SSP Documentation
Block Website Access by Region Pro
Admin Screens
The plugin adds a new menu item in your WordPress admin sidebar called Block Website Access. Inside are three tabs:
Control tab
- Enable or disable blocking globally.
- Option to allow search crawlers like Googlebot.
- Pick background color for the block page.
- Enter MaxMind license key to enable local database lookups.
- Select which states or countries are blocked.
Message tab
- Set the heading of the block page.
- Customize the body message, which supports tokens like `{STATE}`.
- Use plain text or simple HTML for styling.
Logs tab
- View past access attempts with location & decision.
- Entries include hashed IP, state/country code, reason, and timestamp.
- Option to clear logs with one click.
- Automatic pruning runs daily based on retention settings.
Navigation
Menu Location | Block Website Access (shield icon) in the WP admin sidebar. |
---|---|
Permissions | Only roles with manage_options can see and change settings. |
How It Works
This plugin enforces regional access restrictions as early as possible in WordPress load:
- Early gate: Runs during `plugins_loaded` before theme output.
- Geo sources: Uses local MaxMind DB if available. Falls back to Cloudflare headers or multiple public APIs for redundancy.
- ASN screening: Detects suspicious Autonomous Systems (cloud/VPN/proxy providers). These can be blocked silently.
- Cookie bypass: Approved visitors get a signed short-lived cookie, avoiding repeated lookups.
- No-cache headers: Block pages include `no-store` headers so proxies/CDNs never cache them.
- Role exemptions: Admins and other exempt roles skip the gate entirely.
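The cookie bypass step above can be illustrated with an HMAC-signed value that carries its own expiry. This is an added example, not the plugin's own code: the `region|expiry|signature` layout, the function names, the 15-minute lifetime and the demo key are all assumptions (on a WordPress site the key could be derived from `wp_salt()`).

```php
<?php
// Added example, not the plugin's code. Cookie layout and names are assumptions.

/** Issue "region|expiry|signature" for a visitor whose region passed the gate. */
function bypass_cookie_issue(string $region, string $key, int $now, int $ttl = 900): string
{
    if (strpos($region, '|') !== false) {
        throw new InvalidArgumentException('region must not contain the field separator');
    }
    $payload = $region . '|' . ($now + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

/** Return the approved region, or null when the cookie must be ignored. */
function bypass_cookie_verify(string $cookie, string $key, array $blocked, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                                   // malformed
    }
    [$region, $expiry, $sig] = $parts;
    // Recompute the MAC over the received fields and compare in constant time.
    $expected = hash_hmac('sha256', $region . '|' . $expiry, $key);
    if (!hash_equals($expected, $sig)) {
        return null;                                   // forged or edited
    }
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return null;                                   // lifetime is over
    }
    // Re-check the blocklist so a settings change applies before the cookie expires.
    if (in_array($region, $blocked, true)) {
        return null;
    }
    return $region;
}

// Constructed demo values; none come from the plugin.
$key    = 'constructed-demo-key';
$now    = 1700000000;
$cookie = bypass_cookie_issue('US-CA', $key, $now);

$cases = [
    'fresh cookie'         => bypass_cookie_verify($cookie, $key, ['US-TX'], $now + 60),
    'region edited'        => bypass_cookie_verify(str_replace('US-CA', 'US-NY', $cookie), $key, ['US-TX'], $now + 60),
    'after expiry'         => bypass_cookie_verify($cookie, $key, ['US-TX'], $now + 901),
    'region blocked later' => bypass_cookie_verify($cookie, $key, ['US-CA'], $now + 60),
];
var_dump($cases);
```

Only the fresh cookie yields a region; the edited, expired and newly blocked cases all return `null`, so the visitor falls back to a full geo lookup.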
Privacy & Data
The plugin is designed with GDPR and privacy compliance in mind:
- Logs Table: `wp_bsas_logs` stores hashed IP, optional binary IP (disabled by default), location, decision, reason, and timestamp.
- IP Hashing: By default, IPs are stored as SHA-256 hashes salted with WordPress keys.
- Retention: Logs older than the configured retention (default 30 days) are automatically deleted daily.
- Rate limiting: Prevents excessive log rows from single IPs by default (20/day).
- Accuracy: Adding a MaxMind license key improves accuracy to ~99% and reduces calls to third-party APIs.
Troubleshooting
Visitors from a blocked place still get through
- Check the status bar in the settings page to see what IP/country/state the plugin detects.
- Verify your host is passing the real visitor IP (Cloudflare, Nginx, and load balancers may need header adjustments).
- For higher accuracy, add a MaxMind license key and let the updater refresh the database.
Everyone is blocked or showing as “Unknown”
- Ensure your server can make outbound HTTP(S) requests to API endpoints.
- Confirm you are not forcing private IPs (like `127.0.0.1`) in server configs.
- If using strict ASN blocking, try disabling temporarily for corporate/VPN traffic.
Logs not updating
- Log entries are rate-limited per IP (default 20/day).
- Search crawlers may be skipped if “Allow Crawlers” is enabled.
- Suspicious ASN decisions are enforced but not logged by design.
MaxMind DB fails to download
- Confirm your MaxMind license key is valid.
- Check folder permissions for `/wp-content/uploads/GeoLite2-City.mmdb`.
- Remember the updater runs weekly via WP-Cron; ensure WP-Cron is running or trigger manually.
Test / Verification
Follow these steps to confirm the plugin is configured correctly:
- Go to plugin settings → verify your detected IP, country, and state.
- Block your own state or country temporarily. Open the site in an incognito/private window and confirm you see the block page.
- Unblock and reload. You should be granted access and see a signed bypass cookie issued in your browser.
- Check the Logs tab to confirm a “blocked” and then “bypassed” entry for your IP.
- If using a CDN (Cloudflare, Akamai, etc.), test from different networks or with geolocation testing tools.
Tip: Use VPNs or proxy tools to simulate different regions and confirm blocking behavior matches your configuration.