{"id":132325,"date":"2020-12-01T10:46:02","date_gmt":"2020-12-01T10:46:02","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/ip-vault-wp-firewall\/"},"modified":"2023-06-06T10:47:34","modified_gmt":"2023-06-06T10:47:34","slug":"ip-vault-wp-firewall","status":"publish","type":"plugin","link":"https:\/\/li.wordpress.org\/plugins\/ip-vault-wp-firewall\/","author":3963369,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"2.1","stable_tag":"trunk","tested":"6.2.9","requires":"4.0","requires_php":"7.0","requires_plugins":null,"header_name":"Two-factor authentication (formerly IP Vault)","header_author":"Paul C. Schroeder","header_description":"IP Vault protects your WordPress administration from Brute Force Attacks. It limits access to your WordPress Administration to authorized IP addresses only. IP Vault works at the .htaccess level, before WP core is loaded. This saves your server's bandwidth.","assets_banners_color":"0d2327","last_updated":"2023-06-06 10:47:34","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/www.paypal.com\/donate\/?hosted_button_id=Y7VNAG4WC8YMC","header_plugin_uri":"https:\/\/youtag.lu\/ip-vault","header_author_uri":"https:\/\/youtag.lu\/","rating":0,"author_block_rating":0,"active_installs":20,"downloads":1410,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","changelog"],"tags":[],"upgrade_notice":{"":"<p>Update normally via the plugins dashboard. Logs and Settings are preserved on deactivation. All settings and logs are removed on uninstall. 
Changes to <code>.htaccess<\/code> file are restored on deactivation and on uninstall.<\/p>"},"ratings":[],"assets_icons":{"icon.svg":{"filename":"icon.svg","revision":2442466,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":2442466,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":2442466,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":[],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":2442466,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":2442466,"resolution":"2","location":"assets","locale":""},"screenshot-3.png":{"filename":"screenshot-3.png","revision":2442466,"resolution":"3","location":"assets","locale":""},"screenshot-4.png":{"filename":"screenshot-4.png","revision":2442466,"resolution":"4","location":"assets","locale":""},"screenshot-5.png":{"filename":"screenshot-5.png","revision":2442466,"resolution":"5","location":"assets","locale":""}},"screenshots":{"1":"Authentication Page","2":"Dashboard Widget","3":"Which files and folders should be protected ?","4":"IP Address Whitelist","5":"Blocked connection logs &amp; 
stats"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[2439,1493,2085,1178,600],"plugin_category":[54],"plugin_contributors":[81585],"plugin_business_model":[],"class_list":["post-132325","plugin","type-plugin","status-publish","hentry","plugin_tags-brute-force","plugin_tags-ip","plugin_tags-lock","plugin_tags-protection","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-youtag","plugin_committers-youtag"],"banners":{"banner":"https:\/\/ps.w.org\/ip-vault-wp-firewall\/assets\/banner-772x250.jpg?rev=2442466","banner_2x":"https:\/\/ps.w.org\/ip-vault-wp-firewall\/assets\/banner-1544x500.jpg?rev=2442466","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":"https:\/\/ps.w.org\/ip-vault-wp-firewall\/assets\/icon.svg?rev=2442466","icon":"https:\/\/ps.w.org\/ip-vault-wp-firewall\/assets\/icon.svg?rev=2442466","icon_2x":false,"generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/ip-vault-wp-firewall\/assets\/screenshot-1.png?rev=2442466","caption":"Authentication Page"},{"src":"https:\/\/ps.w.org\/ip-vault-wp-firewall\/assets\/screenshot-2.png?rev=2442466","caption":"Dashboard Widget"},{"src":"https:\/\/ps.w.org\/ip-vault-wp-firewall\/assets\/screenshot-3.png?rev=2442466","caption":"Which files and folders should be protected ?"},{"src":"https:\/\/ps.w.org\/ip-vault-wp-firewall\/assets\/screenshot-4.png?rev=2442466","caption":"IP Address Whitelist"},{"src":"https:\/\/ps.w.org\/ip-vault-wp-firewall\/assets\/screenshot-5.png?rev=2442466","caption":"Blocked connection logs &amp; stats"}],"raw_content":"<!--section=description-->\n<p>IP Vault lets you protect your WordPress backend \u2013 and any other part of your website \u2013 from unverified users.<\/p>\n\n<p>IP Vault Firewall also preserves your server resources and bandwidth by blocking hacking attempts before they reach your site.<\/p>\n\n<h3>How does it work ?<\/h3>\n\n<p>Requests to protected files and folders are redirected to the 
<em>Authentication Page<\/em>. IP Vault unlocks users' IP addresses using a key\nthat is emailed for authentication. Once users verify their account, they can access all restricted areas. Users are automatically verified on registration.<\/p>\n\n<h3>What is protected ?<\/h3>\n\n<p>Out of the box, IP Vault restricts access to <code>.php<\/code> and <code>.phtml<\/code> files, as well as the <code>wp-admin<\/code> folder, which are frequently exploited by bad bots and hackers.\nYou can choose which part of your site to protect. Need to make the whole website private ? No problem, just restrict access to <code>\/<\/code>.<\/p>\n\n<h3>The story behind this plugin<\/h3>\n\n<p>In the past 20 years, I have been monitoring a few dozen client sites to prevent malicious access. I have also helped a great number of people to clean their website from malware.\nI noticed that even marginal WordPress sites or non-WordPress PHP-based sites are constantly exposed to hacking attempts.<\/p>\n\n<p>Almost all exploits I have seen work by either calling a vulnerable PHP script already on the server, by adding such a script or by injecting their own code into an existing script.<\/p>\n\n<p>I have tried and tested quite a few security plugins. They can be quite complex to set up and to maintain. Some security plugins try to block access to vulnerable files by comparing requests to a blacklist.\nThese tend to become quite large and need frequent updates to be efficient. Others use geo-blocking services to block requests from certain countries. However, in my experience, hacking attempts can come from just about any location.<\/p>\n\n<p>I thought there must be a better way using whitelists for verified users instead. And that's how the idea for IP Vault was born.<\/p>\n\n<h3>To Dos<\/h3>\n\n<ul>\n<li>add option to get auth code by SMS (requires users to register phone number)<\/li>\n<\/ul>\n\n<h3>I love this plugin. 
How can I contribute ?<\/h3>\n\n<ul>\n<li><a href=\"https:\/\/wordpress.org\/support\/plugin\/ip-vault-wp-firewall\/reviews\/#new-post\">Rate plugin<\/a> and leave feedback on WordPress.org<\/li>\n<li>Help resolve questions in support forums<\/li>\n<li>Help with translations<\/li>\n<li><a href=\"https:\/\/www.paypal.com\/donate\/?hosted_button_id=Y7VNAG4WC8YMC\">Donate<\/a><\/li>\n<\/ul>\n\n<h3>Disclaimer<\/h3>\n\n<p>This plugin uses the following <strong>3rd Party services<\/strong> :<\/p>\n\n<ul>\n<li><p><a href=\"https:\/\/ip-api.com\">ip-api.com<\/a> - used to offer insights into IP addresses, namely country and city information. <a href=\"https:\/\/ip-api.com\/docs\/legal\">Terms and Policies<\/a><\/p><\/li>\n<li><p><a href=\"https:\/\/www.ipify.org\">ipify.org<\/a> - used to map IPv6 addresses to IPv4. <a href=\"https:\/\/geo.ipify.org\/terms-of-service\">Terms and Policies<\/a><\/p><\/li>\n<\/ul>\n\n<!--section=changelog-->\n<h4>2.1<\/h4>\n\n<ul>\n<li>optimization : added a 404 header to disallowed requests, in order to discourage bots from returning<\/li>\n<li>optimization : mapping (frequently changing) IPv6 addresses to IPv4 using third party service <em>ipify<\/em><\/li>\n<li>fixed potential XSS vulnerabilities<\/li>\n<\/ul>\n\n<h4>2.0<\/h4>\n\n<ul>\n<li>optimization : complete rewrite of authentication method : replaced secret URL by a 4-digit pin code<\/li>\n<li>various small fixes<\/li>\n<\/ul>\n\n<h4>1.1<\/h4>\n\n<ul>\n<li>optimization : set transient for api calls (cache results for 1 week)<\/li>\n<li>experimental feature : use ASN for authentication (useful if your public IP changes often)<\/li>\n<\/ul>\n\n<h4>1.0.2.1<\/h4>\n\n<ul>\n<li>optimisation : limit requests to ip-api to unknown IP addresses (IPs not yet logged)<\/li>\n<li>optimisation : settings link added to plugin screen<\/li>\n<li>optimisation : allow custom comments for whitelisted IPs<\/li>\n<li>fixed minor bug : title on stats screen displays correct date<\/li>\n<li>fixed minor bug : 
removing IP addresses with backslashes from whitelist<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>fixed minor bug : missing envelope.svg<\/li>\n<li>tested up to WP version 5.7.2<\/li>\n<\/ul>\n\n<h4>1.0<\/h4>\n\n<ul>\n<li>redesigned bar chart and added daily tables in statistics<\/li>\n<li>authentication mail back to plain text to optimise deliverability<\/li>\n<li>various small fixes<\/li>\n<\/ul>\n\n<h4>0.7<\/h4>\n\n<ul>\n<li>added a <code>soft rewrite<\/code> mode, as <code>.htaccess<\/code> mode can be tricky on some installs<\/li>\n<li>cosmetic changes to authentication mails, now using html<\/li>\n<li>improved logging and statistics, database cleaned through daily cron job<\/li>\n<\/ul>\n\n<h4>0.5<\/h4>\n\n<ul>\n<li>Reengineered auth page (no longer depending on frontend page)<\/li>\n<li>New logo and redesigned auth page<\/li>\n<li>Improved style and optimised resource usage<\/li>\n<li><em>a lot<\/em> of small changes<\/li>\n<\/ul>\n\n<h4>0.4.1<\/h4>\n\n<p>Fixed issue where settings were not properly removed on uninstall<\/p>\n\n<h4>0.4<\/h4>\n\n<p>First release.<\/p>","raw_excerpt":"Protect your website against Brute Force Attacks and other malicious requests that have potential to jeopardise the website\u2019s safety or hijacking your 
&hellip;","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/132325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=132325"}],"author":[{"embeddable":true,"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/youtag"}],"wp:attachment":[{"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=132325"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=132325"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=132325"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=132325"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=132325"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/li.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=132325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}