How to block visitors (and hackers) from specific countries
Note: If you have found this post because you have an error message in your IQ Block Country, please see this later post on the IQ Block Country error message.
Update!! If you need this installed for you, we now offer that as a service! Details at the bottom of this post.
I’ve been playing a bit lately with some (free) WordPress plugins for blocking visitors to client sites. I want to report my findings here, so that everyone can benefit from it. If you are one of my clients, and on the Gold or Silver Support plan, I am happy to set this up for you on request – please raise a support ticket.
Blocking Visitors by Country in WordPress
There are two types of blocks – front end and back end. The front end of your site is what you want visitors to see. This is all your content, your pages, your blog posts, your products – all the good bits that you want made publicly visible.
The back end is your administration area (admin). You do NOT want anyone but you and your web guy getting access to this. This is where the hackers really want to get to, so they can take over your site.
If you are only selling to certain countries, or if you are getting swamped by comment spammers that you would rather keep out, you might decide to block countries on the front end. But most people should be blocking countries on the back end, so that their admin area is super protected.
I have played with quite a few plugins to achieve this, and the one I like the best is iQ Block Country by Pascal.
First, please read this quick tutorial on how to add a plugin to your WordPress site, if you don’t already know how. It will show you how to add this iQ Block Country plugin.
Once you have the plugin installed and activated, in your admin menu, hover over the Settings entry and then click on iQ Block Country.
(Your admin menu and Settings menu will look different to this – the thing you are looking for is in the bottom right of that picture above).
Blocking Frontend Visitors
You will find a number of tabs across the top of the page. On the first one, Home, you can leave the default settings. Click on the next one, Frontend.
This is where you will specify which countries you don’t want to get access to the front end of your site (the publicly visible parts). In many cases you won’t make any changes here. But if you are being swamped by traffic from countries you don’t want visiting, or if you are getting a lot of spam comments from such countries, you can specify countries you want blocked here.
To do this, make sure the box next to “Block visitors from visiting the frontend of your website” is ticked. Then you need to click on the area next to “Select the countries…” and start choosing countries you want to block.
Probably you will want to block more than one country, so hold down the CTRL button (I think it would be the Command button on a Mac but I am not sure – please let us know in the comments if you are a Mac user doing this), and click on the ones you want to add to the list of blocked countries.
Make sure you don’t block your own country. Also, don’t block the country where your web site dude is, if they aren’t in the same country as you.
Another thing you want to watch out for is that you might be blocking access to search engine bots. These are little programs that come to your web site and “crawl” it, or look at it closely, to see what is there, so they can list it on their search engines (like Google). I have found that a lot of the bots are from USA IP addresses. So for my sites, I leave the USA as a country that CAN access the front end. If you keep an eye on the Logging tab entries, you will soon see if there are bots being blocked. It will also tell you what country they are from, then you can decide whether you want to allow those bots to have access to scan your site.
When you have chosen the countries you want to block, click on Save Changes at the bottom of the page.
How It Works
It will take effect immediately. There are a couple of ways you can see it working. One is to go to the Logging tab, and as people are blocked from your site you will see the details appear there. Another way is to go to the Tools tab and enter the IP address of a suspicious visitor. It will tell you what country their IP is from (which is probably the country they are in), and whether that country is blocked on either the Front or Back end.
An IP address is a unique identifier for every connection to the Internet. You can find out what your own IP address is by going to http://whatsmyip.net . Once you know your IP address, put it into the lookup box on the Tools tab, to make sure the Internet thinks you are in the country you think you are in. For example, while my home Internet connection knows I am in Australia, my cell (mobile) phone connection sometimes thinks I am in Singapore, because I have a Singapore-based mobile provider. So it would not be wise for me to block access to Singapore visitors.
The iQ Block Country plugin links to a thing called the GeoIP database. This is a huge list of IP addresses and what country they are in. The plugin updates this list once a month for you automatically, but you can do a manual update on the Tools tab if you want/need to.
Blocking Backend Visitors
The real power of the plugin is in preventing access to the admin area (the back end) of your site. To get to this, click on the Backend tab.
This is a bit different to the frontend tab, in that it starts off with ALL countries listed. You will need to tick the “Block visitors…” thing again, but it is very important that you also remove your own country from the list BEFORE you click Save Changes at the bottom of that page. Otherwise you will find yourself locked out of your own site.
To remove a country, simply click on the little x next to its name.
You should also remove the country of your web site guy, or anyone else that needs to get access to your admin, if they are not in the same country as you. (So, my clients need to make sure Australia is removed from that list).
One thing I did find in my testing that will affect some people is related to site security. The default address to go to when accessing the back end (admin) login page is yoursite.com/wp-admin (or /wp-login.php). However, many people (including many of my clients) have used iThemes Security or other plugins to change this to something else, like /myadmin or /admin.
If a country is blocked from the back end, they are only blocked from accessing /wp-admin and /wp-login.php, not from accessing those other login pages. So if they have access to the front end, they will still be able to access the login page if it is not at the “standard” location. To remedy this, you will need to turn off the setting that allows the non-standard admin login page address. My clients can contact me for this change if they need help.
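The gap described above, together with the GeoIP lookup from the previous section, can be modelled in a few lines. This is an added example, not the plugin's code: the networks are constructed documentation ranges, the country lists and function names are hypothetical, and letting an IP that is missing from the list through is an assumption.

```python
import ipaddress

# Constructed sample data: documentation-range networks standing in for the GeoIP list.
GEOIP = [
    (ipaddress.ip_network("203.0.113.0/24"), "AU"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "CN"),
]
FRONTEND_BLOCKED = {"CN"}        # hypothetical Frontend tab selection
BACKEND_BLOCKED = {"CN", "US"}   # hypothetical Backend tab: everything except AU
BACKEND_PATHS = ("/wp-admin", "/wp-login.php")  # the only paths the backend list covers


def country_of(ip):
    """Return the country code for ip, or None when no listed range contains it."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP:
        if addr in net:
            return code
    return None


def is_backend(path):
    """True only for the standard admin and login locations."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in BACKEND_PATHS)


def decide(ip, path):
    """Return (verdict, rule) for one request under this simplified model."""
    code = country_of(ip)
    if code is None:
        return ("allow", "unknown-country")  # assumption: unlisted IPs pass through
    rule = "backend" if is_backend(path) else "frontend"
    blocked = BACKEND_BLOCKED if rule == "backend" else FRONTEND_BLOCKED
    return ("block" if code in blocked else "allow", rule)


def exposed_countries(login_path):
    """Countries on the backend block list that can still load login_path."""
    if is_backend(login_path):
        return []
    return sorted(BACKEND_BLOCKED - FRONTEND_BLOCKED)


if __name__ == "__main__":
    for ip, path in [("198.51.100.7", "/wp-login.php"), ("198.51.100.7", "/myadmin"),
                     ("10.1.2.3", "/wp-login.php")]:
        print(ip, path, decide(ip, path))
    print("still able to reach /myadmin:", exposed_countries("/myadmin"))
```

An empty list from `exposed_countries` for the login address your site really uses means the backend list covers it.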
That’s It!
I hope that making this change to your site will allow you to cope better with the influx of hack attempts, by simply blocking their whole country from getting access to your site.
The Result
Postscript – just half an hour after installing this on this very site, the software had already blocked 6 attempts to reach my admin login page (I don’t have front end blocking turned on, only back end).
And no, I don’t give a shit about their privacy.
Another Postscript – 28 hours after installing this, it has blocked a whopping 85 attempts to get to the back end (admin) login page for this site. About 44 of them are from the USA (since I am in Australia, people in the USA are blocked). So readers in the USA who would not want to block USA access would not benefit from that, but hey it is better than allowing everyone in!
There were also (according to my iThemes Security log) a small number of people in the USA who did get to my admin login page and then were unable to proceed because they didn’t know my admin username or password (and no, the username isn’t admin!). I can see two possible reasons for this. One is that the database of IP addresses is not continuously updated, and these might have been using IP addresses that were not on the database, and so were not recognised as being in the USA. The other thing is that since these attempts there has been an update of the iQ plugin which fixed some issues – maybe this was among them.
Anyway, I’m not going to bore you with ongoing updates of how much I love this thing and how effective it is. Just try it.
22 July 2014 – Update…
I made a video to show a client how to manage the countries in the plugin. Here you go!
See also this blog post on other ways to cope with admin security breach attempts.
If you are concerned about WordPress security on your site, we encourage you to follow the full set of tips on our WordPress Security page. And get in touch if you need help with protecting your site from hackers.
May 31, 2014 @ 3:39 pm
Hi Christine,
Excellent blog article! Thanks
Cheers,
Pascal
May 31, 2014 @ 3:58 pm
No problem – thanks for the excellent plugin!
Readers – if you are using this plugin, be sure to check out Pascal’s site for more information and discussion.
October 14, 2014 @ 11:00 pm
Hey! Thank you for posting this up!
I'm in Melbourne and my Google Analytics is bombarded with false data from countries outside OZ trying to sell me things.
I'm also getting 3-4 emails a day!! from made up names on Yellowpages (where I advertise) and they try running me through stories like offshore oil rig scams and other similar local ones.
Currently one going on to me is, they contact me via my Yellow Pages ad, and say they need me to clean their house (I manufacture 1 cleaning product) and that they are bed ridden and cannot attend the cleaning, but their removalist guy will let me in. Then a day after he sends another email saying could I pay his removalist a small fee of 3300, and that he (the bed ridden guy) will pay me for paying his removalist, so he doesn't have to pay 2 people as he is bed ridden and it's hard for him to do so.
Yeah, right.. obvious scam.
So, I'm gonna use this plugin and hopefully block anyone outside Australia, and clean up my analytics results too.
thanks once again.
andy C
December 13, 2014 @ 1:34 pm
Thank you so much for this thorough run through. I didn’t know about that plugin and have now added it to a couple of sites to see how it runs.
I’ve been using Spyder Spanker Pro for several years but Todd doesn’t seem to be updating it and I’ve noticed hackers from China trying to access some of my sites.
As a tight-arse I’ve been trying to make some free plugins work but that’s meant having to cut n paste from Wordfence logs, manually strip them down with other programs then paste the list of IPs back into iThemes.
I’m very paranoid after being pharmacy hacked even with a ridiculous amount of htaccess, empty index.php/html etc to block directory access(es), ridiculous user names and passwords etc.
December 13, 2014 @ 1:37 pm
Just noticed I left out the fact that the whole country of China is blocked in that paid plugin (Spyder Spanker), so the point I was trying to make was that the plugin is not stopping them when it should be.
December 13, 2014 @ 9:52 pm
Thanks for the feedback Peter. I don’t support the plugin, I was simply letting people know about it. If you are having problems with it, I suggest you contact the developer.
February 16, 2015 @ 11:53 am
I think the point with this free plugin is that it uses Maxmind to identify IP addresses so it’s only as good as Maxmind is. I notice paid plugins use different databases which are presumably more accurate, but you get what you pay for. If you want free it’s not going to be as thorough. It’s good enough for me, though.
March 26, 2015 @ 11:38 am
Good post regarding IQBC!
One problem for me is that IQBC appears to not be compatible with caching plugins like WP Super Cache.
Many ISPs now require that domains install caching software or plugins to reduce the load on their servers (and it’s just good practice to use caching). Unfortunately, caching programs (or at least WP Super Cache) will cache the generated html page when a blocked country visits a page. Subsequent visits to the same page from a PERMITTED country will then receive the BLOCKED page html (because it was blocked by a previous site visitor, and that blocked page was then cached).
There needs to be a way that IQBC can be compatible with caching plugins, and vice versa.
Any suggestions? Thanks.
March 26, 2015 @ 2:49 pm
Good point! When someone visits a site from a blocked country, they are redirected to a blocked page, and the original page is not loaded. Therefore the cache for the “real” page is not affected.
To give you an example, I have a site http://cloverproducts.com.au where I only sell products to people in Australia. If someone from outside Australia visits the site they (usually, if IQ Block Country recognises that their IP is not in Australia) get redirected to http://cloverproducts.com.au/sorry . But if they are in Australia, the requested page loads instead. This site uses caching at the server level, provided by the hosting company, rather than WP Super Cache, but the principle is the same.
September 21, 2016 @ 4:08 pm
Read on WordPress Forums that iQ Block conflicts with Yoast SEO, so hopefully someone will fix it soon
December 14, 2016 @ 6:23 pm
I have also read on the forums that iQ Block conflicts with Yoast SEO. Secondly, as someone who uses paid Wordfence Country Block and having tried iQ Block, I can tell you that Wordfence Country Block is way more accurate. With iQBlock, I had hackers posing as bots still getting access and got close to taking our site down. Maybe the plugin author needs to come up with a paid version with better Country Block accuracy.
December 14, 2016 @ 6:42 pm
Thanks for the feedback! I will take a look at the other plugin too. I personally have never had a site that was protected by IQ hacked, but that isn’t the only measure I use.