BotBlocker Security – Firewall & Bot Protection
BotBlocker Security blocks 99% of automated attacks before WordPress even loads. No bloat, no slowdowns, no monthly fees for core protection. If your site is hit by login brute force, spam comments, fake Googlebots, content scrapers, or XML-RPC floods, you are not alone: bots generate over 47% of all web traffic. Most security plugins react after WordPress boots, wasting CPU and memory on every bad request. BotBlocker stops them at the door. Why site owners switch to BotBlocker Faster than the competition. Runs on early init through three interception layers, before themes and plugins load. Server load drops during attacks instead of spiking. Smarter CAPTCHA. 9 modes including Silent Auto-Verify – zero clicks for humans, hard wall for bots. Proprietary CAPTCHAs defeat AI-based solvers that crack reCAPTCHA for $2-3 per 1 000. Honest free version. Full firewall, all 9 CAPTCHA modes, full 2FA, full logging, full Multisite support. No nag screens, no crippled features. Privacy-first. No visitor data leaves your server. GDPR and CCPA compliant out of the box. Works with everything. Cloudflare, WP Rocket, LiteSpeed, WooCommerce, Elementor, multisite, IPv6, PHP 7.4 to 8.5. 🛡️ Core Firewall (Free) Three-Layer Architecture – intercepts traffic at wp-config.php (before WordPress), MU-plugin phase, and main shield. The first layer blocks known threats without loading WordPress at all, saving 30-100ms and 5-20MB RAM per blocked request. Web Application Firewall (WAF) with real-time rule updates via the BotBlocker Threat Defense Feed 2 899 User-Agent signatures – largest blacklist among WordPress plugins – covering Scrapy, Selenium, Puppeteer, PhantomJS, curl, wget, Python, Java, Perl, and SQL injection tools Brute force protection with progressive lockouts – 5 attempts per 15 minutes, escalating bans for repeat offenders Anti-spam for comments, registration, contact forms – spammers blocked before they connect XML-RPC and REST API locked down by default with allowlist for trusted services Fake crawler detection via FCrDNS (dual-direction DNS verification), ASN tokens, and published IP ranges – 95% effective, impossible to spoof without controlling the provider’s DNS zone LLM / AI crawler management – allow or block GPTBot, ChatGPT-User, ClaudeBot, PerplexityBot, Bytespider via CIDR-verified IP ranges. Trusted crawlers verified, impersonators blocked. Country, ASN, IP range, User-Agent, Referer blocking rules with instant enforcement Cloudflare-aware real-IP resolution and origin bypass protection Full IPv6 support – separate tables and logic for IPv4 and IPv6, every feature works with both Live traffic monitor with attack map, country, ASN, device, browser, and exact block reason for every request Built-in caching via Redis and Memcached – free, auto-disable on connection failure 🔒 Login Security & 2FA (Free) Two-Factor Authentication compatible with Google Authenticator, Authy, 1Password, Bitwarden – TOTP standard with 10 backup codes 9 CAPTCHA modes: Silent Auto-Verify, Single Button, Color CAPTCHA, Images CAPTCHA, Shapes CAPTCHA (60fps Canvas), Digits CAPTCHA, Hold Button CAPTCHA, plus Google reCAPTCHA v2 and v3 Hybrid Mode – combine any internal CAPTCHA with reCAPTCHA v3 for two-layer invisible defense Hide login URL (PRO) Configurable lockout durations with escalation for repeat offenders – failed CAPTCHA triggers short ban, repeated failure triggers 24-hour ban 💳 Payment Gateway Bypass (Free) Auto-detects 25+ e-commerce platforms (WooCommerce, Easy Digital Downloads, SureCart, MemberPress, Paid Memberships Pro, Give, Dokan, CartFlows, FunnelKit, and more) and 150+ payment providers (Stripe, PayPal, Mollie, Adyen, Braintree, Square, Razorpay, Klarna, Paddle, Authorize.Net, 2Checkout, YooKassa, LiqPay, and more). Webhooks, IPN callbacks, and payment notifications never get blocked. Four detection layers ensure zero false positives on payment traffic. 📊 Visibility & Control (Free) Visual dashboard with attack map, top offenders, blocked-vs-allowed ratio, world traffic map Detailed event log with IP, country, ASN, User-Agent, and exact block reason – 54 unique event codes Health Score gauge – 42 parameters across 3 categories, 5 security levels from Critical to Secure 3 security presets – Light, Strong, Full – one-click configuration Setup Wizard – 8 steps from welcome to test attack, setup in under 5 minutes 8 interface languages – English, Deutsch, Español, Français, Polski, Русский, Українська + POT template Configurable retention with timezone and DST awareness Clean uninstall – drops all 16 tables, removes 40+ options, clears cron hooks. Zero leftover data. 🚀 PRO Adds (Premium / Pro / Ultimate) Real-time cloud threat intelligence cross-checked against global databases – 5M+ attack IPs, hundreds of thousands of bot signatures, updated daily Zero-day behavioral and heuristic detection – catches unknown attack patterns before signatures exist VPN, Tor, proxy, ASN, and hosting reputation checks Early Init Mode – filtering before WordPress Core loads, maximum resource savings during attacks Hide Login URL addon – custom admin URL, hardened wp-login.php protection Security Headers addon – HSTS, CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy, X-Content-Type-Options Speed Up WordPress addon – 14 frontend and server optimizations Malware Scanner addon – 25 patterns scanning files + 7 database tables, detects webshells, eval injections, base64-obfuscated code hidden in wp_options and post_content Priority support – 24-hour response time Four plans to match your traffic: Premium ($12/month, 25k cloud checks), Pro ($50/month, 100k cloud checks), Ultimate ($100/month, 250k cloud checks + emergency 24h support). Annual billing includes 1 month free. 30-day refund policy. Licensed per domain, billed securely via Freemius. Compare plans → ⚡ Performance & Compatibility Zero database queries for returning visitors – 9 runtime PHP files with SHA-256 integrity signatures, loaded via include Measured overhead: +3-15ms TTFB for cached visitors, +50-200ms for first-time PTR lookups, +2-4MB memory Redis and Memcached support – free, auto-disables gracefully on connection failure Cache plugin compatibility – automatic DONOTCACHEPAGE and Cache-Control: no-store on verification pages. Works with WP Super Cache, W3 Total Cache, WP Rocket, LiteSpeed Cache, Hummingbird, WP Fastest Cache, Cache Enabler CDN and WAF compatibility – Cloudflare, Sucuri, Incapsula, AWS CloudFront, Fastly, KeyCDN, StackPath. Multi-header real-IP resolution (CF-Connecting-IP, X-Forwarded-For, X-Real-IP) DDoS Protection Compatibility – automatic detection of JS-challenges from DDoS-Guard, Stormwall, Qrator. HMAC-signed AJAX responses, Circuit Breaker with automatic retry and backoff. BotBlocker is the only WordPress plugin that works correctly behind aggressive DDoS protection without manual configuration. Multisite Support – network activation, per-site data, per-site cleanup. Free on all plans. PHP 7.4 – 8.5 – tested across 7 PHP versions. WordPress 5.0 – 7.0+. Linux and Windows. GDPR and CCPA compliant – no PII collected, technical parameters only, Legitimate Interest basis (Art. 6(1)(f)) 🤝 Trusted by 3 000+ active installations Translated into 8 languages Tested up to WordPress 7.0 and PHP 8.5 Developed and maintained by GLOBUS.studio “Replaced two security plugins and a CAPTCHA plugin with one. Site is faster and the spam stopped overnight.” – WordPress.org user Privacy BotBlocker Security does not collect or process personal data of your visitors. All cloud analysis is performed on technical parameters only (IP, headers, User-Agent). No personally identifiable information is collected, stored, or transmitted to any external service. Support and Documentation Product site: https://botblocker.top/products/ Pricing and PRO plans: https://botblocker.top/pricing/ Documentation: https://botblocker.top/docs/ Contact/support: https://botblocker.top/contacts/ Community: https://botblocker.top/community/ License This plugin is licensed under the GPLv2 or later. See LICENSE.txt for details. Credits & Authors BotBlocker Security is developed and maintained by GLOBUS.studio. Concept, architecture & code – Yevhen Leonidov: https://leonidov.dev/ Code, code review – Andrii Lukashevych Code, translations – Aleksandr Kinakh BotBlocker Security – The first line of defense for your WordPress site.
Top keywords
- botblocker13×1.12%
- wordpress12×1.04%
- captcha11×0.95%
- security10×0.87%
- support8×0.69%
- php7×0.61%
- cache6×0.52%
- full6×0.52%
- https6×0.52%
- pro6×0.52%
- protection6×0.52%
- traffic6×0.52%
Web-Art Login Shield with reCAPTCHA
Web-Art Login Shield with reCAPTCHA is a focused security plugin that protects WordPress authentication, Elementor Login widgets and Elementor Forms against automated attacks. It strengthens wp-login.php, Elementor Login and Elementor Forms by integrating Google reCAPTCHA v2 verification and optional IP-based rate limiting, without replacing or modifying WordPress core authentication logic. The plugin is intentionally lightweight and transparent: – no ads – no telemetry or analytics sent to the author – no third-party dashboards provided by the plugin – no all-in-one security suite overhead All login protection modules (reCAPTCHA, Login Protect, Advanced login URL) are opt-in and disabled by default. Additionally, the plugin can apply a small XML-RPC hardening rule-set (disables a few high-risk XML-RPC methods) to reduce common abuse vectors. This does not disable XML-RPC completely. XML-RPC hardening is applied only when Login Protect is enabled and “Protect XML-RPC logins” is enabled. Each module (reCAPTCHA, Login Protect, Advanced login URL) can be enabled independently. Elementor reCAPTCHA options require reCAPTCHA to be configured and verified. Key Features reCAPTCHA v2 integration reCAPTCHA v2 checkbox for wp-login.php (when enabled and IP is not allowlisted) server-side token verification for WordPress login and Elementor Forms validation reCAPTCHA must be verified before enabling protection Elementor reCAPTCHA options automatic frontend injection for Elementor Login widgets (when enabled) optional frontend injection for Elementor Forms (Elementor Pro) (when enabled) Custom Alignment: Ability to set Left, Center, or Right alignment for reCAPTCHA in both Elementor Login and Elementor Forms directly from plugin settings. Elementor frontend scripts inject reCAPTCHA only when they detect relevant widgets/forms in the DOM (supports dynamically loaded content, popups, AJAX, etc.) Google reCAPTCHA scripts are not loaded for allowlisted IPs Whitelist IPs (reCAPTCHA) reCAPTCHA IP allowlist (allowlisted IPs bypass reCAPTCHA checks on wp-login.php, Elementor Login and Elementor Forms; Login Protect may still apply) reCAPTCHA allowlist accepts one entry per line (exact IP match only) optional note format supported: IP | reason (reason is ignored for matching) Login Protect (IP-based lockouts) failed login attempt counting per IP address timed lockouts after a configurable threshold blocked IP list (lockouts expire automatically after the configured lockout time) recent security event log (stored locally) wp-login.php lockout UX: countdown notice and temporary submit blocking during an active lockout Login Protect is independent of reCAPTCHA (can be enabled and used without reCAPTCHA enabled) three practical protection modes: MODE 1 – reCAPTCHA only MODE 2 – reCAPTCHA + Login Protect MODE 3 – Login Protect only Trusted IPs (Login Protect) separate allowlists for reCAPTCHA and Login Protect (exact IP match only) Login Protect allowlist accepts one entry per line (exact IP match only) optional note format supported: IP | reason (reason is ignored for matching) REST API and XML-RPC protection (optional) optional protection for authentication attempts via XML-RPC and REST API (applies only when the corresponding checkbox is enabled; Login Protect must be enabled) XML-RPC hardening (optional) optionally disables a small set of high-risk XML-RPC methods commonly abused by attackers: pingback.ping pingback.extensions.getPingbacks system.multicall XML-RPC hardening is applied only when Login Protect is enabled and “Protect XML-RPC logins” is enabled This reduces abuse without disabling XML-RPC entirely. Advanced login URL (optional) single toggle enables Advanced login behavior custom login endpoint (rewrites requests to the standard WordPress login handler without altering core authentication logic) when Advanced is enabled, wp-login.php and wp-admin are protected for non-authenticated visitors protection behavior is configured via two required fields: Custom login URL slug (example: “secure-login-1234”) Default redirect slug (recommended: “404” to display the active theme’s 404 page) both fields are required when Advanced is enabled (saving is blocked if any field is empty) if fields are empty when enabling Advanced, the plugin auto-generates a secure random login slug and sets the redirect slug to the recommended default protection applies only to non-authenticated users (logged-in users can still access wp-admin and wp-login.php) safe fallback handling to avoid logout loops (wp-login.php?action=logout remains accessible) IP Blocking (Site-wide) single toggle enables site-wide IP blocking permanently blocks selected IP addresses from accessing the entire site (returns HTTP 403) blocklist accepts one entry per line (exact IP match only) optional note format supported: IP | reason (reason is ignored for matching) recommended use cases: persistent abuse, scraping, hostile bots, repeated attacks not covered by login-only protection warning: do not add your own IP address unless you have alternative access (hosting panel / WP-CLI / database access) to remove the entry Technical Design Principles Fail-closed security model (scoped) If reCAPTCHA verification cannot be completed and reCAPTCHA protection is enabled for the given login or form, the request is rejected to reduce the risk of automated bypass. Administrators can always regain access by disabling the feature in plugin settings or by deactivating the plugin via hosting or FTP. Non-intrusive defaults Login protection modules remain disabled until explicitly enabled by an administrator. Conflict awareness If another plugin injects reCAPTCHA into login or form flows, it should be disabled to avoid duplicate widgets or verification conflicts. Emergency config kill-switches (wp-config.php) For recovery scenarios (e.g. accidental lockouts), selected modules can be force-disabled via wp-config.php constants. This does not bypass security rules; it disables the module logic before it runs. Remove the constant to restore normal behavior. External Services This plugin integrates with Google reCAPTCHA v2, an external service provided by Google LLC. reCAPTCHA features are disabled by default. The plugin does not load reCAPTCHA scripts or send verification requests unless an administrator enables reCAPTCHA protection and/or uses the “Verify reCAPTCHA” test in the plugin settings. Google’s reCAPTCHA JavaScript (https://www.google.com/recaptcha/api.js) may be loaded on: – wp-login.php (when reCAPTCHA is enabled and the visitor IP is not allowlisted) – the frontend (when Elementor Login protection is enabled and a non-allowlisted visitor loads the page; injection occurs only if Elementor Login widgets are detected in the DOM) – the frontend (when Elementor Forms protection is enabled and a non-allowlisted visitor loads the page; injection occurs only for Elementor Forms) – the plugin settings page only when an administrator runs the “Verify reCAPTCHA” test (if provided in the UI) When a visitor (or admin during verification) completes the reCAPTCHA challenge: – a verification token (g-recaptcha-response) is generated in the browser – during server-side verification on your website, the token and the configured Secret Key are sent to: https://www.google.com/recaptcha/api/siteverify – the visitor’s IP address is sent to Google as the remoteip parameter when it is available on the server The plugin sends the g-recaptcha-response token to Google only when the protected form is submitted (login attempt / form submission) or when an administrator runs the “Verify reCAPTCHA” test. The plugin does not send usernames, passwords, email addresses, or any form field contents to Google – only the reCAPTCHA token, the configured Secret Key, and the visitor IP address (remoteip) when available. The plugin does not store or process any data returned by Google beyond the verification result, and it does not send any telemetry, analytics, or usage data to the plugin author. Note: Google reCAPTCHA may set cookies and collect additional device and usage data in the visitor’s browser, as described in Google’s privacy policy and terms. Site owners are responsible for disclosing this in their site privacy policy and obtaining consent where required by applicable law. Google privacy policies apply: – https://policies.google.com/privacy – https://policies.google.com/terms Privacy This plugin does not send telemetry, analytics or usage data to the plugin author or any third party. Local data stored by the plugin (for security purposes only): – IP addresses related to login attempts / lockouts (Login Protect) – timestamps of failed attempts and lockouts – last username associated with a locked IP (Login Protect) – recent security event log entries (the plugin stores up to the last 30 events; entries rotate automatically) – last reCAPTCHA configuration or HTTP error (for admin diagnostics) – permanent site-wide IP blocklist entries (optional notes stored; notes are not used for matching) Data retention: – security event log keeps only the most recent entries (up to 30; automatic rotation) – Login Protect state is stored locally and is automatically pruned (e.g. stale non-locked entries are removed over time and the list is capped) – permanent site-wide IP blocklist entries are retained until removed by an administrator – plugin data can be removed during uninstall if the uninstall cleanup option is enabled All data is stored locally in the WordPress database and is used solely to enforce security rules and display administrative information. Legal reCAPTCHA is a trademark of Google LLC. Elementor is a trademark of Elementor Ltd. This plugin is not affiliated with, endorsed by, or sponsored by Google LLC or Elementor Ltd.