Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

WordPress Block Proxy Visits

I’ve covered a lot of techniques for controlling proxy access. And I’m not done yet. This post expands on the block tough proxies technique by making it plug-&-play with WordPress.

Update: Also check out Block Proxy Visits with PHP for more advanced PHP-based proxy-blocking techniques.

Block Proxy Visits with WordPress

Here is the magic bullet, add via functions.php or plugin:

// block proxy visits @ https://m0n.co/05
function shapeSpace_block_proxy_visits() {
	if (!is_user_logged_in()) {
		if (@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1)) {
			die('Proxy access not allowed');
		}
	}
}
add_action('after_setup_theme', 'shapeSpace_block_proxy_visits');

As explained in the original article, this code snippet isn’t enough to block all proxies, but it works great at stopping a LOT of them. Over the years, proxy services and scripts have mushroomed in terms of functionality, complexity, and effectiveness. So there’s not really a one-size-fits-all, plug-&-play technique for blocking 100% all proxies. This script is meant to give devs a simple way to knock out a wide range of proxy services in order to free up precious resources for legit traffic.

How does it work?

Here’s the basic logic behind this technique:

  1. Checks that current user is not logged in to WordPress
  2. Blocks the request if port 80 is open on the remote machine
  3. Hooks the function into WP’s after_setup_theme

So it’s very simple logic-wise, but does require a quick connection to the remote machine. This is why the technique is better employed as a temporary solution, as explained in the next section.

Usage example

This script is nice because it’s simple and about as lightweight as you can get via PHP (you can get better performance using one of the .htaccess techniques linked at the beginning of this post). A good use example: when I notice my sites getting scanned or spammed by some automated d-bag, I can slap this proxy-block script into functions.php to quell the storm and save some server resources. Then after a few hours, I can remove the script without any fuss. It’s really best used as a short-term deterrent as opposed to a permanent proxy-block solution.

Update: send response headers

If you are getting incorrect response headers (e.g., getting 200 “OK” for 404 “Not Found” pages). You can resolve by sending the desired header, for example to send 403 “Forbidden” response for any blocked proxy requests:

// block proxy visits @ https://m0n.co/05
function shapeSpace_block_proxy_visits() {
	if (!is_user_logged_in()) {
		if (@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1)) {

			header('HTTP/1.1 403 Forbidden'); // send response header
			die('Proxy access not allowed');
		}
	}
}
add_action('after_setup_theme', 'shapeSpace_block_proxy_visits');

You can change the header to whatever response, etc. Check the PHP documentation for more details.

About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.
GA Pro: Add Google Analytics to WordPress like a pro.

One response to “WordPress Block Proxy Visits”

  1. Works fine. I am happy!

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Digging Into WordPress: Take your WordPress skills to the next level.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.