How to block visitors (and hackers) from specific countries

Note:  If you have found this post because you have an error message in your IQ Block Country, please see this later post on the IQ Block Country error message.

Update!!  If you need this installed for you, we now offer that as a service!  Details at the bottom of this post.

I’ve been playing a bit lately with some (free) WordPress plugins for blocking visitors to client sites. I want to report my findings here, so that everyone can benefit from them.  If you are one of my clients, and on the Gold or Silver Support plan, I am happy to set this up for you on request – please raise a support ticket.

Blocking Visitors by Country in WordPress

There are two types of blocks – front end and back end.  The front end of your site is what you want visitors to see.  This is all your content, your pages, your blog posts, your products – all the good bits that you want made publicly visible.

The back end is your administration area (admin).  You do NOT want anyone but you and your web guy getting access to this.  This is where the hackers really want to get to, so they can take over your site.

If you are only selling to certain countries, or if you are getting swamped by comment spammers that you would rather keep out, you might decide to block countries on the front end.  But most people should be blocking countries on the back end, so that their admin area is super protected.

I have played with quite a few plugins to achieve this, and the one I like the best is iQ Block Country by Pascal.

First, please read this quick tutorial on how to add a plugin to your WordPress site, if you don’t already know how.  It will show you how to add this iQ Block Country plugin.

Once you have the plugin installed and activated, in your admin menu, hover over the Settings entry and then click on iQ Block Country.

installing iQ Block Country

(Your admin menu and Settings menu will look different to this – the thing you are looking for is in the bottom right of that picture above).

Blocking Frontend Visitors

You will find a number of tabs across the top of the page.  On the first one, Home, you can leave the default settings.  Click on the next one, Frontend.

This is where you will specify which countries you don’t want to get access to the front end of your site (the publicly visible parts).  In many cases you won’t make any changes here.  But if you are being swamped by traffic from countries you don’t want visiting, or if you are getting a lot of spam comments from such countries, you can specify countries you want blocked here.

To do this, make sure the box next to “Block visitors from visiting the frontend of your website” is ticked.  Then you need to click on the area next to “Select the countries…” and start choosing countries you want to block.

iQ Block Country frontend options

Probably you will want to block more than one country, so hold down the CTRL button (I think it would be the Command button on a Mac but I am not sure – please let us know in the comments if you are a Mac user doing this), and click on the ones you want to add to the list of blocked countries.

Make sure you don’t block your own country.  Also, don’t block the country where your web site dude is, if they aren’t in the same country as you.

Another thing you want to watch out for is that you might be blocking access to search engine bots.  These are little programs that come to your web site and “crawl” it, or look at it closely, to see what is there, so they can list it on their search engines (like Google).  I have found that a lot of the bots are from USA IP addresses.  So for my sites, I leave the USA as a country that CAN access the front end.  If you keep an eye on the Logging tab entries, you will soon see if there are bots being blocked.  It will also tell you what country they are from, then you can decide whether you want to allow those bots to have access to scan your site.

When you have chosen the countries you want to block, click on Save Changes at the bottom of the page.

How It Works

It will take effect immediately.  There are a couple of ways you can see it working.  One is to go to the Logging tab, and as people are blocked from your site you will see the details appear there.  Another way is to go to the Tools tab and enter the IP address of a suspicious visitor.  It will tell you what country their IP is from (which is probably the country they are in), and whether that country is blocked on either the Front or Back end.

An IP address is a unique identifier for every connection to the Internet.  You can find out what your own IP address is by going to http://whatsmyip.net.  Once you know your IP address, put it into the lookup box on the Tools tab, to make sure the Internet thinks you are in the country you think you are in.  For example, while my home Internet connection knows I am in Australia, my cell (mobile) phone connection sometimes thinks I am in Singapore, because I have a Singapore-based mobile provider.  So it would not be wise for me to block access to Singapore visitors.

The iQ Block Country plugin links to a thing called the GeoIP database.  This is a huge list of IP addresses and what country they are in.  The plugin updates this list once a month for you automatically, but you can do a manual update on the Tools tab if you want/need to.

Blocking Backend Visitors

The real power of the plugin is in preventing access to the admin area (the back end) of your site.  To get to this, click on the Backend tab.

iQ Block Country backend options

This is a bit different to the frontend tab, in that it starts off with ALL countries listed.  You will need to tick the “Block visitors…” thing again, but it is very important that you also remove your own country from the list BEFORE you click Save Changes at the bottom of that page.  Otherwise you will find yourself locked out of your own site.

To remove a country, simply click on the little x next to its name.

You should also remove the country of your web site guy, or anyone else that needs to get access to your admin, if they are not in the same country as you.  (So, my clients need to make sure Australia is removed from that list).

One thing I did find in my testing that will affect some people is related to site security.  The default address to go to when accessing the back end (admin) login page is yoursite.com/wp-admin (or /wp-login.php).  However, many people (including many of my clients) have used iThemes security or other plugins to change this to something else, like /myadmin or /admin.

If a country is blocked from the back end, they are only blocked from accessing /wp-admin and /wp-login.php, not from accessing those other login pages.  So if they have access to the front end, they will still be able to access the login page if it is not at the “standard” location.  To remedy this, you will need to turn off the setting that allows the non-standard admin login page address.  My clients can contact me for this change if they need help.
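The behaviour described above can be modelled in a few lines. This is an added example, not the plugin's own code: the GeoIP table uses constructed documentation ranges, /myadmin stands in for a renamed login page, and letting through an IP that is missing from the database is an assumption. It shows the renamed-login gap and a check for locking yourself out before you click Save Changes.

```python
import ipaddress

# Constructed GeoIP table (documentation ranges, not real allocations).
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), "AU"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "SG"),
]
FRONTEND_BLOCKED = set()          # front end left open to every country
BACKEND_BLOCKED = {"US", "SG"}    # back end: everything except AU (sample subset)
BACKEND_PATHS = ("/wp-admin", "/wp-login.php")  # the only paths the back-end block covers


def country_of(ip):
    """Return the country code for ip, or None if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP:
        if addr in net:
            return code
    return None


def decide(ip, path):
    """Return 'blocked' or 'allowed' for one request to the site."""
    country = country_of(ip)
    if country is None:
        return "allowed"          # assumption: an IP missing from the table is let through
    is_backend = any(path == p or path.startswith(p + "/") for p in BACKEND_PATHS)
    blocked = BACKEND_BLOCKED if is_backend else FRONTEND_BLOCKED
    return "blocked" if country in blocked else "allowed"


def lockout_risks(admin_ips):
    """List the admin connections that the back-end block list would lock out."""
    return [(label, ip, country_of(ip)) for label, ip in admin_ips.items()
            if decide(ip, "/wp-login.php") == "blocked"]


if __name__ == "__main__":
    requests = [("198.51.100.7", "/wp-login.php"),  # blocked country, standard login
                ("198.51.100.7", "/myadmin"),       # same visitor, renamed login page
                ("100.64.0.9", "/wp-login.php")]    # address missing from the table
    for ip, path in requests:
        print(ip, path, decide(ip, path))
    # A mobile connection that geolocates to a blocked country is flagged.
    print(lockout_risks({"home": "192.0.2.10", "mobile": "203.0.113.5"}))
```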

That’s It!

I hope that making this change to your site will allow you to cope better with the influx of hack attempts, by simply blocking their whole country from getting access to your site.

The Result

Postscript – just half an hour after installing this on this very site, the software had already blocked 6 attempts to reach my admin login page (I don’t have front end blocking turned on, only back end).

blocked

And no, I don’t give a shit about their privacy.

 

Another Postscript – 28 hours after installing this, it has blocked a whopping 85 attempts to get to the back end (admin) login page for this site.  About 44 of them are from the USA (since I am in Australia, people in the USA are blocked).  So readers in the USA who would not want to block USA access would not benefit from that, but hey, it is better than allowing everyone in!

There were also (according to my iThemes Security log) a small number of people in the USA who did get to my admin login page and then were unable to proceed because they didn’t know my admin username or password (and no, the username isn’t admin!).  I can see two possible reasons for this.  One is that the database of IP addresses is not continuously updated, and these might have been using IP addresses that were not on the database, and so were not recognised as being in the USA.  The other thing is that since these attempts there has been an update of the iQ plugin which fixed some issues – maybe this was among them.

Anyway, I’m not going to bore you with ongoing updates of how much I love this thing and how effective it is.  Just try it.

22 July 2014 – Update…

I made a video to show a client how to manage the countries in the plugin.  Here you go!

 

See also this blog post on other ways to cope with admin security breach attempts.

If you are concerned about WordPress security on your site, we encourage you to follow the full set of tips on our WordPress Security page. And get in touch if you need help with protecting your site from hackers.

Want us to install IQ Block Country for you?  Sure!