WordPress Block Proxy Visits

I’ve covered a lot of techniques for controlling proxy access. And I’m not done yet. This post expands on the block tough proxies technique by making it plug-&-play with WordPress.

Update: Also check out Block Proxy Visits with PHP for more advanced PHP-based proxy-blocking techniques.

Block Proxy Visits with WordPress

Here is the magic bullet, add via functions.php or plugin:

// block proxy visits @ https://m0n.co/05
function shapeSpace_block_proxy_visits() {
	if (!is_user_logged_in()) {
		if (@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1)) {
			die('Proxy access not allowed');
		}
	}
}
add_action('after_setup_theme', 'shapeSpace_block_proxy_visits');

As explained in the original article, this code snippet isn’t enough to block all proxies, but it works great at stopping a LOT of them. Over the years, proxy services and scripts have mushroomed in terms of functionality, complexity, and effectiveness. So there’s not really a one-size-fits-all, plug-&-play technique for blocking 100% all proxies. This script is meant to give devs a simple way to knock out a wide range of proxy services in order to free up precious resources for legit traffic.

How does it work?

Here’s the basic logic behind this technique:

  1. Checks that current user is not logged in to WordPress
  2. Blocks the request if port 80 is open on the remote machine
  3. Hooks the function into WP’s after_setup_theme

So it’s very simple logic-wise, but does require a quick connection to the remote machine. This is why the technique is better employed as a temporary solution, as explained in the next section.

Usage example

This script is nice because it’s simple and about as lightweight as you can get via PHP (you can get better performance using one of the .htaccess techniques linked at the beginning of this post). A good use example: when I notice my sites getting scanned or spammed by some automated d-bag, I can slap this proxy-block script into functions.php to quell the storm and save some server resources. Then after a few hours, I can remove the script without any fuss. It’s really best used as a short-term deterrent as opposed to a permanent proxy-block solution.