How to Block Countries in WordPress with WP Ghost Geo Security
June 5, 2024

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Block access to your entire WordPress site, or specific paths like login and checkout pages, from selected countries using WP Ghost’s Geo Security. This Premium feature uses IP geolocation to restrict traffic from high-risk regions before it reaches your site.
What Is Geo Security in WP Ghost
Geo Security uses IP geolocation to identify each visitor’s country and enforce access rules based on geographic location. WP Ghost uses a geolocation database with over 99% accuracy to map IP addresses to countries. The feature provides two levels of control: entire website blocking (visitors from selected countries cannot access any page) and path-based blocking (visitors from selected countries can browse your site but cannot access specific paths).
This is a WP Ghost Premium feature designed for sites that serve specific geographic markets and want to eliminate malicious traffic from regions they do not operate in.
Why Country Blocking Matters for Hack Prevention
Country blocking is a targeted defense that complements WP Ghost’s path security and firewall. Here is why it matters:
Most attacks come from a small number of countries. If your Security Threats Log shows repeated brute force attempts, injection attacks, or scanner activity from countries where you have no customers, blocking those countries eliminates the traffic entirely. You are not just blocking individual attacks – you are removing entire sources of malicious traffic.
Path-based blocking protects critical endpoints without losing international visitors. Not every site can block entire countries. If you have international visitors but only serve specific regions for e-commerce, path-based blocking lets you restrict access to sensitive pages like /login, /my-account, and /checkout from high-risk countries while keeping the rest of your content accessible worldwide.
It reduces server load from unwanted traffic. Malicious requests consume server resources even when they are blocked by the firewall. Country blocking rejects these requests before they reach the firewall or WordPress, freeing resources for legitimate visitors.
It works alongside other security layers. Country blocking handles the geographic source of attacks. The 8G Firewall handles attack patterns. Brute Force Protection handles repeated login attempts. Path security makes your WordPress installation invisible. Each layer catches what the others do not.
Entire Website Blocking vs. Path-Based Blocking
| Feature | Entire Website Blocking | Path-Based Blocking |
|---|---|---|
| What it does | Blocks all access from selected countries | Blocks specific URLs from selected countries |
| Best for | Single-country markets, no international visitors | International sites protecting login, account, checkout |
| Content visibility | Fully blocked for selected countries | Content accessible, sensitive paths restricted |
| SEO impact | Minimal (unless blocking US where crawlers operate) | None (content pages remain accessible) |
| WooCommerce use case | Block countries you do not ship to entirely | Block checkout and account from non-shipping countries |
How to Enable Country Blocking
Step 1 – Activate Country Blocking
1. Go to WP Ghost > Firewall > Geo Security.
2. Switch on Country Blocking.
3. Click Save.

Step 2 – Block Entire Countries
4. In the Blocked Countries section, search and select the countries you want to block.
5. Click Save.
Visitors from the selected countries will see an access denied page when they try to visit any URL on your site. All other visitors are unaffected.
Best practice: Only block countries that actively generate malicious traffic. Check your Security Threats Log to identify which countries produce the most attacks against your site. Review your blocks periodically and remove countries that are no longer sources of attacks. Over-blocking limits legitimate international access.
Step 3 – Block Specific Paths by Country (Recommended for International Sites)
Instead of blocking entire countries from your site, restrict only specific paths. This is the recommended approach for sites with international visitors.
6. In the Blocked Paths field, add the paths you want to restrict. Common paths to block include: /login (your custom login path), /my-account, /checkout, /register.
7. Select the countries you want to restrict from those paths.
8. Click Save.
Visitors from the selected countries can still browse your content, read your blog, and view your products. They just cannot access the restricted paths. This stops brute force login attempts and account fraud from specific regions without losing international visibility.
Leaving the Blocked Paths field blank blocks all access from the selected countries (entire website blocking). Add specific paths to restrict only those paths instead of the entire site.
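The sketch below is an added example, not WP Ghost's code: it models the rule just described (blank Blocked Paths means entire website blocking, otherwise only the listed paths) so a rule set can be checked before saving, including whether it would lock out the site owner. The function names, the placeholder country codes XA/XB/XC and the whole-segment path matching are assumptions; the plugin's actual matching may differ.

```python
from urllib.parse import urlsplit

def normalize(uri):
    """Reduce a request URI to a comparable path: no query string,
    lower-case, no trailing slash."""
    path = urlsplit(uri).path.lower().rstrip("/")
    return path or "/"

def is_blocked(country, uri, blocked_countries, blocked_paths):
    """Model of the rule described above. `country` is whatever the
    geolocation lookup returned for the visitor's IP."""
    if country.upper() not in blocked_countries:
        return False
    if not blocked_paths:
        return True  # blank Blocked Paths field: entire website blocking
    path = normalize(uri)
    for rule in map(normalize, blocked_paths):
        # Assumption: match whole path segments, so /checkout covers
        # /checkout/pay but not /checkout-faq.
        if path == rule or path.startswith(rule + "/"):
            return True
    return False

def lockout_paths(own_country, own_paths, blocked_countries, blocked_paths):
    """Paths the site owner would lose if these rules were saved."""
    return [p for p in own_paths
            if is_blocked(own_country, p, blocked_countries, blocked_paths)]

# Constructed rule set; XA and XB are placeholder country codes.
COUNTRIES = {"XA", "XB"}
PATHS = ["/login", "/my-account", "/checkout", "/register"]

if __name__ == "__main__":
    probes = [("XA", "/blog/post-1"), ("XA", "/checkout/?step=2"),
              ("XA", "/Checkout-faq"), ("XC", "/login")]
    for country, uri in probes:
        for label, paths in (("path-based", PATHS), ("entire site", [])):
            verdict = "deny" if is_blocked(country, uri, COUNTRIES, paths) else "allow"
            print(f"{label:12} {country} {uri:20} {verdict}")
    print("lockout:", lockout_paths("XB", ["/login", "/blog/"], COUNTRIES, PATHS))
```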
Using Country Blocking with WooCommerce
Path-based blocking is particularly useful for WooCommerce stores. If you only ship to certain countries, you can block /checkout and /my-account from countries where you do not fulfill orders. This prevents fraudulent orders and fake account creation from those regions while keeping your product pages and catalog visible worldwide.
WP Ghost is fully compatible with WooCommerce. Cart, checkout, product pages, customer accounts, and AJAX-powered features all work normally with country blocking enabled.
Using Country Blocking with the GEO Threat Map
WP Ghost 9.0 introduced an interactive GEO Threat Map on the Overview dashboard that shows where your blocked threats originate. The map displays the top 5 threat countries with proportional markers. Clicking on any country opens the Security Threats Log filtered to that country for the last 7 days.
This makes it easy to identify which countries generate the most malicious traffic against your site and decide whether to enable Country Blocking for those regions. Use the GEO Threat Map as your data source, then enable blocking based on real attack patterns rather than assumptions.
Troubleshooting
Country blocking is not working – visitors from blocked countries can still access the site. This is usually a server cache issue. Caching plugins and external page caches (like Varnish) serve cached pages directly to visitors, bypassing WP Ghost’s country check. Configure your caching plugin to exclude geo-targeted pages from caching, or use a CDN with built-in geo-blocking (like Cloudflare’s country-level firewall rules) as a complementary layer.
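To confirm the cache explanation above, inspect the response headers of a restricted path. This added example (not part of WP Ghost) classifies a response as served from cache, storable by a shared cache, or neither; the sample headers are constructed and the function names are assumptions.

```python
import re

def _lower(headers):
    return {k.lower(): v.strip().lower() for k, v in headers.items()}

def cache_evidence(headers):
    """Reasons to believe a cache, not WordPress, produced the response."""
    h = _lower(headers)
    reasons = []
    if h.get("age", "").isdigit() and int(h["age"]) > 0:
        reasons.append("age=" + h["age"])
    for name in ("x-cache", "cf-cache-status"):
        if "hit" in h.get(name, ""):
            reasons.append(name + "=hit")
    # Varnish puts two transaction ids in X-Varnish on a cache hit.
    if len(h.get("x-varnish", "").split()) == 2:
        reasons.append("x-varnish=two ids")
    return reasons

def shared_cacheable(headers):
    """True if Cache-Control lets a shared cache store and reuse the page."""
    cc = _lower(headers).get("cache-control", "")
    if re.search(r"\b(no-store|no-cache|private)\b", cc):
        return False
    return bool(re.search(r"\b(public|s-maxage=[1-9]|max-age=[1-9])", cc))

def audit(headers):
    """Classify one response: served-from-cache, cacheable, or ok."""
    if cache_evidence(headers):
        return "served-from-cache"
    if shared_cacheable(headers):
        return "cacheable"
    return "ok"

# Constructed response headers for three geo-restricted paths.
SAMPLES = {
    "/checkout": {"Cache-Control": "public, max-age=600", "Age": "42", "X-Cache": "HIT"},
    "/my-account": {"Cache-Control": "max-age=300", "X-Varnish": "32770"},
    "/login": {"Cache-Control": "no-store, private", "CF-Cache-Status": "DYNAMIC"},
}

if __name__ == "__main__":
    for path, hdrs in SAMPLES.items():
        print(path, audit(hdrs), cache_evidence(hdrs))
```

Any restricted path that reports "served-from-cache" or "cacheable" should be added to the cache's exclusion list.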
Legitimate visitors from a blocked country cannot access the site. IP geolocation is over 99% accurate but not perfect. Occasionally, an IP address may be mapped to the wrong country. This is more common with VPN users, corporate networks, and mobile carriers. If a legitimate user reports being blocked, they may be using a VPN that routes through a blocked country. Ask them to try without the VPN, or whitelist their specific IP in WP Ghost > Firewall > Whitelist IPs.
I blocked my own country by mistake. If you locked yourself out, add define('HMWP_DISABLE', true); to wp-config.php via sFTP. This disables WP Ghost temporarily so you can log in and fix the country blocking settings. See the emergency disable guide for more recovery options.
Frequently Asked Questions
Should I block entire countries or specific paths?
It depends on your audience. If you serve a single-country market and have no international customers, blocking entire countries is effective and simple. If you have international visitors but want to protect sensitive endpoints, use path-based blocking. Restrict /login, /my-account, and /checkout from high-risk countries while keeping your content accessible worldwide.
Is this a free or Premium feature?
Geo Security with Country Blocking is a WP Ghost Premium feature. The free version includes the 8G Firewall, brute force protection, 2FA, path security, and security headers – which already block the majority of automated bot attacks.
Does country blocking affect SEO?
Usually not. Search engine crawlers (Googlebot, Bingbot) typically crawl from US-based or globally distributed IP addresses. Blocking a specific country does not usually affect crawling unless you block the US, where most major crawler infrastructure is located. Path-based blocking has no SEO impact at all because your content pages remain accessible.
Does this work with WooCommerce?
Yes. Path-based blocking is particularly useful for WooCommerce. Block /checkout and /my-account from countries where you do not ship to prevent fraudulent orders and fake account creation. WP Ghost is fully compatible with WooCommerce.
Can visitors bypass country blocking with a VPN?
Yes. A VPN routes traffic through a server in a different country, making the visitor appear to be from that country instead. However, bots and automated attacks rarely use VPNs. Country blocking is effective against bot traffic, which is the primary threat for most WordPress sites.
Does WP Ghost modify WordPress core files?
No. Country blocking operates through WordPress initialization hooks, checking each visitor’s IP against the geolocation database before serving the page. No files are modified. Disabling the feature restores full access from all countries instantly.