Published Monday 23rd October 2023

QWeb Ltd launches WordPress Admin Country Allowlist plugin

We host a number of WordPress websites, and we manage servers for other agencies hosting WordPress websites too. Out of the box, WordPress isn't exactly the most secure of frameworks, so we have a go-to set of plugins to help lock these websites down, as well as a number of server-side mechanics that secure both WordPress and other websites from attack.

One of the best things that you can do to help secure a WordPress website, or any website really, is restrict admin panel access to a specific country allowlist. Strong passwords and use of 2FA mechanisms can really help to keep individual logins safe, but most WordPress attacks work by exploiting security holes which allow them to create entirely new administrator accounts, so securing the legitimate accounts is only half of the battle. If your legitimate administrators only ever log in from within a couple of countries, then there's absolutely no point in opening the login mechanics up to the remaining 240+ countries. Disable login for the majority of the world, and you'll make it much more difficult for malicious bots to find their entry point.

Our go-to toolkit of security plugins already included plugins for restricting the WordPress admin panel to specific countries, but all of the available plugins for this which we've been using require manual management of an IP to country database. License restrictions prevent the plugin developers from shipping a copy of this database with the WordPress plugin, and since IPs move around all of the time, these databases quickly become outdated and thus need replacing regularly. Furthermore, most of the available plugins are, in our view, too cumbersome. Adding all sorts of features and settings which most websites don't really need. We prefer plugins that add minimal footprint to a website, and do their job with minimal set-up or maintenance.

Since we already host an IP lookup API which returns, among other things, the country an IP belongs to, and since this API already updates its own databases often, it seemed a no-brainer to build our own Admin Country Allowlist plugin for WordPress, using this API and local caching to quickly determine the country that an individual is from before presenting them with a login page. Results are remembered for 7 days, and the API was built to be super responsive anyway, so this approach doesn't add any noticeable delay to the login process or actual admin panel usage.

The plugin cleans up its own cache too, deleting files after 7 days to prevent excessive growth, and the plugin itself consists only a single 17kb script, making it potentially the most lightweight and efficient WordPress admin country allowlist plugin available.

Simply install and activate our Admin Country Allowlist plugin, generate an access key for it via our API Console, and you're done! The plugin will automatically determine your own country and prevent access to both the admin panel and the WordPress XMLRPC mechanism to anybody outside of your country, and you can easily add other countries to the list.

If there's any issue with API communication or your access key, the plugin will email you and allow access to the login page as normal. Otherwise, if the country can be determined and isn't a country in your allowlist, the plugin will respond with a HTTP 403 Forbidden response, and the login form won't be presented. For requests where the country can be determined, and is in your allowlist, the login page will show as normal.

There's an almost 3 month wait list on new plugin submissions so we're not yet in the official WordPress plugins repository, but if this sounds like the perfect plugin for you, you can already download it for free from Github, and grab a free access key from our API portal.

6th February update:

Our plugin was accepted into the official WordPress plugins repository a few days ago so can now be installed and updated via WordPress automatically. The Github link is still available too, but you're encouraged to now install from the WordPress repository instead.

Photo of Ric


Ric is a senior web and game programmer with nearly 30 years industry experience and countless programming languages in his skillset. He's worked for and with a number of design and development agencies, and is the proprietor of QWeb Ltd. Ric is also a Linux server technician and an advocate of free, open-source technologies. He can be found on Mastodon where he often posts about the projects he's working on both for and outside of QWeb Ltd, or you can follow and support his indie game project on Kofi. Ric also maintains our Github page of useful scripts.

Blog posts are written by individuals and do not necessarily depict the opinions or beliefs of QWeb Ltd or its current employees. Any information provided here might be biased or subjective, and might become out of date.

Discuss this post

Nobody has commented yet.

Leave a comment

Your email address is used to notify you of new comments to this thread, and also to pull your Gravatar image. Your name, email address, and message are stored as encrypted text. You won't be added to any mailing list, and your details won't be shared with any third party.

This site is protected by reCAPTCHA and the Google Privacy Policy & Terms of Service apply.