A malicious bot spoofing his User-Agent header to one in the plugin’s allowlist can bypass the plugin’s full functionality.

An attacker can use IP spoofing to ban legitimate users, search-engine crawlers, or a site’s reverse proxy. This becomes possible as soon as a site owner changes the default IP source of the plugin by using the “blackhole_ip_keys” filter.