{"id":251503,"date":"2025-11-02T17:11:49","date_gmt":"2025-11-02T17:11:49","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/botblocker-security\/"},"modified":"2026-05-23T13:04:28","modified_gmt":"2026-05-23T13:04:28","slug":"botblocker-security","status":"publish","type":"plugin","link":"https:\/\/kaa.wordpress.org\/plugins\/botblocker-security\/","author":21117379,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.6.20","stable_tag":"1.6.20","tested":"7.0","requires":"5.0","requires_php":"7.4","requires_plugins":null,"header_name":"BotBlocker Security - Firewall & Bot Protection","header_author":"Yevhen Leonidov","header_description":"BotBlocker Security is a powerful WordPress plugin designed to safeguard your website from unwanted bots and malicious activities. With advanced detection algorithms, BotBlocker identifies and blocks harmful bots, reducing spam and protecting your site's resources. The plugin provides real-time monitoring and customizable rules, allowing you to control access and enhance site security effortlessly. Easy to install and configure, BotBlocker ensures a smooth user experience while keeping your site safe from automated threats. Keep your WordPress site secure and running efficiently with BotBlocker.","assets_banners_color":"c9dceb","last_updated":"2026-05-23 13:04:28","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/botblocker.top\/","header_author_uri":"https:\/\/leonidov.dev\/","rating":5,"author_block_rating":0,"active_installs":3000,"downloads":6873,"num_ratings":9,"support_threads":5,"support_threads_resolved":2,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.6.10":{"tag":"1.6.10","author":"globusstudio","date":"2026-02-14 13:40:05"},"1.6.11":{"tag":"1.6.11","author":"globusstudio","date":"2026-03-02 22:58:29"},"1.6.12":{"tag":"1.6.12","author":"globusstudio","date":"2026-03-04 00:41:50"},"1.6.13":{"tag":"1.6.13","author":"globusstudio","date":"2026-03-06 23:33:59"},"1.6.14":{"tag":"1.6.14","author":"globusstudio","date":"2026-03-10 18:22:49"},"1.6.15":{"tag":"1.6.15","author":"globusstudio","date":"2026-03-25 15:52:45"},"1.6.16":{"tag":"1.6.16","author":"globusstudio","date":"2026-04-10 11:09:50"},"1.6.17":{"tag":"1.6.17","author":"globusstudio","date":"2026-04-12 09:26:41"},"1.6.18":{"tag":"1.6.18","author":"globusstudio","date":"2026-04-27 20:45:44"},"1.6.19":{"tag":"1.6.19","author":"globusstudio","date":"2026-05-08 23:23:17"},"1.6.20":{"tag":"1.6.20","author":"globusstudio","date":"2026-05-23 13:04:28"},"1.6.3":{"tag":"1.6.3","author":"globusstudio","date":"2025-11-02 20:07:55"},"1.6.4":{"tag":"1.6.4","author":"globusstudio","date":"2025-11-04 14:16:18"},"1.6.5":{"tag":"1.6.5","author":"globusstudio","date":"2025-11-25 15:59:56"},"1.6.6":{"tag":"1.6.6","author":"globusstudio","date":"2025-12-04 01:37:19"},"1.6.7":{"tag":"1.6.7","author":"globusstudio","date":"2025-12-09 14:25:48"},"1.6.8":{"tag":"1.6.8","author":"globusstudio","date":"2025-12-15 15:33:07"},"1.6.9":{"tag":"1.6.9","author":"globusstudio","date":"2026-01-24 22:47:11"}},"upgrade_notice":[],"ratings":{"1":0,"2":0,"3":0,"4":0,"5":9},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3405280,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3405280,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3405280,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3405280,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.6.10","1.6.11","1.6.12","1.6.13","1.6.14","1.6.15","1.6.16","1.6.17","1.6.18","1.6.19","1.6.20","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9"],"block_files":[],"assets_screenshots":{"screenshot-1.jpg":{"filename":"screenshot-1.jpg","revision":3446309,"resolution":"1","location":"assets","locale":"","width":1600,"height":1050},"screenshot-10.jpg":{"filename":"screenshot-10.jpg","revision":3446309,"resolution":"10","location":"assets","locale":"","width":1600,"height":1050},"screenshot-2.jpg":{"filename":"screenshot-2.jpg","revision":3446309,"resolution":"2","location":"assets","locale":"","width":1600,"height":1050},"screenshot-3.jpg":{"filename":"screenshot-3.jpg","revision":3446309,"resolution":"3","location":"assets","locale":"","width":1600,"height":1050},"screenshot-4.jpg":{"filename":"screenshot-4.jpg","revision":3446309,"resolution":"4","location":"assets","locale":"","width":1600,"height":1050},"screenshot-5.jpg":{"filename":"screenshot-5.jpg","revision":3446309,"resolution":"5","location":"assets","locale":"","width":1600,"height":1050},"screenshot-6.jpg":{"filename":"screenshot-6.jpg","revision":3446309,"resolution":"6","location":"assets","locale":"","width":1600,"height":1050},"screenshot-7.jpg":{"filename":"screenshot-7.jpg","revision":3446309,"resolution":"7","location":"assets","locale":"","width":1600,"height":1050},"screenshot-8.jpg":{"filename":"screenshot-8.jpg","revision":3446309,"resolution":"8","location":"assets","locale":"","width":1600,"height":1050},"screenshot-9.jpg":{"filename":"screenshot-9.jpg","revision":3446309,"resolution":"9","location":"assets","locale":"","width":1600,"height":1050}},"screenshots":{"1":"Dashboard overview with visual charts and statistics","2":"Wizard setup for quick configuration","3":"2FA setup for admin users","4":"Live traffic monitoring and threat log","5":"Rules management interface","6":"Settings panel with detailed options","7":"Speed optimization settings (PRO)","8":"Integration settings for ReCAPTCHA, Redis, Memcached and more","9":"Addon management interface","10":"Health check and diagnostics tool"}},"plugin_section":[262246],"plugin_tags":[2656,2439,362,1174,600],"plugin_category":[54],"plugin_contributors":[250140,250139,250136],"plugin_business_model":[],"class_list":["post-251503","plugin","type-plugin","status-publish","hentry","plugin_section-dashboard-widgets","plugin_tags-anti-spam","plugin_tags-brute-force","plugin_tags-captcha","plugin_tags-firewall","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-alexandrkinakh","plugin_contributors-alukashevych","plugin_contributors-globusstudio","plugin_committers-globusstudio"],"banners":{"banner":"https:\/\/ps.w.org\/botblocker-security\/assets\/banner-772x250.png?rev=3405280","banner_2x":"https:\/\/ps.w.org\/botblocker-security\/assets\/banner-1544x500.png?rev=3405280","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/botblocker-security\/assets\/icon-128x128.png?rev=3405280","icon_2x":"https:\/\/ps.w.org\/botblocker-security\/assets\/icon-256x256.png?rev=3405280","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-1.jpg?rev=3446309","caption":"Dashboard overview with visual charts and statistics"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-2.jpg?rev=3446309","caption":"Wizard setup for quick configuration"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-3.jpg?rev=3446309","caption":"2FA setup for admin users"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-4.jpg?rev=3446309","caption":"Live traffic monitoring and threat log"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-5.jpg?rev=3446309","caption":"Rules management interface"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-6.jpg?rev=3446309","caption":"Settings panel with detailed options"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-7.jpg?rev=3446309","caption":"Speed optimization settings (PRO)"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-8.jpg?rev=3446309","caption":"Integration settings for ReCAPTCHA, Redis, Memcached and more"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-9.jpg?rev=3446309","caption":"Addon management interface"},{"src":"https:\/\/ps.w.org\/botblocker-security\/assets\/screenshot-10.jpg?rev=3446309","caption":"Health check and diagnostics tool"}],"raw_content":"<!--section=description-->\n<h4>WordPress Security Plugin &amp; Firewall (WAF)<\/h4>\n\n<p><strong>Every day, automated bots and hackers bombard websites with attacks.<\/strong> Mass botnets, fake search engine crawlers, brute-force login attempts, and spam bots can overwhelm your WordPress site - stealing data, overloading your server, and defacing content. It's a 24\/7 threat to your business. If you\u2019re looking for <strong>WordPress site protection<\/strong>, you need a proactive defense that stops these attacks before they reach your website.<\/p>\n\n<p><strong>BotBlocker Security is the all-in-one solution to keep your site safe from automated threats.<\/strong> This powerful <strong>WordPress security plugin and Web Application Firewall (WAF)<\/strong> acts as a dedicated <strong>anti-bot<\/strong> firewall, blocking malicious traffic at the front gate without slowing down your site.<\/p>\n\n<p>BotBlocker's setup and onboarding experience allows anyone to secure their <strong>WordPress site<\/strong> in under 1 minute, regardless of technical expertise. You can rest assured knowing you have enabled the right <strong>site protection<\/strong> settings to protect your website.<\/p>\n\n<p>BotBlocker also supports <strong>WordPress Multisite<\/strong>, making it suitable for agencies, developers, and administrators who manage networks of client sites from a single WordPress installation.<\/p>\n\n<h4>\ud83d\udd25 WordPress Firewall (WAF)<\/h4>\n\n<p>BotBlocker Security includes an endpoint <strong>firewall\/WAF<\/strong> that identifies and blocks malicious traffic before it reaches WordPress. Built and maintained by a team focused 100% on WordPress security, our Web Application Firewall protects your site while reducing server load.<\/p>\n\n<p><strong>BotBlocker intercepts bad traffic at the earliest stage<\/strong> - even before WordPress or your theme loads. By running as a must-use plugin (MU-plugin) on early init, it blocks threats before WordPress initializes, drastically reducing server load during attacks.<\/p>\n\n<p><strong>Key Firewall Features:<\/strong><\/p>\n\n<ul>\n<li>Real-time firewall rule updates via the BotBlocker Threat Defense Feed<\/li>\n<li>Real-time IP Blocklist blocks all requests from the most malicious IPs<\/li>\n<li>Early-init protection - blocks threats before WordPress loads<\/li>\n<li>Cloud-based threat intelligence - cross-checks every visitor against global threat databases<\/li>\n<li>Extended Secure Mode - stricter challenge, session, and token validation for high-risk traffic<\/li>\n<li>No visitor data collected - only technical request parameters analyzed (GDPR\/CCPA-compliant)<\/li>\n<li>Brute force protection with login attempt limits and multi-layer verification<\/li>\n<\/ul>\n\n<h4>\ud83d\udce1 WordPress Security Scanner &amp; Site Protection<\/h4>\n\n<p>Every attempt to access your site is thoroughly analyzed and filtered. BotBlocker provides comprehensive <strong>site protection<\/strong> across all entry points:<\/p>\n\n<ul>\n<li><strong>XML-RPC and API Protection<\/strong> - all endpoints blocked by default. Create access rules for trusted services and add allowed URLs for payment plugins<\/li>\n<li><strong>Spam Prevention<\/strong> - spammers cannot connect to your site. Automatically block IP addresses that exceed spam comment thresholds<\/li>\n<li><strong>File Access Protection<\/strong> - theme and plugin files securely protected from unauthorized access<\/li>\n<li><strong>Deep Analysis<\/strong> - User-Agent, Accept-Language, GeoIP, PTR, DNSBL, cookies, browser fingerprint, AdBlock, Incognito detection<\/li>\n<li><strong>Network &amp; Protocol Control<\/strong> - block obsolete HTTP\/1.0 clients and disable IPv6 if not used. Cloudflare-aware protection blocks origin bypass attempts<\/li>\n<\/ul>\n\n<h4>\ud83d\udd12 Login Security &amp; 2FA<\/h4>\n\n<p>All login attempts pass through multi-layer filtering and CAPTCHA verification:<\/p>\n\n<ul>\n<li><strong>Two-Factor Authentication Support<\/strong> - 2FA enhanced login security for admin area. Backup codes for recovery access. Universal 2FA app support \u2013 works with Google Authenticator, Authy, etc.<\/li>\n<li><strong>Multi-layer CAPTCHA Protection<\/strong> - color buttons, animal images, floating shapes, floating math, Google reCAPTCHA v2\/v3, and more. Any internal CAPTCHA can be combined with reCAPTCHA v3 for dual-layer protection<\/li>\n<li><strong>Brute Force Protection<\/strong> - configurable login attempt limits. Failed attempts trigger temporary bans, with escalating penalties for repeated failures<\/li>\n<li><strong>Advanced Anti-bot Challenges<\/strong> - proprietary CAPTCHA designed to be nearly impossible to bypass, even by AI-based anti-CAPTCHA services<\/li>\n<li><strong>Intelligent Ban System<\/strong> - failed CAPTCHA results in configurable ban periods. Repeated failures trigger 24-hour bans<\/li>\n<li><strong>Admin Access Simplification<\/strong> - special mechanism to ease site administrator login while maintaining security<\/li>\n<li><strong>XML-RPC Control<\/strong> - options including complete disabling<\/li>\n<\/ul>\n\n<h4>\ud83d\udee0\ufe0f Security Tools<\/h4>\n\n<p>Comprehensive tools to block attackers and monitor your site in real-time:<\/p>\n\n<ul>\n<li><strong>Advanced Blocking Rules<\/strong> - block by IP or build rules based on IP Range, Hostname, User Agent, Referrer, PTR record, ASN, country, city, and more<\/li>\n<li><strong>IP-PTR-Host Mismatch Detection<\/strong> - automatically detect and block fake crawlers (e.g., fake Googlebots)<\/li>\n<li><strong>Crawler &amp; AI Allowlist Management<\/strong> - manage trusted SEO bots and LLM\/AI crawlers such as OpenAI, Claude, and Gemini while still detecting impersonators<\/li>\n<li><strong>Blacklist &amp; Whitelist Management<\/strong> - instantly allow or block any IP, ASN, range, or User-Agent<\/li>\n<li><strong>Live Traffic Monitoring<\/strong> - see all traffic in real-time: robots, humans, 404 errors, logins\/logouts, file requests, and content consumption<\/li>\n<li><strong>Server IP Identification<\/strong> - prevent lockouts by automatically identifying and protecting server IPs<\/li>\n<li><strong>Visual Dashboard<\/strong> - intuitive charts and stats showing blocked attacks, world map of threat origins, top offending IPs\/countries<\/li>\n<li><strong>Detailed Security Log<\/strong> - every event logged with IP address, user agent, country, and blocking reason<\/li>\n<li><strong>Hide Login URL<\/strong> <em>(Premium Addon)<\/em><\/li>\n<\/ul>\n\n<h4>\u26a1 Performance &amp; Integration<\/h4>\n\n<p>BotBlocker's robust defense won't slow your site down - in fact, it often improves performance under attack:<\/p>\n\n<ul>\n<li><strong>Lightweight &amp; Fast<\/strong> - negligible overhead in normal conditions. Reduces database and server load during attacks<\/li>\n<li><strong>Built-in Caching<\/strong> - Redis and Memcached support for high-traffic environments<\/li>\n<li><strong>Cache Plugin Compatibility<\/strong> - automatic <code>DONOTCACHEPAGE<\/code> + <code>Cache-Control: no-store<\/code> on verification pages. Works with WP Super Cache (PHP mode), W3 Total Cache, WP Rocket, LiteSpeed Cache, Hummingbird, and more. Server-level caches (Nginx FastCGI, Varnish, Cloudflare) may need a cookie-based bypass rule - see <code>docs\/CACHE-COMPATIBILITY.md<\/code><\/li>\n<li><strong>Cache-Optimized CAPTCHA Delivery<\/strong> - Image Delivery Mode serves image CAPTCHA assets in a cache-friendly way for high-traffic sites<\/li>\n<li><strong>DDoS Protection Compatibility<\/strong> - automatic detection of JS-challenges from DDoS-Guard, Stormwall, and similar services. See <code>docs\/DDOS-COMPATIBILITY.md<\/code> for advanced configuration<\/li>\n<li><strong>Seamless Compatibility<\/strong> - works with Cloudflare, CDN services, caching plugins, and optimizers<\/li>\n<li><strong>WordPress Multisite Support<\/strong> - protect multisite networks and agency-managed site fleets<\/li>\n<li><strong>Full IPv6 Support<\/strong> - all security functions work with both IPv4 and IPv6<\/li>\n<li><strong>Server Optimization<\/strong> <em>(Premium Addon)<\/em> - additional performance enhancements for high-traffic sites<\/li>\n<\/ul>\n\n<h4>\ud83d\udc64 Easy Setup &amp; User-Friendly Interface<\/h4>\n\n<p>You don't have to be a security expert to use BotBlocker:<\/p>\n\n<ul>\n<li><strong>Quick Installation Wizard<\/strong> - step-by-step setup guide for configuration in under 1 minute<\/li>\n<li><strong>Intuitive Admin Panel<\/strong> - organized settings with clear descriptions and tooltips<\/li>\n<li><strong>Multilingual<\/strong> - translated into English, Spanish, German, French, Polish, Russian, Ukrainian, and more<\/li>\n<li><strong>No Conflicts &amp; Modern PHP Compatibility<\/strong> - built following WordPress best practices, tested with recent WP versions and current PHP releases including PHP 8.5<\/li>\n<li><strong>Adjustable Logging<\/strong> - configurable retention periods with time zone awareness and daylight saving support<\/li>\n<\/ul>\n\n<p><strong>Security first - BotBlocker's on guard!<\/strong><\/p>\n\n<h4>\ud83d\udd25 PRO Version<\/h4>\n\n<p>Upgrade to PRO for production sites, WooCommerce stores, agencies, and high-traffic WordPress projects that need cloud intelligence, premium add-ons, and faster support. Current PRO subscriptions start at <strong>$12\/month<\/strong>; compare plan limits and current offers on the <a href=\"https:\/\/botblocker.top\/pricing\/\">pricing page<\/a>. Annual billing includes 1 month free, and most purchases are covered by a 30-day refund policy according to the <a href=\"https:\/\/botblocker.top\/terms-of-service\/\">Terms of Service<\/a>.<\/p>\n\n<p><strong>PRO includes:<\/strong><\/p>\n\n<ul>\n<li>Real-time cloud threat intelligence checks against global databases<\/li>\n<li>Zero-day threat detection - behavioral analysis and heuristic rules catch unknown attack patterns before signatures are available<\/li>\n<li>VPN, Tor, proxy, ASN, and hosting reputation checks for stricter traffic filtering<\/li>\n<li>Hide Admin URL add-on - custom login URL and protection for default <code>wp-login.php<\/code> and registration endpoints<\/li>\n<li>Security Headers add-on - HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Content-Security-Policy (CSP) configuration<\/li>\n<li>Early Init add-on - filtering before WordPress Core loads for better performance during attacks<\/li>\n<li>Speed Up WordPress add-on - frontend cleanup and optimization for faster page delivery<\/li>\n<li>Advanced reporting, analytics, and forensic traffic context<\/li>\n<li>Daily signature, PTR, User-Agent, and AI model updates<\/li>\n<li>Priority support with 24-hour response and emergency help for critical issues<\/li>\n<\/ul>\n\n<h3>Features<\/h3>\n\n<h4>Detection &amp; Analysis<\/h4>\n\n<p>BotBlocker employs advanced multi-layer detection to identify and block threats:<\/p>\n\n<p><strong>Detection Mechanisms:<\/strong><\/p>\n\n<ul>\n<li>Local and cloud signature databases with real-time updates<\/li>\n<li>IP reputation and blacklist checks with global threat intelligence<\/li>\n<li>DNS-based and PTR lookups to detect fake crawlers<\/li>\n<li>Heuristic and behavioral analysis for suspicious patterns<\/li>\n<li>Trusted SEO and LLM\/AI crawler allowlists for known services such as OpenAI, Claude, and Gemini<\/li>\n<li>Browser fingerprint and feature mismatch detection<\/li>\n<li>Header and protocol validation<\/li>\n<li>JavaScript challenge and capability verification<\/li>\n<li>Multi-layered CAPTCHA verification<\/li>\n<\/ul>\n\n<p><strong>Comprehensive Request Analysis:<\/strong><\/p>\n\n<ul>\n<li><strong>Network &amp; IP:<\/strong> Full IPv4\/IPv6 support, blacklist\/whitelist, country\/GeoIP, ASN, hosting\/VPN detection, TOR detection, PTR\/DNSBL checks<\/li>\n<li><strong>Browser &amp; Client:<\/strong> User-Agent validation, browser\/OS\/device detection, fingerprint analysis, headless browser detection, JavaScript\/cookie support<\/li>\n<li><strong>Headers &amp; Protocol:<\/strong> Accept-Language, Referer validation, HTTP version control, Cloudflare\/proxy detection<\/li>\n<li><strong>Advanced Fingerprinting:<\/strong> Font rendering, WebGL, media devices, touch events, battery API, permissions, timing analysis, plugin verification<\/li>\n<\/ul>\n\n<h4>CAPTCHA Modes<\/h4>\n\n<p>Choose from various CAPTCHA types to protect your site:<\/p>\n\n<ul>\n<li><strong>Single Button<\/strong> - one-click verification for quick validation<\/li>\n<li><strong>Google reCAPTCHA v2<\/strong> - standard image\/checkbox challenge<\/li>\n<li><strong>Google reCAPTCHA v3<\/strong> - invisible background scoring<\/li>\n<li><strong>BotBlocker Color CAPTCHA<\/strong> - select colored buttons challenge<\/li>\n<li><strong>BotBlocker Digits CAPTCHA<\/strong> - floating math challenge<\/li>\n<li><strong>BotBlocker Images CAPTCHA<\/strong> - animal image selection<\/li>\n<li><strong>BotBlocker Image Delivery Mode<\/strong> - cache-friendly image CAPTCHA delivery for high-traffic sites and aggressive caching setups<\/li>\n<li><strong>BotBlocker Shapes CAPTCHA<\/strong> - floating shapes challenge<\/li>\n<li><strong>BotBlocker Hold Button CAPTCHA<\/strong> - press and hold to verify, distinct from one-click Single Button mode, with no images or math required<\/li>\n<li><strong>Silent Auto-Verify<\/strong> - no CAPTCHA shown. Real users pass automatically via JS fingerprint checks; bots see \"Access denied\"<\/li>\n<li><strong>Hybrid Mode<\/strong> - combine any CAPTCHA with reCAPTCHA v3 for dual-layer protection<\/li>\n<\/ul>\n\n<h4>Additional Capabilities<\/h4>\n\n<ul>\n<li>Early-init &amp; MU plugin support<\/li>\n<li>WordPress Multisite support<\/li>\n<li>Extended Secure Mode for stricter verification on sensitive routes and high-risk traffic<\/li>\n<li>Trusted LLM\/AI crawler allowlist management<\/li>\n<li>Real-time cloud threat checks<\/li>\n<li>Dynamic and graphical anti-bot challenges<\/li>\n<li>Automatic logging with adjustable retention<\/li>\n<li>Session tracking and verification<\/li>\n<li>No visitor data collected - GDPR\/CCPA-compliant (see FAQ for admin notification details)<\/li>\n<\/ul>\n\n<h3>Privacy<\/h3>\n\n<p>BotBlocker Security does <strong>not<\/strong> collect or process personal data of your visitors. All cloud analysis is performed on technical parameters only (IP, headers, User-Agent). No personally identifiable information is collected, stored, or transmitted to any external service.<\/p>\n\n<h3>Support and Documentation<\/h3>\n\n<ul>\n<li>Product site: <a href=\"https:\/\/botblocker.top\/products\/\">https:\/\/botblocker.top\/products\/<\/a><\/li>\n<li>Pricing and PRO plans: <a href=\"https:\/\/botblocker.top\/pricing\/\">https:\/\/botblocker.top\/pricing\/<\/a><\/li>\n<li>Documentation: <a href=\"https:\/\/botblocker.top\/docs\/\">https:\/\/botblocker.top\/docs\/<\/a><\/li>\n<li>Contact\/support: <a href=\"https:\/\/botblocker.top\/contacts\/\">https:\/\/botblocker.top\/contacts\/<\/a><\/li>\n<li>Community: <a href=\"https:\/\/botblocker.top\/community\/\">https:\/\/botblocker.top\/community\/<\/a><\/li>\n<\/ul>\n\n<h3>License<\/h3>\n\n<p>This plugin is licensed under the GPLv2 or later. See LICENSE.txt for details.<\/p>\n\n<h3>Credits &amp; Authors<\/h3>\n\n<p>BotBlocker Security is developed and maintained by GLOBUS.studio.<\/p>\n\n<ul>\n<li>Concept, architecture &amp; code - Yevhen Leonidov: <a href=\"https:\/\/leonidov.dev\/\">https:\/\/leonidov.dev\/<\/a><\/li>\n<li>Code, code review - Andrii Lukashevych<\/li>\n<li>Code, translations - Aleksandr Kinakh<\/li>\n<\/ul>\n\n<p><strong>BotBlocker Security - The first line of defense for your WordPress site.<\/strong><\/p>\n\n<!--section=installation-->\n<ol>\n<li>Download the plugin archive or install directly from your WordPress dashboard<\/li>\n<li>Unpack to <code>wp-content\/plugins\/botblocker-security\/<\/code> if uploading manually<\/li>\n<li>Activate <strong>BotBlocker Security<\/strong> in the Plugins menu<\/li>\n<li>Go to <strong>BotBlocker<\/strong> to configure protection settings<\/li>\n<\/ol>\n\n<p>The setup wizard will guide you through initial configuration in under 1 minute.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"how%20does%20botblocker%20security%20protect%20sites%20from%20attackers%3F\"><h3>How does BotBlocker Security protect sites from attackers?<\/h3><\/dt>\n<dd><p>BotBlocker uses multi-layer <strong>site protection<\/strong>: early-init filtering before WordPress loads, cloud-based threat intelligence, advanced CAPTCHA challenges, deep request analysis, and real-time IP blocking. This comprehensive approach stops bots, scrapers, brute force attacks, and spam before they reach your site.<\/p><\/dd>\n<dt id=\"how%20does%20the%20botblocker%20wordpress%20firewall%20%28waf%29%20work%3F\"><h3>How does the BotBlocker WordPress Firewall (WAF) work?<\/h3><\/dt>\n<dd><p>The <strong>firewall\/WAF<\/strong> operates at the earliest stage - before WordPress loads - analyzing every request's technical fingerprint. It checks User-Agent strings, headers, IP reputation, PTR records, and behavioral patterns to identify and block malicious traffic instantly.<\/p><\/dd>\n<dt id=\"does%20the%20plugin%20collect%20personal%20data%3F\"><h3>Does the plugin collect personal data?<\/h3><\/dt>\n<dd><p>BotBlocker does <strong>not<\/strong> collect any visitor PII - only technical request parameters (IP, headers, User-Agent) are analyzed locally. Full details are available in <code>docs\/PRIVACY.md<\/code> included with the plugin.<\/p><\/dd>\n<dt id=\"do%20i%20need%20an%20external%20service%3F\"><h3>Do I need an external service?<\/h3><\/dt>\n<dd><p>No. Local protection works out of the box. <strong>Cloud checks (PRO)<\/strong> are optional and provide enhanced threat intelligence from global databases.<\/p><\/dd>\n<dt id=\"will%20it%20work%20with%20cloudflare%20or%20a%20cdn%3F\"><h3>Will it work with Cloudflare or a CDN?<\/h3><\/dt>\n<dd><p>Yes. BotBlocker recognizes proxy headers to resolve the real client IP and can block origin bypass attempts. Fully compatible with Cloudflare and other CDN services.<\/p><\/dd>\n<dt id=\"does%20botblocker%20support%20wordpress%20multisite%3F\"><h3>Does BotBlocker support WordPress Multisite?<\/h3><\/dt>\n<dd><p>Yes. BotBlocker can protect WordPress Multisite networks, making it useful for agencies, developers, and administrators who manage multiple sites from one installation.<\/p><\/dd>\n<dt id=\"how%20does%20botblocker%20handle%20ai%20crawlers%20and%20llm%20bots%3F\"><h3>How does BotBlocker handle AI crawlers and LLM bots?<\/h3><\/dt>\n<dd><p>BotBlocker can recognize and allow trusted AI crawlers and LLM-related services while continuing to block spoofed user agents, fake crawlers, scrapers, and abusive automation. This includes allowlist handling for services such as OpenAI, Claude, and Gemini.<\/p><\/dd>\n<dt id=\"does%20botblocker%20work%20behind%20ddos%20protection%20services%20%28ddos-guard%2C%20stormwall%2C%20etc.%29%3F\"><h3>Does BotBlocker work behind DDoS protection services (DDoS-Guard, Stormwall, etc.)?<\/h3><\/dt>\n<dd><p>Yes. BotBlocker automatically detects and handles simple JS-challenge responses from external DDoS protection services. For advanced challenges (Proof-of-Work, interactive CAPTCHA from the DDoS provider), add <code>\/wp-admin\/admin-ajax.php<\/code> to the challenge bypass list in your DDoS service control panel. See <code>docs\/DDOS-COMPATIBILITY.md<\/code> included with the plugin for detailed configuration examples.<\/p><\/dd>\n<dt id=\"does%20botblocker%20work%20with%20caching%20plugins%3F\"><h3>Does BotBlocker work with caching plugins?<\/h3><\/dt>\n<dd><p>Yes. BotBlocker automatically sets <code>DONOTCACHEPAGE<\/code> and <code>Cache-Control: no-store<\/code> headers on verification\/denied pages, preventing PHP-based cache plugins from caching them. WP Super Cache (PHP mode), W3 Total Cache, WP Rocket, LiteSpeed Cache, and Hummingbird work out of the box. For server-level caches (Nginx FastCGI, Varnish) or WP Super Cache Expert (mod_rewrite) mode, add a cookie-based bypass rule - see <code>docs\/CACHE-COMPATIBILITY.md<\/code> included with the plugin. The MU-plugin phase also defines <code>DONOTCACHEPAGE<\/code> for visitors without a BotBlocker cookie.<\/p><\/dd>\n<dt id=\"can%20image%20captcha%20work%20on%20high-traffic%20cached%20sites%3F\"><h3>Can Image CAPTCHA work on high-traffic cached sites?<\/h3><\/dt>\n<dd><p>Yes. Image Delivery Mode is designed for high-traffic sites and caching-heavy environments, helping image CAPTCHA assets load reliably without letting cached verification pages weaken protection.<\/p><\/dd>\n<dt id=\"can%20i%20protect%20xml-rpc%2Frest%20api%20or%20login%2Fcomments%3F\"><h3>Can I protect XML-RPC\/REST API or login\/comments?<\/h3><\/dt>\n<dd><p>Yes. XML-RPC and REST API endpoints are blocked by default. You can create access rules for trusted services and protect login\/comments with multi-layer CAPTCHA verification.<\/p><\/dd>\n<dt id=\"what%20captcha%20types%20are%20available%3F\"><h3>What CAPTCHA types are available?<\/h3><\/dt>\n<dd><p>One-click button, hold button, color buttons, animal images, image delivery mode, floating shapes, floating math, silent auto-verify, plus Google reCAPTCHA v2\/v3. Silent Auto-Verify is the recommended default - real users pass automatically with zero interaction. Any internal CAPTCHA can be combined with reCAPTCHA v3. Our proprietary CAPTCHAs are designed to be nearly impossible to bypass with AI-based anti-CAPTCHA services.<\/p><\/dd>\n<dt id=\"what%20is%20extended%20secure%20mode%3F\"><h3>What is Extended Secure Mode?<\/h3><\/dt>\n<dd><p>Extended Secure Mode tightens the verification chain for sensitive or suspicious traffic. It applies stricter challenge token validation, browser capability checks, and session consistency rules before allowing the request to continue.<\/p><\/dd>\n<dt id=\"does%20botblocker%20security%20support%20ipv6%3F\"><h3>Does BotBlocker Security support IPv6?<\/h3><\/dt>\n<dd><p>Yes. Full IPv6 support with all security functions including country blocking, range blocking, city lookup, whois lookup, and all other features. Compatible with IPv4-only, IPv6-only, or dual-stack configurations.<\/p><\/dd>\n<dt id=\"will%20it%20conflict%20with%20other%20security%20plugins%3F\"><h3>Will it conflict with other security plugins?<\/h3><\/dt>\n<dd><p>BotBlocker operates very early in the request lifecycle and usually coexists well with other plugins. Avoid duplicating the exact same CAPTCHA on the same form.<\/p><\/dd>\n<dt id=\"how%20do%20i%20avoid%20locking%20out%20admins%20or%20cron%20jobs%3F\"><h3>How do I avoid locking out admins or cron jobs?<\/h3><\/dt>\n<dd><p>Use <strong>Allowlist<\/strong> for admin IPs\/services and enable \"allow server self-IP\" so WP-Cron and internal calls pass safely. The plugin automatically identifies server IPs to prevent lockouts.<\/p><\/dd>\n<dt id=\"what%20security%20monitoring%20features%20does%20botblocker%20include%3F\"><h3>What security monitoring features does BotBlocker include?<\/h3><\/dt>\n<dd><p><strong>Live Traffic<\/strong> view shows all visits in real-time: robots, humans, 404 errors, logins\/logouts, file requests, heartbeat, and content consumption. <strong>Detailed security logs<\/strong> track every blocked attack, passed challenge, and admin action with full context (IP, country, user agent, reason).<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.6.20<\/h4>\n\n<p>Add WordPress 7.0 compatibility and Connections support for BotBlocker Security\nFix WordPress 7.0 REST OPTIONS permission checks from wp-admin pages\nAdd ASN allow, block, dark, and gray rule handling with safer crawler verification\nImprove anti-detect checks for critical browser fingerprint mismatch combinations\nFix Geo country rule sanitization and Cloud API contact email validation\nImprove plugin update notices when remote changelog data is unavailable<\/p>\n\n<h4>1.6.19<\/h4>\n\n<p>Add new security rules to block emerging threats with updated ASN coverage\nUpdate coverage for new bots and crawlers\nAdd coverage for 20+ payment providers in the Payment Gateway Bypass whitelist\nAdd HEAD request support for security checks and blocking\nFix minor bugs and UI glitches in admin panel\nFix language selection issue\nFix setup wizard issue with some hosting environments\nUpdate translation files<\/p>\n\n<h4>1.6.18<\/h4>\n\n<p>Add new ASN database with auto-update\nAdd Payment Gateway Bypass: dedicated whitelist for legitimate payment callbacks (webhooks, IPN, postbacks) so checkout notifications are never blocked\nAdd auto-detection for 25+ e-commerce platforms (WooCommerce, EDD, SureCart, MemberPress, RCP, PMPro, Give, Dokan, WCFM, CartFlows, FunnelKit, etc.)\nAdd built-in coverage for 30+ payment providers: Stripe, PayPal, Mollie, Adyen, Braintree, Square, Razorpay, CloudPayments, WayForPay, LiqPay, Fondy, PayU, Klarna, Paystack, Flutterwave, GoCardless, Paddle, Authorize.Net, 2Checkout and more\nAdd new \"Payment Gateways\" tab in Advanced Settings<\/p>\n\n<h4>1.6.17<\/h4>\n\n<p>Fix third-party library compatibility issues affecting some hosting environments\nFix minor bugs and plugin incompatibilities with popular WordPress plugins\nImprove legacy browser support\nImprove Security Headers addon with stricter defaults and additional directives\nImprove shared hosting compatibility with enhanced environment detection and fallback logic\nImprove statistics and reporting \nAdd updated ASN tables\nAdd cookie diagnostics tool\nAdd cache compatibility\nUpdate vulnerability signature database\nUpdate translation files<\/p>\n\n<h4>1.6.16<\/h4>\n\n<p>Add new CAPTCHA mode: Silent Auto-Verify - real users pass automatically with zero interaction, bots see \"Access denied\"\nAdd Silent Auto-Verify as the new recommended default in the setup wizard\nAdd Security Headers addon support (HSTS, CSP, X-Frame-Options, Permissions-Policy - coming soon to the addon marketplace)\nAdd updated LLM and AI bot whitelist\nAdd improved ASN validation with extended provider database and stricter hosting\/VPN detection\nAdd improved PTR record verification with multi-resolver fallback for more accurate fake-crawler detection\nAdd cache compatibility for Swift Performance, Cache Enabler, and Starter Templates caching\nFix CAPTCHA challenge token race condition in extended secure mode (SECURE_MODE_FULL)\nFix GD library fallback - now correctly falls back to Simple Button (mode 0) instead of Color Buttons when GD and reCAPTCHA are both unavailable\nFix CAPTCHA timeout handling for Silent Auto-Verify mode to prevent potential redirect loops\nFix 2FA backup code validation edge case on PHP 8.5\nImprove challenge token security with mode-specific transient TTL (1 hour for Silent Auto-Verify)\nImprove silent mode retry logic with sessionStorage-based counter surviving page reloads\nImprove setup wizard UI - removed duplicate \"Recommended\" badge from Image Recognition\nUpdate translation files<\/p>\n\n<h4>1.6.15<\/h4>\n\n<p>Add multisite support\nAdd LLM whitelist for trusted crawlers and services\nAdd new security rules to block emerging threats\nAdd compatibility improvements for WordPress 6.9.4\nFix minor bugs and UI glitches in admin panel\nUpdate translation files<\/p>\n\n<h4>1.6.14<\/h4>\n\n<p>Add automatic DDoS protection service compatibility (DDoS-Guard, Stormwall, etc.)\nAdd docs\/DDOS-COMPATIBILITY.md documentation\nUpdate cache compatibility layer\nUpdate 2FA libraries\nUpdate translation files<\/p>\n\n<h4>1.6.13<\/h4>\n\n<p>Improve support for shared hosting environments with dynamic self-IP detection and allowlist management\nImprove statistics sammary generation\nUpdate browser detection\nUpdate OS detection\nAdd privacy readme file\nUpdate translation files<\/p>\n\n<h4>1.6.12<\/h4>\n\n<p>Add new mode of image CAPTCHA: Image Delivery Mode (for high-traffic sites with caching)\nImprove compatibility with Firefox and Safari browsers\nFix minor issues with CAPTCHA rendering in some environments\nFix lagacy mode of Image CAPTCHA\nUpdate translation mode<\/p>\n\n<h4>1.6.11<\/h4>\n\n<p>Add new captcha type: hold button\nAdd cache compatibility layer: no-cache headers, DONOTCACHEPAGE, MU-phase cookie check\nAdd Vary: Cookie header option (Settings \u2192 Cookies \u2192 Cache Compatibility)\nAdd cache plugin incompatibility detection and admin alerts\nAdd docs\/CACHE-COMPATIBILITY.md with Nginx, Varnish, Apache, Cloudflare config examples\nAdd new security rules to block emerging threats\nImport data security improvements\nUpdate libraries and dependencies\nImprove translation files\nFix minor bugs<\/p>\n\n<h4>1.6.10<\/h4>\n\n<p>Fix captcha verification issue in some environments\nFix minor UI glitches in admin panel\nAdd OpenAI, Claude, and Gemini user agent detection<\/p>\n\n<h4>1.6.9<\/h4>\n\n<p>Add 2FA support for admin users\nAdd setup wizard improvements\nAdd PRO features\nFix performance issue in some environments\nImprove translation files\nUpdate libraries\nUpdate admin CSS styles<\/p>\n\n<h4>1.6.8<\/h4>\n\n<p>Fix cookie setting issue in some environments\nFix minor UI glitches in admin panel\nFix translation string issues<\/p>\n\n<h4>1.6.7<\/h4>\n\n<p>Add extended secure mode\nFix gauge chart rendering issue in some environments\nAdd missing translation strings\nAdd PHP 8.5 compatibility improvements<\/p>\n\n<h4>1.6.6<\/h4>\n\n<p>Fixed issue with cloud status page description not displaying correctly.\nFixed minor UI glitches in admin panel.\nAdd compatibility improvements for WordPress 6.9\nImproved translation files.<\/p>\n\n<h4>1.6.5<\/h4>\n\n<p>Minor bug fixes and improvements. Enhanced compatibility with WordPress 6.8<\/p>\n\n<h4>1.6.4<\/h4>\n\n<p>Improved compatibility with various hosting environments. Minor bug fixes and performance optimizations.<\/p>\n\n<h4>1.6.3<\/h4>\n\n<p>Bug fixes and improvements. Plugin now uses upload directory for better compatibility.<\/p>\n\n<h4>1.6.2<\/h4>\n\n<p>Major update: migrated to Chart.js for faster statistics rendering. Updated libraries and fixed minor bugs.<\/p>\n\n<h4>1.6.1<\/h4>\n\n<p>Maintenance release with bug fixes, updated libraries, and license improvements.<\/p>\n\n<h4>1.6.0<\/h4>\n\n<p>Significant performance improvements and extended detection layers for enhanced security.<\/p>","raw_excerpt":"Protect your WordPress site or multisite network: firewall, bot &amp; brute-force protection, anti-spam, multi-layer CAPTCHA, optional cloud threat intel.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/251503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=251503"}],"author":[{"embeddable":true,"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/globusstudio"}],"wp:attachment":[{"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=251503"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=251503"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=251503"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=251503"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=251503"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/kaa.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=251503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}