
General Settings
Bot Lockout is a security plugin that implements a lightweight cryptographic challenge system to distinguish real browsers from automated bots. Unlike traditional CAPTCHA systems, it asks nothing of the visitor: the browser's JavaScript computes a SHA-256 hash and stores the result as a cookie, a step that a real browser performs automatically but that bots which do not execute JavaScript never complete.
Key Features
- Lightweight Protection: Uses minimal resources and doesn’t impact site performance
- Cryptographic Challenges: SHA-256 hashing with date and user agent binding
- Smart Whitelisting: Allow trusted bots (Google, Bing, etc.) and IP addresses
- Flexible Configuration: Exclude specific pages and customize block messages
- Comprehensive Logging: Track blocked attempts for analysis
- Custom Styling: Add custom CSS to match your site’s design
- Daily Token Expiration: Prevents long-term bypass attempts
How It Works
- Initial Request: When a visitor requests a page, the plugin checks whether the request carries a valid challenge token cookie
- JavaScript Challenge: If no valid token is present, the page served contains the cryptographic challenge instead of the requested content
- Token Generation: The challenge script combines the current date with the browser's user agent string and computes a SHA-256 hash of the result
- Secure Storage: The hash is base64 encoded, truncated, and stored as a cookie with secure cookie attributes
- Validation: On subsequent requests the cookie token is checked against the value expected for the current date and the request's user agent; a mismatch sends the client back to the challenge
Security Features
- Standard Hash Function: Tokens are derived with SHA-256
- Time-Bound: Tokens expire daily to prevent long-term bypass
- Browser-Specific: A token is bound to the user agent string it was derived from and is not accepted from a client that sends a different user agent
- Secure Cookies: The token cookie is set with secure cookie attributes
- Whitelist Support: Allow trusted services and IP addresses
Multi-Site Support
Bot Lockout supports WordPress Multi-Site installations with both network-wide and site-specific configurations:
- Network Activation: Apply settings to all sites in the network
- Site-Specific Activation: Independent settings for each site
- Mixed Configuration: Network-wide defaults with site-specific overrides
Security Advisory
Bot Lockout is one layer in a broader security strategy, not a silver bullet.
While Bot Lockout is designed to deter automated bots and AI scrapers through cryptographic JavaScript challenges, no single solution can offer complete protection. Web scraping technologies continue to evolve, and determined actors may find ways to bypass front-end defenses. In particular, a scraper that drives a headless browser executes the challenge like any other browser, and since the token is derived from the date and the user agent, both of which the client knows or controls, a client that reimplements the scheme can produce a valid token without loading the challenge page unless a server-side secret is mixed into the hash.
This plugin should be used as part of a multi-layered approach to website security. For best results, we recommend combining Bot Lockout with additional tools such as server-level firewalls, rate limiting, CAPTCHA systems, behavior-based threat detection, and CDN-level bot mitigation.
Kognetiks makes no guarantee that this plugin will block all unwanted bot traffic. It is intended as a proactive, lightweight defense mechanism—not a comprehensive security system. Users are responsible for evaluating their own threat model and deploying appropriate complementary protections.
Support
For support, please visit the WordPress.org support forums or check the plugin documentation.
Credits
Developer: Kognetiks
This plugin is licensed under the GPL v3 or later.