{"id":251503,"date":"2025-11-02T17:11:49","date_gmt":"2025-11-02T17:11:49","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/botblocker-security\/"},"modified":"2026-06-17T18:31:27","modified_gmt":"2026-06-17T18:31:27","slug":"botblocker-security","status":"publish","type":"plugin","link":"https:\/\/azb.wordpress.org\/plugins\/botblocker-security\/","author":21117379,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.6.21","stable_tag":"1.6.21","tested":"7.0","requires":"5.0","requires_php":"7.4","requires_plugins":null,"header_name":"BotBlocker Security - Firewall & Bot Protection","header_author":"Yevhen Leonidov","header_description":"BotBlocker Security is a powerful WordPress plugin designed to safeguard your website from unwanted bots and malicious activities. With advanced detection algorithms, BotBlocker identifies and blocks harmful bots, reducing spam and protecting your site's resources. The plugin provides real-time monitoring and customizable rules, allowing you to control access and enhance site security effortlessly. Easy to install and configure, BotBlocker ensures a smooth user experience while keeping your site safe from automated threats. Keep your WordPress site secure and running efficiently with BotBlocker.","assets_banners_color":"c9dceb","last_updated":"2026-06-17 18:31:27","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/botblocker.top\/","header_author_uri":"https:\/\/leonidov.dev\/","rating":5,"author_block_rating":0,"active_installs":3000,"downloads":7715,"num_ratings":9,"support_threads":6,"support_threads_resolved":6,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.6.10":{"tag":"1.6.10","author":"globusstudio","date":"2026-02-14 13:40:05"},"1.6.11":{"tag":"1.6.11","author":"globusstudio","date":"2026-03-02 22:58:29"},"1.6.12":{"tag":"1.6.12","author":"globusstudio","date":"2026-03-04 00:41:50"},"1.6.13":{"tag":"1.6.13","author":"globusstudio","date":"2026-03-06 23:33:59"},"1.6.14":{"tag":"1.6.14","author":"globusstudio","date":"2026-03-10 18:22:49"},"1.6.15":{"tag":"1.6.15","author":"globusstudio","date":"2026-03-25 15:52:45"},"1.6.16":{"tag":"1.6.16","author":"globusstudio","date":"2026-04-10 11:09:50"},"1.6.17":{"tag":"1.6.17","author":"globusstudio","date":"2026-04-12 09:26:41"},"1.6.18":{"tag":"1.6.18","author":"globusstudio","date":"2026-04-27 20:45:44"},"1.6.19":{"tag":"1.6.19","author":"globusstudio","date":"2026-05-08 23:23:17"},"1.6.20":{"tag":"1.6.20","author":"globusstudio","date":"2026-05-23 13:04:28"},"1.6.21":{"tag":"1.6.21","author":"globusstudio","date":"2026-06-17 18:31:27"},"1.6.3":{"tag":"1.6.3","author":"globusstudio","date":"2025-11-02 20:07:55"},"1.6.4":{"tag":"1.6.4","author":"globusstudio","date":"2025-11-04 14:16:18"},"1.6.5":{"tag":"1.6.5","author":"globusstudio","date":"2025-11-25 15:59:56"},"1.6.6":{"tag":"1.6.6","author":"globusstudio","date":"2025-12-04 01:37:19"},"1.6.7":{"tag":"1.6.7","author":"globusstudio","date":"2025-12-09 14:25:48"},"1.6.8":{"tag":"1.6.8","author":"globusstudio","date":"2025-12-15 15:33:07"},"1.6.9":{"tag":"1.6.9","author":"globusstudio","date":"2026-01-24 22:47:11"}},"upgrade_notice":[],"ratings":{"1":0,"2":0,"3":0,"4":0,"5":9},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3405280,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3405280,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3405280,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3405280,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.6.10","1.6.11","1.6.12","1.6.13","1.6.14","1.6.15","1.6.16","1.6.17","1.6.18","1.6.19","1.6.20","1.6.21","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9"],"block_files":[],"assets_screenshots":{"screenshot-1.jpg":{"filename":"screenshot-1.jpg","revision":3446309,"resolution":"1","location":"assets","locale":"","width":1600,"height":1050},"screenshot-10.jpg":{"filename":"screenshot-10.jpg","revision":3446309,"resolution":"10","location":"assets","locale":"","width":1600,"height":1050},"screenshot-2.jpg":{"filename":"screenshot-2.jpg","revision":3446309,"resolution":"2","location":"assets","locale":"","width":1600,"height":1050},"screenshot-3.jpg":{"filename":"screenshot-3.jpg","revision":3446309,"resolution":"3","location":"assets","locale":"","width":1600,"height":1050},"screenshot-4.jpg":{"filename":"screenshot-4.jpg","revision":3446309,"resolution":"4","location":"assets","locale":"","width":1600,"height":1050},"screenshot-5.jpg":{"filename":"screenshot-5.jpg","revision":3446309,"resolution":"5","location":"assets","locale":"","width":1600,"height":1050},"screenshot-6.jpg":{"filename":"screenshot-6.jpg","revision":3446309,"resolution":"6","location":"assets","locale":"","width":1600,"height":1050},"screenshot-7.jpg":{"filename":"screenshot-7.jpg","revision":3446309,"resolution":"7","location":"assets","locale":"","width":1600,"height":1050},"screenshot-8.jpg":{"filename":"screenshot-8.jpg","revision":3446309,"resolution":"8","location":"assets","locale":"","width":1600,"height":1050},"screenshot-9.jpg":{"filename":"screenshot-9.jpg","revision":3446309,"resolution":"9","location":"assets","locale":"","width":1600,"height":1050}},"screenshots":{"1":"Dashboard with attack map, blocked-vs-allowed chart, and real-time statistics","2":"8-step Setup Wizard - from welcome to test attack in under 5 minutes","3":"Two-Factor Authentication setup with backup codes","4":"Live traffic monitor with full request context - IP, country, ASN, device, browser, block reason","5":"Rules manager - IP, IP range, ASN, country, User-Agent, Referer, hostname","6":"Settings panel with CAPTCHA mode selector, security presets, and detailed options","7":"Speed optimization settings (PRO)","8":"Integration settings for reCAPTCHA, Redis, Memcached and more","9":"Addon marketplace - one-click install for Security Headers, Hide Login, Speed Up, Malware Scanner","10":"Health Score gauge - 42 parameters, 5 security levels, real-time scoring"}},"plugin_section":[262246],"plugin_tags":[2656,2439,362,1174,600],"plugin_category":[54],"plugin_contributors":[250140,250139,250136],"plugin_business_model":[],"class_list":["post-251503","plugin","type-plugin","status-publish","hentry","plugin_section-dashboard-widgets","plugin_tags-anti-spam","plugin_tags-brute-force","plugin_tags-captcha","plugin_tags-firewall","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-alexandrkinakh","plugin_contributors-alukashevych","plugin_contributors-globusstudio","plugin_committers-globusstudio"],"banners":{"banner":"https:\/\/ps.w.org\/botblocker-security\/assets\/banner-772x250.png?rev=3405280","banner_2x":"https:\/\/ps.w.org\/botblocker-security\/assets\/banner-1544x500.png?rev=3405280","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/botblocker-security\/assets\/icon-128x128.png?rev=3405280","icon_2x":"https:\/\/ps.w.org\/botblocker-security\/assets\/icon-256x256.png?rev=3405280","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-1.jpg?rev=3446309","caption":"Dashboard with attack map, blocked-vs-allowed chart, and real-time statistics"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-2.jpg?rev=3446309","caption":"8-step Setup Wizard - from welcome to test attack in under 5 minutes"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-3.jpg?rev=3446309","caption":"Two-Factor Authentication setup with backup codes"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-4.jpg?rev=3446309","caption":"Live traffic monitor with full request context - IP, country, ASN, device, browser, block reason"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-5.jpg?rev=3446309","caption":"Rules manager - IP, IP range, ASN, country, User-Agent, Referer, hostname"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-6.jpg?rev=3446309","caption":"Settings panel with CAPTCHA mode selector, security presets, and detailed options"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-7.jpg?rev=3446309","caption":"Speed optimization settings (PRO)"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-8.jpg?rev=3446309","caption":"Integration settings for reCAPTCHA, Redis, Memcached and more"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-9.jpg?rev=3446309","caption":"Addon marketplace - one-click install for Security Headers, Hide Login, Speed Up, Malware Scanner"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-10.jpg?rev=3446309","caption":"Health Score gauge - 42 parameters, 5 security levels, real-time scoring"}],"raw_content":"<!--section=description-->\n<p><strong>BotBlocker Security blocks 99% of automated attacks before WordPress even loads.<\/strong> No bloat, no slowdowns, no monthly fees for core protection.<\/p>\n\n<p>If your site is hit by login brute force, spam comments, fake Googlebots, content scrapers, or XML-RPC floods, you are not alone: bots generate over 47% of all web traffic. Most security plugins react after WordPress boots, wasting CPU and memory on every bad request. <strong>BotBlocker stops them at the door.<\/strong><\/p>\n\n<h4>Why site owners switch to BotBlocker<\/h4>\n\n<ul>\n<li><strong>Faster than the competition.<\/strong> Runs on early init through three interception layers, before themes and plugins load. Server load drops during attacks instead of spiking.<\/li>\n<li><strong>Smarter CAPTCHA.<\/strong> 9 modes including Silent Auto-Verify - zero clicks for humans, hard wall for bots. Proprietary CAPTCHAs defeat AI-based solvers that crack reCAPTCHA for $2-3 per 1 000.<\/li>\n<li><strong>Honest free version.<\/strong> Full firewall, all 9 CAPTCHA modes, full 2FA, full logging, full Multisite support. No nag screens, no crippled features.<\/li>\n<li><strong>Privacy-first.<\/strong> No visitor data leaves your server. GDPR and CCPA compliant out of the box.<\/li>\n<li><strong>Works with everything.<\/strong> Cloudflare, WP Rocket, LiteSpeed, WooCommerce, Elementor, multisite, IPv6, PHP 7.4 to 8.5.<\/li>\n<\/ul>\n\n<h4>\ud83d\udee1\ufe0f Core Firewall (Free)<\/h4>\n\n<ul>\n<li><strong>Three-Layer Architecture<\/strong> - intercepts traffic at wp-config.php (before WordPress), MU-plugin phase, and main shield. The first layer blocks known threats without loading WordPress at all, saving 30-100ms and 5-20MB RAM per blocked request.<\/li>\n<li><strong>Web Application Firewall (WAF)<\/strong> with real-time rule updates via the BotBlocker Threat Defense Feed<\/li>\n<li><strong>2 899 User-Agent signatures<\/strong> - largest blacklist among WordPress plugins - covering Scrapy, Selenium, Puppeteer, PhantomJS, curl, wget, Python, Java, Perl, and SQL injection tools<\/li>\n<li><strong>Brute force protection<\/strong> with progressive lockouts - 5 attempts per 15 minutes, escalating bans for repeat offenders<\/li>\n<li><strong>Anti-spam<\/strong> for comments, registration, contact forms - spammers blocked before they connect<\/li>\n<li><strong>XML-RPC and REST API<\/strong> locked down by default with allowlist for trusted services<\/li>\n<li><strong>Fake crawler detection<\/strong> via FCrDNS (dual-direction DNS verification), ASN tokens, and published IP ranges - 95% effective, impossible to spoof without controlling the provider's DNS zone<\/li>\n<li><strong>LLM \/ AI crawler management<\/strong> - allow or block GPTBot, ChatGPT-User, ClaudeBot, PerplexityBot, Bytespider via CIDR-verified IP ranges. Trusted crawlers verified, impersonators blocked.<\/li>\n<li><strong>Country, ASN, IP range, User-Agent, Referer<\/strong> blocking rules with instant enforcement<\/li>\n<li><strong>Cloudflare-aware<\/strong> real-IP resolution and origin bypass protection<\/li>\n<li><strong>Full IPv6 support<\/strong> - separate tables and logic for IPv4 and IPv6, every feature works with both<\/li>\n<li><strong>Live traffic monitor<\/strong> with attack map, country, ASN, device, browser, and exact block reason for every request<\/li>\n<li><strong>Built-in caching<\/strong> via Redis and Memcached - free, auto-disable on connection failure<\/li>\n<\/ul>\n\n<h4>\ud83d\udd12 Login Security &amp; 2FA (Free)<\/h4>\n\n<ul>\n<li><strong>Two-Factor Authentication<\/strong> compatible with Google Authenticator, Authy, 1Password, Bitwarden - TOTP standard with 10 backup codes<\/li>\n<li><strong>9 CAPTCHA modes<\/strong>: Silent Auto-Verify, Single Button, Color CAPTCHA, Images CAPTCHA, Shapes CAPTCHA (60fps Canvas), Digits CAPTCHA, Hold Button CAPTCHA, plus Google reCAPTCHA v2 and v3<\/li>\n<li><strong>Hybrid Mode<\/strong> - combine any internal CAPTCHA with reCAPTCHA v3 for two-layer invisible defense<\/li>\n<li><strong>Hide login URL<\/strong> <em>(PRO)<\/em><\/li>\n<li><strong>Configurable lockout durations<\/strong> with escalation for repeat offenders - failed CAPTCHA triggers short ban, repeated failure triggers 24-hour ban<\/li>\n<\/ul>\n\n<h4>\ud83d\udcb3 Payment Gateway Bypass (Free)<\/h4>\n\n<p>Auto-detects 25+ e-commerce platforms (WooCommerce, Easy Digital Downloads, SureCart, MemberPress, Paid Memberships Pro, Give, Dokan, CartFlows, FunnelKit, and more) and 150+ payment providers (Stripe, PayPal, Mollie, Adyen, Braintree, Square, Razorpay, Klarna, Paddle, Authorize.Net, 2Checkout, YooKassa, LiqPay, and more). <strong>Webhooks, IPN callbacks, and payment notifications never get blocked.<\/strong> Four detection layers ensure zero false positives on payment traffic.<\/p>\n\n<h4>\ud83d\udcca Visibility &amp; Control (Free)<\/h4>\n\n<ul>\n<li>Visual dashboard with attack map, top offenders, blocked-vs-allowed ratio, world traffic map<\/li>\n<li>Detailed event log with IP, country, ASN, User-Agent, and exact block reason - 54 unique event codes<\/li>\n<li>Health Score gauge - 42 parameters across 3 categories, 5 security levels from Critical to Secure<\/li>\n<li>3 security presets - Light, Strong, Full - one-click configuration<\/li>\n<li>Setup Wizard - 8 steps from welcome to test attack, setup in under 5 minutes<\/li>\n<li>8 interface languages - English, Deutsch, Espa\u00f1ol, Fran\u00e7ais, Polski, \u0420\u0443\u0441\u0441\u043a\u0438\u0439, \u0423\u043a\u0440\u0430\u0457\u043d\u0441\u044c\u043a\u0430 + POT template<\/li>\n<li>Configurable retention with timezone and DST awareness<\/li>\n<li>Clean uninstall - drops all 16 tables, removes 40+ options, clears cron hooks. Zero leftover data.<\/li>\n<\/ul>\n\n<h4>\ud83d\ude80 PRO Adds (Premium \/ Pro \/ Ultimate)<\/h4>\n\n<ul>\n<li>Real-time cloud threat intelligence cross-checked against global databases - 5M+ attack IPs, hundreds of thousands of bot signatures, updated daily<\/li>\n<li>Zero-day behavioral and heuristic detection - catches unknown attack patterns before signatures exist<\/li>\n<li>VPN, Tor, proxy, ASN, and hosting reputation checks<\/li>\n<li>Early Init Mode - filtering before WordPress Core loads, maximum resource savings during attacks<\/li>\n<li>Hide Login URL addon - custom admin URL, hardened wp-login.php protection<\/li>\n<li>Security Headers addon - HSTS, CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy, X-Content-Type-Options<\/li>\n<li>Speed Up WordPress addon - 14 frontend and server optimizations<\/li>\n<li>Malware Scanner addon - 25 patterns scanning files + 7 database tables, detects webshells, eval injections, base64-obfuscated code hidden in wp_options and post_content<\/li>\n<li>Priority support - 24-hour response time<\/li>\n<\/ul>\n\n<p>Four plans to match your traffic: <strong>Premium<\/strong> ($12\/month, 25k cloud checks), <strong>Pro<\/strong> ($50\/month, 100k cloud checks), <strong>Ultimate<\/strong> ($100\/month, 250k cloud checks + emergency 24h support). Annual billing includes 1 month free. 30-day refund policy. Licensed per domain, billed securely via Freemius.<\/p>\n\n<p><a href=\"https:\/\/botblocker.top\/pricing\/\">Compare plans \u2192<\/a><\/p>\n\n<h4>\u26a1 Performance &amp; Compatibility<\/h4>\n\n<ul>\n<li><strong>Zero database queries<\/strong> for returning visitors - 9 runtime PHP files with SHA-256 integrity signatures, loaded via <code>include<\/code><\/li>\n<li>Measured overhead: <strong>+3-15ms<\/strong> TTFB for cached visitors, <strong>+50-200ms<\/strong> for first-time PTR lookups, <strong>+2-4MB<\/strong> memory<\/li>\n<li>Redis and Memcached support - free, auto-disables gracefully on connection failure<\/li>\n<li><strong>Cache plugin compatibility<\/strong> - automatic <code>DONOTCACHEPAGE<\/code> and <code>Cache-Control: no-store<\/code> on verification pages. Works with WP Super Cache, W3 Total Cache, WP Rocket, LiteSpeed Cache, Hummingbird, WP Fastest Cache, Cache Enabler<\/li>\n<li><strong>CDN and WAF compatibility<\/strong> - Cloudflare, Sucuri, Incapsula, AWS CloudFront, Fastly, KeyCDN, StackPath. Multi-header real-IP resolution (CF-Connecting-IP, X-Forwarded-For, X-Real-IP)<\/li>\n<li><strong>DDoS Protection Compatibility<\/strong> - automatic detection of JS-challenges from DDoS-Guard, Stormwall, Qrator. HMAC-signed AJAX responses, Circuit Breaker with automatic retry and backoff. BotBlocker is the only WordPress plugin that works correctly behind aggressive DDoS protection without manual configuration.<\/li>\n<li><strong>Multisite Support<\/strong> - network activation, per-site data, per-site cleanup. Free on all plans.<\/li>\n<li><strong>PHP 7.4 \u2013 8.5<\/strong> - tested across 7 PHP versions. <strong>WordPress 5.0 \u2013 7.0+<\/strong>. Linux and Windows.<\/li>\n<li>GDPR and CCPA compliant - no PII collected, technical parameters only, Legitimate Interest basis (Art. 6(1)(f))<\/li>\n<\/ul>\n\n<h4>\ud83e\udd1d Trusted by<\/h4>\n\n<ul>\n<li>3 000+ active installations<\/li>\n<li>Translated into 8 languages<\/li>\n<li>Tested up to WordPress 7.0 and PHP 8.5<\/li>\n<li>Developed and maintained by GLOBUS.studio<\/li>\n<\/ul>\n\n<blockquote>\n  <p>\"Replaced two security plugins and a CAPTCHA plugin with one. Site is faster and the spam stopped overnight.\" - WordPress.org user<\/p>\n<\/blockquote>\n\n<h3>Privacy<\/h3>\n\n<p>BotBlocker Security does <strong>not<\/strong> collect or process personal data of your visitors. All cloud analysis is performed on technical parameters only (IP, headers, User-Agent). No personally identifiable information is collected, stored, or transmitted to any external service.<\/p>\n\n<h3>Support and Documentation<\/h3>\n\n<ul>\n<li>Product site: <a href=\"https:\/\/botblocker.top\/products\/\">https:\/\/botblocker.top\/products\/<\/a><\/li>\n<li>Pricing and PRO plans: <a href=\"https:\/\/botblocker.top\/pricing\/\">https:\/\/botblocker.top\/pricing\/<\/a><\/li>\n<li>Documentation: <a href=\"https:\/\/botblocker.top\/docs\/\">https:\/\/botblocker.top\/docs\/<\/a><\/li>\n<li>Contact\/support: <a href=\"https:\/\/botblocker.top\/contacts\/\">https:\/\/botblocker.top\/contacts\/<\/a><\/li>\n<li>Community: <a href=\"https:\/\/botblocker.top\/community\/\">https:\/\/botblocker.top\/community\/<\/a><\/li>\n<\/ul>\n\n<h3>License<\/h3>\n\n<p>This plugin is licensed under the GPLv2 or later. See LICENSE.txt for details.<\/p>\n\n<h3>Credits &amp; Authors<\/h3>\n\n<p>BotBlocker Security is developed and maintained by GLOBUS.studio.<\/p>\n\n<ul>\n<li>Concept, architecture &amp; code - Yevhen Leonidov: <a href=\"https:\/\/leonidov.dev\/\">https:\/\/leonidov.dev\/<\/a><\/li>\n<li>Code, code review - Andrii Lukashevych<\/li>\n<li>Code, translations - Aleksandr Kinakh<\/li>\n<\/ul>\n\n<p><strong>BotBlocker Security - The first line of defense for your WordPress site.<\/strong><\/p>\n\n<!--section=installation-->\n<h4>60-second setup<\/h4>\n\n<ol>\n<li>In WordPress admin, go to <strong>Plugins \u2192 Add New<\/strong> and search for \"BotBlocker Security\"<\/li>\n<li>Click <strong>Install Now<\/strong>, then <strong>Activate<\/strong><\/li>\n<li>Open <strong>BotBlocker<\/strong> in the admin menu and follow the Setup Wizard - 8 steps with compatibility test and test attack<\/li>\n<\/ol>\n\n<p>Default settings protect most sites immediately. For advanced configuration, three security presets (Light \/ Strong \/ Full) give you one-click protection tuned to your needs.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"is%20botblocker%20security%20really%20free%3F\"><h3>Is BotBlocker Security really free?<\/h3><\/dt>\n<dd><p>Yes. The free version includes: three-layer firewall, all 9 CAPTCHA modes, FCrDNS bot verification, 2FA with backup codes, anti-spam, brute-force protection, XML-RPC and REST API protection, live traffic monitor, Redis\/Memcached, Multisite support, and DDoS compatibility. PRO adds cloud threat intelligence (5M+ attack IPs, hundreds of thousands of bot signatures), Early Init Mode, premium addons (Hide Login, Security Headers, Speed Up, Malware Scanner), and priority support. Premium starts at $12\/month.<\/p><\/dd>\n<dt id=\"will%20it%20slow%20down%20my%20site%3F\"><h3>Will it slow down my site?<\/h3><\/dt>\n<dd><p>No. Measured overhead is +3-15ms for verified visitors with zero database queries - all rules load from 9 pre-generated PHP files with SHA-256 integrity. Under attack, server load typically <strong>drops<\/strong> because bad requests are rejected at the earliest interception layer, before WordPress, PHP, or database code runs. FULL mode saves 30-100ms and 5-20MB RAM per blocked request.<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20cloudflare%20or%20a%20cdn%3F\"><h3>Does it work with Cloudflare or a CDN?<\/h3><\/dt>\n<dd><p>Yes. BotBlocker reads proxy headers (CF-Connecting-IP, X-Forwarded-For, X-Real-IP) to find the real client IP and blocks attempts to bypass Cloudflare by hitting your origin directly. Fully compatible with Cloudflare, Sucuri, Incapsula, AWS CloudFront, Fastly, KeyCDN, and StackPath.<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20woocommerce%20and%20payment%20gateways%3F\"><h3>Does it work with WooCommerce and payment gateways?<\/h3><\/dt>\n<dd><p>Yes. Version 1.6.18 added auto-detection for 25+ e-commerce platforms and 150+ payment providers. Stripe, PayPal, Mollie, Adyen, Razorpay, YooKassa, and other webhooks are automatically recognized and never blocked. Four detection layers (paths, query keys, AJAX actions, signature headers) ensure zero interference with payment processing.<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20caching%20plugins%3F\"><h3>Does it work with caching plugins?<\/h3><\/dt>\n<dd><p>Yes. BotBlocker automatically sets <code>DONOTCACHEPAGE<\/code> and <code>Cache-Control: no-store<\/code> on verification pages so PHP-based cache plugins never cache security barriers. Works out of the box with WP Super Cache (PHP mode), W3 Total Cache, WP Rocket, LiteSpeed Cache, Hummingbird, WP Fastest Cache, and Cache Enabler. Server-level caches (Nginx FastCGI, Varnish) need a cookie-based bypass rule - see <code>docs\/CACHE-COMPATIBILITY.md<\/code>.<\/p><\/dd>\n<dt id=\"does%20it%20work%20behind%20ddos-guard%2C%20stormwall%2C%20or%20similar%20services%3F\"><h3>Does it work behind DDoS-Guard, Stormwall, or similar services?<\/h3><\/dt>\n<dd><p>Yes. Since version 1.6.13, BotBlocker auto-detects JS-challenges from external DDoS protection services. HMAC-signed AJAX responses let the plugin distinguish its own responses from DDoS-provider challenge pages. Circuit Breaker prevents retry storms (3 failures \u2192 30-second cooldown). BotBlocker is the only WordPress security plugin that works correctly behind aggressive DDoS protection without manual whitelisting. See <code>docs\/DDOS-COMPATIBILITY.md<\/code>.<\/p><\/dd>\n<dt id=\"will%20it%20lock%20me%20out%3F\"><h3>Will it lock me out?<\/h3><\/dt>\n<dd><p>No. BotBlocker auto-detects your server IP during setup and lets you allowlist admin IPs and trusted services. WP-Cron and internal WordPress calls always pass. If you ever get locked out, a hashed Secret URL (generated in the admin panel and sent to the admin email) provides emergency access - no FTP required.<\/p><\/dd>\n<dt id=\"does%20it%20collect%20visitor%20data%3F\"><h3>Does it collect visitor data?<\/h3><\/dt>\n<dd><p>No. Only technical request parameters (IP, headers, User-Agent) are analyzed locally on your server. Nothing personal is stored or sent anywhere. GDPR-compliant under Legitimate Interest (Art. 6(1)(f)). CCPA compliant - no PII collection, no data sale. Full details in <code>docs\/PRIVACY.md<\/code>.<\/p><\/dd>\n<dt id=\"does%20it%20support%20ipv6%3F\"><h3>Does it support IPv6?<\/h3><\/dt>\n<dd><p>Yes. Every feature works with IPv4, IPv6, or dual-stack setups. Separate database tables and logic for each protocol family.<\/p><\/dd>\n<dt id=\"does%20it%20support%20multisite%3F\"><h3>Does it support multisite?<\/h3><\/dt>\n<dd><p>Yes, since version 1.6.15. Network activation, per-site data isolation, per-site settings, and per-site cleanup on uninstall. Free on all plans.<\/p><\/dd>\n<dt id=\"will%20it%20conflict%20with%20wordfence%2C%20sucuri%2C%20or%20other%20security%20plugins%3F\"><h3>Will it conflict with Wordfence, Sucuri, or other security plugins?<\/h3><\/dt>\n<dd><p>BotBlocker is designed to coexist. It operates very early in the request lifecycle and typically works alongside other plugins. The only thing to avoid is enabling the same CAPTCHA twice on the same form. Most users replace their previous security stack entirely.<\/p><\/dd>\n<dt id=\"which%20captcha%20should%20i%20choose%3F\"><h3>Which CAPTCHA should I choose?<\/h3><\/dt>\n<dd><p><strong>Silent Auto-Verify<\/strong> is the recommended default. Real users pass with zero clicks via JavaScript fingerprint checks behind the scenes - they see nothing. Bots see \"Access denied.\" For login pages, combine Silent Mode with reCAPTCHA v3 in Hybrid Mode for two-layer invisible defense. Shapes CAPTCHA (60fps Canvas with moving geometric figures) is the strongest against AI-based CAPTCHA solvers - it requires real-time computer vision, making it roughly 100x more expensive to crack than standard reCAPTCHA.<\/p><\/dd>\n<dt id=\"how%20does%20botblocker%20verify%20search%20engine%20bots%3F\"><h3>How does BotBlocker verify search engine bots?<\/h3><\/dt>\n<dd><p>Through <strong>FCrDNS<\/strong> (Forward-confirmed Reverse DNS) - the same method used by Cloudflare Bot Management, DataDome, and Akamai Bot Manager. Googlebot is verified via PTR (.googlebot.com) + ASN (15169). YandexBot uses triple verification (PTR + ASN 13238 + IP CIDR). Facebook gets dual verification (PTR + ASN 32934). 95% effective against fake crawlers - you cannot spoof FCrDNS without controlling the provider's DNS zone.<\/p><\/dd>\n<dt id=\"can%20i%20block%20ai%20crawlers%20%28chatgpt%2C%20claude%2C%20perplexity%29%3F\"><h3>Can I block AI crawlers (ChatGPT, Claude, Perplexity)?<\/h3><\/dt>\n<dd><p>Yes. GPTBot, ChatGPT-User, OAI-SearchBot, ClaudeBot, Claude-SearchBot, and PerplexityBot are verified via CIDR ranges synced from the cloud API. You can allow or block each provider independently. Bytespider (ByteDance) is verified via PTR (.bytedance.com). Trusted AI crawlers pass; impersonators are blocked.<\/p><\/dd>\n<dt id=\"what%20is%20the%20health%20score%3F\"><h3>What is the Health Score?<\/h3><\/dt>\n<dd><p>A 42-parameter security assessment displayed as a visual gauge (0-100). Five levels: Critical (&lt;25), Weak (25-49), Moderate (50-69), Strong (70-84), Secure (\u226585). Three categories weighted: core protection (75%), cloud extended (25%), neutral indicators. The score updates in real-time as you change settings - a built-in guide to improving your site's security posture.<\/p><\/dd>\n<dt id=\"does%20the%20pro%20version%20include%20a%20trial%3F\"><h3>Does the PRO version include a trial?<\/h3><\/dt>\n<dd><p>No traditional trial. Instead, the free version includes the full firewall, all 9 CAPTCHA modes, FCrDNS verification, 2FA, Multisite, Redis\/Memcached, and live traffic monitoring - enough to protect most sites permanently. A limited-time Premium promo (14 days, no credit card) is available inside the plugin to try cloud features. PRO plans start at $12\/month with a 30-day refund policy.<\/p><\/dd>\n<dt id=\"what%20happens%20when%20i%20delete%20the%20plugin%3F\"><h3>What happens when I delete the plugin?<\/h3><\/dt>\n<dd><p>Clean uninstall: all 16 database tables are dropped, 40+ WordPress options deleted, 22+ transients cleared, 12 cron hooks removed, MU-plugin files cleaned, and the uploads\/botblocker\/ directory deleted. On multisite, per-site cleanup runs in batches of 50. Zero leftover data - no orphaned rows, no stale cron jobs.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.6.21<\/h4>\n\n<p>Add LLM\/AI Crawler Whitelist system with dedicated database, admin management UI, and cloud-synced coverage for OpenAI, Claude, Gemini, Perplexity, and other AI crawlers\nAdd Daily Summary Statistics pipeline with incremental aggregation for fast multi-day analytics\nAdd Geo-Blocking - block entire countries from admin dashboard with import\/export support\nAdd DDoS Resilience Mode - HMAC-signed verification responses prevent forged challenge bypass\nAdd Session Token Verification - cookie-less browser fingerprint for restricted hosting environments\nAdd Data File Tampering Detection - automatic recovery from corrupted runtime data files\nAdd Addon Traffic Decision Pipeline - 6 interception points for addons to control visitor flow at each stage\nAdd Centralized Alert System - admin alerts for cloud connection, ASN database, file integrity, and cache plugin conflicts\nAdd RKN (Roskomnadzor) IP Blocking - cloud-synced Russian government blocklist with CIDR matching, scheduled auto-update, self-healing, and manual refresh from admin tools\nImprove verified crawler coverage - WhatsApp, Bluesky (Cardyb), BingPreview with updated Yandex CIDRs and ASN tokens\nImprove multisite support - per-site early init bootstrap generation, addon lifecycle fixes across network sites\nImprove compatibility - WordPress Plugin Check compliance, nonce_user_logged_out guard for third-party plugin conflicts, WP-Cron and core update screen bypass<\/p>\n\n<h4>1.6.20<\/h4>\n\n<p>Add WordPress 7.0 compatibility and Connections support for BotBlocker Security\nFix WordPress 7.0 REST OPTIONS permission checks from wp-admin pages\nAdd ASN allow, block, dark, and gray rule handling with safer crawler verification\nImprove anti-detect checks for critical browser fingerprint mismatch combinations\nFix Geo country rule sanitization and Cloud API contact email validation\nImprove plugin update notices when remote changelog data is unavailable<\/p>\n\n<h4>1.6.19<\/h4>\n\n<p>Add new security rules to block emerging threats with updated ASN coverage\nUpdate coverage for new bots and crawlers\nAdd coverage for 20+ payment providers in the Payment Gateway Bypass whitelist\nAdd HEAD request support for security checks and blocking\nFix minor bugs and UI glitches in admin panel\nFix language selection issue\nFix setup wizard issue with some hosting environments\nUpdate translation files<\/p>\n\n<h4>1.6.18<\/h4>\n\n<p>Add new ASN database with auto-update\nAdd Payment Gateway Bypass: dedicated whitelist for legitimate payment callbacks (webhooks, IPN, postbacks) so checkout notifications are never blocked\nAdd auto-detection for 25+ e-commerce platforms (WooCommerce, EDD, SureCart, MemberPress, RCP, PMPro, Give, Dokan, WCFM, CartFlows, FunnelKit, etc.)\nAdd built-in coverage for 30+ payment providers: Stripe, PayPal, Mollie, Adyen, Braintree, Square, Razorpay, CloudPayments, WayForPay, LiqPay, Fondy, PayU, Klarna, Paystack, Flutterwave, GoCardless, Paddle, Authorize.Net, 2Checkout and more\nAdd new \"Payment Gateways\" tab in Advanced Settings<\/p>\n\n<h4>1.6.17<\/h4>\n\n<p>Fix third-party library compatibility issues affecting some hosting environments\nFix minor bugs and plugin incompatibilities with popular WordPress plugins\nImprove legacy browser support\nImprove Security Headers addon with stricter defaults and additional directives\nImprove shared hosting compatibility with enhanced environment detection and fallback logic\nImprove statistics and reporting \nAdd updated ASN tables\nAdd cookie diagnostics tool\nAdd cache compatibility\nUpdate vulnerability signature database\nUpdate translation files<\/p>\n\n<h4>1.6.16<\/h4>\n\n<p>Add new CAPTCHA mode: Silent Auto-Verify - real users pass automatically with zero interaction, bots see \"Access denied\"\nAdd Silent Auto-Verify as the new recommended default in the setup wizard\nAdd Security Headers addon support (HSTS, CSP, X-Frame-Options, Permissions-Policy - coming soon to the addon marketplace)\nAdd updated LLM and AI bot whitelist\nAdd improved ASN validation with extended provider database and stricter hosting\/VPN detection\nAdd improved PTR record verification with multi-resolver fallback for more accurate fake-crawler detection\nAdd cache compatibility for Swift Performance, Cache Enabler, and Starter Templates caching\nFix CAPTCHA challenge token race condition in extended secure mode (SECURE_MODE_FULL)\nFix GD library fallback - now correctly falls back to Simple Button (mode 0) instead of Color Buttons when GD and reCAPTCHA are both unavailable\nFix CAPTCHA timeout handling for Silent Auto-Verify mode to prevent potential redirect loops\nFix 2FA backup code validation edge case on PHP 8.5\nImprove challenge token security with mode-specific transient TTL (1 hour for Silent Auto-Verify)\nImprove silent mode retry logic with sessionStorage-based counter surviving page reloads\nImprove setup wizard UI - removed duplicate \"Recommended\" badge from Image Recognition\nUpdate translation files<\/p>\n\n<h4>1.6.15<\/h4>\n\n<p>Add multisite support\nAdd LLM whitelist for trusted crawlers and services\nAdd new security rules to block emerging threats\nAdd compatibility improvements for WordPress 6.9.4\nFix minor bugs and UI glitches in admin panel\nUpdate translation files<\/p>\n\n<h4>1.6.14<\/h4>\n\n<p>Add automatic DDoS protection service compatibility (DDoS-Guard, Stormwall, etc.)\nAdd docs\/DDOS-COMPATIBILITY.md documentation\nUpdate cache compatibility layer\nUpdate 2FA libraries\nUpdate translation files<\/p>\n\n<h4>1.6.13<\/h4>\n\n<p>Improve support for shared hosting environments with dynamic self-IP detection and allowlist management\nImprove statistics sammary generation\nUpdate browser detection\nUpdate OS detection\nAdd privacy readme file\nUpdate translation files<\/p>\n\n<h4>1.6.12<\/h4>\n\n<p>Add new mode of image CAPTCHA: Image Delivery Mode (for high-traffic sites with caching)\nImprove compatibility with Firefox and Safari browsers\nFix minor issues with CAPTCHA rendering in some environments\nFix lagacy mode of Image CAPTCHA\nUpdate translation mode<\/p>\n\n<h4>1.6.11<\/h4>\n\n<p>Add new captcha type: hold button\nAdd cache compatibility layer: no-cache headers, DONOTCACHEPAGE, MU-phase cookie check\nAdd Vary: Cookie header option (Settings \u2192 Cookies \u2192 Cache Compatibility)\nAdd cache plugin incompatibility detection and admin alerts\nAdd docs\/CACHE-COMPATIBILITY.md with Nginx, Varnish, Apache, Cloudflare config examples\nAdd new security rules to block emerging threats\nImport data security improvements\nUpdate libraries and dependencies\nImprove translation files\nFix minor bugs<\/p>\n\n<h4>1.6.10<\/h4>\n\n<p>Fix captcha verification issue in some environments\nFix minor UI glitches in admin panel\nAdd OpenAI, Claude, and Gemini user agent detection<\/p>\n\n<h4>1.6.9<\/h4>\n\n<p>Add 2FA support for admin users\nAdd setup wizard improvements\nAdd PRO features\nFix performance issue in some environments\nImprove translation files\nUpdate libraries\nUpdate admin CSS styles<\/p>\n\n<h4>1.6.8<\/h4>\n\n<p>Fix cookie setting issue in some environments\nFix minor UI glitches in admin panel\nFix translation string issues<\/p>\n\n<h4>1.6.7<\/h4>\n\n<p>Add extended secure mode\nFix gauge chart rendering issue in some environments\nAdd missing translation strings\nAdd PHP 8.5 compatibility improvements<\/p>\n\n<h4>1.6.6<\/h4>\n\n<p>Fixed issue with cloud status page description not displaying correctly.\nFixed minor UI glitches in admin panel.\nAdd compatibility improvements for WordPress 6.9\nImproved translation files.<\/p>\n\n<h4>1.6.5<\/h4>\n\n<p>Minor bug fixes and improvements. Enhanced compatibility with WordPress 6.8<\/p>\n\n<h4>1.6.4<\/h4>\n\n<p>Improved compatibility with various hosting environments. Minor bug fixes and performance optimizations.<\/p>\n\n<h4>1.6.3<\/h4>\n\n<p>Bug fixes and improvements. Plugin now uses upload directory for better compatibility.<\/p>\n\n<h4>1.6.2<\/h4>\n\n<p>Major update: migrated to Chart.js for faster statistics rendering. Updated libraries and fixed minor bugs.<\/p>\n\n<h4>1.6.1<\/h4>\n\n<p>Maintenance release with bug fixes, updated libraries, and license improvements.<\/p>\n\n<h4>1.6.0<\/h4>\n\n<p>Significant performance improvements and extended detection layers for enhanced security.<\/p>","raw_excerpt":"Stop bots, brute force, spam, and fake crawlers before they reach WordPress. Three-layer firewall, 9 CAPTCHAs, FCrDNS, 2FA. Setup in 60 seconds.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/251503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=251503"}],"author":[{"embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/globusstudio"}],"wp:attachment":[{"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=251503"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=251503"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=251503"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=251503"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=251503"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=251503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}