NexiGuard – IP & Geo Access Control

NexiGuard – IP & Geo Access Control is a public WordPress access control plugin for administrators who need to restrict site access using local IP rules and optional GeoIP data.

Features include:

• Block List mode: visitors matching rules are blocked.
• Allow List mode: only visitors matching rules are allowed.
• Exact IP address rules.
• CIDR range rules for IPv4 and IPv6.
• Country and region/state rules when a GeoIP provider is configured.
• Optional blocking for the frontend, login page, REST API, and XML-RPC.
• 403, 404, or custom blocked responses.
• Custom blocked messages with plain text and basic safe HTML.
• Safe visitor IP detection using REMOTE_ADDR by default.
• Optional Cloudflare visitor IP detection.
• Optional trusted proxy header support.
• Bulk import for IP/CIDR rules.
• Export and import settings as JSON.
• Optional minimal blocked-attempt logs.
• Admin lockout protection and an emergency bypass constant.

Privacy and GeoIP

IP blocking works without any third-party service. Country and region blocking requires either a readable local GeoIP database or an explicitly configured API provider.

Visitor IP addresses are not sent externally unless an administrator selects API provider mode and configures an API endpoint. Optional logs store only date/time, IP address, matched rule type, and requested path.

Admin safety

NexiGuard is disabled by default after activation. Logged-in administrators are never blocked by default. The admin screen displays the detected admin IP and requires confirmation before adding an IP/CIDR rule that matches it.

Emergency bypass: define NEXIGUARD_DISABLE as true in wp-config.php to stop all blocking.

External Services

NexiGuard does not contact any external service by default.

If an administrator selects API provider mode and configures an API endpoint, NexiGuard sends a GET request to that administrator-configured endpoint to look up country and region data for visitor IP addresses. The visitor IP address is sent in the configured URL using the {ip} placeholder or as an ip query parameter. If an API key is configured, it is sent as a Bearer token in the Authorization header.

Because the API endpoint is entered by the site administrator, the site owner is responsible for reviewing that provider’s terms of service and privacy policy before enabling API provider mode.

Local IP and CIDR blocking do not use any external service. MaxMind mode reads a local database file and does not send visitor IPs externally.

License

NexiGuard – IP & Geo Access Control is licensed under GPL-2.0-or-later.