⚠️ Status: untested. This extension is provided as-is and has not been tested in production. Please feel free to fork, modify, improve, and open pull requests.Licensed under GNU GPLv3 (see LICENSE).
Integrates the ip-block.com IP screening service into Magento Open Source. Every storefront request is checked against ip-block.com before any page renders; flagged visitors are redirected to the ip-block.com block page (or shown a local 403).
Stores → Configuration → IP Block → Protection (ip-block.com)
| Field | Purpose |
|---|---|
| Enable IP Protection | Master on/off switch |
| Site ID | Your 12-character ip-block.com site identifier |
| API Key | Your 48-character key (stored encrypted) |
| API Endpoint URL | Defaults to https://api.ip-block.com/v1/check |
| If service is unreachable | Fail open (allow) or closed (block) — vendor recommends open |
| Decision Cache Lifetime | Seconds a decision is cached; 0 = check every request |
| When a visitor is blocked | Redirect to ip-block.com block page, or show a local 403 message |
| Block Message | Local 403 text (only when "show message" is chosen) |
| Allowlisted IPs | One IP per line — never blocked |
Credentials come from the API Keys page of your ip-block.com dashboard.
Copy this module to app/code/IPBlock/Protection/ in your Magento installation, then from the Magento root run:
php bin/magento module:enable IPBlock_Protection
php bin/magento setup:upgrade
php bin/magento setup:di:compile # production mode only
php bin/magento cache:flush
API contract (from https://api.ip-block.com/v1)
POST /check — JSON body:
{ "api_key": "...", "site_id": "...", "ip": "203.0.113.42",
"user_agent": "...", "referrer": "..." }Response: {"action":"allow"} or {"action":"block"}. The api_key is sent in the
body (not an Authorization header). 1-second timeout, fail open on error.
etc/frontend/events.xmlhookscontroller_action_predispatch(storefront only).Observer/CheckVisitorIpgets the visitor IP/UA/referrer, asksService/IpChecker, and on a block redirects (or renders a 403) and halts dispatch.Service/IpCheckerhandles allowlisting, per-request caching, fail-open/closed.Model/Api/Client::isBlocked()speaks the ip-block.com wire format.
- Behind a proxy/CDN? Configure Magento's trusted proxies so
RemoteAddressreturns the real client IP (X-Forwarded-For/CF-Connecting-IP) rather than the proxy's, otherwise every visitor looks like the proxy. - Allowlist your own office IP before enabling, so you cannot lock yourself out of the storefront while testing.