Problem with blocking a country

Hi @scruffy1,

Originally, a user can register through “wp-signup.php” or URL that returned by wp_registration_url().

But if some plugin or theme change the URL using register_url filter hook, or change the action name for registering, then I have to adapt it.

Do you use a plugin like these?

Currently, reregistration by BuddyPress is supported.

Thanks.

hi @tokkonopapa

I only have the theme and this YITH Custom Login

the theme is MediaCenterVersion: 2.7.4 By MadrasThemes

thanks tracey

Hi Tracey,

I read the documentation about “YITH Custom Login” plugin and “MediaCenter” theme, and found no functionality of customizing URL for login and registration.

Then I assume the user who seemed to be in Ukraine accessed your site via some proxy server. To block this type of users, please put HTTP_X_REAL_IP,HTTP_X_FORWARDED_FOR into “$_SERVER keys to retrieve extra IP addresses” in “Validation rule settings” section:

I leave it empty because some server configures this type of keys, and also those can be spoofed by users. But please feel safe because those keys may work on safety side, i.e. blocking.

And please note that those keys are also used in Wordfence and WF always starts prior than IP Geo Block. So please check both logs in WF and IPGB to confirm the IP might be blocked.

I hope you to feed back the results.

Thanks.

Hi Thanks for reply and suggestions

If they were using a proxy server then would the Ukraine IP not show up ?

Thanks Tracey

Hi,

If they were using a proxy server then would the Ukraine IP not show up ?

Wordfence will record the Ukraine IP in its “Live Traffic”. And IPGB also will record it in its “Logs” when it is blocked.

hi

Slimstat recorded the login and access from Ukraine, that was how I spotted the person registering and logging in to account.

Nothing showed it as blocked until I blocked that 1 IP, I am still wondering how the person did it.

Thanks Tracey

Hi

What type of the path did Slimstat report in its access log?

Here’s in my case (I’m in Japan), when I visited login page (the path was shown as /wp-login.php):

こんにちは ( I hope that says hello )

it showed account,
then wp login

then change of password

then I never saw it again other than I deleted the user who had logged in

Chrome Windows 10 Ukraine
movchan20091992 (178.215.160.42) PDF Viewer 1366×768
My Account

Hope this helps

Thanks Tracey

Googling the IP address shows a lot of abuse reports.

I’ll check how Slimstat detects it. Please forgive me to take some time.

Thanks for the information!

Hi

Thanks,

Tracey

Hi Tracey,

I’m very sorry to have kept you waiting for over 1 week, but I found the difference between slimstat and IPGB (which is based on the same way as Wordfence).

Slimstat will try to get all the possible server’s environment variables.

So would you try to setup the following symbols into “$_SERVER keys to retrieve extra IP addresses” and observe result:

X-Forwarded-For,HTTP_X_FORWARDED_FOR,CF-Connecting-IP,HTTP_CLIENT_IP,HTTP_X_REAL_IP,HTTP_FORWARDED,HTTP_X_FORWARDED

I think CF-Connecting-IP in http header should be HTTP_CF_CONNECTING_IP in PHP, but first of all, we should follow Slimstat.

References:

• What does Cloudflare IP Geolocation do?
• CloudFlare and logging visitor IP addresses via in PHP

I’d appreciate you to test the above symbols and observe for a while.
Thanks.

Hi @tokkonopapa

Thanks , I have entered the code you gave for “$_SERVER keys to retrieve extra IP addresses” , I will watch the results for a week,

thanks Tracey