Bot Detector
User-Agent signature matching with behavioral scoring, rDNS verification, and Cloudflare-style inline action controls.
How It Works
The Bot Detector plugin operates at the WordPress level, inspecting every request before it reaches your content. It uses three detection methods in combination:
- Signature matching — Checks the User-Agent against 143+ known bot patterns
- Behavioral scoring — Assigns a suspicion score (0–100) based on request behavior
- rDNS verification — Confirms legitimate bots by verifying their source IP against expected domains
Signature Database
The plugin ships with 143+ bot signatures organized by category:
| Category | Examples | Default Action |
|---|---|---|
| SEO Crawlers | AhrefsBot, SemrushBot, MJ12bot, DotBot | Block |
| Scrapers | HTTrack, Wget, curl, Go-http-client | Monitor |
| Search Engines | Googlebot, Bingbot, YandexBot | Allow |
| Social Media | Twitterbot, facebookexternalhit, LinkedInBot | Allow |
| AI Crawlers | GPTBot, Claude-Web, Bytespider, CCBot | Block |
| Vulnerability Scanners | Nikto, sqlmap, WPScan, Nessus | Block |
| Spam Bots | Known spam User-Agent patterns | Block |
Inline Action Switching
Each signature row in the dashboard has a Cloudflare-style action dropdown that lets you change the response for that bot instantly:
| Action | Behavior |
|---|---|
| Block | Returns a 403 Forbidden response immediately |
| Challenge | Displays a JavaScript challenge page. Real browsers pass; simple bots fail. |
| Monitor | Allows the request but logs it for review |
| Allow | Permits the request without logging |
Action changes take effect immediately without any page reload or cache clearing.
Behavioral Scoring
Beyond signature matching, the plugin tracks behavioral signals to identify bots that use custom or rotating User-Agent strings:
| Signal | Score Impact |
|---|---|
| No JavaScript execution | +25 |
| No CSS/image loading | +15 |
| Abnormally fast page requests | +20 |
| Sequential page crawling pattern | +15 |
| Missing or forged headers | +10 |
| Known datacenter IP range | +15 |
IPs exceeding a configurable score threshold (default: 70) are automatically blocked or challenged.
rDNS Verification
When a request claims to be from a known search engine, the plugin verifies the claim:
- Reverse DNS lookup on the source IP
- Check the hostname matches the expected domain (e.g., *.googlebot.com)
- Forward DNS lookup to confirm the hostname resolves back to the source IP
Bots that fail verification are marked as impostors and blocked. Verified bots are always allowed.
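The three-step check above, as an added stand-alone Python example (not the plugin's own PHP code): the expected-domain map and the DNS answers are constructed for the offline demo, and the two lookups are injectable so a live check uses the same logic with real resolvers.

```python
import socket

# Mapping from a User-Agent token to the rDNS domains it must resolve under.
# Constructed for this example; the page itself names only *.googlebot.com.
EXPECTED_DOMAINS = {
    "Googlebot": ("googlebot.com", "google.com"),
}

def host_in_domain(hostname, domain):
    """Match on a label boundary: 'googlebot.com.evil.example' must not pass."""
    h, d = hostname.rstrip(".").lower(), domain.rstrip(".").lower()
    return h == d or h.endswith("." + d)

def reverse_lookup(ip):
    """Step 1: PTR lookup of the source IP (None when there is no record)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(hostname):
    """Step 3: A/AAAA lookup of the PTR hostname, returned as a set of IP strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def verify_search_engine(ip, user_agent, rdns=reverse_lookup, fdns=forward_lookup):
    """Return (verdict, reason); verdict is 'verified', 'impostor' or 'unknown'."""
    token = next((t for t in EXPECTED_DOMAINS if t.lower() in user_agent.lower()), None)
    if token is None:
        return "unknown", "UA does not claim to be a known search engine"
    hostname = rdns(ip)
    if hostname is None:
        return "impostor", "no PTR record for source IP"
    if not any(host_in_domain(hostname, d) for d in EXPECTED_DOMAINS[token]):
        return "impostor", f"PTR {hostname} is outside the expected domains"
    if ip not in fdns(hostname):  # a PTR record can claim any name; forward DNS must agree
        return "impostor", f"forward lookup of {hostname} does not return {ip}"
    return "verified", f"{hostname} confirmed by forward DNS"

# Constructed DNS answers (TEST-NET addresses, not real records) so the demo runs offline.
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",  # genuine crawler
            "192.0.2.20": "googlebot.com.attacker.example",  # lookalike domain
            "192.0.2.30": "crawl-192-0-2-10.googlebot.com"}  # spoofed PTR, wrong forward
FAKE_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
          "googlebot.com.attacker.example": {"192.0.2.20"}}

def demo():
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    return {ip: verify_search_engine(ip, ua, FAKE_PTR.get, lambda h: FAKE_A.get(h, set()))[0]
            for ip in FAKE_PTR}
```

Only the first address is verified; the lookalike fails the label-boundary check and the spoofed PTR fails the forward step, which is why the third lookup is not optional.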
Allowlist
Maintain a list of User-Agent patterns or IPs that should always be allowed, regardless of signature matches or behavioral scores:
- IP allowlist — Add specific IPs or CIDR ranges
- UA allowlist — Add User-Agent substrings or regex patterns
- Path exclusions — Skip bot detection for specific URL paths (e.g., API endpoints)
Dashboard
The Bot Detector dashboard at VistoShield → Bot Detector shows:
- Real-time bot traffic chart (last 24 hours / 7 days / 30 days)
- Top detected bots with hit counts and actions
- Signature list with inline action controls
- Recent detection log with IP, UA, action, and timestamp