Block unwanted requests to a site
The VIP_Request_Block utility class can be used to block unwanted requests to a site such as those from a bot crawling the site or a malicious IP address. The VIP_Request_Block is able to block requests by
- IP address
- User-Agent
- HTTP header
- custom logic
Considerations
- Code to block a request should be added to vip-config/vip-config.php to ensure that requests that are intended to be blocked are blocked early.
- Be careful not to block legitimate traffic (e.g., Googlebot, a reverse proxy, or a CDN). Always take time to confirm that an IP address, User-Agent, or HTTP header is suspicious before blocking it.
- Requests blocked via
VIP_Request_Blockare blocked at the origin, not the edge (load balancer). If a request is served from the cache at the edge, it does not reach the origin and cannot be blocked by this class. - The
VIP_Request_Blockclass is loaded very early via wp-config.php on VIP Platform environments, before WordPress Core is loaded. When developing on a local development environment the load order might differ from the VIP Platform. It is therefore recommended to wrap statements in anif ( class_exists( 'VIP_Request_Block' ) )check to avoid errors.
Block by IP
Use the VIP_Request_Block::ip() method to block single IP addresses. IP ranges cannot be blocked with this method. If VIP_Request_Block::ip() is called with an invalid IP address, an error will be logged to the application’s Runtime Logs.
The whois terminal command can be used to query an IP address in order to make a more educated decision about which IP addresses are suitable to be blocked.
Use caution to avoid blocking a reverse proxy IP instead of the client’s IP. Blocking a reverse proxy IP will result in legitimate traffic being blocked.
// Example VIP_Request_Block::ip( string $value );
if ( class_exists( 'VIP_Request_Block' ) ) {
VIP_Request_Block::ip( '13.37.13.37' );
VIP_Request_Block::ip( '13.37.13.38' );
}Block by User-Agent
The VIP_Request_Block::ua() method can be useful in cases where a tool or bot that is sending suspicious requests moves from one IP to another but retains the same User-Agent. When using this method, take care not to block common browser User-Agents, or User-Agents that look similar. Blocking requests from common browser User-Agents can result in blocking real user requests.
// Example VIP_Request_Block::ua( string $user_agent );
if ( class_exists( 'VIP_Request_Block' ) ) {
VIP_Request_Block::ua( 'SuspiciousBot/1.1' );
VIP_Request_Block::ua( 'AnotherBot/2.1' );
}Block by HTTP header
When blocking by HTTP header, $header is case-insensitive, but $value is case-sensitive.
// Example VIP_Request_Block::header( string $header, string $value );
if ( class_exists( 'VIP_Request_Block' ) ) {
VIP_Request_Block::header( 'x-my-header', 'my-header-value' );
}Block by other logic
If the above methods are insufficient, a request can be blocked based on custom logic with the VIP_Request_Block::block_and_log() method. This method blocks a request and logs a message to the error_log. The condition in which a given request will be blocked must be defined using custom logic.
Error output can be retrieved with VIP-CLI Runtime Logs.
The following is an example of blocking a request to a specific URL:
// Example VIP_Request_Block::block_and_log( string $value, string $criteria );
if ( '/disallowed-path' === $_SERVER['REQUEST_URI'] ) {
if ( class_exists( 'VIP_Request_Block' ) ) {
VIP_Request_Block::block_and_log( '/disallowed-path', 'REQUEST URI' );
}
}A request made to /disallowed-path will produce the following message in the error_log:
VIP Request Block: request was blocked based on "REQUEST_URI" with value of "/disallowed-path"