WP-Safety

IP Geo Block Security & Risk Analysis

wordpress.org/plugins/ip-geo-block

It blocks spam posts, login attempts and malicious access to the back-end requested from the specific countries, and also prevents zero-day exploit.

9K active installs v3.0.17.4 PHP + WP 3.7+ Updated Jan 22, 2019
brute-forcefirewallloginsecurityvulnerability
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is IP Geo Block Safe to Use in 2026?

Generally Safe

Score 85/100

IP Geo Block has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The ip-geo-block plugin version 3.0.17.4 presents a mixed security posture. While it demonstrates some good practices like a high percentage of prepared SQL statements and a decent number of capability checks, there are significant concerns. The presence of a single AJAX handler without authentication checks, coupled with 100% of analyzed taint flows having unsanitized paths with high severity, indicates a potentially exploitable attack surface. The use of dangerous functions like 'assert' and 'unserialize' further amplifies these risks. The absence of any recorded vulnerabilities historically is a positive sign, suggesting the plugin might not have a history of exploitable flaws. However, this does not negate the immediate risks identified in the static and taint analysis. The plugin's strengths lie in its SQL query preparation and some use of capability checks. Its weaknesses are the unprotected AJAX endpoint, critical taint flows, and the use of dangerous functions, which introduce significant potential for compromise.

Key Concerns

  • AJAX handler without authentication
  • 4 high severity unsanitized taint flows
  • Dangerous functions: assert, unserialize
  • 56% of outputs properly escaped
Vulnerabilities
None known

IP Geo Block Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

IP Geo Block Release Timeline

v3.0.17.4Current
v3.0.17.3
v3.0.17.2
v3.0.17.1
v3.0.17
v3.0.16
v3.0.15
v3.0.14
v3.0.13
v3.0.12.1
v3.0.11
v3.0.10.4
v3.0.9
v3.0.8
v3.0.7.2
v3.0.6.1
v3.0.5
v3.0.4.6
v3.0.3.4
v3.0.2.2
Code Analysis
Analyzed Mar 16, 2026

IP Geo Block Code Analysis

Dangerous Functions
2
Raw SQL Queries
19
55 prepared
Unescaped Output
92
118 escaped
Nonce Checks
1
Capability Checks
6
File Operations
32
External Requests
3
Bundled Libraries
1

Dangerous Functions Found

assertdefined( 'IP_GEO_BLOCK_DEBUG' ) and IP_GEO_BLOCK_DEBUG and assert( is_main_site(), 'Not main blog.' admin\class-ip-geo-block-admin.php:172
unserializereturn empty( $data ) ? self::$default : unserialize( $data[0]['data'] ) + self::$default;classes\class-ip-geo-block-logs.php:283

Bundled Libraries

DataTables

SQL Query Safety

74% prepared74 total queries

Output Escaping

56% escaped210 total outputs
Data Flows · Security
11 unsanitized

Data Flow Analysis

11 flows11 with unsanitized paths
export_logs (admin\includes\class-admin-ajax.php:101)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

IP Geo Block Attack Surface

Entry Points1
Unprotected1

AJAX Handlers 1

authwp_ajax_ip_geo_blockadmin\class-ip-geo-block-admin.php:68
WordPress Hooks 68
actioninitadmin\class-ip-geo-block-admin.php:39
filterwp_redirectadmin\class-ip-geo-block-admin.php:45
actionadmin_menuadmin\class-ip-geo-block-admin.php:66
actionadmin_post_ip_geo_blockadmin\class-ip-geo-block-admin.php:67
filterwp_prepare_revision_for_jsadmin\class-ip-geo-block-admin.php:69
actionnetwork_admin_menuadmin\class-ip-geo-block-admin.php:76
actionwpmu_new_blogadmin\class-ip-geo-block-admin.php:77
actiondelete_blogadmin\class-ip-geo-block-admin.php:78
filteradmin_body_classadmin\class-ip-geo-block-admin.php:89
filteradmin_body_classadmin\class-ip-geo-block-admin.php:94
filtergoogle-chartsadmin\class-ip-geo-block-admin.php:246
filtergoogle-mapsadmin\class-ip-geo-block-admin.php:247
filtergoogle-maps-nokeyadmin\class-ip-geo-block-admin.php:248
filterplugin_row_metaadmin\class-ip-geo-block-admin.php:653
actionadmin_enqueue_scriptsadmin\class-ip-geo-block-admin.php:658
actionadmin_noticesadmin\class-ip-geo-block-admin.php:661
actionnetwork_admin_noticesadmin\class-ip-geo-block-admin.php:662
actionshutdownclasses\class-ip-geo-block-actv.php:93
actioninitclasses\class-ip-geo-block.php:101
actionadmin_initclasses\class-ip-geo-block.php:103
actioninitclasses\class-ip-geo-block.php:109
actioninitclasses\class-ip-geo-block.php:115
actioninitclasses\class-ip-geo-block.php:121
actionpre_comment_on_postclasses\class-ip-geo-block.php:130
actionpre_trackback_postclasses\class-ip-geo-block.php:131
filterpreprocess_commentclasses\class-ip-geo-block.php:132
actionbbp_post_request_bbp-new-topicclasses\class-ip-geo-block.php:135
actionbbp_post_request_bbp-new-replyclasses\class-ip-geo-block.php:136
filterbbp_current_user_can_access_create_topic_formclasses\class-ip-geo-block.php:137
filterbbp_current_user_can_access_create_reply_formclasses\class-ip-geo-block.php:138
actionlogin_initclasses\class-ip-geo-block.php:143
actionbp_core_screen_signupclasses\class-ip-geo-block.php:147
actionbp_signup_pre_validateclasses\class-ip-geo-block.php:148
actionwp_enqueue_scriptsclasses\class-ip-geo-block.php:158
filterwp_redirectclasses\class-ip-geo-block.php:162
filterhttp_request_argsclasses\class-ip-geo-block.php:163
filterdocument_title_partsclasses\class-ip-geo-block.php:494
filterxmlrpc_login_errorclasses\class-ip-geo-block.php:609
actionwp_login_failedclasses\class-ip-geo-block.php:643
filtersite_urlclasses\class-ip-geo-block.php:652
actionwpclasses\class-ip-geo-block.php:999
actionplugins_loadedip-geo-block.php:80
actionplugins_loadedip-geo-block.php:86
actionplugins_loadedip-geo-block.php:98
filterip-geo-block-ip-addrsamples.php:29
filterip-geo-block-ip-addrsamples.php:51
filterip-geo-block-loginsamples.php:65
filterip-geo-block-adminsamples.php:66
filterip-geo-block-commentsamples.php:92
filterip-geo-block-loginsamples.php:117
filterip-geo-block-xmlrpcsamples.php:118
filterip-geo-block-adminsamples.php:141
filterip-geo-block-extra-ipssamples.php:189
filterip-geo-block-xmlrpc-statussamples.php:203
filterip-geo-block-login-statussamples.php:204
filterip-geo-block-login-reasonsamples.php:205
filterip-geo-block-bypass-adminssamples.php:227
filterip-geo-block-bypass-pluginssamples.php:245
filterip-geo-block-bypass-themessamples.php:263
filterip-geo-block-headerssamples.php:279
filterip-geo-block-maxmind-dirsamples.php:294
filterip-geo-block-maxmind-zip-ipv4samples.php:312
filterip-geo-block-maxmind-zip-ipv6samples.php:313
filterip-geo-block-ip2location-pathsamples.php:327
filterip-geo-block-backup-dirsamples.php:345
filterip-geo-block-record-logssamples.php:404
filterip-geo-block-dnssamples.php:418
actionadmin_noticeswp-content\mu-plugins\ip-geo-block-mu.php:58
Maintenance & Trust

IP Geo Block Maintenance & Trust

Maintenance Signals

WordPress version tested5.0.25
Last updatedJan 22, 2019
PHP min version
Downloads778K

Community Trust

Rating82/100
Number of ratings96
Active installs9K
Alternatives

IP Geo Block Alternatives

WP Ghost (Hide My WP Ghost) – Security & Firewall

WP Ghost (Hide My WP Ghost) – Security & Firewall

hide-my-wp

A
86

Hide and Secure WP paths with the complete WP security suite for Site Hardening. Includes 8G Firewall, Brute Force protection, and Passkeys.

100K 8 CVEs
Ultimate Security – Login Protection, 2FA, CAPTCHA & Hardening

Ultimate Security – Login Protection, 2FA, CAPTCHA & Hardening

ultimate-security

A
100

Protect your WordPress site with 2FA, brute force protection, CAPTCHA, custom login URL, and security hardening.

10 No CVEs
Block Logins with Cloudflare

Block Logins with Cloudflare

block-logins-cf

A
100

Block brute-force login attempts by integrating with Cloudflare's firewall to automatically block IPs after failed logins.

0 No CVEs
Dotsquares Custom Login URL & Security Suite

Dotsquares Custom Login URL & Security Suite

custom-login-url-login-designer

A
100

Change your WordPress login URL, design the login page, and enhance your site's security with built-in protection tools.

0 No CVEs
Cyber Smart Defence

Cyber Smart Defence

cyber-smart-defence

A
100

Lightweight WordPress security firewall with login protection and threat monitoring.

0 No CVEs
Developer Profile

IP Geo Block Developer Profile

tokkonopapa

1 plugin · 9K total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect IP Geo Block

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ip-geo-block/assets/css/admin.css/wp-content/plugins/ip-geo-block/assets/css/common.css/wp-content/plugins/ip-geo-block/assets/js/admin.js/wp-content/plugins/ip-geo-block/assets/js/common.js
Script Paths
/wp-content/plugins/ip-geo-block/assets/js/admin.js/wp-content/plugins/ip-geo-block/assets/js/common.js
Version Parameters
ip-geo-block/assets/css/admin.css?ver=ip-geo-block/assets/css/common.css?ver=ip-geo-block/assets/js/admin.js?ver=ip-geo-block/assets/js/common.js?ver=

HTML / DOM Fingerprints

CSS Classes
ip-geo-block
HTML Comments
<!-- ADD `/` TO THE TOP OR END OF THIS LINE TO ACTIVATE THE FOLLOWINGS -->
FAQ

Frequently Asked Questions about IP Geo Block