BotBlocker Security – Firewall & Bot Protection
BotBlocker Security blocks 99% of automated attacks before WordPress even loads. No bloat, no slowdowns, no monthly fees for core protection. If your site is hit by login brute force, spam comments, fake Googlebots, content scrapers, or XML-RPC floods, you are not alone: bots generate over 47% of all web traffic. Most security plugins react after WordPress boots, wasting CPU and memory on every bad request. BotBlocker stops them at the door. Why site owners switch to BotBlocker Faster than the competition. Runs on early init through three interception layers, before themes and plugins load. Server load drops during attacks instead of spiking. Smarter CAPTCHA. 9 modes including Silent Auto-Verify – zero clicks for humans, hard wall for bots. Proprietary CAPTCHAs defeat AI-based solvers that crack reCAPTCHA for $2-3 per 1 000. Honest free version. Full firewall, all 9 CAPTCHA modes, full 2FA, full logging, full Multisite support. No nag screens, no crippled features. Privacy-first. No visitor data leaves your server. GDPR and CCPA compliant out of the box. Works with everything. Cloudflare, WP Rocket, LiteSpeed, WooCommerce, Elementor, multisite, IPv6, PHP 7.4 to 8.5. 🛡️ Core Firewall (Free) Three-Layer Architecture – intercepts traffic at wp-config.php (before WordPress), MU-plugin phase, and main shield. The first layer blocks known threats without loading WordPress at all, saving 30-100ms and 5-20MB RAM per blocked request. Web Application Firewall (WAF) with real-time rule updates via the BotBlocker Threat Defense Feed 2 899 User-Agent signatures – largest blacklist among WordPress plugins – covering Scrapy, Selenium, Puppeteer, PhantomJS, curl, wget, Python, Java, Perl, and SQL injection tools Brute force protection with progressive lockouts – 5 attempts per 15 minutes, escalating bans for repeat offenders Anti-spam for comments, registration, contact forms – spammers blocked before they connect XML-RPC and REST API locked down by default with allowlist for trusted services Fake crawler detection via FCrDNS (dual-direction DNS verification), ASN tokens, and published IP ranges – 95% effective, impossible to spoof without controlling the provider’s DNS zone LLM / AI crawler management – allow or block GPTBot, ChatGPT-User, ClaudeBot, PerplexityBot, Bytespider via CIDR-verified IP ranges. Trusted crawlers verified, impersonators blocked. Country, ASN, IP range, User-Agent, Referer blocking rules with instant enforcement Cloudflare-aware real-IP resolution and origin bypass protection Full IPv6 support – separate tables and logic for IPv4 and IPv6, every feature works with both Live traffic monitor with attack map, country, ASN, device, browser, and exact block reason for every request Built-in caching via Redis and Memcached – free, auto-disable on connection failure 🔒 Login Security & 2FA (Free) Two-Factor Authentication compatible with Google Authenticator, Authy, 1Password, Bitwarden – TOTP standard with 10 backup codes 9 CAPTCHA modes: Silent Auto-Verify, Single Button, Color CAPTCHA, Images CAPTCHA, Shapes CAPTCHA (60fps Canvas), Digits CAPTCHA, Hold Button CAPTCHA, plus Google reCAPTCHA v2 and v3 Hybrid Mode – combine any internal CAPTCHA with reCAPTCHA v3 for two-layer invisible defense Hide login URL (PRO) Configurable lockout durations with escalation for repeat offenders – failed CAPTCHA triggers short ban, repeated failure triggers 24-hour ban 💳 Payment Gateway Bypass (Free) Auto-detects 25+ e-commerce platforms (WooCommerce, Easy Digital Downloads, SureCart, MemberPress, Paid Memberships Pro, Give, Dokan, CartFlows, FunnelKit, and more) and 150+ payment providers (Stripe, PayPal, Mollie, Adyen, Braintree, Square, Razorpay, Klarna, Paddle, Authorize.Net, 2Checkout, YooKassa, LiqPay, and more). Webhooks, IPN callbacks, and payment notifications never get blocked. Four detection layers ensure zero false positives on payment traffic. 📊 Visibility & Control (Free) Visual dashboard with attack map, top offenders, blocked-vs-allowed ratio, world traffic map Detailed event log with IP, country, ASN, User-Agent, and exact block reason – 54 unique event codes Health Score gauge – 42 parameters across 3 categories, 5 security levels from Critical to Secure 3 security presets – Light, Strong, Full – one-click configuration Setup Wizard – 8 steps from welcome to test attack, setup in under 5 minutes 8 interface languages – English, Deutsch, Español, Français, Polski, Русский, Українська + POT template Configurable retention with timezone and DST awareness Clean uninstall – drops all 16 tables, removes 40+ options, clears cron hooks. Zero leftover data. 🚀 PRO Adds (Premium / Pro / Ultimate) Real-time cloud threat intelligence cross-checked against global databases – 5M+ attack IPs, hundreds of thousands of bot signatures, updated daily Zero-day behavioral and heuristic detection – catches unknown attack patterns before signatures exist VPN, Tor, proxy, ASN, and hosting reputation checks Early Init Mode – filtering before WordPress Core loads, maximum resource savings during attacks Hide Login URL addon – custom admin URL, hardened wp-login.php protection Security Headers addon – HSTS, CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy, X-Content-Type-Options Speed Up WordPress addon – 14 frontend and server optimizations Malware Scanner addon – 25 patterns scanning files + 7 database tables, detects webshells, eval injections, base64-obfuscated code hidden in wp_options and post_content Priority support – 24-hour response time Four plans to match your traffic: Premium ($12/month, 25k cloud checks), Pro ($50/month, 100k cloud checks), Ultimate ($100/month, 250k cloud checks + emergency 24h support). Annual billing includes 1 month free. 30-day refund policy. Licensed per domain, billed securely via Freemius. Compare plans → ⚡ Performance & Compatibility Zero database queries for returning visitors – 9 runtime PHP files with SHA-256 integrity signatures, loaded via include Measured overhead: +3-15ms TTFB for cached visitors, +50-200ms for first-time PTR lookups, +2-4MB memory Redis and Memcached support – free, auto-disables gracefully on connection failure Cache plugin compatibility – automatic DONOTCACHEPAGE and Cache-Control: no-store on verification pages. Works with WP Super Cache, W3 Total Cache, WP Rocket, LiteSpeed Cache, Hummingbird, WP Fastest Cache, Cache Enabler CDN and WAF compatibility – Cloudflare, Sucuri, Incapsula, AWS CloudFront, Fastly, KeyCDN, StackPath. Multi-header real-IP resolution (CF-Connecting-IP, X-Forwarded-For, X-Real-IP) DDoS Protection Compatibility – automatic detection of JS-challenges from DDoS-Guard, Stormwall, Qrator. HMAC-signed AJAX responses, Circuit Breaker with automatic retry and backoff. BotBlocker is the only WordPress plugin that works correctly behind aggressive DDoS protection without manual configuration. Multisite Support – network activation, per-site data, per-site cleanup. Free on all plans. PHP 7.4 – 8.5 – tested across 7 PHP versions. WordPress 5.0 – 7.0+. Linux and Windows. GDPR and CCPA compliant – no PII collected, technical parameters only, Legitimate Interest basis (Art. 6(1)(f)) 🤝 Trusted by 3 000+ active installations Translated into 8 languages Tested up to WordPress 7.0 and PHP 8.5 Developed and maintained by GLOBUS.studio “Replaced two security plugins and a CAPTCHA plugin with one. Site is faster and the spam stopped overnight.” – WordPress.org user Privacy BotBlocker Security does not collect or process personal data of your visitors. All cloud analysis is performed on technical parameters only (IP, headers, User-Agent). No personally identifiable information is collected, stored, or transmitted to any external service. Support and Documentation Product site: https://botblocker.top/products/ Pricing and PRO plans: https://botblocker.top/pricing/ Documentation: https://botblocker.top/docs/ Contact/support: https://botblocker.top/contacts/ Community: https://botblocker.top/community/ License This plugin is licensed under the GPLv2 or later. See LICENSE.txt for details. Credits & Authors BotBlocker Security is developed and maintained by GLOBUS.studio. Concept, architecture & code – Yevhen Leonidov: https://leonidov.dev/ Code, code review – Andrii Lukashevych Code, translations – Aleksandr Kinakh BotBlocker Security – The first line of defense for your WordPress site.
Top keywords
- botblocker13×1.12%
- wordpress12×1.04%
- captcha11×0.95%
- security10×0.87%
- support8×0.69%
- php7×0.61%
- cache6×0.52%
- full6×0.52%
- https6×0.52%
- pro6×0.52%
- protection6×0.52%
- traffic6×0.52%
hCaptcha for WP
The strongest CAPTCHA. Switch from reCAPTCHA and Turnstile for free. A built-in Migration Wizard helps you move from Google reCAPTCHA or Cloudflare Turnstile to hCaptcha in just a few clicks. hCaptcha is a drop-in replacement for reCAPTCHA that puts user privacy first. Need to keep out bots? hCaptcha protects privacy while offering better protection against spam and abuse. Help build a better web. hCaptcha for WP makes security easy with broad integration support, detailed analytics, and strong protection. Start protecting logins, forms, and more in minutes. Benefits Privacy First: hCaptcha is designed to protect user privacy. It doesn’t retain or sell personal data, unlike platforms that gather, own, and monetize global behavior. Better Security: hCaptcha offers better protection against bots and abuse than other anti-abuse systems. Easy to Use: hCaptcha is easy to install and use with WordPress and popular plugins. Broad Integration: hCaptcha works with WordPress Core, WooCommerce, Contact Form 7, Elementor, and over 60 other plugins and themes. Features Highlights Migration Wizard: Migrate from Google reCAPTCHA or Cloudflare Turnstile to hCaptcha in just a few clicks. Built-in Anti-Spam: Honeypot fields and minimum submit time catch bots before the hCaptcha challenge, reducing friction for real users. Detailed Analytics: Get detailed analytics on hCaptcha events and form submissions. AI-Ready Security: Selected security actions are exposed via the WordPress Abilities API for automation and AI-driven workflows. Pro and Enterprise: Supports Pro and Enterprise versions of hCaptcha. No Challenge Modes: 99.9% passive and passive modes in Pro and Enterprise versions reduce user friction. Protect Site Content: Protects selected site URLs from bots with hCaptcha. Works best with Pro 99.9% passive mode. Logged-in Users: Optionally turn off hCaptcha for logged-in users. Delayed API Loading: Load the hCaptcha API instantly or on user interaction for zero page loading impact. IP Access Control: Allowlist trusted IPs to skip hCaptcha and denylist abusive IPs to block form submissions. Country Access Control: Allowlist or denylist countries to control where hCaptcha protections apply. Multisite Support: Sync hCaptcha settings across a Multisite Network. Anti-Spam Honeypot Protection: A hidden field catches bots before they reach the hCaptcha challenge, reducing friction for real users. Minimum Submit Time: Blocks instant form submissions from automated scripts. IP Denylist: Block abusive IPs from submitting any protected form. Country Blocking: Restrict form submissions by country to stop region-specific spam campaigns. Customization Language Support: Supports multiple languages. Custom Themes: Customize the appearance of hCaptcha to match your site. Custom Themes Editor: Edit custom themes directly in the plugin. Login Compatibility: Compatible with all major hide login, custom login, and 2FA login plugins. Login Attempts: Protect your site from brute force attacks. Ease of Use Test Modes: Use hCaptcha in live and Pro/Enterprise test modes. Activation and Deactivation: Activate and deactivate plugins and themes with hCaptcha in one click. Forced Verification: Optionally force hCaptcha verification before form submission. Check Config: Check hCaptcha configuration before saving keys and settings. Auto-Verification: Automatically verify custom forms. Standard Sizes and Themes: Choose the size and theme of the hCaptcha widget. How hCaptcha Works The purpose of a CAPTCHA is to distinguish between people and machines via a challenge-response test and thus increase the cost of spamming or otherwise abusing websites by keeping out bots. To use this plugin, install it and enter your sitekey and secret in the Settings → hCaptcha menu after signing up on hCaptcha.com. hCaptcha Free lets websites block bots and other forms of abuse via humanity challenges. hCaptcha Pro goes beyond the free hCaptcha service with advanced machine learning to reduce the challenge rate, delivering high security and low friction along with more features like UI customization. hCaptcha Enterprise delivers a complete advanced security platform, including site-specific risk scores, fraud protection, and more to address both human and automated abuse. Privacy Notices hCaptcha is designed to comply with privacy laws in every country, including GDPR, LGPD, CCPA, and more. For example, hCaptcha has been certified under ISO 27001 and 27701 and is enrolled in the EU-US, UK-US, and Swiss-US Data Privacy Framework for GDPR compliance. Details are available at www.hcaptcha.com/certifications and www.hcaptcha.com/gdpr. With the default configuration, this plugin does not: track users by stealth; write any user’s personal data to the database; send any data to external servers; use cookies. Once you activate this plugin, the hCaptcha-answering user’s IP address and browser data may be sent to the hCaptcha service on pages where you have activated hCaptcha protection. However, hCaptcha is designed to minimize data used, process it very close to the user, and rapidly discard it after analysis. For more details, please see the hCaptcha privacy policy at: hCaptcha.com If you enable the optional plugin-local statistics feature, the following additional data will be recorded in your database: counts of challenge verifications per form only if you enable this optional feature: the IP address challenged on each form only if you enable this optional feature: the User Agent challenged on each form We recommend leaving IP and User Agent recording off, which will make these statistics fully anonymous. You can collect data anonymously but still distinguish sources. The hashed IP address and User Agent will be saved. If this feature is enabled, anonymized statistics on your plugin configuration, not including any end user data, will also be sent to us. This lets us see which modules and features are being used and prioritize development for them accordingly. Plugins, Themes, and Forms Supported WordPress Login, Register, Lost Password, Comment, and Post/Page Password Forms ACF Extended Form Affiliates Login and Register Forms Asgaros Forum New Topic and Reply Form Avada standard and multistep Forms Back In Stock Notifier Form bbPress New Topic, Reply, Login, Register, and Lost Password Forms Beaver Builder Contact and Login Forms Blocksy Companion Newsletter Subscribe, Waitlist, and Product Review Forms BuddyPress — Create Group and Registration Forms Classified Listing Contact, Login, Lost Password, and Listing Register Forms CoBlocks Form Colorlib Customizer Login, Lost Password, and Customizer Register Forms Contact Form 7 Cookies and Content Security Policy Customer Reviews for WooCommerce Review and Q&A Forms Divi Comment, Contact, Email Optin, and Login Forms Divi Builder Comment, Contact, Email Optin, and Login Forms Download Manager Form Droit Dark Mode Easy Digital Downloads Checkout, Login, Lost Password, and Register Forms Elementor Pro Form and Login Form Essential Addons for Elementor Login and Register Forms Essential Blocks Form Events Manager Booking Form Extra Comment, Contact, Email Optin, and Login Forms Fluent Forms, including Conversational, Multi-Step, and Login Forms Forminator Forms Formidable Forms GiveWP Form Gravity Forms Gravity Perks Nested Forms Icegram Express Form Jetpack Forms Kadence Form and Advanced Form LearnDash Login, Lost Password, and Register Forms Login/Signup Popup Login and Register Forms Mailchimp for WP Form MailPoet Form Maintenance Login Form MemberPress Login and Register Forms Ninja Forms Otter Blocks Forms Paid Memberships Pro Checkout and Login Forms Passster Protection Form Password Protected Form Profile Builder Login, Recover Password, and Register Forms Really Simple CAPTCHA Quform Forms Sendinblue Form Simple Download Monitor Form Simple Membership Login, Lost Password, and Register Forms Simple Basic Contact Form Spectra — WordPress Gutenberg Blocks Form Subscriber Form Support Candy New Ticket Form Theme My Login — Login, Lost Password, and Register Form Tutor LMS — Checkout, Login, Lost Password, and Register Form Ultimate Addons for Elementor Login and Register Forms Ultimate Member Login, Lost Password, and Member Register Forms UsersWP Forgot Password, Login, and Register Forms WooCommerce Login, Registration, Lost Password, Checkout, and Order Tracking Forms WooCommerce Germanized Return Request Form WooCommerce Wishlist Form Wordfence Security Login Form Wordfence Login Security Login Form WP Dark Mode WP Job Openings Form WPForms Form wpDiscuz Comment and Support Forms wpForo New Topic and Reply Forms Please note NOTE: This is a community-developed plugin. Your PRs are welcome. For feature requests and issue reports, please open a pull request. We also suggest emailing the authors of plugins you’d like to support hCaptcha: it will usually take them only an hour or two to add native support. This will simplify your use of hCaptcha and is the best solution in the long run. You may use native hCaptcha support if available for your plugin. Please check with your plugin author if native support is not yet available. However, the hCaptcha plugin provides a broader set of options and features so that you can use it with any form on your site. Instructions for popular native integrations are below: WPForms native integration: instructions to enable hCaptcha