0

Recently I have been getting bombarded with form submissions from IP addresses outside of our scope of business. Is there a way to disable a form submit button based on a users location via IP?

We're currently using Wordpress utilizing Ninja forms, however I'm stuck on coming up with a solution to achieve this and am looking for any suggestions I can get.

D. Pardal
  • 6,173
  • 1
  • 17
  • 37
Nick
  • 1,471
  • 2
  • 21
  • 35
  • 1
    What about adding a CAPTCHA? – faerin May 26 '20 at 19:41
  • 2
    "_Is there a way to disable a form submit button based on a users location via IP?_" - Sure, until they realize that you've done this and they start using a VPN, meaning they could set their IP to pretty much any country they want. – GrumpyCrouton May 26 '20 at 19:42
  • We would like to completely restrict the form submissions to a specific country as the services provided are only provided in a specific country (for example the US) – Nick May 26 '20 at 19:42
  • @GrumpyCrouton I'd rather them have to go through the hassle of doing that than effortlessly letting them submit the forms normally. – Nick May 26 '20 at 19:43
  • https://stackoverflow.com/questions/3003145/how-to-get-the-client-ip-address-in-php – Lain May 26 '20 at 19:43
  • 2
    @Nick Have you ever used a VPN? It's pretty much hassle free. You just choose the country and press "connect", and thats it. If it's bots that you are dealing with, the best solution is probably going to be a CAPTCHA. If not, maybe you need some sort of authentication system – GrumpyCrouton May 26 '20 at 19:43
  • @GrumpyCrouton I'm very familiar with a VPN. Though it's an extra step they would need to take to circumvent the system. – Nick May 26 '20 at 19:45
  • @Nick I mean, you're right, but it's an extra step one single time. I just don't think it will be effective, but that is obviously up to you to decide, trying to save you some time. But maybe [this](https://serverfault.com/questions/913766/how-to-block-website-for-all-countries-except-us-and-canada) can help you with blocking all except the US. – GrumpyCrouton May 26 '20 at 19:47
  • Also, here is an API that you can seemingly use to get the country of an IP address. Never used it before. https://ip-api.com/docs/api:json – GrumpyCrouton May 26 '20 at 19:49
  • 3
    This is 100% something that needs to be blocked at your server. Doing things to your actual page code is a waste of time; just don't let IP blocks you don't want into the application at all. As has been pointed out, if there's something you're trying to protect, assume an attacker will go to an amount of trouble to get it commensurate with the value. – Pointy May 26 '20 at 19:51
  • 1
    As @Pointy say, while you can block someone from your App in browser, you can't prevent him from using Cross Site Request Forgery, for example with Postman. And like you describe it, it doesn't even seems to be from the Webpage form. Your server should be responsible for this, allowing rules to block IP manually, but he might change IP. You can also block IP automaticalluy according to too much repeated requests in a short time, etc. Servers software like Apache can handle that greatly. Just find a way, but only on Server Side – KeitelDOG May 26 '20 at 19:57
  • 1
    And before blocking Range of IP, even on Server side, try not to PENALIZE a GOOD CUSTOMER because he's on vacation or working in another country. So it depends on your services, you only can know what or when to block. – KeitelDOG May 26 '20 at 20:13

1 Answers1

0

Maybe try to use something like Google reCaptcha?

Puk
  • 319
  • 1
  • 11