Advanced IP Blocker

2025-08-10 WP免费插件库 5

Advanced IP Blocker is your all-in-one security solution to safeguard your WordPress website from a wide range of threats. This plugin provides a comprehensive suite of tools to automatically detect and block malicious activity, including brute-force attacks, vulnerability scanning, and spam bots. With its intuitive and newly redesigned interface, you can easily manage whitelists, blocklists, and view detailed security logs to understand exactly how your site is being protected.

Whether you’re a beginner or an experienced administrator, Advanced IP Blocker gives you the control you need to secure your digital presence.

Key Features:

Security Dashboard: Get a real-time, visual overview of threats with interactive charts for attack summaries, a threat timeline, and a live, clustered attack map.
IP Trust & Threat Scoring System: An advanced, intelligent defense layer that moves beyond simple thresholds. It assigns threat points to IPs for various malicious actions (404s, WAF triggers, etc.). IPs are only blocked upon reaching a configurable score, resulting in more accurate, context-aware blocking and fewer false positives. Features an automatic score decay system to “forgive” IPs over time.
Web Application Firewall (WAF): Proactively block malicious requests (SQLi, XSS, LFI) with a customizable ruleset and a URL exclusion system to ensure compatibility with payment gateways.
Request Rate Limiting: Automatically prevent DoS attacks and brute-force attempts by temporarily blocking IPs that make too many requests.
Granular ASN Blocking: Block entire networks by blacklisting Autonomous System Numbers (ASN). Now with separate controls for the automated Spamhaus DROP list and your own manual blocklist.
Country Blocking (Geoblocking): Easily block traffic from entire countries with a user-friendly selector and smart warnings to prevent lockouts.
Threshold-Based Blocking: Automatically block IPs based on configurable thresholds for 404 errors, 403 errors, and failed login attempts.
Advanced Login Protection: Harden your login page with intelligent “Smart” XML-RPC protection that verifies traffic from Automattic’s official network (ASN verification). Also includes options to disable user enumeration and restrict access to whitelisted IPs only.
Push Notifications (Webhooks): Receive instant, detailed security alerts on modern platforms like Slack and Discord, keeping you informed of critical events in real-time.
Google reCAPTCHA Integration: Shield your login and registration forms from bots by integrating Google reCAPTCHA (v2 & v3).
Honeypot & User-Agent Traps: Instantly ban bots and scanners that access decoy URLs or use malicious User-Agent strings.
Live Security Feed Shortcode: Display a real-time, terminal-style feed of block events on any page or post using the [advaipbl_live_feed] shortcode.
Active User Session Management: View all logged-in users in real-time, see their location, and terminate their sessions remotely.
Full WP-CLI Support: Manage every aspect of the plugin via the command line, ideal for developers and system administrators.
Detailed Event Logging: Track all security events with detailed, sortable, and filterable logs. Now with even more context, like the source of an ASN block and the URI of the attack.

This plugin gives you the power to see who is trying to access your site and to stop threats before they become a problem.

Recommended Setup

For optimal protection, follow these steps after installation:

Navigate to the Plugin: Find the new “Security” menu item in your WordPress admin menu.
Whitelist Your IPs: Go to Settings > Status & Debug and use the one-click buttons to add your current IP and your server’s IP to the whitelist. This is the most important step to prevent accidental lockouts.
Activate Core Defenses: Go to Blocking Rules > User Agents, copy the suggested list of malicious bots, and paste it into the blocklist. Then, go to Blocking Rules > Honeypot URLs and do the same. Click “Save” on each page.
Enable WAF & Rate Limiting: Go to Settings > General and enable the “Web Application Firewall” and “Request Rate Limiting” options for proactive protection.
Review Login Protection: Navigate to Settings > General. We recommend keeping Disable User Enumeration and Prevent author scans enabled. Also, consider enabling Disable XML-RPC for maximum security (read the FAQ first if you use Jetpack or the mobile app).
Enable Notifications: In the Email Notifications section on the Settings tab, enable notifications to receive alerts or daily/weekly security summaries.

That’s it! Your plugin is now actively configured to block a wide range of common automated attacks.

Compatibility with Other Security Plugins

Can I use Advanced IP Blocker with other security plugins like Wordfence, iThemes Security, etc.?
Yes, in most cases. Our plugin is designed to be a focused firewall and can complement larger security suites. However, to avoid conflicts, please follow these guidelines:
Choose One Login Protection: Do not enable reCAPTCHA, “Whitelist Login Access”, or other login form protections in more than one plugin at a time. Choose which plugin you want to handle login security and disable those features in the other.
Check Your Whitelist: Always ensure your server’s IP address is on our whitelist (Status & Debug tab). This prevents our plugin from blocking internal scans performed by other security tools.
XML-RPC: If you use another plugin to manage XML-RPC, disable the “Disable XML-RPC” option in our plugin to avoid conflicts.
In general, features like IP/Country blocking, Honeypots, and User-Agent blocking can run alongside other plugins without issue.

作者：IniLerm

截图：

The new Security Dashboard with real-time charts and a Live Attack Map.
Modern and intuitive two-level navigation system for easy access to all features.
The main Settings page to configure all protection modules like WAF and Rate Limiting.
Powerful Web Application Firewall (WAF) with recommended rules.
Block entire networks with ASN Blocking, powered by the Spamhaus list.
Detailed Blocked IPs table with the “View Map” modal in action.
Country Blocking (Geoblocking) with a user-friendly selector and smart warnings.
Unified Security Log with a powerful filter to analyze all attack events.
Active User Session Management to monitor and terminate logged-in users.
Full WP-CLI support documentation, accessible from the “About” tab.
An example of a professional HTML email notification.
User-Agent management with both block and whitelist capabilities.

额外信息：

版本 8.4.5.1

最后更新：19 小时前

活跃安装数量 30+

WordPress 版本 5.5 或更高版本

已测试的最高版本为 6.8.2

PHP 版本 7.4 或更高版本

语言

English (US)

评分：5

各个星级评论数量：100%#1#0%#0#0%#0#0%#0#0%#0

问答：

I can’t find the plugin’s settings!

After activation, the plugin adds a main menu item named “Security” (with a shield icon) to your WordPress admin sidebar. All features are now organized into logical parent tabs: Dashboard, Settings, Blocking Rules, IP Management, Logs & Sessions, and About.

What does the new Security Dashboard show?

The dashboard provides a real-time overview of your site’s security. It includes interactive charts showing the volume and types of attacks over the last 7 days, as well as lists of the top attacking IPs and countries. It’s the best way to see the plugin working to protect your site.

What is the new “IP Trust & Threat Scoring” system?

Previously, some plugin features worked on a simple “three strikes and you’re out” basis (e.g., “block after 10 errors”). The new IP Trust system is a much more intelligent “demerit points” system that understands context.

Here’s how it works:
1. Points Accumulation: Each malicious or suspicious action (like a 404 error, a failed login, or a WAF trigger) adds a specific number of “threat points” to an IP’s score.
2. Configurable Weights: You can decide exactly how many points each action is worth. For example, a critical WAF event like an SQL injection attempt can be worth 100 points (an instant block), while a single 404 error might only be worth 5.
3. Threshold Blocking: An IP is only blocked when its total score reaches a threshold that you define (e.g., 100 points).

This is far more accurate because it evaluates the overall behavior of an IP rather than a single type of action. What makes it truly powerful is the automatic score decay. The plugin will periodically reduce the score of inactive IPs, allowing them to “redeem” themselves over time. This means less manual management of the blocklist for you! You can find all the settings for this feature under Security > Settings > General.

What is a Web Application Firewall (WAF)?

The WAF is a proactive security layer. It inspects incoming web traffic for malicious patterns (like SQL injection or cross-site scripting) and blocks the request before it can reach WordPress, protecting you from vulnerabilities in other plugins or themes. You can add your own custom rules in the Blocking Rules > Firewall (WAF) tab.

What is Rate Limiting?

Rate Limiting automatically blocks any IP address that sends an excessive number of requests in a short period. This is extremely effective against denial-of-service (DoS) attacks, aggressive web scrapers, and certain types of brute-force attacks.

What is ASN Blocking?

Every network on the internet has an Autonomous System Number (ASN), like a license plate for a hosting company (e.g., “AS16509” for Amazon Web Services). ASN blocking allows you to block traffic from entire organizations, such as known spam-heavy hosting providers or VPN services, which is much more powerful than blocking individual IP ranges. This feature requires a compatible Geolocation Provider like ip-api.com or ipinfo.io.

Which Geolocation Provider should I use?

For most users, ip-api.com (the new default) is recommended. It is free, requires no API key, and supports all features, including ASN blocking. If you need HTTPS or higher limits, ipinfo.io is an excellent alternative (requires a free registration and whitelisting your server IP).

Does ASN or Country Blocking slow down my site by using an API on every page load?

No, it is highly efficient. The plugin uses an intelligent internal cache for geolocation data. When a visitor arrives from a new IP address, the plugin makes a single API call to get its country and ASN information and then caches the result for 24 hours. For all subsequent visits from that same IP address within that 24-hour period, the information is retrieved instantly from the local cache without any external API calls. This ensures that the impact on your site’s performance is negligible while maintaining a high level of security.

What is “Whitelist Login Access” and when should I use it?

This is a very powerful security feature that completely blocks access to the WordPress login page (wp-login.php) for every IP address that is NOT on your whitelist. This will stop 100% of brute-force login attacks. However, you should use it with extreme caution:
* DO NOT USE this feature if you have a public website where users need to register or log in (e.g., WooCommerce, membership sites).
* ONLY USE this feature on private sites where only a few administrators with known, static IP addresses need to log in.
* ALWAYS ensure your own IP address is on the whitelist before enabling this feature.

What is XML-RPC and how does the “Smart Protection” work?

XML-RPC is a legacy interface in WordPress that is a primary target for brute-force attacks. Our “Smart Protection” mode is the recommended setting. It uses a powerful, multi-layered approach:
1. ASN Verification: It first checks if a request comes from Automattic’s official network (AS2635). If it does, the traffic is considered 100% legitimate (from Jetpack, the WordPress/WooCommerce mobile apps, etc.) and is always allowed.
2. Spoofing Detection: If a request is not from Automattic’s network but claims to be (by using a fake User-Agent), the plugin identifies it as a spoofed attack and instantly blocks the IP.
3. Third-Party Whitelist: It allows traffic from a curated list of known, legitimate third-party services that use XML-RPC, like Microsoft Live Writer.
4. Fallback: If the ASN verification service is temporarily unavailable, the system gracefully falls back to a User-Agent check to prevent blocking legitimate users.

For maximum security on sites that do not use any XML-RPC services, you can set the mode to “Completely Disabled” in the Settings > General tab.

Can “Disable User Enumeration” break my site?

It is extremely unlikely. This feature blocks unauthenticated access to the REST API endpoint that lists usernames. Legitimate plugins and themes almost never need to access this list publicly. The security benefit greatly outweighs the minimal risk.

How do the new Push Notifications work?

This feature allows you to receive instant security alerts on platforms like Slack or Discord. It works using “Incoming Webhooks,” which are special URLs you can generate in your Slack or Discord channel.

In your Slack/Discord channel, create a new Incoming Webhook and copy its URL.
In the plugin, go to Settings > Notifications.
Enable “Push Notifications” and paste the URL into the “Push Webhook URLs” box. You can add multiple URLs, one per line, to send alerts to different services at once.
Optionally, add a mention like @channel in the “Mentions” box to force a notification on your device.
Click the “Send Test Notification” button to verify it’s working.

This is highly recommended for real-time monitoring, even if you use email for daily or weekly summaries.

How does the Import/Export feature work?

This feature allows you to download a .json file of your plugin’s configuration.
* Export Template (No API Keys): Safe to use as a starting point for other websites.
* Export Full Backup (With API Keys): Creates a complete backup for restoring on the same site.
The Import function will overwrite your current settings. It is a secure process that only imports known plugin options.

How do I enable reCAPTCHA protection?

Get reCAPTCHA keys from the Google reCAPTCHA Admin Console.
Go to Settings > Advanced IP Blocker.
In the “reCAPTCHA Protection” card, check “Enable reCAPTCHA”.
Select the correct version (v2 or v3) and paste your Site Key and Secret Key.
Click “Save Changes”.

插件官方网址：https://cn.wordpress.org/plugins/advanced-ip-blocker/

下载数量：30

缩略图网址：https://ps.w.org/advanced-ip-blocker/assets/icon-256x256.png?rev=3320247

Advanced IP Blocker

Recommended Setup

Compatibility with Other Security Plugins

猜你喜欢

MC4WP: Mailchimp for WordPress

TruVisibility Plagiarism Checker

EHx Members

Contact Form Builder by RioForms – Drag & Drop WordPress Form Plugin

Edit Recent Edited Posts

Clean Post Content

评论0

社交账号快速登录

社交账号快速登录