Strike First. Block Everything. Runs before WordPress. Blocks before your server blinks.

WordPress security that works before WordPress even loads. Geo-blocking, IP protection, and brute-force defense that is fast, lean, and at a fraction of the cost. Get 30 days of Pro features completely free.

Trusted by WordPress Site Owners Who Refuse to Overpay

Strike First

Everything You Need. Nothing You Don't.

Focused WordPress security that does one thing and does it extremely well.

Login Shield

Rate limiting, lockouts, and honeypot traps help stop brute-force attacks cold.

IP Protection

Whitelist, blacklist, and range-block IPs. Auto-block repeat offenders before they escalate.

Country Blocking

Block entire countries with one click. Your site, your rules.

Lightweight Engine

6 focused tables. Not 24. Your site stays fast because we don't bloat it with features you'll never use.

Activity Log

Every blocked request, every login attempt, every flagged IP is logged and searchable. Know exactly what's hitting your site.

Real-Time Activity Feed

See attacks as they happen. Live dashboard shows where threats originate, what's being blocked, and your site's security status.

mu-plugin Architecture

Loads as a must-use plugin, intercepting requests before WordPress core, themes, or other plugins even initialize. Blocked requests skip 99% of the WordPress boot.

Blocks Threats Before WordPress Even Loads

ViperBlock installs as a mu-plugin, intercepting malicious requests before WordPress core, themes, or other plugins even initialize. Other security plugins wait until it's too late.

Built Different

Most security plugins bolt on after WordPress loads. ViperBlock takes a fundamentally different approach.

mu-plugin Early Interception

Loads before WordPress even boots. Blocks at the front of the request pipeline

Zero Bloat

A lean application firewall. No malware scanner, no 47 features you'll never use.

Real-Time Dashboard

Block stats, activity logs, and login attempts in one place. See what's hitting your site at a glance.

One-Click Setup

Install, activate, done. No manual, no wizards. Protection starts with sensible defaults.

Simple, Honest Pricing

Basic

Simple free protection solution

Free

What's Included:

Country geo-blocking (3 countries)
IP blacklist & whitelist (20 entries)
Early blocking (mu-plugin)
Login brute-force protection
Activity log (7 days / 200 entries)
Dashboard widget & email notifications
DNS-verified crawler allowlist
GeoIP updates (every 30 days)
Admin safety net
Community support

Pro

For sites that need more than the basics

$9.99/Year (normally $19.99)

$9.99/Year

What's Included:

Unlimited country geo-blocking
Block or Allow-only mode
Unlimited IP blacklist & whitelist
Fully configurable brute-force protection
Protected usernames (Smart + Strict)
Progressive escalation & auto-blacklist
Rate limiting with auto-block
Activity log (configurable / 100K entries)
CSV import & export
Daily GeoIP database updates
Dashboard widget & email notifications
Admin safety net
Priority support
Security hardening (XML-RPC, backdoor probes, PHP uploads)
Identity hardening (REST API, author enum, sitemap, versions)
Custom block response (redirect, HTML, status code)

Compare

Compare Features & Pricing

See exactly what you get with each plan. Every install starts with 30 days of full Pro access - no credit card required.

Features	Basic	Pro
Country Geo-Blocking	3 countries	Unlimited
Blocking Mode	Block selected	Block or Allow-only
IP Blacklist / Whitelist	20 entries per list	Unlimited
Early Blocking (mu-plugin)
Custom Block Response	Standard 403 page	Redirect, custom HTML, status code
Login Brute-Force Protection	Fixed (5 attempts / 30 min)	Fully configurable
Activity Log	7 days / 200 entries	Configurable / 100K entries
Login Log
Dashboard Widget
Email Notifications
Known Crawler Allowlist	DNS-verified (Googlebot, Bingbot, etc.)	DNS-verified (Googlebot, Bingbot, etc.)
GeoIP Database Updates	Every 30 days	Daily
Admin Safety Net
Protected Usernames		Smart + Strict modes
Progressive Escalation		Configurable ladder + permanent ban
Auto-Blacklist Persistent Offenders		Configurable threshold
Security Hardening		XML-RPC, backdoor probes, PHP uploads, sensitive files
Identity Hardening		REST API, author enum, sitemap, version stripping
Rate Limiting		Configurable requests/window + auto-block
CSV Import / Export

What WordPress Site Owners Are Saying

Real feedback from site owners who switched to ViperBlock for simpler, faster WordPress security.

"I was paying $149/year for Wordfence just for geo-blocking. ViperBlock gives me that for free. The Pro plan at $9.99/year is honestly a steal."

David R.

Digital Agency Manager

"My site went from 24 security-related database tables to 3. Page load times dropped noticeably. ViperBlock does exactly what I need and nothing more."

James K.

WooCommerce Store Owner

"The mu-plugin approach is brilliant. Threats get blocked before WordPress even starts loading. I wish I'd found this sooner."

Maria L.

Freelance Web Developer

"I manage 8 client sites. ViperBlock keeps them all secure without the bloat. My clients don't notice it's there â€” which is exactly the point."

Sarah M.

WordPress Agency Owner

"Setup took 2 minutes. Blocked traffic from 3 countries that were hammering my login page. Problem solved, site faster. Done."

Alex T.

Small Business Owner

Frequently Asked Questions

Everything you need to know about ViperBlock WordPress security.

How does geo-blocking work?

ViperBlock uses a local GeoIP Country database to look up the country of origin for each visitor's IP address. Lookups take 1-5 milliseconds and happen entirely on your server - no external API calls are made during request processing. You select which countries to block from a searchable list in the settings, and all traffic from those countries receives a 403 Forbidden response before WordPress finishes loading. The free tier allows blocking 3 countries; Pro allows unlimited.

What is the difference between Free and Pro?

The free version includes IP blacklist/whitelist management (20 entries per list), login brute-force protection with automatic lockouts, activity logging (7-day retention, 200 entries), a dashboard widget, email notifications, DNS-verified known crawler allowlist, and country blocking for 3 countries. Pro adds unlimited country blocking, protected username blocking (Smart + Strict modes), security and identity hardening, progressive escalation, request rate limiting, auto-blacklist promotion, configurable lockout durations, custom crawler patterns, daily GeoIP updates, and CSV import/export. Pro is $9.99/year.

How does brute-force protection work?

ViperBlock tracks failed login attempts per IP address. After a configurable number of failures (default: 5), the IP is temporarily locked out. Repeated lockouts trigger progressively longer blocks. On Pro, progressive escalation can automatically promote repeat offenders from temporary blocks to permanent bans. On Pro, you can also configure protected usernames (like "admin") - any IP attempting to log in with a protected username is immediately blocked.

Can I block specific IP addresses?

Yes. You can manually add individual IP addresses or CIDR ranges (e.g., 192.168.1.0/24) to the blacklist, up to 20 entries per list on Free (unlimited on Pro). You can also whitelist trusted IPs that should always be allowed through. Pro adds CSV import and export for bulk management. IPs that trigger blocking rules are also automatically added to a temporary auto-block list.

Is ViperBlock a firewall?

Yes. ViperBlock functions as an application-level firewall for WordPress. It intercepts and filters incoming requests based on IP address, country of origin, request patterns, and login behavior. The Pro version adds security hardening rules that block common attack vectors like XML-RPC abuse, directory traversal attempts, backdoor probes, sensitive file access, and PHP execution in the uploads directory.

What is the mu-plugin and why does ViperBlock need it?

The mu-plugin (must-use plugin) is a small PHP file that WordPress loads very early - before regular plugins, themes, or most of the WordPress core. This lets ViperBlock block malicious requests before they consume server resources loading the full WordPress stack. It is the same approach used by other WordPress security plugins. The mu-plugin is installed and removed automatically; you never need to manage it manually.

Does ViperBlock slow down my site?

No. ViperBlock is designed for minimal performance impact. GeoIP lookups use a local database file (1-5ms per lookup) with transient caching, so repeated lookups for the same IP take less than 1 millisecond. Blocked requests are terminated before WordPress fully loads, which actually reduces server load from hostile traffic. The plugin uses only 6 focused database tables instead of the 20+ that bloated security plugins create.

Is my data sent to external servers?

ViperBlock contacts viperblock.com only for two things: license validation (if you activate a trial or Pro license — every 72 hours) and GeoIP database updates (every 30 days on Free, daily on Pro). The mu-plugin that handles actual request blocking never contacts external servers — all blocking decisions happen locally using the GeoIP database on your server. No visitor data, activity logs, or site content is ever transmitted. See our Privacy Policy for full details.

How do I upgrade to Pro?

Go to ViperBlock > License in your WordPress admin. You can start a free 30-day Pro trial to test all features, or purchase a license by clicking here.

What happens when my Pro license expires?

The plugin gracefully downgrades to the free tier. Pro-only features (unlimited country blocking, security hardening, rate limiting, progressive escalation) are disabled at runtime - no settings are deleted, so everything is restored instantly if you renew. You receive email reminders at 30 days and 7 days before expiration. Country blocking reverts to the 3-country free tier limit, and GeoIP updates switch from daily to every 30 days.

Stay Inspired with Instagram