Help Documentation

VMP™ Security plugin documentation and support

Country Blocking

Country Blocking lets you reduce the audience for your site to the countries where your real users actually are. For sites with a tightly geographic audience — a regional ecommerce site, a national news outlet, an internal tool — this can dramatically reduce the volume of attack traffic, since the majority of automated WordPress attacks come from a small number of countries that are unlikely to overlap with your customer base.

Country Blocking is included in the free version of VMP Security.

How it works

For each incoming request, the firewall looks up the country of the visitor’s IP address using a regularly updated geo-IP database. If the country is on your blocklist, the firewall applies the configured action (the standard VMP block message, or a redirect to a custom URL). The lookup happens in memory and adds no measurable latency to legitimate requests.

The plugin downloads and refreshes the geo-IP database automatically. You do not have to manage it separately.

Enabling Country Blocking

  1. Open VMP Security → Blocking and select the Country Blocking tab.
  2. Use the country picker to add the countries you want to block. The list shows ISO codes alongside country names; you can use the search field to find a country quickly.
  3. Open Blocking Options and configure how blocked users are handled:
    • What to do when we block someone. Either show the standard VMP block message, or redirect to a custom URL.
    • URL to redirect blocked users to. Used when the action is set to redirect.
    • Block countries even if they are logged in. Optional checkbox; when off, authenticated users from blocked countries are still allowed in.
    • Bypass Redirect / Bypass Cookie. Set a magic GET parameter and value (e.g. ?bypass_key=secret123) that, when used once, drops a 30-day cookie allowing that browser to bypass country blocks.
  4. Click Save. The block takes effect on the next request from any of the selected countries.

Choosing countries to block

Two strategies are common:

Block known attack sources

Look at the Top Countries panel on the Firewall page (or the dashboard’s analytics) and identify the countries responsible for the highest share of blocked attacks. Adding those countries to the Country Blocking list catches the same attackers earlier and reduces server load. This is the right approach for most sites.

Allow only your real audience

If your site has a clearly defined geographic audience — a single country, a region, or a small set of countries — you can invert the logic and block everything else. This is a stronger reduction in attack surface, but it can affect legitimate visitors who happen to be traveling, using a VPN, or whose IP is mis-classified by the geo-IP database. Use this approach only when you are confident your audience really is that constrained.

Bypass and exceptions

Country Blocking is a coarse defense, and you will sometimes want exceptions:

  • Allowlist specific IPs. Add an IP to the firewall’s allowlist (in Firewall → Firewall Options → “Allowlisted IP addresses that bypass all rules”) and it bypasses Country Blocking regardless of geolocation. Useful for known-good remote contributors, payment provider callbacks, and similar.
  • Bypass key. Configure a Bypass Redirect parameter and value on the Blocking Options page; visiting any URL with that GET parameter drops a 30-day cookie that lets that browser bypass country blocking.
  • “Block countries even if they are logged in”. Leave this checkbox off if you want existing authenticated users (such as remote staff) to keep working from blocked countries.
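
How the blocklist, the configured action and the three exceptions above combine for a single request, as an added example. This is a model written for this page, not the plugin's own code: the `Config` fields, the `decide` function, the geo-IP table and the treatment of addresses with no known country are all assumptions.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed geo-IP table: documentation networks mapped to the
# user-assigned placeholder codes XA/XB (not real geolocation data).
GEO = {"192.0.2.0/24": "XA", "198.51.100.0/24": "XB"}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, code in GEO.items():
        if addr in ipaddress.ip_network(net):
            return code
    return None  # address not in the database

@dataclass
class Config:
    blocked: set                      # ISO codes on the blocklist
    action: str = "block"             # "block" or "redirect"
    redirect_url: str = ""
    block_logged_in: bool = False     # "Block countries even if they are logged in"
    allowlist: list = field(default_factory=list)  # IPs or CIDR strings
    bypass_param: str = ""
    bypass_value: str = ""

def decide(cfg, ip, logged_in=False, query=None, bypass_cookie=False):
    """Return (verdict, reason); verdict is allow, block or redirect."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in cfg.allowlist):
        return ("allow", "allowlisted-ip")
    if bypass_cookie:
        return ("allow", "bypass-cookie")
    supplied = (query or {}).get(cfg.bypass_param, "")
    # Constant-time comparison of the bypass value from the query string.
    if cfg.bypass_param and cfg.bypass_value and hmac.compare_digest(
            supplied.encode(), cfg.bypass_value.encode()):
        return ("allow", "set-30-day-bypass-cookie")
    # Assumption: an address with no known country is not blocked.
    if country_of(ip) not in cfg.blocked:
        return ("allow", "country-not-blocked")
    if logged_in and not cfg.block_logged_in:
        return ("allow", "logged-in-user")
    if cfg.action == "redirect":
        return ("redirect", cfg.redirect_url)
    return ("block", "standard-block-message")
```

Because the bypass value travels in a URL, it ends up in access logs and browser history, so treat it like a password and choose a long random value.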

Considerations and side effects

Before turning Country Blocking on widely, think about:

  • VPN and travel. Real users on a VPN appear in the country where the VPN server is. Real users traveling appear in the country they are visiting. If you do internal admin work over a VPN, do not block that VPN’s exit country.
  • Service provider callbacks. Payment processors, transactional email services, and other third-party integrations send callbacks from their own infrastructure, which may be in a country you would otherwise block. Allowlist their IPs before turning on a block.
  • Search engine crawlers. Major search engines crawl from datacenters that are typically not blocked, but check your traffic logs after enabling to confirm crawlers can still reach you.
  • CDN considerations. If your site is behind a CDN, the country lookup runs on the CDN’s IP unless you have configured the visitor-IP setting in All Options. Make sure the visitor-IP setting is correct, or country blocking will not work as intended.
  • Legitimate visitors mis-classified. Geo-IP is accurate but not perfect. A small percentage of legitimate visitors per country may be mis-located. Choose the redirect-to-custom-URL action with a contact form if you want a way for mis-located visitors to reach you.
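
The CDN item above, as an added example (not the plugin's code, and not a description of how its visitor-IP setting is implemented): the address handed to the country lookup should come from a forwarding header only when the connection itself comes from a proxy you trust. The `X-Forwarded-For` header, the `TRUSTED_PROXIES` range and the function names are assumptions, and all addresses are constructed from documentation networks.

```python
import ipaddress

# Hypothetical CDN egress range (constructed; replace with your provider's list).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

def is_trusted(ip):
    """True if ip parses and falls inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)

def visitor_ip(remote_addr, x_forwarded_for=None):
    """Return the address the country lookup should use.

    The forwarding header is honoured only when the TCP peer is a trusted
    proxy. The chain is then walked right to left, skipping trusted hops;
    the first untrusted, well-formed address is taken as the visitor.
    """
    if not is_trusted(remote_addr) or not x_forwarded_for:
        return remote_addr            # direct connection, or no header
    for hop in reversed(x_forwarded_for.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr        # malformed chain: fall back to the peer
        if not is_trusted(hop):
            return hop
    return remote_addr                # every hop was a trusted proxy
```

Without this step every visitor behind the CDN is geolocated to the CDN's own address; with the header trusted from any peer, the country check would rest on a value the client supplies.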