EDH Bad Bots
EDH Bad Bots is an intelligent bot detection and blocking system that protects your WordPress site from unwanted crawlers and malicious bots. Unlike traditional blocking methods that rely on user agent strings (which can be easily spoofed), this plugin uses a honeypot technique to identify and block bots that don’t respect your site’s robots.txt directives. Key Features Automatic Bot Detection: Identifies bad bots using a hidden trap URL technique Smart Blocking System: Blocks misbehaving bots with configurable duration (default 30 days) Advanced DNS Resolution: PTR record lookups with DNS over HTTPS (DoH) support for hostname identification Dual-Level Blocking: Server-level .htaccess blocking AND PHP-level blocking for maximum effectiveness Configurable Blocking Methods: Choose between .htaccess blocking (Apache) or PHP-only blocking (Nginx compatible) IP Whitelist Management: Protect trusted IPs from ever being blocked Enhanced Admin Interface: Clean dashboard with hostname display, manual hostname updates, and debug tools Background Processing: Automated hostname resolution via WordPress cron jobs Legitimate Crawler Protection: Synchronous FCrDNS verification prevents Googlebot and similar crawlers from being blocked, even if robots.txt is misconfigured robots.txt Health Check: Daily cron monitors for a physical robots.txt missing the trap Disallow rule and alerts the admin Database Optimization: Automatic cleanup of expired blocks to maintain performance Security-First Design: All forms include proper nonce verification and user capability checks How It Works The plugin implements a sophisticated honeypot system: Trap URL Generation: Creates a unique, hidden URL specific to your domain Robots.txt Integration: Automatically adds a Disallow rule for the trap URL Hidden Link Placement: Places an invisible link to the trap URL in your site’s footer Bot Detection: When bad bots ignore robots.txt and follow the hidden link, they’re identified Automatic Blocking: Detected bot IPs are blocked with configurable duration and immediate effect Hostname Resolution: PTR record lookups identify the hostname/organization behind blocked IPs Legitimate Crawler Guard: If a request to the trap URL carries a Googlebot, Bingbot, or similar User-Agent, FCrDNS is run synchronously before any block decision. Verified crawlers are whitelisted on the spot; spoofed UAs are blocked normally. robots.txt Health Check: A daily cron fetches and validates the site’s robots.txt. If a physical file is missing the Disallow rule, an admin notice is shown until the issue is resolved. Configuration Admin Dashboard Access the plugin dashboard at Tools > Bad Bots in your WordPress admin: Whitelisted IPs Tab Add IP addresses that should never be blocked Remove IPs from the whitelist View all currently whitelisted addresses with timestamps Blocked Bots Tab View all currently blocked IP addresses with hostnames See when each IP was blocked and when the block expires Manually update missing hostnames for better identification Force refresh all hostnames to clear cache and re-resolve Debug hostname resolution issues (when WP_DEBUG is enabled) Manually unblock IPs if needed Options Tab .htaccess Blocking: Enable/disable server-level IP blocking via .htaccess file Block Duration: Configure how many days to block detected bots Configure blocking method based on your server setup (Apache vs Nginx) Server-level blocking bypasses caching for immediate effect Help Tab Detailed explanation of how the plugin works Best practices for managing IPs Information about .htaccess blocking options Unique trap URL for caching plugin exclusion Requirements WordPress 6.2 or higher PHP 7.4 or higher MySQL 5.6 or higher Apache server (for .htaccess blocking) or Nginx (PHP-only blocking) Writable .htaccess file (if using Apache server-level blocking) Technical Details Database Tables The plugin creates two custom database tables: wp_edhbb_blocked_bots: Stores blocked IP addresses with expiration dates and hostnames wp_edhbb_whitelisted_ips: Stores permanently whitelisted IP addresses DNS Resolution System The plugin includes an advanced DNS lookup system: DNS over HTTPS (DoH) Support Primary providers: Cloudflare DNS, Google DNS Secure queries: HTTPS-encrypted DNS requests for enhanced privacy Fallback system: Automatic fallback to traditional DNS methods PTR Record Lookups Reverse DNS: Converts IP addresses to hostnames for better identification IPv4 and IPv6 support: Full support for both IP versions Caching: Results cached for 1 hour to improve performance Background processing: Automated hostname resolution via WordPress cron Blocking Methods The plugin offers two blocking approaches: 1. Server-Level Blocking (.htaccess) Default method for Apache servers Blocks IPs at the server level before WordPress loads Bypasses caching plugins for immediate effect More efficient and faster blocking Automatically manages .htaccess file with unique markers Safe cleanup on plugin deactivation 2. PHP-Level Blocking Alternative method for Nginx or when .htaccess is unavailable Blocks IPs during WordPress initialization Compatible with all web servers May be affected by caching plugins No server configuration files modified Security Features Nonce Verification: All forms use WordPress nonces for CSRF protection Capability Checks: Only users with manage_options capability can access admin features Input Sanitization: All user inputs are properly sanitized and validated SQL Injection Protection: All database queries use prepared statements Safe .htaccess Management: Uses unique markers and automatic cleanup Performance Optimization Automatic Cleanup: Expired blocks are automatically removed from the database Efficient Queries: Database operations are optimized for minimal performance impact Smart Loading: Admin assets only load on the plugin’s admin page Server-Level Blocking: .htaccess blocking prevents blocked requests from reaching PHP Whitelist Filtering: Whitelisted IPs are excluded from .htaccess rules automatically DNS Caching: Hostname lookups cached to reduce DNS query overhead Background Processing: Hostname resolution runs in background to avoid delays API Hooks Actions plugins_loaded: Plugin initialization init: Early request blocking check template_redirect: Bot trap detection wp_footer: Hidden link injection admin_menu: Admin page registration admin_notices: robots.txt misconfiguration warning edhbb_update_hostnames_cron: Background hostname resolution (hourly) edhbb_check_robots_txt_cron: robots.txt Disallow validation (daily) Filters robots_txt: Adds disallow rule to robots.txt edhbb_trusted_crawler_domains: Customise the FCrDNS hostname suffixes used to identify legitimate crawlers (e.g. .googlebot.com) edhbb_trusted_crawler_ua_patterns: Customise the User-Agent tokens that trigger a synchronous FCrDNS check on trap hits (e.g. googlebot, bingbot) File Structure ` edh-bad-bots/ ├── admin/ │ └── views/ │ └── admin-display.php # Admin interface HTML ├── assets/ │ ├── css/ │ │ └── admin-style.css # Admin page styling │ └── js/ │ └── admin-script.js # Admin page JavaScript ├── includes/ │ ├── class-edhbb-admin.php # Admin functionality │ ├── class-edhbb-blocker.php # Bot detection and blocking │ ├── class-edhbb-database.php # Database operations │ └── class-edhbb-dnslookup.php # DNS/PTR lookup system ├── edh-bad-bots.php # Main plugin file ├── LICENSE └── readme.txt ` Contributing Contributions are welcome! Please feel free to submit a Pull Request. Development Setup Clone the repository to your WordPress plugins directory Ensure you have a WordPress development environment running Activate the plugin and test your changes License This project is licensed under the GPL v3 or later. Author EncodeDotHost – Website: https://encode.host – GitHub: @EncodeDotHost Support For support, please visit the support forum: https://wordpress.org/support/plugin/edh-bad-bots/
Top keywords
- blocking27×2.43%
- admin16×1.44%
- txt14×1.26%
- dns13×1.17%
- htaccess13×1.17%
- robots13×1.17%
- robots txt13×1.17%
- blocked12×1.08%
- hostname12×1.08%
- ips11×0.99%
- wordpress11×0.99%
- bots10×0.90%
VPN Guard – Block VPN, Proxy, Bots & Anonymous Visitors
VPN Guard is the ultimate freemium WordPress plugin to help you block VPNs, proxies, and other anonymizing networks frequently leveraged by unwanted bots and suspicious traffic in real-time — no subscription required. It uses the powerful vpnapi.io engine to scan visitors’ IP addresses and instantly block connections flagged as VPN, Proxy, Tor, or Relay—and your free account includes 1,000 API requests per day! This helps protect your site from various threats that hide behind these anonymization layers. And here’s the game-changer: YOU decide the battlefield! Want to shield your entire site? Done. Need to protect just your login page, WooCommerce checkout, specific posts, or even the entire /wp-admin/ area? VPN Guard gives you pinpoint control with its advanced targeting rules. > 💡 Premium-grade features, no premium price. Unlock serious protection with granular control, without spending a dime. ✅ Features You’ll Love ✨ NEW! Block Page Preview & Test Tab – See exactly what your blocked users see and get tips for testing your setup! 🎯 NEW! LASER-FOCUSED TARGETING! – Why block everything when you can block SMARTER? Full Site Protection: Shield your entire WordPress site with one click. Specific Areas Only: Create custom rules to protect: – Individual Post / Page ID(s) – Entire Post Types (e.g., all “products”, all “articles”, or your custom post types) – URLs based on Contains, Starts With, or Exact Match – Critical WooCommerce Pages (Cart, Checkout, My Account) – Essential WordPress Pages (Login Page, Registration Page) – The entire WordPress Admin Area (/wp-admin/) 🔍 VPN & Proxy Detection – Block anonymized traffic (VPN, Proxy, Tor, Relay) using trusted IP intelligence. Enhanced IP validation logic. 🛡️ Mitigate Unwanted Traffic – Helps reduce access from scrapers and unwanted bots that often operate through the types of anonymizing networks detected by the API. 🔐 WordPress Login Security – Harden your admin and login endpoints (now even more precise with targeting!) 🛒 WooCommerce Checkout Protection – Reduce fraud and suspicious orders by blocking high-risk anonymized connections. 🧠 Smart Role Bypasses – Let trusted roles skip blocking rules. ⏰ Scheduled Blocking – Only apply blocking rules at certain hours or days. Improved scheduler logic. 📋 View Blocked Logs – Review recent blocked IPs, URLs, and detection reasons. User Agent and Referer now included in CSV export. 📤 Export to CSV – One-click export for audit logs or compliance. Log export functionality restored and improved. ✅ IP Whitelist – Allow specific IPs even if flagged by the detection service. – 🛡️ Admin Panel Status Notice – Optional notice in your dashboard, with refined styling and more robust status display. 🧠 Ideal For Bloggers looking to protect login and admin access with precision. WooCommerce stores wanting to secure checkout or specific product categories from risky traffic. Membership sites and online courses needing to protect premium content areas. Publishers battling fake traffic or content scrapers on high-value articles or sections. Any WordPress site that needs smarter, targeted access control against anonymized and potentially malicious traffic. 🚀 Why Choose VPN Guard? While other security or VPN-blocking plugins lock core features or charge extra for flexibility, VPN Guard gives you true freemium access with unparalleled control: ✅ 100% free with generous API usage for detecting VPNs, Proxies, Tor, and Relays. 🎯 Powerful targeting rules at no extra cost! 🔓 Key features without nagging upsells. 📈 Designed for performance, speed, and SEO safety. Enhanced stability and security in the latest update. > 💥 Use it standalone or alongside other security tools like Wordfence, iThemes Security, All In One WP Security, and more! VPN Guard’s targeting complements them perfectly. 🔌 Integrations & Compatibility ✅ Fully compatible with WooCommerce (target cart, checkout, account pages) ✅ Works with popular caching plugins ✅ Integrates with any WordPress theme or builder ✅ Safe for use with CDNs and Cloudflare 📦 API Details VPN Guard uses vpnapi.io — a modern and reliable IP intelligence service. The API response includes flags for: – VPN: Is the IP a VPN? – Proxy: Is the IP a Proxy? – Tor: Is the IP a Tor exit node? – Relay: Is the IP part of a relay network? (The API may also provide a “hosting” flag indicating a datacenter/hosting IP, which contributes to identifying non-residential traffic, though VPN Guard’s primary blocking is based on the above explicit flags). 🆓 Free plan includes 1,000 requests per day 🚀 Easy upgrade options available (no commitment) 🔐 GDPR compliant, fast response times, and global coverage You’ll be prompted to add your free API key inside the plugin settings. 💬 Support Got questions or feature requests? Reach out from the plugin’s built-in feedback form or at https://vpndeals.com/wordpress-plugins/vpn-guard/ External Services This plugin utilizes the vpnapi.io service to perform real-time IP address analysis. This is essential for the plugin’s core functionality of detecting and blocking traffic from VPNs, proxies, Tor networks, and relays. Service Provider: vpnapi.io Purpose: To identify the nature of a visitor’s IP address (VPN, proxy, Tor, relay) to enable blocking or restriction based on your plugin settings, thereby enhancing website security and integrity. Data Sent: When a visitor accesses a page or area of your site that is actively protected by VPN Guard (and the result for their IP is not already cached locally or if the IP is not whitelisted), the visitor’s IP address is sent to the vpnapi.io service for analysis. Service Terms of Use: https://vpnapi.io/terms Service Privacy Policy: https://vpnapi.io/privacy Privacy Considerations VPN Guard is designed with user and site visitor privacy in mind. Here’s how we handle data: Visitor IP Addresses: To protect your site, VPN Guard processes the IP addresses of your site visitors. As detailed in the “External Services” section, visitor IP addresses may be sent to the vpnapi.io service for analysis. Data Logging: If a visitor’s IP address is blocked, VPN Guard will store the following information in your local WordPress database: the visitor’s IP address, the date and time of the block, the detection reason (e.g., “VPN”), the URL the visitor attempted to access, their browser user agent, and the HTTP referer. This data is for your security logging and review purposes. You have an option in the plugin settings to delete all plugin data, including these logs, upon uninstallation. Cookies: VPN Guard’s core IP blocking functionality does not set any cookies on your website visitors’ browsers. Site Administrator Data (Feedback Form): If you choose to send feedback to us via the plugin’s built-in feedback form, it will include your WordPress admin email, site URL, and technical details (plugin version, WP version, PHP version) to help us provide support. This is explicitly stated on the feedback form itself. * Your Website’s Privacy Policy: We recommend that you update your website’s privacy policy to inform your users about the data processing activities performed by VPN Guard, including the use of the vpnapi.io service and the local logging of blocked IP addresses.