Skip to content

Block unwanted requests to a site

The VIP_Request_Block utility class can be used to block unwanted requests to a site such as those from a bot crawling the site or a malicious IP address. The VIP_Request_Block is able to block requests by

Considerations

  • Code to block a request should be added to vip-config/vip-config.php to ensure that requests that are intended to be blocked are blocked early.
  • Be careful not to block legitimate traffic (e.g., Googlebot, a reverse proxy, or a CDN). Always take time to confirm that an IP address, User-Agent, or HTTP header is suspicious before blocking it.
  • Requests blocked via VIP_Request_Block are blocked at the origin, not the edge (load balancer). If a request is served from the cache at the edge, it does not reach the origin and cannot be blocked by this class.
  • The VIP_Request_Block class is loaded very early via wp-config.php on VIP Platform environments, before WordPress Core is loaded. When developing on a local development environment the load order might differ from the VIP Platform, so it is recommended to wrap statements in an if ( class_exists( 'VIP_Request_Block' ) ) check to avoid errors.

Block by IP

The whois terminal command can be used to query an IP addresses in order to make a more educated decision about which IP addresses are suitable to be blocked.

Use caution to avoid blocking a reverse proxy IP instead of the client’s IP. Blocking a reverse proxy IP will result in legitimate traffic being blocked.

// Example VIP_Request_Block::ip( string $value );
if ( class_exists( 'VIP_Request_Block' ) ) {
   VIP_Request_Block::ip( '13.37.13.37' );
   VIP_Request_Block::ip( '13.37.13.38' );
}

Block by User-Agent

Take care not to block common browser User-Agents, or User-Agents that look similar. Blocking requests from common browser User-Agents can result in blocking real user requests. Blocking by User-Agent can be useful in cases where a tool or bot that is sending suspicious requests moves from one IP to another but retains the same User-Agent.

// Example VIP_Request_Block::ua( string $user_agent );
if ( class_exists( 'VIP_Request_Block' ) ) {
   VIP_Request_Block::ua( 'SuspiciousBot/1.1' );
   VIP_Request_Block::ua( 'AnotherBot/2.1' );
}

Block by HTTP header

When blocking by HTTP header, $header is case-insensitive, but $value is case-sensitive.

// Example VIP_Request_Block::header( string $header, string $value );
if ( class_exists( 'VIP_Request_Block' ) ) {
   VIP_Request_Block::header( 'x-my-header', 'my-header-value' );
}

Block by other logic

If the above methods are insufficient, a request can be blocked based on custom logic with the VIP_Request_Block::block_and_log() method. This method blocks a request and logs a message to the error_log. The condition in which a given request will be blocked must be defined using custom logic.

Error output can be retrieved with VIP-CLI Runtime Logs.

The following is an example of blocking a request to a specific URL:

// Example VIP_Request_Block::block_and_log( string $value, string $criteria );
if ( '/disallowed-path' === $_SERVER['REQUEST_URI'] ) {
   if ( class_exists( 'VIP_Request_Block' ) ) {
     VIP_Request_Block::block_and_log( '/disallowed-path', 'REQUEST URI' );
   }
}

A request made to /disallowed-path will produce the following message in the error_log:

VIP Request Block: request was blocked based on "REQUEST_URI" with value of "/disallowed-path"

Last updated: May 06, 2022