Does HTACCESS IP Blocker have any unpatched vulnerabilities?

Yes — HTACCESS IP Blocker currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is HTACCESS IP Blocker compatible with WordPress 5.4.19?

According to WordPress.org data, HTACCESS IP Blocker 1.0 has been tested up to WordPress 5.4.19. Check the plugin's changelog for the latest compatibility information.

Is HTACCESS IP Blocker compatible with PHP 7.0+?

HTACCESS IP Blocker requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is HTACCESS IP Blocker updated?

HTACCESS IP Blocker was last updated on Jul 21, 2020. Frequent updates are generally a positive security signal.

What is HTACCESS IP Blocker's security score?

HTACCESS IP Blocker has a WP-Safety security score of 63/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

HTACCESS IP Blocker Security & Risk Analysis

wordpress.org/plugins/htaccess-ip-blocker

Blocks failed attempted IPs in htaccess

70 active installs v1.0 PHP 7.0+ WP 5.4+ Updated Jul 21, 2020

blockhtaccessipip-blockerlogin

C · Use Caution

CVEs total1

Unpatched1

Last CVESep 26, 2025

Download

Safety Verdict

Is HTACCESS IP Blocker Safe to Use in 2026?

Use With Caution

Score 63/100

HTACCESS IP Blocker has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Sep 26, 2025Updated 5yr ago

Risk Assessment

The "htaccess-ip-blocker" v1.0 plugin exhibits a concerning security posture despite a seemingly small attack surface. While there are no direct AJAX handlers, REST API routes, shortcodes, or cron events exposed without authentication or proper checks, the presence of the "unserialize" function is a significant red flag. This function is notorious for its potential to lead to Remote Code Execution (RCE) if user-supplied data is unserialized without proper sanitization and validation. The taint analysis revealing flows with unsanitized paths, even without critical or high severity, suggests that data intended for unserialization might not be sufficiently validated before being processed, posing a risk.

Key Concerns

Unpatched Medium severity CVE
Dangerous function: unserialize
All outputs unescaped
Taint flows with unsanitized paths
No nonce checks
No capability checks

Vulnerabilities

HTACCESS IP Blocker Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-60170medium · 4.3Cross-Site Request Forgery (CSRF)

HTACCESS IP Blocker <= 1.0 - Cross-Site Request Forgery

Sep 26, 2025Unpatched

Code Analysis

Analyzed Mar 16, 2026

HTACCESS IP Blocker Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$lines = ($lines_str != '') ? unserialize($lines_str) : [];functions.php:71

unserialize$_ipblock_ips_arr = ($_ipblock_ips != '') ? unserialize($_ipblock_ips) : [];functions.php:118

Output Escaping

0% escaped3 total outputs

Data Flows

3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths

ipblockersettings_callback (functions.php:97)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

HTACCESS IP Blocker Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 2

actionwp_login_failedfunctions.php:32

actionadmin_menufunctions.php:176

Maintenance & Trust

HTACCESS IP Blocker Maintenance & Trust

Maintenance Signals

WordPress version tested5.4.19

Last updatedJul 21, 2020

PHP min version7.0

Downloads2K

Community Trust

Rating100/100

Number of ratings1

Active installs70

Alternatives

HTACCESS IP Blocker Alternatives

IP & Country Blocker Lite

ip-blocker-lite

100

Advanced WordPress security plugin with IP/country blocking and two-factor authentication for comprehensive website protection.

300 No CVEs

Login IP & Country Restriction

100

Tighten your website security and fight against dictionary bot attacks originating from other countries, by denying access.

7K No CVEs

CrowdSec

crowdsec

100

This plugin blocks detected attackers or displays them a captcha to check they are not bots.

2K No CVEs

Advanced IP Blocker

advanced-ip-blocker

100

A complete WordPress security firewall: blocks IPs, bots & countries. Includes an intelligent WAF, Threat Scoring, Geo-Challenge, 2FA, and Anti-Sp …

1K No CVEs

Geo Blocker – Control Site Access by Region and IP

geo-blocker

100

🔐 Block or allow visitors by country. Track access attempts. View analytics. Stay in control — effortlessly.

700 No CVEs

Developer Profile

HTACCESS IP Blocker Developer Profile

Taraprasad Swain

1 plugin · 70 total installs

trust score

Avg Security Score

63/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect HTACCESS IP Blocker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

Data Attributes

name="_ipblock_enabled"value="1"name="_ipblock_enabled"value="0"name="_ipblock_maxcount"name="_ipblock_interval"+1 more

FAQ