Bot Lockout
Bot Lockout is a security plugin that implements a lightweight cryptographic challenge system to distinguish between real browsers and automated bots. Unlike traditional CAPTCHA systems, it uses JavaScript-based cryptographic operations that are easy for humans but difficult for most bots to solve. Key Features Lightweight Protection: Uses minimal resources and doesn’t impact site performance Cryptographic Challenges: SHA-256 hashing with date and user agent binding Smart Whitelisting: Allow trusted bots (Google, Bing, etc.) and IP addresses Flexible Configuration: Exclude specific pages and customize block messages Comprehensive Logging: Track blocked attempts for analysis Custom Styling: Add custom CSS to match your site’s design Daily Token Expiration: Prevents long-term bypass attempts How It Works Initial Request: When a visitor accesses your site, the plugin checks for a valid challenge token JavaScript Challenge: If no token exists, a cryptographic challenge is presented Token Generation: The challenge combines the current date with the user agent string and creates a SHA-256 hash Secure Storage: The hash is base64 encoded, truncated, and stored as a secure cookie Validation: Subsequent requests are validated against the stored token Security Features Cryptographically Secure: Uses SHA-256 hashing algorithm Time-Bound: Tokens expire daily to prevent long-term bypass Browser-Specific: User agent binding prevents token sharing Secure Cookies: Implements proper cookie security settings Whitelist Support: Allow trusted services and IP addresses Multi-Site Support Bot Lockout supports WordPress Multi-Site installations with both network-wide and site-specific configurations: Network Activation: Apply settings to all sites in the network Site-Specific Activation: Independent settings for each site Mixed Configuration: Network-wide defaults with site-specific overrides Security Advisory Bot Lockout is one layer in a broader security strategy, not a silver bullet. While Bot Lockout is designed to deter automated bots and AI scrapers through cryptographic JavaScript challenges, no single solution can offer complete protection. Web scraping technologies continue to evolve, and determined actors may find ways to bypass front-end defenses. This plugin should be used as part of a multi-layered approach to website security. For best results, we recommend combining Bot Lockout with additional tools such as server-level firewalls, rate limiting, CAPTCHA systems, behavior-based threat detection, and CDN-level bot mitigation. Kognetiks makes no guarantee that this plugin will block all unwanted bot traffic. It is intended as a proactive, lightweight defense mechanism—not a comprehensive security system. Users are responsible for evaluating their own threat model and deploying appropriate complementary protections. Support For support, please visit the WordPress.org support forums or check the plugin documentation. Credits Developer: Kognetiks This plugin is licensed under the GPL v3 or later.
Top keywords
- bot7×1.66%
- security7×1.66%
- token6×1.43%
- bot lockout5×1.19%
- challenge5×1.19%
- cryptographic5×1.19%
- lockout5×1.19%
- support5×1.19%
- bots4×0.95%
- secure4×0.95%
- site4×0.95%
- agent3×0.71%
JTZL's Bot Maze
JTZL’s Bot Maze protects your WordPress site from unwanted AI crawlers and scrapers by planting invisible trap links that only bots will follow. When a bot enters the trap maze, it gets lost in an ever-expanding maze of realistic-looking fake pages while it quietly builds a suspicion score based on its behavior. How it works: Trap link injection — Invisible links are added to your real pages. Legitimate visitors never see them, but bots following every link on the page will enter the trap maze. Lazy maze generation — Trap pages link to more trap pages, generated on demand. The deeper a bot goes, the more time it wastes. Bot scoring — Each trap page visit adds suspicion points. Deeper traversal earns bonus points. Once a threshold is reached, the visitor is flagged as a bot. Blocking and tarpitting — Flagged bots can be blocked outright (403), served decoy pages (light tarpit), or slowed down with a deliberate delay (full tarpit). Crawler verification — Known search engine crawlers (Googlebot, Bingbot, etc.) are verified via reverse DNS and exempted from scoring. Features: Zero impact on legitimate visitors — trap links are hidden from humans and search engines Configurable injection method (content, footer, or both) Adjustable scoring thresholds and blocking behavior robots.txt integration to signal trap paths as disallowed Analytics dashboard showing bot activity, top IPs, and score distribution Blocked Bots detail page showing full user agent, score, visit history Optional comprehensive tracking mode to monitor blocked bot persistence Automatic log retention and maintenance via WP-Cron Privacy policy suggestion for GDPR compliance Geographic heat map of bot activity by country with two GeoIP provider options MaxMind GeoLite2 local database — all lookups on your server, GDPR-friendly (recommended) ip-api.com external API — simple setup, no license key required Lightweight — minimal footprint, geographic tracking is fully optional Third-Party Services This plugin offers optional geographic tracking with two provider options. No data is sent to any external service unless a site administrator explicitly enables one of these providers. MaxMind GeoLite2 (Recommended) When MaxMind GeoLite2 is selected as the GeoIP provider (Settings > Bot Maze > Geographic Tracking), the plugin downloads the GeoLite2-Country database from MaxMind and performs all IP-to-country lookups locally. No visitor data leaves your server. What is downloaded: The GeoLite2-Country database (~60 MB), updated weekly via WP-Cron. What is sent to MaxMind: Only your license key during database downloads. No visitor IP addresses are shared. Requires: A free MaxMind license key from maxmind.com/en/geolite2/signup. Service website: https://www.maxmind.com License: GeoLite2 databases are licensed under CC BY-SA 4.0. Terms of service: https://www.maxmind.com/en/geolite2/eula ip-api.com When ip-api.com is selected as the GeoIP provider, the plugin sends visitor IP addresses to ip-api.com to resolve their country of origin. This data is used to display a geographic heat map of bot activity in the admin dashboard. What is sent: The visitor’s IP address only, over unencrypted HTTP. When it is sent: At the time a trap page visit is recorded, only while this provider is selected. Service website: http://ip-api.com Terms of service: https://ip-api.com/docs/legal Privacy policy: ip-api.com does not log queries from the free API endpoint. Note: The free tier only supports HTTP (not HTTPS). If your site must comply with GDPR, use the MaxMind local database option instead. Geographic tracking is off by default and requires explicit opt-in by a site administrator.