🤖 Bot Detector
Intelligent bot detection with 143+ signatures, behavioral scoring, and Cloudflare-style management. Includes a built-in Robots.txt editor with templates for blocking AI crawlers and scrapers. See exactly who's crawling your site and take control.
See It in Action
Explore the admin interface — click any screenshot to zoom
What This Solves
Bad bots consume bandwidth, scrape content, test credentials, and inflate analytics. Most WordPress sites have no way to distinguish legitimate crawlers from scrapers, AI trainers, and vulnerability scanners. Bot Detector uses signature matching, behavioral scoring, and rDNS verification to identify and manage bot traffic.
Who This Module Is For
Sites Losing Bandwidth to Scrapers
Scrapers and AI training crawlers can consume more bandwidth than real visitors. Signature-based detection identifies and blocks them before they inflate your hosting bill.
WooCommerce Stores Targeted by Price Scrapers
Competitors use bots to monitor your pricing in real time. Bot Detector catches scraping tools by their behavioral patterns and shuts them down without affecting real shoppers.
Publishers Protecting Content
Your original content has value. Block the automated tools that copy your articles, steal your images, and republish your work without permission.
Key Features
143+ Bot Signatures
Comprehensive signature database covering scrapers, AI training crawlers, vulnerability scanners, SEO tools, headless browsers, and spam bots. Updated regularly.
Behavioral Scoring
Each visitor gets a 0-100 suspicion score calculated from request headers, rate patterns, 404 frequency, missing assets, and request sequencing.
rDNS Verification
Confirms that Googlebot, Bingbot, and other legitimate crawlers are genuine by performing reverse DNS lookups and forward verification against known netblocks.
Cloudflare-Style Controls
Inline action controls per bot signature: Block, Challenge, Allow, or Monitor. Manage every signature from a single table view with bulk actions.
JS Challenge
Lightweight JavaScript challenge page for suspicious traffic. Legitimate browsers solve it automatically in under a second; headless bots and simple scripts fail.
Good Bot Management
Separate controls for search engine crawlers, social media bots, uptime monitors, and feed readers. Allow good bots while blocking the rest.
How Bot Detection Works
The Bot Detector uses a layered approach: first matching the User-Agent against known signatures, then running behavioral analysis, and finally performing rDNS verification for bots that claim to be from known search engines.
Behavioral Scoring Signals
The scoring engine evaluates multiple signals to determine how suspicious a visitor is:
- Request rate — high request frequency without human-like gaps
- 404 patterns — repeated probing for common vulnerability paths
- Missing assets — real browsers load CSS, JS, and images; bots often don't
- Header analysis — missing or inconsistent Accept, Accept-Language, Accept-Encoding headers
- Request sequencing — jumping directly to deep URLs without visiting the homepage
- Cookie handling — inability to store and return cookies across requests
- TLS fingerprint — mismatches between claimed browser and actual TLS handshake characteristics
Signature Format
Each signature includes:
- Name — human-readable identifier (e.g., "AhrefsBot", "GPTBot")
- Pattern — regex matched against User-Agent string
- Category — scraper, AI crawler, vulnerability scanner, SEO tool, etc.
- Default action — the recommended action (block, challenge, allow, monitor)
- Description — what the bot does and who operates it
You can override the default action for any signature, and your custom actions persist across signature updates.
rDNS Verification
When a visitor claims to be Googlebot, Bingbot, or another known crawler, the Bot Detector performs a two-step verification process. First, it does a reverse DNS lookup on the visitor's IP address to get the hostname. Then it performs a forward DNS lookup on that hostname to confirm it resolves back to the same IP.
For Google, the hostname must end in .googlebot.com or .google.com. For Bing, it must end in .search.msn.com. Visitors that fail verification are flagged as impersonators and can be automatically blocked or challenged.
Why Upgrade Bot Detector to Pro
Free blocks known bots with 143 signatures. Pro adds 500+ signatures updated daily — catching new scrapers, AI crawlers, and attack tools that basic signatures miss. Trend reports show how bot traffic changes over time, critical for content sites and WooCommerce stores losing revenue to price scrapers. See this data in your cloud dashboard — alongside all your other sites.
Free vs Pro vs Max
Free blocks bots with 143 signatures. Pro adds 500+ daily-updated signatures, longer analytics history, and trend reports for scraper-heavy sites.
| Feature | Free | Pro | Max |
|---|---|---|---|
| Bot signatures | View Only | 500+ (daily updates) | 500+ (daily updates) |
| Behavioral scoring | View Only | ✓ | ✓ |
| rDNS verification | View Only | ✓ | ✓ |
| Challenge pages | View Only | ✓ | ✓ |
| Bot analytics history | View Only | 14 days | 30 days |
| PDF bot reports | ✗ | ✓ Standard | ✓ White-label |
| Team members | 1 | 5 | 20 |
| White-label branding | ✗ | ✗ | ✓ |
| API access | ✗ | ✗ | ✓ |
| Notifications | Email + Slack + webhook | Email + Slack + webhook + SMS | |
| Support | Community | 48h email | Priority email (24h) |
| $0 forever | $89/yr $7.42/mo billed annually $9.90/mo billed monthly | $169/yr $14.08/mo billed annually $18.90/mo billed monthly | |
| Start for Free No credit card required | Start Free Trial No credit card required | Start Free Trial No credit card required |
This is just 1 of 14 security modules. Every plan includes all modules — firewall, scanner, bot detection, uptime monitoring, and more. See full plan comparison →
Ready to Control Bot Traffic?
Install Bot Detector from the WordPress plugin directory and see exactly who's visiting your site.
Get Started Free See All Plans →