Country Blocking

Country Blocking allows you to block access to your site from certain countries.

When you use the country blocking feature, you need to decide whether you want to block certain countries from accessing your whole site or from just the login page.

Advanced country blocking options are found via the “Blocking Options” link under the “Blocking” tab on the “Firewall” page.

Country Blocking Accuracy, Updates, and Effects of Caching

Wordfence uses a geolocation database that is bundled into the plugin for the country blocking feature. While the correct detection of the country where an IP address is located is over 99% accurate, there can be some IP addresses that are identified incorrectly. These inaccuracies usually occur when an ISP or hosting company moves some of their IP addresses from one country to another, or when an IP address has not been used for some time.

At times, updates can be applied to the city-level database used on the Live Traffic page before they are applied at the smaller country-only level database that is bundled with the plugin for country blocking, so if you see a hit blocked by Country Blocking on the Live Traffic page for a country that you have not blocked, it is likely an IP address that has recently changed and been updated in one database, but not in the other one yet. Detection of IPv6 addresses also may be less accurate as IPv4 address detection for new addresses, as the adoption of IPv6 IP addresses increases over time.

When using a page caching plugin or an external page cache such as Varnish, the plugin or Varnish can serve cached pages to visitors without WordPress or any plugins (including Wordfence) running, since these caches make a site load faster by sending previously-saved copies of pages to visitors. If it is important to you to block a country from viewing the site at all, then you may need to disable this type of cache, because caching plugins and Varnish generally cannot determine the country that a visitor is from. If you are blocking countries only to reduce risk of attacks, as Wordfence is a security plugin, then these types of caches are ok to use, since visits that are served these cached pages cannot affect the site’s content, files, or database. For example, logging into the site, submitting a form, or sending data to admin-ajax.php all require PHP to run, so the cache will be skipped, allowing Wordfence to run and block hits when necessary.

Selecting which pages to block access to

Block access to the login form

Using country blocking to block access to your login page is an effective way to immediately stop brute force login attacks from a specific country. Login attempts via the WordPress XML-RPC API are also blocked. Other plugins that create custom login pages that use the standard WordPress authentication hooks may also be successfully blocked with this option. Plugins that are known to be incompatible are:

  • Ultimate Member

Block access to the rest of the site (outside the login form)

If you enable this feature, you will block access for the selected countries to all parts of your site except the login form.

Google and other search engine crawlers

Be careful about blocking North America and countries in Europe because there are friendly web crawlers like Google’s Googlebot that are located in those areas. You can harm your search engine rankings if you block those countries because you can prevent Google, Bing, and other search and aggregation services from crawling your site. At this time Country Blocking does not make exceptions for Googlebot and will block it if you block the USA.

Google Ads

Please note that if you are using Google Ads (formerly Google AdWords) on your site, you may get penalties for blocking access to your site. If you are using Google Ads, we recommend you only use country blocking to block access to the login form. Note that there is no way to get around the Google Ads policy. Google Ads does not allow any participant to block any country from viewing pages at all, even if you have told Google Ads to not show adverts in that country. If you are a participant, you can only block access to the login form. If you get a warning from Google Ads, uncheck the option “Block access to the rest of the site” to fix this.

Selecting countries to block

As a general philosophy, we recommend you try to minimize the number of countries you are blocking. We do have a few customers who run tightly secured websites and who only allow a single country to access their site. But for most sites, we suggest that you only block problem countries who are regularly creating failed logins, a large number of 404 Not Found response status code errors, and/or are clearly engaged in malicious activity. We also recommend you re-evaluate your blocks from time to time.

Advanced Country Blocking Options

These options are found via the “Blocking Options” link under the “Blocking” tab on the “Firewall” page.

What to do when we block someone

You can either select the option to show a standard “Your access has been temporarily limited” message, or you can redirect the blocked user to a custom page on your site or an external site.

URL to redirect blocked users to

If you have selected to redirect users when they are blocked via country blocking, you can enter the URL they should be redirected to here. Whether you choose to redirect the user to an internal or external site, you must enter the URL as a fully qualified URL that starts with http:// or https://.

Access to the URL you are redirecting your users to will not be blocked using country blocking, because this would result in an infinite loop where a blocked user is redirected to a URL where they are blocked and redirected to the same URL.

Block countries even if they are logged in

Usually, you will want to leave this option unselected, unless you have someone who has already created a user account and is logged in who you now want to block. If you use country blocking on your whole site, including the login form, it is not possible for someone to login or register a new account, and therefore you will not need to worry about logged-in users from your blocked countries accessing your site.

First method to bypass country blocking using advanced options

The first method deals with someone who is currently in a blocked country but to whom you want to give access to your site. You can create a page and use it as a special hidden URL so that when visitors access that URL they will be redirected to another URL on your site that you define. Wordfence will then set a special cookie that lets them bypass country blocking. To set this up, simply fill in the two fields shown that define what the hidden URL is and where the user should be redirected to after Wordfence has set the special bypass cookie on your visitor’s device.

For the setting “If user hits the URL”, add in the special URL here and make it relative:

/country-blocking-bypass

For the setting “then redirect that user to”, you might want to make this your home page or some other starting point for the user once they have their special cookie set. This URL also needs to be relative:

/example-page

This second method is a way to ensure that someone who CURRENTLY has access to your website is not blocked in the future by country blocking.

For the setting “If user who is allowed to access the site views the relative URL”, then enter a hidden URL which needs to be relative:

/bypass-in-future-country-blocking

If any of your visitors hit that URL then they will receive a special cookie that will allow them to bypass country blocking in the future in case they get blocked. You can use this feature if you have a traveling team member who is visiting a blocked country and who needs access to your site. They can visit the special URL you define here before they leave the country. Then once they are inside the blocked country, country-blocking will not block them from accessing your site.

Please note that the URL does not have to exist on your site and you can make up any URL that you want to.