[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fplKKw18k3UDjAdhA-5ea4znMeJLo8RJPDUbHiGzzjjE":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":14,"unpatched_count":14,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":45,"crawl_stats":36,"alternatives":50,"analysis":153,"fingerprints":265},"htaccess-ip-blocker","HTACCESS IP Blocker","1.0","Taraprasad Swain","https:\u002F\u002Fprofiles.wordpress.org\u002Fswaintara\u002F","\u003Cp>Blocks failed attempted IPs in htaccess\u003C\u002Fp>\n","Blocks failed attempted IPs in htaccess",70,2459,100,1,"2020-07-21T19:07:00.000Z","5.4.19","5.4","7.0",[20,21,22,23,24],"block","htaccess","ip","ip-blocker","login","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhtaccess-ip-blocker.zip",63,"2025-09-26 00:00:00","2026-03-15T15:16:48.613Z",[31],{"id":32,"url_slug":33,"title":34,"description":35,"plugin_slug":4,"theme_slug":36,"affected_versions":37,"patched_in_version":36,"severity":38,"cvss_score":39,"cvss_vector":40,"vuln_type":41,"published_date":28,"updated_date":42,"references":43,"days_to_patch":36},"CVE-2025-60170","htaccess-ip-blocker-cross-site-request-forgery","HTACCESS IP Blocker \u003C= 1.0 - Cross-Site Request Forgery","The HTACCESS IP Blocker plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=1.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2025-09-29 21:09:42",[44],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F65a3a9b7-b7ca-41f4-b808-7d955205a104?source=api-prod",{"slug":46,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":47,"trust_score":48,"computed_at":49},"swaintara",30,68,"2026-04-04T19:07:29.538Z",[51,71,94,113,134],{"slug":52,"name":53,"version":54,"author":55,"author_profile":56,"description":57,"short_description":58,"active_installs":59,"downloaded":60,"rating":13,"num_ratings":14,"last_updated":61,"tested_up_to":62,"requires_at_least":63,"requires_php":18,"tags":64,"homepage":25,"download_link":69,"security_score":13,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":29},"ip-blocker-lite","IP & Country Blocker Lite","3.0.0","Nurul Islam","https:\u002F\u002Fprofiles.wordpress.org\u002Ffaqnurul\u002F","\u003Cp>IP & Country Blocker Lite is a comprehensive WordPress security plugin that provides multiple layers of protection for your website. Block unwanted visitors based on IP addresses or countries, and add an extra layer of security with two-factor authentication (2FA).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Features:\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Cstrong>IP Address Blocking\u003C\u002Fstrong>: Block or allow specific IP addresses, IP ranges, or subnets\u003Cbr \u002F>\n* \u003Cstrong>Country-Based Blocking\u003C\u002Fstrong>: Restrict access based on visitors’ countries\u003Cbr \u002F>\n* \u003Cstrong>Two-Factor Authentication\u003C\u002Fstrong>: Secure admin logins with email-based 2FA or authenticator apps\u003Cbr \u002F>\n* \u003Cstrong>Recovery Codes\u003C\u002Fstrong>: Backup access codes for account recovery\u003Cbr \u002F>\n* \u003Cstrong>Emergency Recovery\u003C\u002Fstrong>: Generate secure recovery URLs to disable the plugin if locked out\u003Cbr \u002F>\n* \u003Cstrong>Advanced Security Dashboard\u003C\u002Fstrong>: Monitor blocked attempts and security events\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key Benefits:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Protect against spam, bots, and malicious traffic\u003Cbr \u002F>\n* Prevent brute force attacks on admin login\u003Cbr \u002F>\n* Block entire countries or regions\u003Cbr \u002F>\n* Easy-to-use admin interface with real-time monitoring\u003Cbr \u002F>\n* Lightweight and fast performance\u003Cbr \u002F>\n* No external dependencies for core functionality\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Easy Management:\u003C\u002Fstrong>\u003Cbr \u002F>\n* One-click blocking\u002Funblocking\u003Cbr \u002F>\n* Intuitive admin panel with tabbed interface\u003Cbr \u002F>\n* Real-time activity logs\u003Cbr \u002F>\n* Bulk operations support\u003Cbr \u002F>\n* Custom blocked page templates\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Monitoring & Analytics:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Track blocked IP attempts\u003Cbr \u002F>\n* View country-wise access statistics\u003Cbr \u002F>\n* Monitor security events\u003Cbr \u002F>\n* Export blocking rules\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Privacy & Compliance:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Uses free IP-API.com service for geolocation\u003Cbr \u002F>\n* No personal data storage\u003Cbr \u002F>\n* GDPR compliant\u003Cbr \u002F>\n* Respects user privacy\u003C\u002Fp>\n\u003Ch3>Data Collection & Privacy\u003C\u002Fh3>\n\u003Cp>For transparency, here’s what data the plugin collects and why:\u003C\u002Fp>\n\u003Ch3>\u003Cstrong>Essential Data Collection (Always Required for Functionality):\u003C\u002Fstrong>\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>IP Addresses\u003C\u002Fstrong>: Collected for security blocking and geolocation features\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Purpose\u003C\u002Fstrong>: Enable IP\u002Fcountry blocking, security monitoring, and access control\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Storage\u003C\u002Fstrong>: Temporary (not stored in database, only processed in memory)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Third Parties\u003C\u002Fstrong>: Sent to IP-API.com for country lookup (free service)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Country Information\u003C\u002Fstrong>: Derived from IP addresses via geolocation\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Purpose\u003C\u002Fstrong>: Enable country-based blocking and access statistics\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Storage\u003C\u002Fstrong>: Not stored permanently (only used for blocking decisions)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Third Parties\u003C\u002Fstrong>: Retrieved from IP-API.com (free geolocation service)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>\u003Cstrong>Optional Data Collection (Only with User Consent):\u003C\u002Fstrong>\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Plugin Usage Statistics\u003C\u002Fstrong>: Anonymous plugin performance data\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Purpose\u003C\u002Fstrong>: Improve plugin quality and fix bugs\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Data Collected\u003C\u002Fstrong>: Plugin version, WordPress version, PHP version, activation date\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Storage\u003C\u002Fstrong>: Remote server (only if user consents)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy\u003C\u002Fstrong>: Completely anonymous, no personal identifiers\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>User Feedback\u003C\u002Fstrong>: Plugin reviews and feedback submissions\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Purpose\u003C\u002Fstrong>: Understand user needs and improve features\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Data Collected\u003C\u002Fstrong>: Feedback text, rating, plugin version, PHP version\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Storage\u003C\u002Fstrong>: Remote server (only if user consents)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy\u003C\u002Fstrong>: Anonymous feedback, no personal data required\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy Policy\u003C\u002Fstrong>: http:\u002F\u002Fcodecanvasbd\u002Fprivacy-policy\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>\u003Cstrong>Data Collection Controls:\u003C\u002Fstrong>\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Consent Required\u003C\u002Fstrong>: Optional data collection requires explicit user consent\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Easy Opt-out\u003C\u002Fstrong>: Users can decline consent at any time\u003C\u002Fli>\n\u003Cli>\u003Cstrong>No Automatic Collection\u003C\u002Fstrong>: No data sent without user permission\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Transparent Process\u003C\u002Fstrong>: Clear consent modal explains what data is collected\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>\u003Cstrong>Third-Party Services:\u003C\u002Fstrong>\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>IP-API.com\u003C\u002Fstrong>: Free geolocation service for country detection\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Data sent: Visitor IP addresses\u003C\u002Fli>\n\u003Cli>Purpose: Determine visitor country for blocking features\u003C\u002Fli>\n\u003Cli>Privacy: IP-API.com privacy policy applies\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Remote Analytics Server\u003C\u002Fstrong> (optional, consent required):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Data sent: Anonymous usage statistics\u003C\u002Fli>\n\u003Cli>Purpose: Plugin improvement and support\u003C\u002Fli>\n\u003Cli>Privacy: No personal data, fully anonymous\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>\u003Cstrong>GDPR Compliance:\u003C\u002Fstrong>\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>✅ No personal data storage without consent\u003C\u002Fli>\n\u003Cli>✅ Clear consent mechanisms\u003C\u002Fli>\n\u003Cli>✅ Easy opt-out options\u003C\u002Fli>\n\u003Cli>✅ Transparent data practices\u003C\u002Fli>\n\u003Cli>✅ Data minimization principles\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Main Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>IP & Country Blocking:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Block specific IP addresses or ranges (CIDR notation supported)\u003Cbr \u002F>\n* Block entire countries or allow only specific countries\u003Cbr \u002F>\n* Whitelist important IPs for access\u003Cbr \u002F>\n* Real-time blocking with immediate effect\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Two-Factor Authentication (2FA):\u003C\u002Fstrong>\u003Cbr \u002F>\n* Email-based 2FA for easy setup\u003Cbr \u002F>\n* Authenticator app support (Google Authenticator, Authy, etc.)\u003Cbr \u002F>\n* Recovery codes for account access\u003Cbr \u002F>\n* Secure code generation and validation\u003Cbr \u002F>\n* Admin email verification\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Emergency Recovery System:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Generate secure recovery URLs to disable plugin if locked out\u003Cbr \u002F>\n* Time-limited recovery hashes (24 hours expiration)\u003Cbr \u002F>\n* One-click plugin deactivation via recovery URL\u003Cbr \u002F>\n* Secure hash verification to prevent unauthorized access\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Admin Interface:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Modern, responsive dashboard\u003Cbr \u002F>\n* Tabbed navigation for easy access\u003Cbr \u002F>\n* Real-time statistics and charts\u003Cbr \u002F>\n* Activity logs with filtering\u003Cbr \u002F>\n* Bulk operations for efficiency\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Monitoring:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Track blocked access attempts\u003Cbr \u002F>\n* Country-wise visitor statistics\u003Cbr \u002F>\n* Failed login monitoring\u003Cbr \u002F>\n* Security event logging\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Performance Optimized:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Lightweight codebase\u003Cbr \u002F>\n* Minimal database queries\u003Cbr \u002F>\n* Fast IP lookups\u003Cbr \u002F>\n* Caching support\u003C\u002Fp>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin uses the IP-API.com service to detect the user’s location based on their IP address.\u003Cbr \u002F>\n– \u003Cstrong>Service\u003C\u002Fstrong>: IP-API.com (http:\u002F\u002Fip-api.com)\u003Cbr \u002F>\n– \u003Cstrong>Purpose\u003C\u002Fstrong>: IP geolocation for country-based blocking\u003Cbr \u002F>\n– \u003Cstrong>Data Sent\u003C\u002Fstrong>: User’s IP address only\u003Cbr \u002F>\n– \u003Cstrong>Privacy Policy\u003C\u002Fstrong>: http:\u002F\u002Fip-api.com\u002Fdocs\u002Flegal\u003Cbr \u002F>\n– \u003Cstrong>Data Storage\u003C\u002Fstrong>: No personal data is stored by this plugin\u003C\u002Fp>\n\u003Cp>The plugin works without this service but country blocking features will be limited.\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support, bug reports, or feature requests:\u003Cbr \u002F>\n– \u003Cstrong>WordPress.org Support Forum\u003C\u002Fstrong>: https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fip-blocker-lite\u002F\u003Cbr \u002F>\n– \u003Cstrong>GitHub Issues\u003C\u002Fstrong>: Report bugs and request features\u003Cbr \u002F>\n– \u003Cstrong>Email\u003C\u002Fstrong>: Contact through WordPress.org profile\u003C\u002Fp>\n\u003Ch3>Contributing\u003C\u002Fh3>\n\u003Cp>Contributions are welcome! Please feel free to submit pull requests or open issues on GitHub.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Developer\u003C\u002Fstrong>: Nurul Islam (faqnurul)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Icons\u003C\u002Fstrong>: Dashicons (WordPress)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Geolocation\u003C\u002Fstrong>: IP-API.com (free tier)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Charts\u003C\u002Fstrong>: Chart.js library\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later.\u003Cbr \u002F>\nLicense URI: http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\u003C\u002Fp>\n\u003Cp>Take control of your website’s security and protect it from unwanted visitors with IP & Country Blocker Lite!\u003C\u002Fp>\n","Advanced WordPress security plugin with IP\u002Fcountry blocking and two-factor authentication for comprehensive website protection.",300,1883,"2026-01-05T16:17:00.000Z","6.9.4","4.0",[65,23,66,67,68],"country-blocker","login-security","two-factor-authentication","website-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fip-blocker-lite.zip",0,{"slug":72,"name":73,"version":74,"author":75,"author_profile":76,"description":77,"short_description":78,"active_installs":79,"downloaded":80,"rating":81,"num_ratings":82,"last_updated":83,"tested_up_to":62,"requires_at_least":84,"requires_php":85,"tags":86,"homepage":92,"download_link":93,"security_score":13,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":29},"login-ip-country-restriction","Login IP & Country Restriction","6.8.1","Iulia Cazan","https:\u002F\u002Fprofiles.wordpress.org\u002Fiulia-cazan\u002F","\u003Cp>This plugin hooks in the authenticate filter. By default, the plugin is set to allow all access and you can configure the plugin to allow the login only from some specified IPs or the specified countries. PLEASE MAKE SURE THAT YOU CONFIGURE THE PLUGIN TO ALLOW YOUR OWN ACCESS. If you set a restriction by IP, then you have to add your own IP (if you are using the plugin in a local setup the IP is 127.0.0.1 or ::1, this is added in your list by default). If you set a restriction by country, then you have to select from the list of countries at least your country. Both types of restrictions work independent, so you can set only one type of restriction or both if you want. Also, you can configure the redirects to frontpage when the URLs are accessed by someone that has a restriction. The restriction is either by country, or not in the specified IPs list.\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\u003C\u002Fp>\n","Tighten your website security and fight against dictionary bot attacks originating from other countries, by denying access.",7000,112297,92,51,"2025-11-22T14:06:00.000Z","5.1","7.2",[87,88,89,90,91],"block-country","block-ip","country-firewall","country-restriction","login-restriction","https:\u002F\u002Fiuliacazan.ro\u002Flogin-ip-country-restriction\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-ip-country-restriction.6.8.1.zip",{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":102,"downloaded":103,"rating":13,"num_ratings":104,"last_updated":105,"tested_up_to":62,"requires_at_least":106,"requires_php":85,"tags":107,"homepage":111,"download_link":112,"security_score":13,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":29},"crowdsec","CrowdSec","2.13.1","CrowdSec - lightweight and collaborative security engine","https:\u002F\u002Fprofiles.wordpress.org\u002Fcrowdsec\u002F","\u003Cp>The CrowdSec plugin proactively blocks requests coming from known attackers.\u003Cbr \u002F>\nIt does so by either directly using CrowdSec Blocklists Integration or by connecting to your CrowdSec Security Engine.\u003C\u002Fp>\n\u003Ch4>Key Features:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Instant CrowdSec Blocklist\u003C\u002Fstrong>: Quickly block known WordPress attackers in a few clicks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detect and block\u003C\u002Fstrong> admin bruteforce attempts and scans of your WordPress Site.\u003C\u002Fli>\n\u003Cli>Remediation metrics: Enabling you to see the efficiency of the protection.\u003C\u002Fli>\n\u003Cli>(Console Users) Plug any of your existing Blocklist Integrations.\u003C\u002Fli>\n\u003Cli>(CrowdSec Security Engine Users) Apply decisions and subscribed blocklist of your security engine within WordPress.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Block aggressive IPs\u003C\u002Fli>\n\u003Cli>Display a captcha for less aggressive IPs\u003C\u002Fli>\n\u003C\u002Fol>\n","This plugin blocks detected attackers or displays them a captcha to check they are not bots.",2000,58196,5,"2026-01-09T01:11:00.000Z","4.9",[108,95,109,23,110],"captcha","hacker-protection","security","https:\u002F\u002Fgithub.com\u002Fcrowdsecurity\u002Fcs-wordpress-bouncer","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcrowdsec.2.13.1.zip",{"slug":114,"name":115,"version":116,"author":117,"author_profile":118,"description":119,"short_description":120,"active_installs":121,"downloaded":122,"rating":123,"num_ratings":124,"last_updated":125,"tested_up_to":62,"requires_at_least":126,"requires_php":127,"tags":128,"homepage":132,"download_link":133,"security_score":13,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":29},"advanced-ip-blocker","Advanced IP Blocker","8.9.2","IniLerm","https:\u002F\u002Fprofiles.wordpress.org\u002Finilerm\u002F","\u003Cp>\u003Cstrong>Advanced IP Blocker\u003C\u002Fstrong> is your all-in-one security solution to safeguard your WordPress website from a wide range of threats. This plugin provides a comprehensive suite of tools to automatically detect and block malicious activity, including brute-force attacks, vulnerability scanning, and spam bots. With its intuitive interface, you can easily manage whitelists, blocklists, and view detailed security logs to understand exactly how your site is being protected.\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>\u003Cstrong>Important Note on PHP Version:\u003C\u002Fstrong>\u003Cbr \u002F>\n  To ensure maximum security and access to all features, we strongly recommend using \u003Cstrong>PHP 8.1 or higher\u003C\u002Fstrong>. Some advanced features (like the local MaxMind database or full 2FA management via WP-CLI) require PHP 8.1.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>\u003Cstrong>Key Features:\u003C\u002Fstrong>\u003Cbr \u002F>\n*   \u003Cstrong>(NEW) Country Selector Copy\u002FPaste:\u003C\u002Fstrong> Say goodbye to manually selecting 50+ countries. You can now instantly copy and paste a raw list of 2-letter country codes directly into Geoblocking, Geo-Challenge, and Whitelist Login fields.\u003Cbr \u002F>\n*   \u003Cstrong>(NEW) AIB Cloud Network V3:\u003C\u002Fstrong> Upgrade to the next-generation distributed threat intelligence network. The new API V3 provides secure, individual API Keys per site, drastically improving synchronization reliability, threat telemetry, and global network stability.\u003Cbr \u002F>\n*   \u003Cstrong>(NEW) Whitelist Login Countries:\u003C\u002Fstrong> Take absolute control over administrative access. Easily restrict your WordPress login page and XML-RPC to only allow connections from specific, whitelisted countries, instantly blocking unauthorized foreign login attempts.\u003Cbr \u002F>\n*   \u003Cstrong>(IMPROVED) Bulk Import\u002FExport for Blocked IPs & Whitelist:\u003C\u002Fstrong> Seamlessly import massive lists of IPs via CSV or manual entry. The system now features a bulletproof “Bulk Import” type, strict duration inheritance, and intelligent conflict resolution.\u003Cbr \u002F>\n*   \u003Cstrong>(NEW) Internal Security & Forensics:\u003C\u002Fstrong> A complete audit suite solely for WordPress. Track every sensitive event (plugin installs, settings changes, user logins) and monitor your critical files for unauthorized modifications with the integrated File Integrity Monitor.\u003Cbr \u002F>\n*   \u003Cstrong>(NEW) Activity Audit Log:\u003C\u002Fstrong> Gain complete visibility into what’s happening on your site. Who deactivated a plugin? Who changed a setting? The Audit Log answers these questions with timestamped, immutable records.\u003Cbr \u002F>\n*   \u003Cstrong>(NEW) Deep Scan Email Reports:\u003C\u002Fstrong> Get a weekly security summary delivered to your inbox, detailing pending updates, vulnerability status, and recent attack trends.\u003Cbr \u002F>\n*   \u003Cstrong>Username Blocking & Rules:\u003C\u002Fstrong> Gain granular control over login security. Creating Advanced Rules to block, challenge, or score specific usernames (e.g., “admin”, “test”).\u003Cbr \u002F>\n*   \u003Cstrong>Enhanced Lockdown Notifications:\u003C\u002Fstrong> Distributed Lockdowns (404\u002F403) now fully support Email and Push notifications, ensuring you never miss a critical security event.\u003Cbr \u002F>\n*   \u003Cstrong>Improved Logging:\u003C\u002Fstrong> New “Endpoint Challenge” event type provides deeper visibility into challenges served during automated lockdowns.\u003Cbr \u002F>\n*   \u003Cstrong>Server IP Reputation Check. Instantly audit your web server’s IP address against major blacklists (Spamhaus, AbuseIPDB) to diagnose SEO and email delivery issues.\u003Cbr \u002F>\n*   **HTTP Security Headers.\u003C\u002Fstrong> Easily configure essential security headers like HSTS, X-Frame-Options, and Permissions-Policy to harden your site against clickjacking, sniffing, and other browser-based attacks. Includes a “Report-Only” mode for CSP.\u003Cbr \u002F>\n*   \u003Cstrong>Site Health & Vulnerability Scanner. Audit your WordPress environment instantly. Detects outdated plugins, insecure PHP versions, and checks your installed plugins against a database of 30,000+ known vulnerabilities.\u003Cbr \u002F>\n*   **PERFORMANCE BOOST: High-Speed Community Database. Migrated the “Community Defense Network” blocklist to a dedicated, indexed database table. This allows checking thousands of malicious IPs in microseconds with zero impact on site memory usage.\u003Cbr \u002F>\n*   **WordPress 6.9 Ready. Fully tested and compatible with the latest WordPress core update.\u003Cbr \u002F>\n*   **Community Defense Network. Join forces with other WordPress admins. The plugin now shares anonymous attack data to build a global, real-time blocklist of verified threats. Protect your site with community-powered intelligence.\u003Cbr \u002F>\n*   **Auto-Cleaning Logic. Smart expiration handling ensures your blocklists stay fresh and performant, automatically removing stale IPs from both the database and external firewalls (Cloudflare\u002F.htaccess).\u003Cbr \u002F>\n*   **Cloud Edge Defense (Cloudflare). Connect your site directly to Cloudflare’s global network. Automatically sync your blocklists to the cloud to stop attackers before they reach your server. Zero server load protection.\u003Cbr \u002F>\n*   **Server-Level Firewall (.htaccess). Extreme performance upgrade. Write blocking rules and file hardening protections directly to your .htaccess file. Blocks threats instantly without loading PHP or WordPress.\u003Cbr \u002F>\n*   **IMPROVED: Smart Bot Verification. Enhanced logic to correctly identify legitimate traffic from iOS devices (iCloud Private Relay) and social media previews, eliminating false positives while keeping impostors out.\u003Cbr \u002F>\n*   **File Hardening.\u003C\u002Fstrong> Protect your most sensitive files (\u003Ccode>wp-config.php\u003C\u002Fcode>, \u003Ccode>readme.html\u003C\u002Fcode>, \u003Ccode>.git\u003C\u002Fcode>) at the server level with a single click.\u003Cbr \u002F>\n*   \u003Cstrong>AbuseIPDB Integration.\u003C\u002Fstrong> Proactively block attackers before they strike. The plugin can now check visitor IPs against AbuseIPDB’s real-time, crowdsourced database of malicious IPs and block those with a high abuse score on their very first request.\u003Cbr \u002F>\n*   \u003Cstrong>Edge Firewall Mode!\u003C\u002Fstrong> Protect any PHP file or standalone application within your WordPress directory (even if it’s not part of WordPress). Ideal for securing custom scripts, legacy applications, or folders like \u003Ccode>\u002Fscan\u002F\u003C\u002Fcode>. (Requires manual configuration).\u003Cbr \u002F>\n*   \u003Cstrong>Advanced Rules Engine!\u003C\u002Fstrong> Create powerful, custom security rules with multiple conditions (IP, Country, ASN, URI, User-Agent) and actions (Block, Challenge, or add Threat Score).\u003Cbr \u002F>\n*   \u003Cstrong>Known Bot Verification.\u003C\u002Fstrong> A powerful new security layer that uses reverse DNS lookups to verify legitimate crawlers like Googlebot and Bingbot. This completely neutralizes attackers who try to bypass security rules by faking their User-Agent, assigning high threat scores to impostors.\u003Cbr \u002F>\n*   \u003Cstrong>Onboarding Setup Wizard.\u003C\u002Fstrong> A brand new step-by-step wizard that guides new users through the essential security configurations (IP whitelisting, WAF, and bot traps) in under a minute, ensuring a strong security posture from day one.\u003Cbr \u002F>\n*   \u003Cstrong>Major Refactor: Codebase Modernization.\u003C\u002Fstrong> The entire plugin architecture has been refactored into a modern, modular structure. Logic for admin pages, AJAX, actions, and settings is now handled by dedicated classes, making the plugin more stable, performant, and easier to maintain and extend in the future.\u003Cbr \u002F>\n*   \u003Cstrong>Advanced IP Spoofing Protection.\u003C\u002Fstrong> A zero-trust “Trusted Proxies” system ensures the plugin always identifies the true visitor IP, even behind complex setups like Cloudflare or a custom reverse proxy. It neutralizes attacks that attempt to fake their IP, preventing block evasion and the framing of innocent users.\u003Cbr \u002F>\n*   \u003Cstrong>Geo-Challenge.\u003C\u002Fstrong> A smarter way to handle traffic from high-risk countries. Instead of a hard block, it presents a quick, invisible JavaScript challenge that stops bots but is seamless for human visitors. This reduces unwanted traffic without affecting potential legitimate users.\u003Cbr \u002F>\n*   \u003Cstrong>ENHANCEMENT: Full Bulk-Action Support.\u003C\u002Fstrong> IP management is now faster than ever. Both the Whitelist and the Blocked IPs list now support full bulk actions, allowing you to select and remove multiple entries at once, or unblock all IPs with a single click.\u003Cbr \u002F>\n*   \u003Cstrong>Endpoint Lockdown Mode:\u003C\u002Fstrong> Automatically shields \u003Ccode>wp-login.php\u003C\u002Fcode> and \u003Ccode>xmlrpc.php\u003C\u002Fcode> with a JavaScript challenge during sustained distributed attacks, preventing server overload.\u003Cbr \u002F>\n*   \u003Cstrong>Two-Factor Authentication (2FA):\u003C\u002Fstrong> Secure user accounts with industry-standard TOTP authentication, backup codes, role enforcement, and a central admin management dashboard.\u003Cbr \u002F>\n*   \u003Cstrong>IP Trust & Threat Scoring System:\u003C\u002Fstrong> An intelligent defense that assigns “threat points” to IPs for malicious actions, blocking them only when they reach a configurable score. More accurate and context-aware than simple rules.\u003Cbr \u002F>\n*   \u003Cstrong>Attack Signature Engine (Beta):\u003C\u002Fstrong> Proactively stops distributed botnet attacks by identifying and blocking the attacker’s “fingerprint” (signature) instead of just individual IPs.\u003Cbr \u002F>\n*   \u003Cstrong>Web Application Firewall (WAF):\u003C\u002Fstrong> Block malicious requests (SQLi, XSS, etc.) with a customizable ruleset.\u003Cbr \u002F>\n*   \u003Cstrong>And much more:\u003C\u002Fstrong> Rate Limiting, Country & ASN Blocking (with Spamhaus support), ASN Whitelisting, Push Notifications, Google reCAPTCHA, Honeypots, Active User Session Management, and Full WP-CLI Support.\u003C\u002Fp>\n","A complete WordPress security firewall: blocks IPs, bots & countries. Includes an intelligent WAF, Threat Scoring, Geo-Challenge, 2FA, and Anti-Sp &hellip;",1000,20374,94,15,"2026-03-15T09:30:00.000Z","6.7","8.1",[129,130,23,110,131],"country-block","firewall","waf","https:\u002F\u002Fadvaipbl.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-ip-blocker.8.9.2.zip",{"slug":135,"name":136,"version":137,"author":138,"author_profile":139,"description":140,"short_description":141,"active_installs":142,"downloaded":143,"rating":13,"num_ratings":14,"last_updated":144,"tested_up_to":145,"requires_at_least":146,"requires_php":85,"tags":147,"homepage":151,"download_link":152,"security_score":13,"vuln_count":70,"unpatched_count":70,"last_vuln_date":36,"fetched_at":29},"geo-blocker","Geo Blocker – Control Site Access by Region and IP","1.0.0","Mohamed Shili","https:\u002F\u002Fprofiles.wordpress.org\u002Fmedshi8\u002F","\u003Cp>🔐 Block or allow visitors by country. Track access attempts. View analytics. Stay in control — effortlessly.\u003C\u002Fp>\n\u003Ch3>🧠 Description\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Geo Blocker\u003C\u002Fstrong> gives you full control over who can access your WordPress site — based on visitor country and IP. Whether you’re protecting content, reducing attack surface, or managing regional access, this plugin does it with precision and clarity.\u003C\u002Fp>\n\u003Cp>🎯 Designed for performance, security, and ease of use.\u003Cbr \u002F>\n📊 Built-in analytics and access logs.\u003Cbr \u002F>\n🧭 Never get locked out — admin-safe bypass included.\u003C\u002Fp>\n\u003Ch3>🚀 Features\u003C\u002Fh3>\n\u003Ch3>✅ Access Control That Makes Sense\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Block Selected Countries\u003C\u002Fstrong> – deny access to specific regions  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Allow Selected Countries\u003C\u002Fstrong> – restrict site only to approved countries  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🧩 Smart Blocking Actions\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>📜 Show custom message  \u003C\u002Fli>\n\u003Cli>🔁 Redirect to a URL  \u003C\u002Fli>\n\u003Cli>🚫 Send HTTP 403 Forbidden response  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🌐 Visual Country Selector\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Flag icons & search bar for quick targeting  \u003C\u002Fli>\n\u003Cli>Filter by continent (Africa, Asia, Europe, etc.)  \u003C\u002Fli>\n\u003Cli>One-click select\u002Fdeselect all  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📈 Analytics Dashboard\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Summary cards: total visits, blocks, IPs  \u003C\u002Fli>\n\u003Cli>Hourly charts for real-time insights  \u003C\u002Fli>\n\u003Cli>Filter by date range & data type (accesses, unique IPs, etc.)  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📋 Detailed Logs\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>See IP, country, URL, status, user agent  \u003C\u002Fli>\n\u003Cli>Filters out common junk (favicon, robots.txt)  \u003C\u002Fli>\n\u003Cli>Admin visits are auto-ignored to reduce noise  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🛠️ Admin-Proof Bypass URL\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Special URL with bypass parameter to access login anytime  \u003C\u002Fli>\n\u003Cli>Prevents accidental lockouts  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔄 Data Export & Log Management\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Export logs in CSV or JSON  \u003C\u002Fli>\n\u003Cli>Clear logs with a single click  \u003C\u002Fli>\n\u003Cli>Sort & search logs in the UI\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🌐 External Services\u003C\u002Fh3>\n\u003Cp>This plugin uses a third-party API to determine the visitor’s country based on their IP address.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Service used:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fipwho.is\" rel=\"nofollow ugc\">IPWho.is\u003C\u002Fa>  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Purpose:\u003C\u002Fstrong> To perform IP geolocation and detect the country of each visitor, allowing the plugin to block or allow access accordingly.  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Data sent:\u003C\u002Fstrong> The visitor’s IP address is sent to the IPWho.is API on page load when geo-blocking is active.  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Terms of Service:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fipwhois.io\u002Fterms\" rel=\"nofollow ugc\">https:\u002F\u002Fipwhois.io\u002Fterms\u003C\u002Fa>  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy Policy:\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fipwhois.io\u002Fprivacy\" rel=\"nofollow ugc\">https:\u002F\u002Fipwhois.io\u002Fprivacy\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🖥️ Screenshots\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\u003Cstrong>📊 Dashboard Overview\u003C\u002Fstrong> – See country blocks, allowed hits & total attempts   \u003C\u002Fli>\n\u003Cli>\u003Cstrong>🔧 Blocking Rules\u003C\u002Fstrong> – Choose block mode, action type, and targets. Enable or disable countries visually\u003C\u002Fli>\n\u003Cli>\u003Cstrong>📉 Analytics Graphs\u003C\u002Fstrong> – View access by time, state, and IP 5. \u003Cstrong>📑 Logs Table\u003C\u002Fstrong> – Deep insights with full logs of visitor attempts. Export CSV\u002FJSON logs with one click\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>📦 Installation\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Upload the plugin folder to \u003Ccode>\u002Fwp-content\u002Fplugins\u002Fgeo-blocker\u003C\u002Fcode>  \u003C\u002Fli>\n\u003Cli>Activate via \u003Cstrong>Plugins \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Installed Plugins\u003C\u002Fstrong>  \u003C\u002Fli>\n\u003Cli>Go to \u003Cstrong>Settings \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Geo Blocker\u003C\u002Fstrong>  \u003C\u002Fli>\n\u003Cli>Enable Geo Blocking using the toggle  \u003C\u002Fli>\n\u003Cli>Choose between \u003Cstrong>block\u003C\u002Fstrong> or \u003Cstrong>allow\u003C\u002Fstrong> mode  \u003C\u002Fli>\n\u003Cli>Select countries using the visual interface  \u003C\u002Fli>\n\u003Cli>Pick your blocking action (message, redirect, or 403)  \u003C\u002Fli>\n\u003Cli>Save settings — done!\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>❓ Frequently Asked Questions\u003C\u002Fh3>\n\u003Ch3>How does Geo Blocker detect country?\u003C\u002Fh3>\n\u003Cp>It uses the reliable \u003Cstrong>IpWhoIs API\u003C\u002Fstrong> to fetch country data based on the visitor’s IP.\u003C\u002Fp>\n\u003Ch3>Will it slow down my site?\u003C\u002Fh3>\n\u003Cp>Nope. It’s optimized with \u003Cstrong>transient caching\u003C\u002Fstrong> and smart triggers — no unnecessary lookups.\u003C\u002Fp>\n\u003Ch3>Can I lock myself out?\u003C\u002Fh3>\n\u003Cp>No. There’s a \u003Cstrong>login bypass URL\u003C\u002Fstrong> generated for administrators — shown right on the dashboard.\u003C\u002Fp>\n\u003Ch3>Can I block specific pages?\u003C\u002Fh3>\n\u003Cp>Not yet — current version works site-wide. Per-page rules may come in a future update.\u003C\u002Fp>\n\u003Ch3>Can I export visitor logs?\u003C\u002Fh3>\n\u003Cp>Yes. Logs can be exported in \u003Cstrong>CSV or JSON\u003C\u002Fstrong> format directly from the Logs tab.\u003C\u002Fp>\n\u003Ch3>Does it work with caching plugins?\u003C\u002Fh3>\n\u003Cp>Yes, but you may need to \u003Cstrong>exclude the plugin’s logic\u003C\u002Fstrong> from caching. Dynamic geo checks should not be cached.\u003C\u002Fp>\n\u003Ch3>🗂️ Changelog\u003C\u002Fh3>\n\u003Ch4>1.0.0\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>🎉 Initial release with all core features\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🛡️ Additional Notes\u003C\u002Fh3>\n\u003Ch3>Emergency Bypass\u003C\u002Fh3>\n\u003Cp>Every admin gets a custom bypass link to avoid accidental lockouts. It’s always visible in the dashboard.\u003C\u002Fp>\n\u003Ch3>Blocking Actions\u003C\u002Fh3>\n\u003Cp>Choose the experience blocked users receive:\u003Cbr \u002F>\n– Custom message\u003Cbr \u002F>\n– Redirect to another URL\u003Cbr \u002F>\n– Send 403 Forbidden header\u003C\u002Fp>\n\u003Ch3>Logs & Privacy\u003C\u002Fh3>\n\u003Cp>Logs are stored locally in your WordPress database. The plugin sends only the visitor’s IP to IPWho.is — no personally identifiable information is shared or stored externally.\u003C\u002Fp>\n\u003Ch3>💡 Enjoying Geo Blocker? Try Our Other Free Plugins\u003C\u002Fh3>\n\u003Cp>Looking for even more control and peace of mind? Check out our other tools:\u003C\u002Fp>\n\u003Cp>🔕 \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fnotification-blocker\u002F\" rel=\"ugc\">Notification Blocker\u003C\u002Fa>\u003C\u002Fstrong> – Hide annoying plugin notices from your dashboard without hacking core files.\u003C\u002Fp>\n\u003Cp>🛡️ \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ffortress-login-pro\u002F\" rel=\"ugc\">Fortress Login Pro\u003C\u002Fa>\u003C\u002Fstrong> – Obscure your login page, add brute-force protection, and block unauthorized access attempts with ease.\u003C\u002Fp>\n\u003Cp>If you like Geo Blocker, you’ll probably find these just as helpful. Try them out!\u003C\u002Fp>\n","🔐 Block or allow visitors by country. Track access attempts. View analytics. Stay in control — effortlessly.",700,1677,"2025-05-18T22:09:00.000Z","6.8.5","5.0",[148,90,149,150,23],"access-control","geo-blocking","geolocation","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fgeo-blocker\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeo-blocker.1.0.0.zip",{"attackSurface":154,"codeSignals":170,"taintFlows":192,"riskAssessment":247,"analyzedAt":264},{"hooks":155,"ajaxHandlers":166,"restRoutes":167,"shortcodes":168,"cronEvents":169,"entryPointCount":70,"unprotectedCount":70},[156,162],{"type":157,"name":158,"callback":159,"file":160,"line":161},"action","wp_login_failed","ipblock_wp_login_failed","functions.php",32,{"type":157,"name":163,"callback":164,"file":160,"line":165},"admin_menu","ipblock_setting_page",176,[],[],[],[],{"dangerousFunctions":171,"sqlUsage":179,"outputEscaping":181,"fileOperations":70,"externalRequests":70,"nonceChecks":70,"capabilityChecks":70,"bundledLibraries":191},[172,176],{"fn":173,"file":160,"line":174,"context":175},"unserialize",71,"$lines = ($lines_str != '') ? unserialize($lines_str) : [];",{"fn":173,"file":160,"line":177,"context":178},118,"$_ipblock_ips_arr = ($_ipblock_ips != '') ? unserialize($_ipblock_ips) : [];",{"prepared":70,"raw":70,"locations":180},[],{"escaped":70,"rawEcho":182,"locations":183},3,[184,187,189],{"file":160,"line":185,"context":186},148,"raw output",{"file":160,"line":188,"context":186},154,{"file":160,"line":190,"context":186},162,[],[193,219,231],{"entryPoint":194,"graph":195,"unsanitizedCount":218,"severity":38},"ipblockersettings_callback (functions.php:97)",{"nodes":196,"edges":214},[197,202,208,210],{"id":198,"type":199,"label":200,"file":160,"line":201},"n0","source","$_POST",102,{"id":203,"type":204,"label":205,"file":160,"line":206,"wp_function":207},"n1","sink","update_option() [Settings Manipulation]",112,"update_option",{"id":209,"type":199,"label":200,"file":160,"line":201},"n2",{"id":211,"type":204,"label":212,"file":160,"line":190,"wp_function":213},"n3","echo() [XSS]","echo",[215,217],{"from":198,"to":203,"sanitized":216},false,{"from":209,"to":211,"sanitized":216},2,{"entryPoint":220,"graph":221,"unsanitizedCount":182,"severity":230},"ipblock_wp_login_failed (functions.php:34)",{"nodes":222,"edges":228},[223,226],{"id":198,"type":199,"label":224,"file":160,"line":225},"$_SERVER (x3)",40,{"id":203,"type":204,"label":205,"file":160,"line":227,"wp_function":207},59,[229],{"from":198,"to":203,"sanitized":216},"low",{"entryPoint":232,"graph":233,"unsanitizedCount":104,"severity":230},"\u003Cfunctions> (functions.php:0)",{"nodes":234,"edges":243},[235,236,237,238,239,241],{"id":198,"type":199,"label":224,"file":160,"line":225},{"id":203,"type":204,"label":205,"file":160,"line":227,"wp_function":207},{"id":209,"type":199,"label":200,"file":160,"line":201},{"id":211,"type":204,"label":205,"file":160,"line":206,"wp_function":207},{"id":240,"type":199,"label":200,"file":160,"line":201},"n4",{"id":242,"type":204,"label":212,"file":160,"line":190,"wp_function":213},"n5",[244,245,246],{"from":198,"to":203,"sanitized":216},{"from":209,"to":211,"sanitized":216},{"from":240,"to":242,"sanitized":216},{"summary":248,"deductions":249},"The \"htaccess-ip-blocker\" v1.0 plugin exhibits a concerning security posture despite a seemingly small attack surface. While there are no direct AJAX handlers, REST API routes, shortcodes, or cron events exposed without authentication or proper checks, the presence of the \"unserialize\" function is a significant red flag. This function is notorious for its potential to lead to Remote Code Execution (RCE) if user-supplied data is unserialized without proper sanitization and validation. The taint analysis revealing flows with unsanitized paths, even without critical or high severity, suggests that data intended for unserialization might not be sufficiently validated before being processed, posing a risk.",[250,252,254,257,260,262],{"reason":251,"points":124},"Unpatched Medium severity CVE",{"reason":253,"points":124},"Dangerous function: unserialize",{"reason":255,"points":256},"All outputs unescaped",6,{"reason":258,"points":259},"Taint flows with unsanitized paths",8,{"reason":261,"points":104},"No nonce checks",{"reason":263,"points":104},"No capability checks","2026-03-16T21:35:56.701Z",{"wat":266,"direct":271},{"assetPaths":267,"generatorPatterns":268,"scriptPaths":269,"versionParams":270},[],[],[],[],{"cssClasses":272,"htmlComments":273,"htmlAttributes":274,"restEndpoints":281,"jsGlobals":282,"shortcodeOutput":283},[],[],[275,276,275,277,278,279,280],"name=\"_ipblock_enabled\"","value=\"1\"","value=\"0\"","name=\"_ipblock_maxcount\"","name=\"_ipblock_interval\"","name=\"_ipblock_ips\"",[],[],[]]