Advanced IP Blocker

FAQ

How does the Vulnerability Scanner work?

The scanner checks your site in two ways:
Local Scan: Checks for outdated PHP versions, WordPress core updates, debug mode risks, and SSL status. This runs locally and instantly.
Deep Scan (Vulnerability Audit): Checks your installed plugins and themes against our central database of known security vulnerabilities (CVEs). This process is manual (you click a button) to ensure it never slows down your site during normal operation.

What is the new Audit Log?

The Audit Log is your site’s “black box”. It records critical administrative actions such as plugin activations, settings changes, and file modifications. This helps you identify “who did what and when,” which is essential for troubleshooting and security forensics.

How does the File Integrity Monitor (FIM) work?

The FIM scans your critical core files (wp-config.php, .htaccess, index.php) and specific plugin files daily. It takes a “fingerprint” (hash) of the file. If the file changes (e.g., malware adds a line of code), the fingerprint changes, and the plugin alerts you immediately via email.

Why did you move the Community Blocklist to a custom table?

To ensure maximum performance as the network grows. Storing thousands of IPs in standard WordPress options (wp_options) can slow down a site. By moving this data to a dedicated, indexed database table (wp_advaipbl_community_ips), we ensure that lookups are lightning-fast (O(1) complexity) and consume negligible memory, regardless of how many threats we track.

What is the Community Defense Network?

It is a collaborative security feature where users share anonymized data about verified attacks (like SQL injections caught by the WAF or IPs flagged by AbuseIPDB). Our central server aggregates this data to create a global blocklist of active threats. You can choose to contribute data (“Join”) and/or use the global list to protect your site (“Enable Blocking”).

Does the Community Network slow down my site?

No. The data sharing happens in the background via a low-priority scheduled task (Cron) just a few times a day. The global blocklist is downloaded locally and cached, so checking an IP against it is instant (microseconds) and does not require external API calls.

How do I set up Cloud Edge Defense (Cloudflare)?

You need a free Cloudflare account and your domain must be using Cloudflare’s nameservers.
1. Go to Security > Settings > Cloud Edge Defense.
2. Enter your Cloudflare API Token (with “Zone > Firewall Services > Edit” permissions) and Zone ID.
3. Click “Verify” and save.
The plugin will now automatically push your blocked IPs to Cloudflare’s Firewall. For a step-by-step guide with screenshots, click the help icon in the settings or visit our website.

Is the Server-Level Firewall (.htaccess) safe?

Yes. Safety is our priority.
1. Backups: The plugin automatically creates a timestamped backup of your .htaccess file in a protected folder every time it writes new rules.
2. Compatibility: It automatically detects your server type and generates valid syntax for Apache 2.2 or 2.4.
3. Safety Limit: It includes a safety limit on the number of IPs written to the file to prevent server memory issues.

What if I use Nginx instead of Apache?

The “Server-Level Firewall (.htaccess)” feature relies on Apache/LiteSpeed specific files. If you use Nginx (without Apache), these local rules will be ignored by the server.
Recommendation: For Nginx users, we strongly recommend enabling the Cloud Edge Defense (Cloudflare) feature. It provides the same “pre-execution” blocking benefits but works on any server environment since the blocking happens in the cloud.

How should I configure the plugin for my specific website?

While every website’s security needs are unique, here is a general guide to get you started based on your site’s profile. For a deep dive into every feature, please consult our Comprehensive Feature Guide.

1. Essential First Steps (For ALL Websites)

No matter your site type, do these three things immediately after installation to ensure a strong baseline security without locking yourself out:

• Whitelist Your IPs: Go to Security > Dashboard > System Status and use the one-click buttons to add your current IP and your server’s IP to the whitelist. This is the most critical step.
• Activate Trap Defenses: Go to Security > Blocking Rules, and in the “User Agents” and “Honeypot URLs” tabs, copy the suggested lists into the active blocklist text areas. This provides immediate protection from thousands of common bots.
• Enable Logging: Go to Security > Settings > General and ensure “Enable Logging” is turned on. This gives you the visibility you need to understand what is happening on your site.

2. Recommended Profiles

Once the essentials are done, tailor the configuration to your site type:

For a Standard Blog or Business Website:
Your main goal is to block automated threats without affecting administrators.
* Enable the IP Trust & Threat Scoring System: This is the smartest way to block bad actors contextually. The default point values are an excellent starting point. (Found in Settings > IP Trust & Threat Scoring).
* Enable the WAF and Rate Limiting: These are powerful proactive defenses. (Found in Settings > Core Protections and Threshold Blocking).
* Enable Spamhaus ASN Protection: Let the plugin automatically block thousands of known malicious networks for you. (Found in Settings > Core Protections).

For an E-commerce or Membership Site (WooCommerce, etc.):
You need to protect your site while ensuring legitimate customers from around the world are never blocked.
* Enable Two-Factor Authentication (2FA): This is the single best way to protect administrator and shop manager accounts. Enforce it for these roles in Settings > Login & User Protection.
* Use Geo-Challenge Instead of Geoblocking: If you receive attacks from a specific country but also have customers there, use the Geo-Challenge feature instead of a hard block. This will stop bots without affecting human users.
* CRITICAL: DO NOT USE “Whitelist Login Access”. This feature will lock out your customers.
* WAF Exclusions: Double-check that URLs for your payment gateways (like Stripe or PayPal webhooks) are in the WAF exclusion list to ensure payments are processed correctly.

For Any Site Using a CDN or Reverse Proxy (like Cloudflare):
Your top priority is ensuring the plugin detects the correct visitor IP address.
* Configure Trusted Proxies: Go to Security > Settings > IP Detection. Add the IPs or, even better, the ASNs of your CDN/proxy service to this list. For Cloudflare, simply add AS13335 on a new line. This is essential for the accuracy of all other security features.

What is AbuseIPDB Protection and how does it work?

AbuseIPDB is a global, crowdsourced project that tracks and reports malicious IP addresses in real-time. Our new integration allows the plugin to check the reputation of a new, unknown visitor against this database on their first visit. If the IP has been recently reported by others for activities like hacking, spam, or brute-force attacks, and its “abuse confidence score” is above your configured threshold, the plugin will block it instantly. This acts as a proactive shield against known bad actors, stopping them before they even have a chance to test your defenses. You can enable it and add your free API key under Security > Settings > Threat Intelligence.

What is “Known Bot Verification”?

This is an advanced security feature that checks if visitors claiming to be from major search engines (like Googlebot) are legitimate. It performs a DNS lookup to verify their IP address. If the check fails, the visitor is identified as an “impersonator” and receives a high threat score, preventing them from exploiting the trust given to real crawlers. This feature is enabled by default under Settings > Core Protections.

What is “Trusted Proxies” and why do I need it?

This is a critical security feature that prevents IP spoofing. If your site is behind a service like Cloudflare, Varnish, or another reverse proxy, the server’s direct connection IP (REMOTE_ADDR) will always be the proxy’s IP, not the visitor’s. The real visitor IP is sent in an HTTP header (e.g., CF-Connecting-IP). An attacker can fake this header. The “Trusted Proxies” setting tells the plugin: “Only trust these headers if the request comes from an IP address I know is my proxy.” You can add IPs, CIDR ranges, or ASNs (like AS13335 for Cloudflare) to this list under Security > Settings > IP Detection.

What is Geo-Challenge? How is it different from Geoblocking?

Geoblocking is a hard block. It shows a “403 Access Denied” page to visitors from selected countries.
Geo-Challenge is a soft block. It shows a quick, automated JavaScript test to visitors from selected countries. Legitimate humans pass instantly, while most bots are stopped. This is useful for regions you are suspicious of but do not want to block entirely. You can, for example, block Country A and challenge Country B. You can configure it in Security > Settings > Core Protections.

How do I solve issues with the JavaScript challenge and caching plugins?

The JavaScript challenge (used by Geo-Challenge, Signature Engine, and Endpoint Lockdown) requires dynamic content. Aggressive page caching can interfere with it. If you experience issues (like a challenge loop or a “Verification failed” error), you must configure your caching plugin (e.g., WP Rocket, WP Fastest Cache, LiteSpeed Cache) to NOT cache pages for visitors who do not have the advaipbl_js_verified cookie. Most caching plugins have a setting like “Never cache pages that use this cookie.”

How do I solve issues with the JavaScript challenge and cookie consent (RGPD/GDPR) plugins?

Cookie consent plugins (like CookieYes) may block our security cookie from being set. To fix this, you must go into your cookie plugin’s settings and classify the cookie named advaipbl_js_verified as “Strictly Necessary” or “Essential”. This will allow the security challenge to function correctly.

What is the new “Local Database” Geolocation Method?

For maximum performance, the plugin offers two ways to identify an IP’s location (Security > Settings > Geolocation):
1. Real-time API (Default): Easy to set up and great for most websites.
2. Local Database (Highest Performance): Downloads the MaxMind GeoLite2 database to your server for instant, offline lookups with zero external API calls. Recommended for high-traffic sites. Requires a free MaxMind license key.

How do I set up Two-Factor Authentication (2FA)?

1. Admin: Go to Security > Settings > Login & User Protection and enable 2FA globally. You can also enforce it for specific user roles.
2. User: Go to your WordPress Profile page. You will find a new section to set up 2FA by scanning a QR code with an authenticator app and saving your backup codes.

What is the “Attack Signature Engine”?

This is an advanced defense that stops botnets by blocking the attacker’s “fingerprint” (signature), not just their IP. It works in three phases you can enable in Security > Settings > Signature Engine: Logging, Analysis (a background task that finds patterns), and Blocking (presents a JS challenge to malicious signatures). You can manage detected signatures in IP Management > Blocked Signatures.

What is the difference between the WAF, Signature Engine, and Advanced Rules?

Think of them as three layers of defense:
1. WAF (Web Application Firewall): The simplest layer. It blocks requests based on simple malicious patterns (e.g., union select). It’s fast and stops common, generic attacks.
2. Attack Signature Engine: The automated layer. It looks for patterns of attack from many different IPs (botnets) and blocks the attack’s “fingerprint” (signature) for all visitors. You don’t create these rules; the plugin does.
3. Advanced Rules Engine: The manual control layer. This is where you build your own specific, multi-conditional rules. For example: “IF the visitor is from China AND is trying to access /wp-admin/ THEN Block them permanently.” It gives you the ultimate power to create a security policy tailored exactly to your site’s needs.

How can I protect a non-WordPress folder on my site?

This plugin includes an advanced “Edge Firewall Mode” that allows you to extend its protection to any PHP script on your server. This is perfect for securing custom applications or directories that are not managed by WordPress. To enable it, you need to add a single line of code to the beginning of the PHP file you want to protect. This manual step ensures that the protection is explicit and works on any server environment. For a complete step-by-step guide, please see our documentation: How to Protect Non-WordPress Folders.

What are HTTP Security Headers and why do I need them?

HTTP Security Headers are instructions sent by your website to the visitor’s browser. They tell the browser how to behave to prevent specific types of attacks.
* HSTS: Forces the browser to use a secure HTTPS connection.
* X-Frame-Options: Prevents other sites from embedding your site in an iframe (Clickjacking protection).
* X-Content-Type-Options: Prevents the browser from “guessing” the file type (MIME sniffing protection).
* Permissions-Policy: Controls which features (camera, mic, etc.) legitimate sites can use.
You can configure all of these (and more!) in Security > Settings > Security Headers.

What does the “Username Blocking” feature do?

It allows you to create aggressive, targeted rules to block login attempts based on the username provided. For example, if you know you never use the username “admin”, you can create a rule: IF Username IS “admin” THEN Block. This stops brute-force attacks instantly before they can even guess a password.

Why was the “Direct File Access” warning added for the loader file?

We improved our security compliance checks. The advaipbl-loader.php file is a special file designed to run outside of WordPress in “Edge Mode”. We added a specific security check to ensure it can only be run via the auto_prepend_file mechanism and cannot be accessed directly by a browser, further hardening the plugin against probing.