Skip to content

Block unwanted origin requests with PHP

The VIP_Request_Block utility class provides a programmatic way to block unwanted requests at the application level based on IP addresses, user agent strings, and other parameters using PHP.

If an incoming request is blocked by VIP_Request_Block, VIP’s CDN will return a 403 Forbidden error response for that request.

Considerations

  • Be careful not to block legitimate traffic (e.g., Googlebot, a reverse proxy, or a CDN). Always take time to confirm that an IP address, User Agent, or HTTP header is suspicious before blocking it.
  • Requests that are blocked with VIP_Request_Block are blocked at the origin, not the edge (load balancer). If a request is served from the cache at the edge, it does not reach the origin and cannot be blocked by this class.
  • The VIP_Request_Block utility class is only effective for requests that require WordPress to be loaded (e.g. example.com/blog/post-name). The utility class is ineffective for direct file requests (e.g. example.com/wp-includes/blocks/index.php).
  • Code to block a request should be added to vip-config/vip-config.php. This ensures that on VIP Platform environments, requests that are intended to be blocked are blocked early before WordPress Core is loaded.
  • Requests that are blocked by a VIP_Request_Block are chargeable requests.
  • When developing on a local development environment the load order might differ from VIP Platform environments. It is therefore recommended to wrap statements in an if ( class_exists( 'VIP_Request_Block' ) ) check to avoid errors.

Logs for blocked requests

Requests that are blocked with the VIP_Request_Block class are logged in the environment’s Runtime Logs. Any errors that occur related to the VIP_Request_Block class in custom code are also logged in the environment’s Runtime Logs.

Error output in Runtime Logs can be retrieved either in the VIP Dashboard or with VIP-CLI.

For example, if VIP_Request_Block::ip() is called with an invalid IP address, an error will be logged in Runtime Logs.

Disable logging

Logging can be disabled for requests blocked by VIP_Request_Block methods with the disable_logging() function.

Call disable_logging() just before calling the VIP_Request_Block method(s) that should not be logged. Re-enable logging for additional methods by calling enable_logging() then call the methods that should have logging enabled.

In this code example, logging is disabled for blocked requests from the IP address 13.37.13.37 and enabled for requests from User Agent SuspiciousBot/1.1:

vip-config/vip-config.php
// logging for blocked requests is enabled by default
if ( class_exists( 'VIP_Request_Block' ) ) {
   // disable logging
   VIP_Request_Block::disable_logging();
   VIP_Request_Block::ip( '13.37.13.37' );
   // enable logging
   VIP_Request_Block::enable_logging();
   VIP_Request_Block::ua( 'SuspiciousBot/1.1' );
}

Last updated: December 31, 2025

Relevant to

  • WordPress