Bot Lockout
Bot Lockout is a security plugin that implements a lightweight cryptographic challenge system to distinguish between real browsers and automated bots. Unlike traditional CAPTCHA systems, it uses JavaScript-based cryptographic operations that are easy for humans but difficult for most bots to solve. Key Features Lightweight Protection: Uses minimal resources and doesn’t impact site performance Cryptographic Challenges: SHA-256 hashing with date and user agent binding Smart Whitelisting: Allow trusted bots (Google, Bing, etc.) and IP addresses Flexible Configuration: Exclude specific pages and customize block messages Comprehensive Logging: Track blocked attempts for analysis Custom Styling: Add custom CSS to match your site’s design Daily Token Expiration: Prevents long-term bypass attempts How It Works Initial Request: When a visitor accesses your site, the plugin checks for a valid challenge token JavaScript Challenge: If no token exists, a cryptographic challenge is presented Token Generation: The challenge combines the current date with the user agent string and creates a SHA-256 hash Secure Storage: The hash is base64 encoded, truncated, and stored as a secure cookie Validation: Subsequent requests are validated against the stored token Security Features Cryptographically Secure: Uses SHA-256 hashing algorithm Time-Bound: Tokens expire daily to prevent long-term bypass Browser-Specific: User agent binding prevents token sharing Secure Cookies: Implements proper cookie security settings Whitelist Support: Allow trusted services and IP addresses Multi-Site Support Bot Lockout supports WordPress Multi-Site installations with both network-wide and site-specific configurations: Network Activation: Apply settings to all sites in the network Site-Specific Activation: Independent settings for each site Mixed Configuration: Network-wide defaults with site-specific overrides Security Advisory Bot Lockout is one layer in a broader security strategy, not a silver bullet. While Bot Lockout is designed to deter automated bots and AI scrapers through cryptographic JavaScript challenges, no single solution can offer complete protection. Web scraping technologies continue to evolve, and determined actors may find ways to bypass front-end defenses. This plugin should be used as part of a multi-layered approach to website security. For best results, we recommend combining Bot Lockout with additional tools such as server-level firewalls, rate limiting, CAPTCHA systems, behavior-based threat detection, and CDN-level bot mitigation. Kognetiks makes no guarantee that this plugin will block all unwanted bot traffic. It is intended as a proactive, lightweight defense mechanism—not a comprehensive security system. Users are responsible for evaluating their own threat model and deploying appropriate complementary protections. Support For support, please visit the WordPress.org support forums or check the plugin documentation. Credits Developer: Kognetiks This plugin is licensed under the GPL v3 or later.
Top keywords
- bot7×1.66%
- security7×1.66%
- token6×1.43%
- bot lockout5×1.19%
- challenge5×1.19%
- cryptographic5×1.19%
- lockout5×1.19%
- support5×1.19%
- bots4×0.95%
- secure4×0.95%
- site4×0.95%
- agent3×0.71%
HumanGate
HumanGate protects your WordPress site from AI training crawlers, search engine bots, and unauthorized scraping bots. Add global refusal signals (meta tags, HTTP headers, robots.txt), actively block bots (AI crawlers, scrapers, etc.), and deter large-scale bot extraction with lightweight JavaScript challenges—all without CAPTCHAs or heavy databases. Perfect for: * Journalists protecting sensitive content * Activists and independent creators * Nonprofits and whistleblower support projects * Anyone wanting to opt out of AI training data collection Core Features: Block Search Engines – Clear, top-level setting to block all search engines (Google, Bing, etc.) via noindex/nofollow meta tags Global AI Refusal – Adds AI-specific meta tags, HTTP headers (X-AI-Training), and robots.txt rules to refuse AI training crawlers Active Enforcement Modes – Choose from Signals Only (default), Challenge Mode (JS verification), or Block Mode (403 Forbidden) for AI crawlers and other bots Bot Challenge System – Automatically detects suspicious bot traffic patterns (burst traffic, sequential traversal, deep-link access) and serves lightweight JavaScript challenges to all bots—not just AI crawlers Emergency Lockdown – One-click site lockdown with HTTP 451 responses and optional login-only access SEO Plugin Compatible – Works seamlessly with Yoast SEO, Rank Math, All in One SEO, and other SEO plugins Privacy-Focused Stats – Lightweight telemetry using WordPress transients (no database bloat, no IP storage) Performance Optimized – DNS lookup caching and user agent pattern caching for faster response times Whitelist Support – IP address and user agent whitelists to bypass blocking for trusted sources How It Works: Block Search Engines – Optional setting to block all search engines (Google, Bing, etc.) using noindex/nofollow meta tags. This is a separate, clear setting at the top of the plugin configuration. AI Refusal Signals – Adds AI-specific meta tags, HTTP headers, and robots.txt rules that tell AI crawlers (GPTBot, ClaudeBot, PerplexityBot, etc.) not to train on your content. This works independently from search engine blocking. Active Enforcement – Optionally block or challenge bots at the HTTP level: Signals Only (default): Sends refusal signals only Challenge Mode: Requires JavaScript execution verification for all bots Block Mode: Returns 403 Forbidden to AI crawlers and other unauthorized bots Selective Friction – Automatically detects bot scraping patterns and serves invisible JavaScript challenges to any suspicious traffic: Burst traffic detection (12+ pages in 5 seconds) – catches all bots, not just AI crawlers Sequential traversal detection (machine-like pagination) Deep-link access detection (direct access to old content) Auto-completing challenges (no user interaction required) Works against all types of bots: AI training crawlers, scrapers, data harvesters, etc. Emergency Lockdown – Instantly lock down your site with one toggle, returning HTTP 451 responses with optional login-only access. Design Philosophy: HumanGate doesn’t try to perfectly identify machines. Instead, it makes large-scale extraction economically inefficient while keeping the experience invisible to 99% of real human users. No CAPTCHAs, no heavy databases, just lightweight protection. Development For development, bug reports, and contributions, please visit the plugin’s GitHub repository at https://github.com/NomadBuilder/HumanGate