PBJ Geo Viewer Changelog (v1.2.0): Traveling-Admin Fix and a Built-In User Guide
PBJ Geo Viewer makes a WordPress site view-only for visitors outside the countries you allow. Everyone can still browse every page — great for SEO, since crawlers always see the full site — but visitors from non-allowed regions can’t purchase, submit forms, comment, or register. Here’s the full release history.
Version 1.2.0
- Built-in User Guide — a new tab on Settings → Geo Viewer with the full guide: how requests are decided, every setting, recipes, verification, troubleshooting, and a quick reference. Also linked from the Plugins list row.
Version 1.1.0
- Fixed the traveling-admin lockout. The login page is no longer blocked outright; sign-ins are gated at the
authenticatefilter instead. Administrators and editors can always sign in from blocked regions, plus anyone on the new “Login username allowlist” setting. Registration remains fully blocked. - Fixed a cache-poisoning edge: blocked-region page variants (banner, blocking CSS, disabled buttons) can no longer be stored by page/edge caches. Previously a blocked-region visitor could prime a public cache and every visitor worldwide got the view-only page until the cache expired.
- Fixed: crawler requests no longer trigger ip-api.com lookups — bot/admin status resolves before any country lookup.
- Added a
pbj_geo_viewer_trust_proxy_headersfilter for hosts not behind Cloudflare (where geo headers are spoofable), and a filter to disable theX-PBJ-Geodiagnostic header. - Cleanup: uninstall removes all plugin data; dead code and
sslverify => falseremoved.
Version 1.0.5
- Fixed: form submissions from blocked regions could still leak through plugins posting to
admin-post.phpwith an action not on the hardcoded allowlist. The POST interceptor now blocks by endpoint — every action onadmin-post.php,wp-comments-post.php, and the signup/registration endpoints is covered automatically.admin-ajax.phpkeeps a narrow action allowlist since it carries site features like search and lazy-load. - Added: blocked responses now pick JSON vs HTML intelligently, so non-AJAX form POSTs get a readable 451 page instead of raw JSON.
Version 1.0.4
- Fixed: WooCommerce My Account / checkout registration and REST API user creation (
POST /wp/v2/users) were not blocked; both now are, along with WP core’swp-login.php?action=register, multisite signup, and BuddyPress/bbPress signups. - Added: an
X-PBJ-Geodiagnostic header on every front-end and REST response — check DevTools → Network to see the plugin’s decision per request. - Changed: unknown-country behavior is now fail-closed in both allowlist and blocklist modes, with a new
fail_open_on_unknownsetting to opt back out.
Version 1.0.3
- Fixed: form submissions from blocked regions were leaking through. Form/comment/login filters now register on
initinstead ofwp, so they fire on REST API and admin-ajax requests too — not just full front-end page loads. - Added: a REST gate returning HTTP 451 for known form-plugin routes (Contact Form 7, WPForms, Gravity Forms, Ninja Forms, Fluent Forms, Formidable, native comments, PBJ Form Builder), plus detection of non-AJAX Gravity Forms and classic Contact Form 7 POSTs, and integrations for the Formidable and Fluent Forms validation pipelines.
Version 1.0.2
- Fixed the WordPress 6.7+
_load_textdomain_just_in_timenotice on activation by moving translation loading to theinitaction.
Version 1.0.1
- Added an
Update URIheader so the plugin is never auto-replaced by a same-slug WordPress.org plugin, settings schema versioning with idempotent migrations, and a self-hosted updater for auto-updates from your own server.
Version 1.0.0
- Initial release: allowlist/blocklist country modes, Cloudflare
CF-IPCountryand reverse-proxy header detection with an ip-api.com fallback, WooCommerce purchase blocking, form/comment/login/registration blocking, and always-on exemptions for search engines and admins.
July 4, 2026
PBJ Geo Viewer makes a WordPress site view-only for visitors outside the countries you allow. Everyone can still browse every page — great for SEO, since crawlers always see the full site — but visitors from non-allowed regions can’t purchase, submit forms, comment, or register. Here’s the full release history.
Version 1.2.0
- Built-in User Guide — a new tab on Settings → Geo Viewer with the full guide: how requests are decided, every setting, recipes, verification, troubleshooting, and a quick reference. Also linked from the Plugins list row.
Version 1.1.0
- Fixed the traveling-admin lockout. The login page is no longer blocked outright; sign-ins are gated at the
authenticatefilter instead. Administrators and editors can always sign in from blocked regions, plus anyone on the new “Login username allowlist” setting. Registration remains fully blocked. - Fixed a cache-poisoning edge: blocked-region page variants (banner, blocking CSS, disabled buttons) can no longer be stored by page/edge caches. Previously a blocked-region visitor could prime a public cache and every visitor worldwide got the view-only page until the cache expired.
- Fixed: crawler requests no longer trigger ip-api.com lookups — bot/admin status resolves before any country lookup.
- Added a
pbj_geo_viewer_trust_proxy_headersfilter for hosts not behind Cloudflare (where geo headers are spoofable), and a filter to disable theX-PBJ-Geodiagnostic header. - Cleanup: uninstall removes all plugin data; dead code and
sslverify => falseremoved.
Version 1.0.5
- Fixed: form submissions from blocked regions could still leak through plugins posting to
admin-post.phpwith an action not on the hardcoded allowlist. The POST interceptor now blocks by endpoint — every action onadmin-post.php,wp-comments-post.php, and the signup/registration endpoints is covered automatically.admin-ajax.phpkeeps a narrow action allowlist since it carries site features like search and lazy-load. - Added: blocked responses now pick JSON vs HTML intelligently, so non-AJAX form POSTs get a readable 451 page instead of raw JSON.
Version 1.0.4
- Fixed: WooCommerce My Account / checkout registration and REST API user creation (
POST /wp/v2/users) were not blocked; both now are, along with WP core’swp-login.php?action=register, multisite signup, and BuddyPress/bbPress signups. - Added: an
X-PBJ-Geodiagnostic header on every front-end and REST response — check DevTools → Network to see the plugin’s decision per request. - Changed: unknown-country behavior is now fail-closed in both allowlist and blocklist modes, with a new
fail_open_on_unknownsetting to opt back out.
Version 1.0.3
- Fixed: form submissions from blocked regions were leaking through. Form/comment/login filters now register on
initinstead ofwp, so they fire on REST API and admin-ajax requests too — not just full front-end page loads. - Added: a REST gate returning HTTP 451 for known form-plugin routes (Contact Form 7, WPForms, Gravity Forms, Ninja Forms, Fluent Forms, Formidable, native comments, PBJ Form Builder), plus detection of non-AJAX Gravity Forms and classic Contact Form 7 POSTs, and integrations for the Formidable and Fluent Forms validation pipelines.
Version 1.0.2
- Fixed the WordPress 6.7+
_load_textdomain_just_in_timenotice on activation by moving translation loading to theinitaction.
Version 1.0.1
- Added an
Update URIheader so the plugin is never auto-replaced by a same-slug WordPress.org plugin, settings schema versioning with idempotent migrations, and a self-hosted updater for auto-updates from your own server.
Version 1.0.0
- Initial release: allowlist/blocklist country modes, Cloudflare
CF-IPCountryand reverse-proxy header detection with an ip-api.com fallback, WooCommerce purchase blocking, form/comment/login/registration blocking, and always-on exemptions for search engines and admins.