
PBJ Geo Viewer Changelog (v1.2.0): Traveling-Admin Fix and a Built-In User Guide

PBJ Geo Viewer makes a WordPress site view-only for visitors outside the countries you allow. Everyone can still browse every page — great for SEO, since crawlers always see the full site — but visitors from non-allowed regions can’t purchase, submit forms, comment, or register. Here’s the full release history.

Version 1.2.0

  • Built-in User Guide — a new tab on Settings → Geo Viewer with the full guide: how requests are decided, every setting, recipes, verification, troubleshooting, and a quick reference. Also linked from the Plugins list row.

Version 1.1.0

  • Fixed the traveling-admin lockout. The login page is no longer blocked outright; sign-ins are gated at the authenticate filter instead. Administrators and editors can always sign in from blocked regions, plus anyone on the new “Login username allowlist” setting. Registration remains fully blocked.
  • Fixed a cache-poisoning edge: blocked-region page variants (banner, blocking CSS, disabled buttons) can no longer be stored by page/edge caches. Previously a blocked-region visitor could prime a public cache and every visitor worldwide got the view-only page until the cache expired.
  • Fixed: crawler requests no longer trigger ip-api.com lookups — bot/admin status resolves before any country lookup.
  • Added a pbj_geo_viewer_trust_proxy_headers filter for hosts not behind Cloudflare (where geo headers are spoofable), and a filter to disable the X-PBJ-Geo diagnostic header.
  • Cleanup: uninstall removes all plugin data; dead code and sslverify => false removed.

Version 1.0.5

  • Fixed: form submissions from blocked regions could still leak through plugins posting to admin-post.php with an action not on the hardcoded allowlist. The POST interceptor now blocks by endpoint — every action on admin-post.php, wp-comments-post.php, and the signup/registration endpoints is covered automatically. admin-ajax.php keeps a narrow action allowlist since it carries site features like search and lazy-load.
  • Added: blocked responses now pick JSON vs HTML intelligently, so non-AJAX form POSTs get a readable 451 page instead of raw JSON.
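
The endpoint-based gate and the JSON-vs-HTML choice described in 1.0.5, as an added example runnable with the PHP CLI. It is not the plugin's own code: the function name, the AJAX action names and the sample requests are hypothetical, and wp-signup.php stands in for the signup/registration endpoints.

```php
<?php
// Added illustration, not PBJ Geo Viewer's source. All names are hypothetical.

// Every POST to these scripts is refused, whatever "action" it carries.
const BLOCKED_ENDPOINTS = ['admin-post.php', 'wp-comments-post.php', 'wp-signup.php'];
// admin-ajax.php also serves read-only site features, so it keeps a narrow allowlist.
const AJAX_ALLOWED_ACTIONS = ['site_search', 'lazy_load']; // constructed names

/** Returns null to let the request through, or the 451 response to send. */
function post_gate(string $method, string $script, array $post, array $headers): ?array
{
    if (strtoupper($method) !== 'POST') {
        return null; // browsing stays open in view-only mode
    }
    $endpoint = basename($script);
    $blocked  = in_array($endpoint, BLOCKED_ENDPOINTS, true);
    if ($endpoint === 'admin-ajax.php') {
        $action  = $post['action'] ?? '';
        $blocked = !is_string($action) || !in_array($action, AJAX_ALLOWED_ACTIONS, true);
    }
    if (!$blocked) {
        return null;
    }
    // JSON for script-driven callers, a readable HTML page for plain form posts.
    $wantsJson = $endpoint === 'admin-ajax.php'
        || strcasecmp($headers['X-Requested-With'] ?? '', 'XMLHttpRequest') === 0
        || stripos($headers['Accept'] ?? '', 'application/json') !== false;
    return ['status' => 451, 'type' => $wantsJson ? 'application/json' : 'text/html'];
}

// Constructed requests from a blocked region.
$cases = [
    ['GET',  '/wp-admin/admin-post.php',  [], []],
    ['POST', '/wp-admin/admin-post.php',  ['action' => 'some_plugin_submit'], []],
    ['POST', '/wp-comments-post.php',     ['comment' => 'hi'], []],
    ['POST', '/wp-admin/admin-ajax.php',  ['action' => 'site_search'], []],
    ['POST', '/wp-admin/admin-ajax.php',  ['action' => 'some_plugin_submit'], []],
    ['POST', '/wp-admin/admin-post.php',  ['action' => 'x'], ['Accept' => 'application/json']],
];
foreach ($cases as [$method, $script, $post, $headers]) {
    $r = post_gate($method, $script, $post, $headers);
    printf("%-4s %-26s %-20s %s\n", $method, $script, $post['action'] ?? '-',
        $r === null ? 'pass' : $r['status'] . ' ' . $r['type']);
}
```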

Version 1.0.4

  • Fixed: WooCommerce My Account / checkout registration and REST API user creation (POST /wp/v2/users) were not blocked; both now are, along with WP core’s wp-login.php?action=register, multisite signup, and BuddyPress/bbPress signups.
  • Added: an X-PBJ-Geo diagnostic header on every front-end and REST response — check DevTools → Network to see the plugin’s decision per request.
  • Changed: unknown-country behavior is now fail-closed in both allowlist and blocklist modes, with a new fail_open_on_unknown setting to opt back out.
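
The decision order implied by the 1.1.0 and 1.0.4 notes (exemptions before any country lookup, proxy headers read only when trusted, unknown country fail-closed), as an added example runnable with the PHP CLI. It is not the plugin's own code: the function and array-key names are hypothetical, only CF-IPCountry and fail_open_on_unknown come from this page, and the ip-api.com fallback is left out, so a request with no trusted header counts as unknown.

```php
<?php
// Added illustration, not PBJ Geo Viewer's source. Function and array-key names
// are hypothetical; only CF-IPCountry and fail_open_on_unknown come from the page.

function geo_decide(array $req, array $cfg): string
{
    // 1. Exemptions first: crawlers and admins never reach a country lookup.
    if ($req['is_bot'] || $req['is_admin']) {
        return 'allow:exempt';
    }

    // 2. Read the geo header only if a trusted proxy sets it. Without one,
    //    the client chooses this value and it must be ignored.
    $country = '';
    if ($cfg['trust_proxy_headers']) {
        $country = strtoupper(trim($req['headers']['CF-IPCountry'] ?? ''));
    }

    // 3. Missing, malformed, or Cloudflare's "XX" placeholder means unknown.
    if (!preg_match('/^[A-Z]{2}$/', $country) || $country === 'XX') {
        return $cfg['fail_open_on_unknown'] ? 'allow:unknown' : 'block:unknown';
    }

    // 4. Known country: apply the configured mode.
    $listed  = in_array($country, $cfg['countries'], true);
    $allowed = $cfg['mode'] === 'allowlist' ? $listed : !$listed;
    return ($allowed ? 'allow:' : 'block:') . $country;
}

// Constructed configuration and requests.
$cfg = ['mode' => 'allowlist', 'countries' => ['US', 'CA'],
        'trust_proxy_headers' => true, 'fail_open_on_unknown' => false];
$untrusted = ['trust_proxy_headers' => false] + $cfg; // host with no trusted proxy
$visitor = fn(string $cc) => ['is_bot' => false, 'is_admin' => false,
                              'headers' => ['CF-IPCountry' => $cc]];
$cases = [
    'crawler, no header'          => [['is_bot' => true, 'is_admin' => false, 'headers' => []], $cfg],
    'visitor US, trusted proxy'   => [$visitor('US'), $cfg],
    'visitor DE, trusted proxy'   => [$visitor('DE'), $cfg],
    'visitor XX, trusted proxy'   => [$visitor('XX'), $cfg],
    'header US, untrusted host'   => [$visitor('US'), $untrusted],
];
foreach ($cases as $label => [$req, $c]) {
    printf("%-28s %s\n", $label, geo_decide($req, $c));
}
```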

Version 1.0.3

  • Fixed: form submissions from blocked regions were leaking through. Form/comment/login filters now register on init instead of wp, so they fire on REST API and admin-ajax requests too — not just full front-end page loads.
  • Added: a REST gate returning HTTP 451 for known form-plugin routes (Contact Form 7, WPForms, Gravity Forms, Ninja Forms, Fluent Forms, Formidable, native comments, PBJ Form Builder), plus detection of non-AJAX Gravity Forms and classic Contact Form 7 POSTs, and integrations for the Formidable and Fluent Forms validation pipelines.

Version 1.0.2

  • Fixed the WordPress 6.7+ _load_textdomain_just_in_time notice on activation by moving translation loading to the init action.

Version 1.0.1

  • Added an Update URI header so the plugin is never auto-replaced by a same-slug WordPress.org plugin, settings schema versioning with idempotent migrations, and a self-hosted updater for auto-updates from your own server.

Version 1.0.0

  • Initial release: allowlist/blocklist country modes, Cloudflare CF-IPCountry and reverse-proxy header detection with an ip-api.com fallback, WooCommerce purchase blocking, form/comment/login/registration blocking, and always-on exemptions for search engines and admins.
July 4, 2026
