📚 Plugin Documentation

Country Blocker & Geoblocker

Complete documentation for version 1.1.6 — block visitors by country, continent, state, or region with VPN & datacenter detection, AI-bot blocking, IP lists, custom block pages, scheduling, redirects, WooCommerce integration, and a live world map. No API keys required.

← Back to all documentation

Requirements

WordPress5.6 or higher
PHP7.4 or higher
API KeysNone. Geo lookups use free public APIs out of the box with automatic failover across four providers
External DependenciesNone to install. The interactive world map is bundled locally (no external requests)
As of version 1.1.0 the MaxMind GeoLite2 dependency was removed entirely. The plugin no longer needs a license key or a downloaded database — geolocation now runs on free, no-key providers with automatic failover.

Installation

  1. Download the ZIP file from your account
  2. Go to Plugins → Add New → Upload Plugin
  3. Upload the ZIP and click Install Now
  4. Click Activate
On activation the plugin creates a logging database table, sets sensible defaults, and is ready immediately. No setup wizard or configuration files needed. If the free version of Country Blocker is active, the paid version asks you to deactivate it first.

Uninstalling

Deactivate and delete from the Plugins screen. Scheduled cron events are cleared on deactivation. Options stored under bsas_* in the wp_options table and the wp_bsas_logs table remain in your database; remove them manually for a completely clean removal.

Quick Start

  1. Open Geoblocker (Paid) in your WordPress admin sidebar
  2. On the General tab, confirm Enable Geoblocking is on (it is by default)
  3. Go to the Countries tab and check the countries or continents you want to block
  4. Click Save
  5. Optionally set up regions, redirect rules, schedules, IP lists, and a custom block page on the other tabs

Visitors from the selected locations immediately see a “403 Access Restricted” block page. Customize it on the Block Page tab.

The admin menu is organized into ten tabs: General, Countries, Regions, Rules, Automation, IP Lists, Block Page, Logs, Tools, and Support.

Core Settings (General Tab)

Enable GeoblockingMaster on/off switch. When off, no visitors are blocked regardless of other settings
Allow Search CrawlersWhen on, recognized search engines (Google, Bing, and others) bypass blocking. Crawlers are verified by forward-confirmed reverse DNS, not just the user-agent string, so spoofed bots can't slip through. Recommended on for SEO
Block VPNs & Data CentersBlock visitors from known VPN services, hosting providers, and data-center IPs even when their country is allowed
Block REST API AccessApply blocking rules to /wp-json/ REST API requests. Off by default

Log Mode

Log everythingRecords both blocked and allowed visitors
Log blocked onlyRecords only blocked visitors (recommended)
Log allowed onlyRecords only allowed/bypassed visitors
Disable loggingNo access logs are written. Reduces database writes on high-traffic sites

Unknown Location Policy

Allow accessIf a visitor's country can't be determined, they are allowed through (recommended)
Block accessIf a visitor's country can't be determined, they are blocked. Use for strict compliance

Blocking Mode

BlocklistDefault. Everyone is allowed except the countries, continents, and regions you select
AllowlistReverses the logic: everyone is blocked except the locations you select. Use this when you only serve a small number of countries
In Allowlist mode, double-check your selections before saving — anything not on the list is blocked, including yourself if you're outside the allowed locations. Your /wp-admin/ login always stays reachable.

Behind a Proxy / CDN

By default the plugin trusts the direct connection IP, which is the safe choice and prevents IP-spoofing bypasses.

Trust proxy headersEnable only if your site sits behind Cloudflare or another reverse proxy. When on, the plugin reads the real visitor IP from headers like CF-Connecting-IP and X-Forwarded-For
Don't enable proxy-header trust unless you actually run a proxy/CDN. If you do, an attacker could forge those headers to fake their location and slip past blocking.

AI Scrapers & Bots

Block AI training & scraper botsBlocks known AI crawlers regardless of their country — including GPTBot, ClaudeBot, CCBot, Google-Extended, PerplexityBot, Bytespider, and more

Use this to keep your content out of AI training datasets and to cut crawler bandwidth. Legitimate search-engine crawlers are unaffected when “Allow Search Crawlers” is on.

Hosting, VPN & Network Blocking

Block hosting providers & datacentersBlocks visitors whose IP belongs to a hosting/datacenter network (a common source of bots and abuse)
Custom network / ASN blocklistOne keyword or ASN per line, matched against the visitor's network name. Example entries: AS13335, DigitalOcean. Lines are matched case-insensitively

Test an IP Address

Right on the General tab you can enter any IP and see exactly how the plugin would handle it against your current settings — the detected country/region, the decision (blocked, allowed, or bypassed), and the reason. A dedicated IP Tester is also available on the Tools tab.

Use this before going live with strict rules or Allowlist mode to confirm you won't lock out the locations you care about.

Admin Access & URL Allow List

WordPress Admin Access

The WordPress admin area and login page are never blocked by default, so you can't lock yourself out. An optional Block WordPress admin area toggle is available if you specifically want geo rules applied to /wp-admin/ as well.

Never Block These URLs

Enter URLs or path fragments (one per line) that should always bypass blocking — for example a webhook endpoint, a health-check URL, or a public landing page you want reachable from everywhere.

Live World Map

The General tab includes an interactive world map (bundled locally, no external requests) that color-codes every country by its current status:

Allowed, receiving trafficAllowed countries that have recent visitors
Allowed, no trafficAllowed countries with no recent visitors
Blocked, receiving trafficBlocked countries that are actively being turned away
Blocked, no trafficBlocked countries with no recent hits

Above the map, live counters show total blocked, last 24h, and last 7d so you can see your blocking activity at a glance.

Countries & Continents (Countries Tab)

Block Countries

A searchable grid of 250+ countries and territories. Use the search box to find a country fast, or the Select All / Deselect All buttons for bulk actions. Checked entries are affected according to your Blocking Mode.

Block Continents

Block entire continents with one checkbox: Africa, Antarctica, Asia, Europe, North America, Oceania, and South America. Continent selections stack with individual country selections.

In Blocklist mode, selecting a continent blocks every country in it. In Allowlist mode, selecting a continent allows every country in it.

Regions / States (Regions Tab)

Block at a sub-country level for seven countries:

United StatesAll 50 states plus DC, Puerto Rico, Guam, and U.S. Virgin Islands
CanadaAll 13 provinces and territories
United KingdomEngland, Scotland, Wales, and Northern Ireland
AustraliaAll 8 states and territories
GermanyAll 16 Bundesländer
IndiaAll 36 states and union territories
ChinaAll 31 provinces, municipalities, and autonomous regions
Region blocking depends on the geo lookup returning subdivision data. Coverage varies by provider and is generally strongest for the US. Check the Region column on the Logs tab to confirm regions are being detected for your visitors.

Rules Tab

Redirect Rules

Instead of showing the block page, send visitors from a specific location to a custom URL (302 redirect). Each rule has a Type (Country, Continent, US State, CA Province, UK Region, AU State, DE State, IN State, or CN Province), a Value (the location to match), and a URL. Click + Add Rule for more. Redirect rules are checked before the normal block page; the first match wins and is independent of your blocked list.

Blocking Schedules

Create time-based profiles, each with a name, the days it's active, and a start/end hour (24-hour format, overnight spans supported). Blocking is active when any enabled schedule matches the current day and time; if no schedules are enabled, blocking runs 24/7. Times follow your WordPress timezone.

Page-Level Blocking

Restrict blocking to specific pages instead of the whole site. Add pages from the selector, then choose Block ONLY these pages or Block all EXCEPT these pages (handy for keeping a landing page or legal notice open to everyone).

Automation Tab

Auto-Block Repeat Offenders

Automatically blacklist IPs that keep hitting the block page. Set a Threshold (number of blocked hits) and a Period (Per Hour or Per Day). When an IP exceeds the threshold within the period it's added to the IP blacklist automatically.

WooCommerce Integration

Prevent CheckoutVisitors from blocked locations are stopped from completing checkout
Prevent Cart AccessVisitors from blocked locations see the block page when opening the cart
This lets blocked visitors browse and view products while preventing purchases — useful for export controls or regional licensing.

IP Lists Tab

IP Whitelist

IPs or ranges that always bypass blocking, regardless of location. Whitelisted visitors are logged as “bypassed.”

IP Blacklist

IPs or ranges that are always blocked, regardless of location, with no geo lookup.

Both fields accept IPv4, IPv6, and CIDR notation, one entry per line — e.g. 192.168.1.1, 2001:db8::1, 192.168.1.0/24. Lines starting with # are treated as comments.

Use the whitelist for your office IPs, staging servers, or monitoring services. Use the blacklist for known bad actors.

Block Page Tab

Redirect (Optional)

Enter a URL to send all blocked visitors to instead of showing the block page. When set, the design settings below are ignored.

Block Page Colors

BackgroundPage background color (default dark navy #0f172a)
TextText color
AccentIcon gradient / accent color

Block Page Content

HeadingMain title (default “Access Restricted”)
Message BodyDescription text below the heading

Custom CSS

Add CSS to further style the block page. Available classes include .bsas-block-body, .bsas-panel, .bsas-icon, plus h1 and p.

Live Preview

A real-time preview shows exactly how your block page looks as you adjust colors and text.

The block page is a standalone HTML page served with a 403 status. It does not load your theme, keeping it fast and lightweight.

Logs Tab

A paginated table of access log entries, newest first. Each row shows the detected country and region, the decision (Blocked, Allowed, Bypassed, or Error), the reason (e.g. country_blocked, region_blocked, whitelisted, vpn_datacenter, ai_bot, redirect_rule), the requested URI, and the timestamp.

Log Retention Settings

Retention Days (0 = forever)How many days to keep entries. Default 30. A daily cron job removes older rows
Max Entries (0 = unlimited)Cap on stored entries. When exceeded, the oldest are deleted first

Log export is available on the Tools tab and the CSV is sanitized against spreadsheet formula injection.

Tools Tab

Export Settings

Download all plugin settings as a single JSON file — handy for backups or copying a configuration to another site.

Import Settings

Upload a previously exported JSON file to restore or clone your configuration.

IP Tester

Enter any IP address to preview the exact decision the plugin would make for it against your live rules — the same tester that appears on the General tab.

Support Tab

The Support tab links to priority support and help resources. For account or licensing questions, visit plugins-for-wp.com.

How Blocking Works

On each frontend request the plugin runs checks roughly in this order:

  1. Admin / cron / AJAX? — admin, WP-CLI, cron, and AJAX requests skip blocking entirely
  2. Plugin enabled? — if the master toggle is off, everyone is allowed
  3. REST API/wp-json/ is excluded unless Block REST API is on
  4. Bypass cookie — a recent allowed visitor passes through without a re-check
  5. IP whitelist / blacklist — whitelisted IPs are allowed; blacklisted IPs are blocked with no geo lookup
  6. Crawler check — verified search crawlers are allowed when that setting is on
  7. AI & bot check — AI scraper bots are blocked when that setting is on
  8. Schedule check — if no active schedule matches, blocking is paused
  9. Resolve visitor IP — the connection IP is used by default; proxy headers are only read if you've enabled them
  10. Geo lookup — country/region from cache or the free provider chain
  11. Unknown location — the allow/block policy applies if the country can't be determined
  12. Redirect rules — a matching rule 302-redirects the visitor
  13. Mode evaluation — the country/continent/region is evaluated against your Blocklist or Allowlist selections
  14. Hosting / VPN / ASN check — datacenter and custom-network rules apply
  15. Page-level check — if enabled, only the targeted pages are affected
  16. Allowed — a short bypass cookie is set so the next page load skips the work

Geo Lookup

The plugin determines a visitor's country and region from four free providers, in failover order, with no API keys:

  1. ipwhois.is
  2. ip-api.com
  3. ipapi.co
  4. ipinfo.io

All outbound lookups verify TLS certificates. Successful results are cached per IP so repeat visitors trigger no further calls, and failed lookups are cached only briefly — so a temporary provider outage clears quickly instead of lingering for a full day.

There is no MaxMind setup anymore. Country-level accuracy from the provider chain is high for most regions, and the automatic failover keeps lookups reliable even if one provider is down.

Privacy & Data

IP Hashing

Visitor IP addresses are stored as hashes by default, so raw IPs aren't kept. This supports GDPR and general privacy compliance.

What's Stored

wp_bsas_logsAccess logs: hashed IP, country code, region code, decision, reason, request URI, timestamp
bsas_* optionsAll plugin settings in wp_options
TransientsCached geo lookup results per visitor IP
CookieA short-lived bypass cookie set on allowed visitors to avoid repeated lookups

External Connections

The only data sent off-site is the visitor IP, to the geolocation providers listed above (over verified TLS). Optional, voluntary deactivation feedback is sent to plugins-for-wp.com only if you submit the form. No tracking scripts or third-party cookies are loaded.

Performance

  • Geo lookups are cached per IP — repeat visitors cause no extra API calls
  • Allowed visitors get a short bypass cookie, skipping the whole check on later page loads
  • Failed providers are skipped automatically and retried; failed lookups are cached only briefly
  • Outbound requests use short timeouts so a slow provider can't drag your site down
  • Admin, cron, AJAX, and (by default) REST API requests are always excluded
  • The world map and its assets are bundled locally and only load in the admin
  • A daily cron job trims logs by retention days and max-entry limits

Troubleshooting

Visitors from blocked countries are getting through
  • Confirm Enable Geoblocking is on (General tab)
  • Check the country, its continent, or the visitor's region is selected for your current Blocking Mode
  • The visitor may be on a VPN — enable Block VPNs & Data Centers
  • If using schedules, verify the current day/time falls in an active schedule
  • Cached geo results from before your change clear on their own shortly
  • A recent allowed visitor with a bypass cookie won't be re-checked for a little while
I'm blocking myself
  • /wp-admin/ is never blocked — log in there to change settings
  • Add your IP to the IP Whitelist on the IP Lists tab
  • If you enabled Allowlist mode, make sure your own country is on the allow list
  • Locked out of the frontend entirely? Rename the plugin folder via FTP/file manager to deactivate it
Region / state blocking isn't working
  • Region data depends on the provider returning subdivision info, which varies by provider and country
  • Check the Region column on the Logs tab to see whether region codes are detected
  • Some mobile and satellite ISPs don't resolve to an accurate region
My site is behind Cloudflare and everyone looks like the same IP
  • Enable Trust proxy headers on the General tab so the plugin reads the real visitor IP from CF-Connecting-IP / X-Forwarded-For
  • Only enable this when you actually run a proxy/CDN — otherwise it opens an IP-spoofing bypass
The logs table is getting large
  • Lower Retention Days (default 30)
  • Set a Max Entries cap
  • Switch Log Mode to Log blocked only or Disable logging
  • The daily cron job handles cleanup automatically
Scheduled cleanup isn't running on time
  • WordPress cron depends on traffic; low-traffic sites may fire late
  • Consider a real server cron hitting wp-cron.php on a schedule
  • Check that DISABLE_WP_CRON isn't set in wp-config.php