Block requests to a site
The VIP_Request_Block
utility class can be used to block unwanted requests to a site such as those from a bot crawling the site or a malicious IP address. The VIP_Request_Block
is able to block requests by
- IP address
- User-Agent
- HTTP header
- custom logic
Considerations
- Code to block a request should be added to vip-config/vip-config.php to ensure that requests that are intended to be blocked are blocked early.
- Be careful not to block legitimate traffic (e.g., Googlebot, a reverse proxy, or a CDN). Always take time to confirm that an IP address, User-Agent, or HTTP header is suspicious before blocking it.
- Requests blocked via
VIP_Request_Block
are blocked at the origin, not the edge (load balancer). If a request is served from the cache at the edge, it does not reach the origin and cannot be blocked by this class. - The
VIP_Request_Block
class is loaded very early via wp-config.php on VIP Platform environments, before WordPress Core is loaded. When developing on a local development environment the load order might differ from the VIP Platform, so it is recommended to wrap statements in anif ( class_exists( 'VIP_Request_Block' ) )
check to avoid errors.
Block by IP
The whois
terminal command can be used to query an IP addresses in order to make a more educated decision about which IP addresses are suitable to be blocked.
Use caution to avoid blocking a reverse proxy IP instead of the client’s IP. Blocking a reverse proxy IP will result in legitimate traffic being blocked.
// Example VIP_Request_Block::ip( string $value );
VIP_Request_Block::ip( '13.37.13.37' );
Block by User-Agent
Take care not to block common browser User-Agents, or User-Agents that look similar. Blocking requests from common browser User-Agents can result in blocking real user requests. Blocking by User-Agent can be useful in cases where a tool or bot that is sending suspicious requests moves from one IP to another but retains the same User-Agent.
// Example VIP_Request_Block::ua( string $user_agent );
VIP_Request_Block::ua( 'SuspiciousBot/1.1' );
Block by HTTP Header
When blocking by HTTP header, $header
is case-insensitive, but $value
is case-sensitive.
// Example VIP_Request_Block::header( string $header, string $value );
VIP_Request_Block::header( 'x-my-header', 'my-header-value' );
Block by other logic
If the above methods are insufficient, a request can be blocked based on custom logic with the VIP_Request_Block::block_and_log()
method:
// Example VIP_Request_Block::block_and_log( string $value, string $criteria );
VIP_Request_Block::block_and_log( 'my value', 'my criteria' );
This method blocks a request and logs a message to the error_log
:
VIP Request Block: request was blocked based on "my criteria" with value of "my value"
The following is an example of blocking a request to a specific URL:
if ( '/disallowed-path' === $_SERVER['REQUEST_URI'] ) {
VIP_Request_Block::block_and_log( '/disallowed-path', 'REQUEST URI' );
}
A request made to /disallowed-path
will produce the following message in the error_log
:
VIP Request Block: request was blocked based on "REQUEST_URI" with value of "/disallowed-path"