When you enable Country Blocking, you need to decide whether you want to block certain countries from accessing your whole site, or just login page.
Wordfence uses a geolocation database, that is bundled into the plugin, for the country blocking feature. Note that the correct detection of the country where an IP address is located is over 99% accurate so there will be a tiny number that are incorrect. We update the geolocation database as often as we can. It may also be the case that detection of IPv6 protocol IP addresses may not be as highly accurate as IPv4 IP address detection as the adoption of IPv6 IP addresses increases over time.
Advanced Country Blocking Options are located under Firewall > Blocking > Blocking Options.
Selecting which pages to block access to
Block access to the login form
Using country blocking to block access to your login form is an effective way to immediately stop brute force login attacks from a specific country. Login attempts via the WordPress XML-RPC API are also blocked. Other plugins that create custom login pages that use the standard WordPress authentication hooks may also be successfully blocked with this option. Plugins that are known to be incompatible are:
Block access to the rest of the site (outside the login form)
If you enable this feature, you will block access for the selected countries to all parts of your site except the login form.
Google and other search engine crawlers
Be careful about blocking countries in North America and Europe, because there are friendly web crawlers like Google’s Googlebot that are located in those areas and you may harm your search engine rankings if you block those countries because you will prevent Google, Bing and other search and aggregation services from crawling your site. At this time Country Blocking does not make exceptions for Googlebot and will block it if you block the USA.
Please note that if you are using Google Ads (formerly Google AdWords) on your site, you may get penalties for blocking access to your site. If you are using Google Ads, we recommend you only use Country Blocking to block access to the login form. Note that there is no way to get around the Google Ads policy. Google Ads does not allow any participant to block any country from viewing pages at all, even if you have told Google Ads to not show adverts in that country. If you are a participant, you can only block access to the login form. If you get a warning from Google Ads, uncheck “Block access to the rest of the site (outside the login form)” to fix this.
You can also choose to “Block countries even if they are logged in.” Usually you will want to leave this option unselected, unless you have someone who has already created a user account and is signed in who you now want to block. If you use country blocking on your whole site, including the login form, it will no longer be possible for someone to sign in or register a new account, and therefore you won’t need to worry about logged-in users from your blocked countries accessing your site.
Selecting countries to block
As a general philosophy, we recommend you try to minimize the number of countries you are blocking. We do have a few customers who run tightly secured websites and who only allow a single country to access their site. But for most websites, we suggest that you only block problem countries who are regularly creating failed logins, a large number of page-not-found errors, and/or are clearly engaging in malicious activity. We also recommend you re-evaluate your blocks from time to time.
Advanced Country Blocking Options
These options are located under Firewall > Blocking > Blocking Options.
What to do when we block someone
You can either select the option to show a standard “Your access has been temporarily limited” message, or you can redirect the blocked user to a custom page on your website or an external website.
URL to redirect blocked users to
If you have selected to redirect users when they are blocked via Country Blocking, you can enter the URL they should be redirected to here. Whether you choose to redirect the user to an internal or external website, you must enter the URL as a fully qualified URL that starts with ‘http://’ or ‘https://’.
Access to the URL you are redirecting your users to will not be blocked using country blocking, because this would result in a loop where a blocked user is redirected to a URL where they are blocked and redirected to the same URL, and so on.
Block countries even if they are logged in
Usually you will want to leave this option unselected, unless you have someone who has already created a user account and is signed in who you now want to block. If you use country blocking on your whole site, including the login form, it’s not possible for someone to sign-in or register a new account and therefore you won’t need to worry about logged-in users from your blocked countries accessing your site.
First method to bypass country blocking using advanced options
The first method deals with someone who is currently in a blocked country but to whom you want to give access to your site. You can create a page and use it as a special hidden URL, so that when visitors access that URL, they will be redirected to another URL on your website that you define and Wordfence will set a special cookie that lets them bypass country-blocking. To set this up, simply fill in the two fields shown that define what the hidden URL is and where the user should be redirected to after Wordfence has set the special bypass cookie on your visitor’s machine.
If user hits the URL: "Fill in the special URL here and make it relative e.g. /countryblockingbypass"
…then redirect that user to: “You might want to make this your home page or some other starting point for the user once they have their special cookie set. This URL is also relative e.g. /”
Second method to bypass country blocking using advanced options
This second method is a way to ensure that someone who CURRENTLY has access to your website is not blocked in the future by country blocking.
Next to the field that is titled “If user who is allowed to access the site views the URL….” Enter a hidden URL e.g. /bypassInFutureCountryBlocking
If any of your visitors hits that URL, they will receive a special cookie that will allow them to bypass country blocking in the future in case they get blocked. You can use this feature if you have a traveling team member who is visiting a blocked country and who needs access to your site. They can visit the special URL you define here before they leave the country. Then once they’re outside the country, country-blocking won’t block them from accessing your site.
Please note that the URL does not have to exist on the server. You can make up any URL you want.