IP location slow implementation

Hi Jaro (@pixtweaks),

Thank you so much for taking the time to review the plugin and for your excellent, detailed feedback. Performance and efficiency are top priorities for us, and I’d like to address your valid points.

Regarding Geolocation API Calls:

You are absolutely right that making an external API call on every request would be a very ineffective strategy. I want to clarify that the plugin is designed specifically to avoid this.

The plugin employs an intelligent internal caching system for geolocation data. Here’s how it works:

1. When a visitor with a new IP address arrives, the plugin makes a single API call to fetch its location and ASN data.
2. This result is then stored locally in a WordPress transient (our internal cache) with a 24-hour expiration time.
3. For all subsequent requests from that same IP address within the next 24 hours, the location data is retrieved instantly from this local cache, with zero external API calls.

This ensures that the small performance hit of an API call (like the 150ms you observed) only occurs once per IP per day, not on every page load. This strategy provides robust security data while having a negligible impact on overall site performance and TTFB for repeat visitors and crawlers. We believe this is the optimal balance between security intelligence and efficiency.

Regarding Database Logging:

This is another excellent point, especially for high-traffic sites. We’ve designed the logging system with this in mind:

1. Logging is Optional: All logging can be disabled entirely from the settings (Security > Settings > General) for maximum performance on extremely high-traffic or resource-constrained environments.
2. Automatic Purging: The plugin includes a built-in daily cron job that automatically purges old log entries. Administrators can configure the log retention period (e.g., 7, 14, or 30 days), ensuring the database table never grows indefinitely.
3. Data Optimization: We are continuously working to optimize the data we store. For instance, in our new Attack Signature Engine, we only log essential request data and use hashing for visitor identification to keep the footprint minimal.

Your suggestion to consider an SQLite database is very interesting. It’s a great idea for isolating the logs from the main WordPress database and could be a fantastic feature for a future “high-performance mode”. I’ve added it to our development roadmap for consideration. Thank you for that insightful suggestion!

We truly appreciate you taking a deep dive into the plugin’s mechanics. This kind of feedback is invaluable and helps us make the plugin better for everyone.

Best regards,
IniLerm

Hi Jaro,

Thank you again for this follow-up. You’ve hit the nail on the head, and your points are exceptionally well-made. You’re absolutely right; a strategy that works for a small blog must be able to scale, and security plugins, in particular, must be built to withstand edge cases like DDoS attacks.

Your analysis of high-traffic scenarios is 100% correct.

• DDoS Scenario & Transients: The scenario you described (100k unique IPs generating 100k transients) is a perfect stress test, and you are right that it would put significant strain on the wp_options table. Our current Rate Limiting module is the first line of defense against this, as it’s designed to block IPs that make rapid requests before they trigger more resource-intensive operations like geolocation lookups. However, your point stands that a sufficiently distributed attack could still create this exact problem.
• Local Database vs. Real-time API: This is a classic trade-off. We initially opted for the real-time API with caching for two reasons: 1) to keep the plugin’s initial footprint extremely light (no large database download required on install), and 2) to ensure the data is always up-to-date, especially for rapidly changing ASN information. However, you are correct that for instant, high-volume decisions, a local database (like the one Wordfence uses with MaxMind GeoIP2) is the superior, enterprise-grade solution.

You’ve given us a lot to think about, and frankly, you’ve helped shape our roadmap.

Based on your feedback, we are now planning the following architectural improvements for a future major release:

1. Hybrid Geolocation Model: We will introduce an option for users to switch between the current real-time API (for ease of use and low footprint) and a local, downloadable MaxMind GeoIP2 database for high-performance sites. This will give administrators the power to choose the best strategy for their specific needs, effectively eliminating the API call bottleneck during traffic spikes.
2. Dedicated Custom Tables for Volatile Data: Your point about transients is well taken. We will migrate our geolocation cache from the wp_options table to a dedicated custom table. This will completely isolate this high-volume data from the critical options table, preventing the kind of database bloat you described. Your suggestion of using SQLite is still on our radar as a potential enhancement for this.

You’ve provided the kind of expert feedback that is rare and incredibly valuable. It’s clear you have extensive experience with high-performance environments. Thank you for pushing us to think bigger and build better.

All the best,
IniLerm