Country Blocking
Country Blocking allows you to block access to your site from certain countries.
When you use the country blocking feature, you need to decide whether you want to block certain countries from accessing your whole site, or just the login page.
Wordfence uses a geolocation database bundled into the plugin for the country blocking feature. Detection of the country where an IP address is located is over 99% accurate, so a tiny number of addresses will be attributed to the wrong country. We update the geolocation database as often as we can. Detection of IPv6 addresses may also be less accurate than detection of IPv4 addresses as the adoption of IPv6 increases over time.
Advanced country blocking options are found via the “Blocking Options” link under the “Blocking” tab on the “Firewall” page.
Selecting which pages to block access to
Block access to the login form
Using country blocking to block access to your login page is an effective way to immediately stop brute force login attacks from a specific country. Login attempts via the WordPress XML-RPC API are also blocked. Other plugins that create custom login pages that use the standard WordPress authentication hooks may also be successfully blocked with this option. Plugins that are known to be incompatible are:
Ultimate Member
Block access to the rest of the site (outside the login form)
If you enable this feature, you will block access for the selected countries to all parts of your site except the login form.
Google and other search engine crawlers
Be careful about blocking North America and countries in Europe because there are friendly web crawlers like Google’s Googlebot that are located in those areas. You can harm your search engine rankings if you block those countries because you can prevent Google, Bing, and other search and aggregation services from crawling your site. At this time Country Blocking does not make exceptions for Googlebot and will block it if you block the USA.
Google Ads
Please note that if you are using Google Ads (formerly Google AdWords) on your site, you may get penalties for blocking access to your site. If you are using Google Ads, we recommend you only use country blocking to block access to the login form. Note that there is no way to get around the Google Ads policy. Google Ads does not allow any participant to block any country from viewing pages at all, even if you have told Google Ads to not show adverts in that country. If you are a participant, you can only block access to the login form. If you get a warning from Google Ads, uncheck the option “Block access to the rest of the site” to fix this.
Selecting countries to block
As a general philosophy, we recommend you try to minimize the number of countries you are blocking. We do have a few customers who run tightly secured websites and who only allow a single country to access their site. But for most sites, we suggest that you only block problem countries that are regularly creating failed logins, a large number of 404 Not Found response status code errors, and/or are clearly engaged in malicious activity. We also recommend you re-evaluate your blocks from time to time.
Advanced Country Blocking Options
These options are found via the “Blocking Options” link under the “Blocking” tab on the “Firewall” page.
What to do when we block someone
You can either select the option to show a standard “Your access has been temporarily limited” message, or you can redirect the blocked user to a custom page on your site or an external site.
URL to redirect blocked users to
If you have selected to redirect users when they are blocked via country blocking, you can enter the URL they should be redirected to here. Whether you choose to redirect the user to an internal or external site, you must enter the URL as a fully qualified URL that starts with http:// or https://.
Access to the URL you are redirecting your users to will not be blocked using country blocking, because this would result in an infinite loop where a blocked user is redirected to a URL where they are blocked and redirected to the same URL.
Block countries even if they are logged in
Usually, you will want to leave this option unselected, unless you have someone who has already created a user account and is logged in who you now want to block. If you use country blocking on your whole site, including the login form, it is not possible for someone to log in or register a new account, and therefore you will not need to worry about logged-in users from your blocked countries accessing your site.
First method to bypass country blocking using advanced options
The first method deals with someone who is currently in a blocked country but to whom you want to give access to your site. You can create a page and use it as a special hidden URL so that when visitors access that URL they will be redirected to another URL on your site that you define. Wordfence will then set a special cookie that lets them bypass country blocking. To set this up, simply fill in the two fields shown that define what the hidden URL is and where the user should be redirected to after Wordfence has set the special bypass cookie on your visitor’s device.
For the setting “If user hits the URL”, add in the special URL here and make it relative:
/country-blocking-bypass
For the setting “then redirect that user to”, you might want to make this your home page or some other starting point for the user once they have their special cookie set. This URL also needs to be relative:
/example-page
Second method to bypass country blocking using advanced options
This second method is a way to ensure that someone who CURRENTLY has access to your website is not blocked in the future by country blocking.
For the setting “If user who is allowed to access the site views the relative URL”, enter a hidden URL, which needs to be relative:
/bypass-in-future-country-blocking
If any of your visitors hit that URL then they will receive a special cookie that will allow them to bypass country blocking in the future in case they get blocked. You can use this feature if you have a traveling team member who is visiting a blocked country and who needs access to your site. They can visit the special URL you define here before they leave the country. Then once they are inside the blocked country, country-blocking will not block them from accessing your site.
Please note that the URL does not have to exist on your site and you can make up any URL that you want to.
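The rules on this page interact (redirect target exemption, logged-in users, the two bypass URLs), so the following added example models them as one decision function. It is not Wordfence code: the `Config` field names, the action strings, the `XX` country code and the path-based login check are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Simplification: classify login requests by the default WordPress paths.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

@dataclass
class Config:  # hypothetical names mirroring the options described above
    blocked: set = field(default_factory=set)  # country codes to block
    block_login: bool = True
    block_site: bool = False
    block_logged_in: bool = False
    redirect_url: str = ""       # empty = show the standard message
    bypass_url: str = ""         # "If user hits the URL"
    bypass_target: str = ""      # "then redirect that user to"
    future_bypass_url: str = ""  # for visitors who currently have access

def config_errors(cfg):
    """Check the URL fields against the rules stated on this page."""
    errs = []
    if cfg.redirect_url:
        u = urlsplit(cfg.redirect_url)
        if u.scheme not in ("http", "https") or not u.netloc:
            errs.append("redirect_url must start with http:// or https://")
    for name in ("bypass_url", "bypass_target", "future_bypass_url"):
        v = getattr(cfg, name)
        if v and (not v.startswith("/") or v.startswith("//")):
            errs.append(f"{name} must be a relative URL")
    return errs

def decide(cfg, country, path, host="", logged_in=False, has_cookie=False):
    """Return (action, detail) for one request."""
    in_blocked = country in cfg.blocked
    if cfg.bypass_url and path == cfg.bypass_url:
        return ("set_cookie_redirect", cfg.bypass_target)
    if cfg.future_bypass_url and path == cfg.future_bypass_url and not in_blocked:
        return ("set_cookie", "")  # only visitors who are allowed in today
    if not in_blocked or has_cookie or (logged_in and not cfg.block_logged_in):
        return ("allow", "")
    if cfg.redirect_url:
        u = urlsplit(cfg.redirect_url)
        if u.netloc == host and u.path == path:
            return ("allow", "")  # redirect target is never blocked (no loop)
    is_login = path in LOGIN_PATHS
    if (is_login and cfg.block_login) or (not is_login and cfg.block_site):
        return ("redirect", cfg.redirect_url) if cfg.redirect_url else ("block", "")
    return ("allow", "")

# Constructed sample configuration, not taken from a real site.
SAMPLE = Config(blocked={"XX"}, redirect_url="https://example.com/blocked")
```

Running `config_errors` before saving settings catches a redirect URL without a scheme or a bypass URL entered as an absolute URL.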