugin.
Features

Privacy by design:
IP address is always encrypted on recording in logs/cache. Moreover, it can be anonymized and restricted on sending to the 3rd parties such as geolocation APIs or whois service.
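As an added illustration of the two controls this paragraph describes (this is my own example, not code from the IP Geo Block plugin), the following standalone PHP 8 script truncates an address before it would be sent to a third-party geolocation or whois API, and uses libsodium's authenticated encryption for the full address in the local log. The /24 and /48 truncation lengths, the HMAC pseudonym and the key handling are my assumptions, not the plugin's settings; the sample addresses are documentation ranges.

```php
<?php
// Added example (not the plugin's code): privacy controls for client IPs.
// 1) anonymize() truncates the address before it leaves the server;
// 2) seal()/unseal() encrypt the full address for local logs with
//    libsodium secretbox (XSalsa20-Poly1305, i.e. authenticated encryption).
declare(strict_types=1);

// Keep only the network part: /24 for IPv4, /48 for IPv6 (assumed policy).
function anonymize(string $ip): ?string
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        return null; // not a valid IPv4/IPv6 literal
    }
    $keepBytes = strlen($bin) === 4 ? 3 : 6;
    $masked = substr($bin, 0, $keepBytes) . str_repeat("\0", strlen($bin) - $keepBytes);
    return inet_ntop($masked);
}

// Stable pseudonym so repeat offenders can be correlated in exported data
// without the address itself ever being stored or sent.
function pseudonym(string $ip, string $hmacKey): string
{
    return substr(hash_hmac('sha256', $ip, $hmacKey), 0, 16);
}

// Encrypt for the log. The random nonce is prepended so each record is
// self-contained; the Poly1305 tag makes tampering detectable on decrypt.
function seal(string $ip, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($ip, $nonce, $key));
}

function unseal(string $record, string $key): ?string
{
    $raw = base64_decode($record, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null; // malformed record
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($ct, $nonce, $key);
    return $plain === false ? null : $plain; // false = wrong key or tampered
}

// Keys would normally be generated once and kept outside the web root;
// generating them here keeps the example self-contained.
$logKey  = sodium_crypto_secretbox_keygen();
$hmacKey = random_bytes(32);

// Constructed sample addresses (documentation ranges).
foreach (['203.0.113.10', '2001:db8:85a3::8a2e:370:7334'] as $ip) {
    $record = seal($ip, $logKey);
    printf(
        "client %s\n  to 3rd party: %s\n  pseudonym:    %s\n  in log:       %s\n  decrypted:    %s\n",
        $ip, anonymize($ip), pseudonym($ip, $hmacKey), $record, unseal($record, $logKey)
    );
}
```

The split matters: the log needs the real address for incident response, so it gets encryption that an operator with the key can reverse; the third party only needs a rough location, so it gets a truncated address that nobody can reverse.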

Immigration control:
Access to the basic and important entrances into the back-end such as wp-comments-post.php, xmlrpc.php, wp-login.php, wp-signup.php, wp-admin/admin.php, wp-admin/admin-ajax.php and wp-admin/admin-post.php will be validated by means of a country code based on the IP address. It allows you to configure either a whitelist or a blacklist specifying countries, CIDR notation for a range of IP addresses and AS numbers for a group of IP networks.
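To make the whitelist/blacklist logic above concrete, here is an added example in plain PHP written for this page (not code from IP Geo Block). A real geolocation database is not available offline, so the country and AS lookups come from a constructed table whose addresses and AS numbers are invented; the rule evaluation order and the "unknown country is ZZ" convention are my assumptions.

```php
<?php
// Added example (not the plugin's code): a minimal "immigration control" check.
// Only the back-end entrances the plugin description lists are validated;
// everything else is passed through untouched.
declare(strict_types=1);

const PROTECTED_ENTRANCES = [
    'wp-comments-post.php', 'xmlrpc.php', 'wp-login.php', 'wp-signup.php',
    'wp-admin/admin.php', 'wp-admin/admin-ajax.php', 'wp-admin/admin-post.php',
];

// Constructed stand-in for a geolocation/ASN database (invented data).
const GEO_DB = [
    '203.0.113.10' => ['country' => 'JP', 'asn' => 64496],
    '198.51.100.7' => ['country' => 'US', 'asn' => 64497],
    '192.0.2.99'   => ['country' => 'RU', 'asn' => 64498],
    '2001:db8::1'  => ['country' => 'DE', 'asn' => 64499],
];

// Does $ip fall inside $cidr? Handles IPv4 and IPv6 via inet_pton().
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed, or IPv4 tested against an IPv6 range
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);          // compare whole bytes first
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;                       // then the partial byte, if any
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

// $rules = ['mode' => 'whitelist'|'blacklist', 'countries' => [...],
//           'cidrs' => [...], 'asns' => [...]]
// Returns 'pass' (not a protected entrance), 'allow' or 'block'.
function immigration_control(string $path, string $ip, array $rules): string
{
    $p = parse_url($path, PHP_URL_PATH);
    $entrance = ltrim(is_string($p) ? $p : '', '/');
    if (!in_array($entrance, PROTECTED_ENTRANCES, true)) {
        return 'pass';
    }
    // Unknown addresses get country 'ZZ'. In whitelist mode that fails closed
    // (blocked); in blacklist mode it is allowed unless 'ZZ' is listed.
    $geo = GEO_DB[$ip] ?? ['country' => 'ZZ', 'asn' => 0];
    $matched = in_array($geo['country'], $rules['countries'], true)
        || in_array($geo['asn'], $rules['asns'], true);
    foreach ($rules['cidrs'] as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            $matched = true;
            break;
        }
    }
    if ($rules['mode'] === 'whitelist') {
        return $matched ? 'allow' : 'block';
    }
    return $matched ? 'block' : 'allow';
}

// Constructed requests: JP by country, US by CIDR, DE by AS number, RU by nothing.
$rules = ['mode' => 'whitelist', 'countries' => ['JP'],
          'cidrs' => ['198.51.100.0/24'], 'asns' => [64499]];
$requests = [
    ['/wp-login.php', '203.0.113.10'],
    ['/xmlrpc.php', '192.0.2.99'],
    ['/wp-admin/admin-ajax.php?action=heartbeat', '198.51.100.7'],
    ['/wp-login.php', '2001:db8::1'],
    ['/index.php', '192.0.2.99'],
];
foreach ($requests as [$path, $ip]) {
    printf("%-42s %-14s %s\n", $path, $ip, immigration_control($path, $ip, $rules));
}
```

Note the fail-closed choice for addresses the database cannot place: a whitelist must block them, otherwise a gap in the database becomes a gap in the control.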

Zero-day Exploit Prevention:
Unlike other security firewalls based on attack patterns (vectors), the original feature “WordPress Zero-day Exploit Prevention” (WP-ZEP) is focused on patterns of vulnerability. It is simple but still smart and strong enough to block malicious access to wp-admin/*.php, plugins/*.php and themes/*.php, even from the permitted countries. It will protect your site against certain types of attack such as CSRF, LFI, SQLi, XSS and so on, even if you have some vulnerable plugins and themes on your site.

Guard against login attempts:
In order to prevent hacking through the login form and XML-RPC by brute-force and reverse brute-force attacks, the number of login attempts will be limited per IP address, even from the permitted countries.
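The limiter described above, as an added example for this page rather than the plugin's implementation: a sliding window of failures per IP followed by a lockout, keyed on the address alone so that a reverse brute-force (one password tried against many usernames) is counted exactly like a normal one. The thresholds, the in-memory store and the event stream are constructed; in WordPress the state would live in a transient or a table, and the same class would be driven from the wp_login_failed action and the authenticate filter. Requires PHP 8.

```php
<?php
// Added example (not the plugin's code): per-IP login throttling.
declare(strict_types=1);

final class LoginAttemptLimiter
{
    private array $failures = [];    // ip => list of failure timestamps
    private array $lockedUntil = []; // ip => unix time the lockout ends

    public function __construct(
        private int $maxAttempts = 5,   // failures tolerated per window
        private int $windowSec = 600,   // sliding window length
        private int $lockoutSec = 1800, // how long a locked IP stays out
    ) {}

    // Check this before even looking at the credentials, so a locked client
    // costs no password hashing and no database round trip.
    public function isLocked(string $ip, int $now): bool
    {
        return ($this->lockedUntil[$ip] ?? 0) > $now;
    }

    // Returns true when this failure triggers a lockout.
    public function recordFailure(string $ip, int $now): bool
    {
        $recent = array_filter(
            $this->failures[$ip] ?? [],
            fn(int $t) => $t > $now - $this->windowSec   // drop stale entries
        );
        $recent[] = $now;
        $this->failures[$ip] = array_values($recent);
        if (count($recent) >= $this->maxAttempts) {
            $this->lockedUntil[$ip] = $now + $this->lockoutSec;
            $this->failures[$ip] = [];
            return true;
        }
        return false;
    }

    public function recordSuccess(string $ip): void
    {
        unset($this->failures[$ip], $this->lockedUntil[$ip]);
    }
}

// Constructed event stream: (time, ip, username, outcome) as the login form
// or XML-RPC handler would report them. One IP sprays usernames.
$events = [
    [0,  '192.0.2.99',   'admin',  'fail'],
    [5,  '192.0.2.99',   'editor', 'fail'],
    [9,  '192.0.2.99',   'wpuser', 'fail'],
    [14, '192.0.2.99',   'test',   'fail'],
    [20, '192.0.2.99',   'root',   'fail'], // fifth failure inside the window
    [25, '192.0.2.99',   'admin',  'fail'], // never reaches authentication
    [30, '203.0.113.10', 'alice',  'ok'],
];
$limiter = new LoginAttemptLimiter();
foreach ($events as [$t, $ip, $user, $outcome]) {
    if ($limiter->isLocked($ip, $t)) {
        printf("t=%-3d %-14s %-7s rejected before authentication (locked)\n", $t, $ip, $user);
        continue;
    }
    if ($outcome === 'ok') {
        $limiter->recordSuccess($ip);
        printf("t=%-3d %-14s %-7s login ok\n", $t, $ip, $user);
    } else {
        $locked = $limiter->recordFailure($ip, $t);
        printf("t=%-3d %-14s %-7s failed%s\n", $t, $ip, $user, $locked ? ' -> lockout' : '');
    }
}
```

Counting per address rather than per username is what makes the reverse case work; counting per username alone would let one client try a single password against every account on the site without ever tripping the limit.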

Minimize server load against brute-force attacks:
You can configure this plugin as a Must Use plugin so that it is loaded before regular plugins. Because a blocked request is then rejected before the rest of the plugin stack is loaded, this can massively reduce the load on the server.

Prevent malicious down/uploading:
A malicious request such as one exposing wp-config.php or uploading malware via vulnerable plugins/themes can be blocked.

Block badly-behaved bots and crawlers:
Simple logic may help to reduce the number of rogue bots and crawlers scraping your site.

Support of BuddyPress and bbPress:
You can configure this plugin so that a registered user can log in as a member from anywhere, while requests such as new user registration, lost password, creating a new topic and subscribing to comments can be blocked by country. This suits BuddyPress and bbPress and helps reduce spam.

Referrer suppressor for external links:
When you click an external hyperlink on admin screens, the HTTP referrer will be removed to hide your site's footprint.

Multiple source of IP Geolocation databases:
MaxMind GeoLite2 free databases (requires PHP 5.4.0+) and IP2Location LITE databases can be installed in this plugin. Free geolocation REST APIs and whois information are also available for audit purposes.
Furthermore, dedicated API class libraries can be installed for CloudFlare and CloudFront as reverse proxy services.

Customizing response:
The HTTP response code can be selected: 403 Forbidden to deny access to pages, 404 Not Found to hide pages, or even 200 OK to redirect to the top page.
You can also provide a human-friendly page (like 404.php) in your parent/child theme template directory to fit your site's design.

Validation logs:
Validation logs with useful information for auditing attack patterns can be managed.

Cooperation with full spec security plugin:
This plugin is light enough to cooperate with other full-spec security plugins such as Wordfence Security. See this report about page speed performance.

Extendability:
You can customize the behavior of this plugin via add_filter() with pre-defined filter hooks. See various use cases in samples.php bundled within this package.
You can also get the extension IP Geo Allow by Dragan. It makes admin screens strictly private in a more flexible way than specifying IP addresses.
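The Must Use plugin note above and this extendability note fit together in one file. What follows is an added example written for this page, not code shipped with IP Geo Block: a single-file mu-plugin placed in wp-content/mu-plugins/ is loaded by WordPress before regular plugins, so the filters it registers are already in place when the plugin runs its validations. The hook names ip-geo-block-ip-addr and ip-geo-block-bypass-admins and their callback signatures are my recollection of the plugin's samples.php and must be checked against the bundled file; the proxy address and the admin-ajax action name are assumptions.

```php
<?php
/**
 * Plugin Name: IP Geo Block site customizations
 * Description: Added example (not part of IP Geo Block). Save as
 *              wp-content/mu-plugins/ip-geo-block-custom.php so it loads before
 *              regular plugins and its add_filter() calls are registered first.
 */

// Assumption: the plugin exposes the client address through this filter.
// Behind a reverse proxy REMOTE_ADDR is the proxy, so the country lookup
// would otherwise always resolve to the proxy's location.
add_filter('ip-geo-block-ip-addr', function (string $ip): string {
    $trustedProxies = ['10.0.0.5']; // assumption: your proxy's address(es)
    $xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';

    // Only believe X-Forwarded-For when the TCP peer really is the proxy.
    // Without this check any client can forge the header and pick a
    // permitted country for itself.
    if ($xff !== '' && in_array($_SERVER['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        // The proxy appends the address it saw, so the last entry is the client;
        // earlier entries are whatever the client sent and are not trusted.
        $hops = array_map('trim', explode(',', $xff));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $ip;
});

// Assumption: this filter receives the list of admin-ajax actions that may be
// called from any country. Use it for a public form handler a theme exposes
// through admin-ajax.php, instead of opening admin-ajax.php wholesale.
add_filter('ip-geo-block-bypass-admins', function (array $actions): array {
    $actions[] = 'my_public_form'; // assumption: the action name your theme uses
    return $actions;
});
```

Keep the bypass list as short as possible: every action added to it is a back-end entrance that the country check no longer covers.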

Self blocking prevention and easy rescue:
Website owners do not want to be blocked themselves. This plugin prevents that unless you force it. Furthermore, if such a situation occurs, you can rescue yourself easily.

Clean uninstallation:
Nothing is left in your precious MySQL database after uninstallation, so you can feel free to install and activate this plugin to try out its functionality.

Attribution
This package includes the GeoLite2 library distributed by MaxMind, available from MaxMind (requires PHP 5.4.0+), and also includes IP2Location open source libraries available from IP2Location.
Thanks also for providing the following great services and REST APIs for free.

http://ip-api.com/ (IPv4, IPv6 / free for non-commercial use)
http://geoiplookup.net/ (IPv4, IPv6 / free)
https://ipinfo.io/ (IPv4, IPv6 / free)
https://ipapi.com/ (IPv4, IPv6 / free, need API key)
https://ipdata.co/ (IPv4, IPv6 / free, need API key)
https://ipstack.com/ (IPv4, IPv6 / free for registered user, need API key)
https://ipinfodb.com/ (IPv4, IPv6 / free for registered user, need API key)

Development
Development of this plugin takes place at WordPress-IP-Geo-Block, and the class libraries that handle geolocation databases are developed separately as “add-ins” at WordPress-IP-Geo-API.
All contributions will always be welcome. Or visit my development blog.
Known issues

No image is shown after dragging and dropping an image in grid view in the “Media Library”. For more details, please refer to this ticket on GitHub.
Since WordPress 4.5, rel=nofollow is no longer attached to links in comment_content. This change prevents blocking “Server Side Request Forgeries” (not cross-site, but a malicious internal link in the comment field).
The WordPress.com mobile app cannot upload images because of its own authentication system via XML-RPC.

Downloads by Version

  • Method 1: click a version-number link below to download the ZIP file, log in to your site's admin area, open “Plugins” in the left menu, choose “Add New”, then “Upload Plugin”, and upload the ZIP package to install and activate it.
  • Method 2: use the search box on the right of the “Add New” plugin screen, search for the plugin name “IP Geo Block”, and install it from there.

(Method 2 is recommended, since it ensures the installed version matches the WordPress environment you are running.)


2.2.9.1 | 3.0.0 | 3.0.1.2 | 3.0.2.2 | 3.0.3.4 | 3.0.4.6 | 3.0.5 | 3.0.6.1 | 3.0.7.2 | 3.0.8 | 3.0.9 | 3.0.10.4 | 3.0.11 | 3.0.12.1 | 3.0.13 | 3.0.14 | 3.0.15 | 3.0.16 | 3.0.17 | 3.0.17.1 | 3.0.17.2 | 3.0.17.3 | 3.0.17.4 | trunk
