{"id":128,"date":"2021-05-11T00:41:08","date_gmt":"2021-05-11T00:41:08","guid":{"rendered":"http:\/\/iplocationblock.test\/codex\/using-vpn-browser-addon\/"},"modified":"2021-05-11T11:55:32","modified_gmt":"2021-05-11T11:55:32","slug":"using-vpn-browser-addon","status":"publish","type":"codex","link":"https:\/\/iplocationblock.com\/codex\/using-vpn-browser-addon\/","title":{"rendered":"Using VPN browser addon"},"content":{"rendered":"<p>You may want to test the blocking behavior of this plugin. This document shows you how to do it, especially around the admin, plugins and themes area, based on <a href=\"https:\/\/iplocationblock.com\/changelog\/0-2-2-2-release-note\/\" title=\"0.2.2.1 Release Note | IP Location Block\">version 0.2.2.2<\/a> and later.<\/p>\n<p><!--more--><\/p>\n<h3 id=\"preparation\">Preparation<\/h3>\n<p>The easiest way to simulate submitting a request from outside your country is to use a browser addon for a VPN service.<\/p>\n<ul>\n<li><a href=\"https:\/\/addons.mozilla.org\/firefox\/search\/?q=vpn\" title=\"vpn :: Search :: Add-ons for Firefox\">VPN addon for Firefox<\/a><\/li>\n<li><a href=\"https:\/\/chrome.google.com\/webstore\/search\/vpn\" title=\"Chrome Web Store\">VPN addon for Chrome<\/a><\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/iplocationblock.com\/wp-content\/uploads\/2021\/05\/VPN-Addon.png\" alt=\"VPN addon\" title=\"VPN addon\" \/><\/p>\n<p>You can also find <a href=\"https:\/\/www.google.co.jp\/search?q=browser+addon+vpn+service\" title=\"browser addon vpn service - Google search\">many articles<\/a> that recommend which one is better.<\/p>\n<h3 id=\"how-to-test-on-back-end\">How to test on back-end<\/h3>\n<p>After turning on your VPN addon and selecting the country you need to test, simply visit your back-end, e.g. 
<code class=\"highlighter-rouge\">\/wp-login.php<\/code>, <code class=\"highlighter-rouge\">\/wp-admin\/<\/code> or <code class=\"highlighter-rouge\">\/xmlrpc.php<\/code>, with your browser.<\/p>\n<p>Note that accessing <code class=\"highlighter-rouge\">\/xmlrpc.php<\/code> with a browser returns only a short message, because this script must be requested with the <strong>POST<\/strong> method, not <strong>GET<\/strong>.<\/p>\n<blockquote>\n<p>XML-RPC server accepts POST requests only.<\/p>\n<\/blockquote>\n<p>But it doesn\u2019t matter: your test access will still be recorded in the <strong>Logs<\/strong> tab of the IP Location Block dashboard.<\/p>\n<p>Testing the blocking behavior on <strong>Admin ajax\/post<\/strong>, <strong>Plugins area<\/strong> and <strong>Themes area<\/strong> is a bit more involved. Put the following links into a post on your site. The first 2 lines are for admin ajax, and the last 4 lines are for direct access to a PHP file in the plugins area. In particular, the last 2 lines include <code class=\"highlighter-rouge\">wp-load.php<\/code> to load the WordPress core functions.<\/p>\n<p>Ensure that <code class=\"highlighter-rouge\">http:\/\/example.com<\/code> is replaced with your WordPress home URL.<\/p>\n<figure class=\"highlight\">\n<pre><code class=\"language-html\" data-lang=\"html\"><span class=\"nt\">&lt;ol&gt;<\/span>\n    <span class=\"nt\">&lt;li&gt;&lt;a<\/span> <span class=\"na\">href=<\/span><span class=\"s\">\"http:\/\/example.com\/wp-admin\/admin-ajax.php?action=my-ajax\"<\/span><span class=\"nt\">&gt;<\/span>\/wp-admin\/admin-ajax.php?action=my-ajax<span class=\"nt\">&lt;\/a&gt;&lt;\/li&gt;<\/span>\n    <span class=\"nt\">&lt;li&gt;&lt;a<\/span> <span class=\"na\">href=<\/span><span class=\"s\">\"http:\/\/example.com\/wp-admin\/admin-ajax.php?action=my-ajax&amp;file=..\/..\/..\/wp-config.php\"<\/span><span class=\"nt\">&gt;<\/span>\/wp-admin\/admin-ajax.php?action=my-ajax<span class=\"err\">&amp;<\/span>file=..\/..\/..\/wp-config.php<span 
class=\"nt\">&lt;\/a&gt;&lt;\/li&gt;<\/span>\n    <span class=\"nt\">&lt;li&gt;&lt;a<\/span> <span class=\"na\">href=<\/span><span class=\"s\">\"http:\/\/example.com\/wp-content\/plugins\/ip-location-block\/samples.php\"<\/span><span class=\"nt\">&gt;<\/span>\/wp-content\/plugins\/ip-location-block\/samples.php<span class=\"nt\">&lt;\/a&gt;&lt;\/li&gt;<\/span>\n    <span class=\"nt\">&lt;li&gt;&lt;a<\/span> <span class=\"na\">href=<\/span><span class=\"s\">\"http:\/\/example.com\/wp-content\/plugins\/ip-location-block\/samples.php?file=..\/..\/..\/wp-config.php\"<\/span><span class=\"nt\">&gt;<\/span>\/wp-content\/plugins\/ip-location-block\/samples.php?file=..\/..\/..\/wp-config.php<span class=\"nt\">&lt;\/a&gt;&lt;\/li&gt;<\/span>\n    <span class=\"nt\">&lt;li&gt;&lt;a<\/span> <span class=\"na\">href=<\/span><span class=\"s\">\"http:\/\/example.com\/wp-content\/plugins\/ip-location-block\/samples.php?wp-load=1\"<\/span><span class=\"nt\">&gt;<\/span>\/wp-content\/plugins\/ip-location-block\/samples.php?wp-load=1<span class=\"nt\">&lt;\/a&gt;&lt;\/li&gt;<\/span>\n    <span class=\"nt\">&lt;li&gt;&lt;a<\/span> <span class=\"na\">href=<\/span><span class=\"s\">\"http:\/\/example.com\/wp-content\/plugins\/ip-location-block\/samples.php?wp-load=1&amp;file=..\/..\/..\/wp-config.php\"<\/span><span class=\"nt\">&gt;<\/span>\/wp-content\/plugins\/ip-location-block\/samples.php?wp-load=1<span class=\"err\">&amp;<\/span>file=..\/..\/..\/wp-config.php<span class=\"nt\">&lt;\/a&gt;&lt;\/li&gt;<\/span>\n<span class=\"nt\">&lt;\/ol&gt;<\/span><\/code><\/pre>\n<\/figure>\n<p>As you can see, each even-numbered line is a malicious request that attempts to expose <code class=\"highlighter-rouge\">wp-config.php<\/code>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/iplocationblock.com\/wp-content\/uploads\/2021\/05\/TestSamplePage.png\" alt=\"Sample page\" title=\"Sample page\" \/><\/p>\n<p>Also, to handle the ajax request properly, put the following code into your <code 
class=\"highlighter-rouge\">functions.php<\/code>.<\/p>\n<figure class=\"highlight\">\n<pre><code class=\"language-php\" data-lang=\"php\"><span class=\"sr\">\/**\n * Ajax for non-privileged user\n *\n *\/<\/span>\n<span class=\"n\">add_action<\/span><span class=\"p\">(<\/span> <span class=\"s1\">'wp_ajax_nopriv_my-ajax'<\/span><span class=\"p\">,<\/span> <span class=\"s1\">'my_ajax_handler'<\/span> <span class=\"p\">);<\/span>\n<span class=\"n\">function<\/span> <span class=\"n\">my_ajax_handler<\/span><span class=\"p\">()<\/span> <span class=\"p\">{<\/span>\n    <span class=\"c1\">\/\/ Intentionally empty: admin-ajax.php prints 0 after this handler returns<\/span>\n<span class=\"p\">}<\/span><\/code><\/pre>\n<\/figure>\n<h4 id=\"blocking-malicious-request\">Blocking malicious request<\/h4>\n<p>First, uncheck and disable all the settings for \u201c<strong>Admin ajax\/post<\/strong>\u201d and \u201c<strong>Plugins area<\/strong>\u201d.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/iplocationblock.com\/wp-content\/uploads\/2021\/05\/TestAdminPluginsOff.png\" alt=\"Setting for admin and plugins\" title=\"Setting for admin and plugins\" \/><\/p>\n<p>When you access the above links as a visitor on the public-facing page, you\u2019ll see <code class=\"highlighter-rouge\">0<\/code> if your request succeeds; otherwise you\u2019ll be blocked.<\/p>\n<div class=\"alert alert-warning\"> <strong>Important:<\/strong> If you click the 4th link and see <code>0<\/code> (which means success), then you should properly configure the <code>.htaccess<\/code> in your plugins area. Please refer to <a href=\"\/article\/exposure-of-wp-config-php.html\" title=\"Prevent exposure of wp-config.php | IP Location Block\">this article<\/a>. 
<\/div>\n<h4 id=\"block-by-country\">Block by country<\/h4>\n<p>Next, check and enable \u201c<strong>Block by country<\/strong>\u201d.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/iplocationblock.com\/wp-content\/uploads\/2021\/05\/TestBlockCountryOn.png\" alt=\"Block by country\" title=\"Block by country\" \/><\/p>\n<p>All the links will be blocked while you\u2019re behind the VPN proxy and <code class=\"highlighter-rouge\">.htaccess<\/code> is set properly. When you turn off the VPN addon, only the malicious links at even-numbered lines will be blocked.<\/p>\n<h4 id=\"prevent-zero-day-exploit\">Prevent Zero-day Exploit<\/h4>\n<p>The last one is \u201c<strong>Prevent Zero-day Exploit<\/strong>\u201d.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/iplocationblock.com\/wp-content\/uploads\/2021\/05\/TestWPZepOn.png\" alt=\"Prevent Zero-day Exploit\" title=\"Prevent Zero-day Exploit\" \/><\/p>\n<p>All the links except the 1st one will be blocked, because the 1st link is a service for visitors. If you also add the action hook for the admin as follows, then the 1st link is blocked as well.<\/p>\n<figure class=\"highlight\">\n<pre><code class=\"language-php\" data-lang=\"php\"><span class=\"sr\">\/**\n * Ajax for admin\n *\n *\/<\/span>\n<span class=\"n\">add_action<\/span><span class=\"p\">(<\/span> <span class=\"s1\">'wp_ajax_my-ajax'<\/span><span class=\"p\">,<\/span> <span class=\"s1\">'my_ajax_admin_handler'<\/span> <span class=\"p\">);<\/span>\n<span class=\"n\">function<\/span> <span class=\"n\">my_ajax_admin_handler<\/span><span class=\"p\">()<\/span> <span class=\"p\">{<\/span>\n    <span class=\"c1\">\/\/ Intentionally empty: registering this admin hook is what makes WP-ZEP block the 1st link<\/span>\n<span class=\"p\">}<\/span><\/code><\/pre>\n<\/figure>\n<p>This means that a non-privileged user can never carry out zero-day attacks via Admin ajax and the plugins \/ themes area. 
On the other hand, if you\u2019re logged in as an admin, none of the links at odd-numbered lines will be blocked.<\/p>\n<div class=\"alert alert-warning\"> <strong>Important:<\/strong> If the links are submitted as comments rather than in a post, the WordPress commenting system will add <code>rel=\"nofollow\"<\/code> to each anchor tag. In this case, WP-ZEP will block every link to prevent <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" title=\"Cross-site request forgery - Wikipedia, the free encyclopedia\">CSRF<\/a>. <\/div>\n","protected":false},"comment_status":"open","ping_status":"closed","template":"","class_list":["post-128","codex","type-codex","status-publish","hentry","codex-category-test-prevention-of-attacks"],"_links":{"self":[{"href":"https:\/\/iplocationblock.com\/wp-json\/wp\/v2\/codex\/128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/iplocationblock.com\/wp-json\/wp\/v2\/codex"}],"about":[{"href":"https:\/\/iplocationblock.com\/wp-json\/wp\/v2\/types\/codex"}],"replies":[{"embeddable":true,"href":"https:\/\/iplocationblock.com\/wp-json\/wp\/v2\/comments?post=128"}],"wp:attachment":[{"href":"https:\/\/iplocationblock.com\/wp-json\/wp\/v2\/media?parent=128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}