
EDH Bad Bots

by EncodeDotHost on WordPress.org

A smart WordPress plugin that automatically blocks malicious bots and crawlers that ignore your site's robots.txt file.

Screenshot: Allow list management

EDH Bad Bots is an intelligent bot detection and blocking system that protects your WordPress site from unwanted crawlers and malicious bots. Unlike traditional blocking methods that rely on user agent strings (which can be easily spoofed), this plugin uses a honeypot technique to identify and block bots that don’t respect your site’s robots.txt directives.

Key Features

  • Automatic Bot Detection: Identifies bad bots using a hidden trap URL technique
  • Smart Blocking System: Blocks misbehaving bots with configurable duration (default 30 days)
  • Advanced DNS Resolution: PTR record lookups with DNS over HTTPS (DoH) support for hostname identification
  • Dual-Level Blocking: Server-level .htaccess blocking AND PHP-level blocking for maximum effectiveness
  • Configurable Blocking Methods: Choose between .htaccess blocking (Apache) or PHP-only blocking (Nginx compatible)
  • IP Whitelist Management: Protect trusted IPs from ever being blocked
  • Enhanced Admin Interface: Clean dashboard with hostname display, manual hostname updates, and debug tools
  • Background Processing: Automated hostname resolution via WordPress cron jobs
  • No User-Agent Guessing: Search engine bots that honor robots.txt never request the trap URL, so they are never blocked. Blocking is by IP address, so an address shared behind a NAT or proxy is blocked as a whole once any client behind it fetches the trap; add such addresses to the whitelist
  • Database Optimization: Automatic cleanup of expired blocks to maintain performance
  • Security-First Design: All forms include proper nonce verification and user capability checks

How It Works

The plugin implements a sophisticated honeypot system:

  1. Trap URL Generation: Creates a unique, hidden URL specific to your domain
  2. Robots.txt Integration: Adds a Disallow rule for the trap URL through WordPress's robots_txt filter. This only affects the virtual robots.txt that WordPress generates; if a physical robots.txt file exists in the web root, the web server serves it directly and the rule must be added to that file by hand
  3. Hidden Link Placement: Places an invisible link to the trap URL in your site’s footer
  4. Bot Detection: When bad bots ignore robots.txt and follow the hidden link, they’re identified
  5. Automatic Blocking: Detected bot IPs are blocked with configurable duration and immediate effect
  6. Hostname Resolution: PTR record lookups identify the hostname/organization behind blocked IPs
  7. Legitimate Bot Protection: Good bots (like Googlebot) respect robots.txt and never trigger the trap
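The seven steps above, as an added example that is not EDH Bad Bots code, wired to the WordPress hooks the plugin documents (robots_txt, wp_footer, template_redirect, init). Every name prefixed "example_" and every option key is an assumption; blocks are stored in transients here instead of the plugin's custom tables, purely to keep the example short.

```php
<?php
/**
 * Added example, not EDH Bad Bots code: a minimal robots.txt honeypot on
 * standard WordPress hooks. "example_" names and option keys are assumptions.
 */

// 1. Trap path derived from a per-site secret plus the host name, so it is
//    neither guessable from the domain nor shared by sites cloned from one DB.
function example_trap_path() {
    $secret = get_option( 'example_trap_secret' );
    if ( ! $secret ) {
        $secret = wp_generate_password( 32, false );
        update_option( 'example_trap_secret', $secret );
    }
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    return '/' . substr( hash( 'sha256', $secret . '|' . $host ), 0, 16 ) . '/';
}

// Path as it appears on the host (keeps subdirectory installs correct).
function example_trap_request_path() {
    return wp_parse_url( home_url( example_trap_path() ), PHP_URL_PATH );
}

// 2. Disallow the trap in WordPress's virtual robots.txt. Core emits
//    "User-agent: *" first, so the appended rule lands in that group.
add_filter( 'robots_txt', function ( $output, $public ) {
    return $output . 'Disallow: ' . example_trap_request_path() . "\n";
}, 10, 2 );

// 3. Hidden footer link. Humans never see it; a crawler parsing raw HTML does.
add_action( 'wp_footer', function () {
    printf(
        '<a href="%s" rel="nofollow" aria-hidden="true" tabindex="-1" style="display:none">.</a>',
        esc_url( home_url( example_trap_path() ) )
    );
} );

// Use REMOTE_ADDR only. Honouring X-Forwarded-For from an untrusted client
// would let a bot pick which address gets blocked (or claim a whitelisted one).
function example_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '';
}

// 4 + 5. A request for the trap path identifies the bot and blocks its IP.
add_action( 'template_redirect', function () {
    $uri     = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    $request = (string) wp_parse_url( $uri, PHP_URL_PATH );
    if ( untrailingslashit( $request ) !== untrailingslashit( example_trap_request_path() ) ) {
        return;
    }
    nocache_headers(); // the trap response must never be served from a page cache
    $ip        = example_client_ip();
    $whitelist = (array) get_option( 'example_whitelist', array() );
    if ( '' !== $ip && ! in_array( $ip, $whitelist, true ) ) {
        $ttl = (int) get_option( 'example_block_days', 30 ) * DAY_IN_SECONDS;
        set_transient( 'example_block_' . md5( $ip ), time() + $ttl, $ttl );
    }
    status_header( 403 );
    exit;
} );

// Early check: a blocked address gets a 403 before any template runs.
add_action( 'init', function () {
    $ip = example_client_ip();
    if ( '' !== $ip && false !== get_transient( 'example_block_' . md5( $ip ) ) ) {
        nocache_headers();
        status_header( 403 );
        exit;
    }
} );
```

Two details matter in practice: the trap and block responses carry no-cache headers, and the client address comes from REMOTE_ADDR alone. If the site sits behind a reverse proxy or CDN you control, map its forwarding header to REMOTE_ADDR at the web server (or only for that proxy's source addresses), never by trusting the header from arbitrary clients.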

Configuration

Admin Dashboard

Access the plugin dashboard at Tools > Bad Bots in your WordPress admin:

Whitelisted IPs Tab

  • Add IP addresses that should never be blocked
  • Remove IPs from the whitelist
  • View all currently whitelisted addresses with timestamps

Blocked Bots Tab

  • View all currently blocked IP addresses with hostnames
  • See when each IP was blocked and when the block expires
  • Manually update missing hostnames for better identification
  • Force refresh all hostnames to clear cache and re-resolve
  • Debug hostname resolution issues (when WP_DEBUG is enabled)
  • Manually unblock IPs if needed

Options Tab

  • .htaccess Blocking: Enable/disable server-level IP blocking via .htaccess file
  • Block Duration: Configure how many days to block detected bots
  • Configure blocking method based on your server setup (Apache vs Nginx)
  • Server-level blocking is enforced by Apache before any cached page is served, so a new block takes effect immediately

Help Tab

  • Detailed explanation of how the plugin works
  • Best practices for managing IPs
  • Information about .htaccess blocking options
  • The site's unique trap URL, to be added to your caching plugin's exclusion list: if a page cache serves the trap URL from cache, the detection code never runs and the bot is not recorded

Requirements

  • WordPress 6.2 or higher
  • PHP 7.4 or higher
  • MySQL 5.6 or higher
  • Apache server (for .htaccess blocking) or Nginx (PHP-only blocking)
  • Writable .htaccess file (if using Apache server-level blocking)

Technical Details

Database Tables

The plugin creates two custom database tables:

  • wp_edhbb_blocked_bots: Stores blocked IP addresses with expiration dates and hostnames
  • wp_edhbb_whitelisted_ips: Stores permanently whitelisted IP addresses

DNS Resolution System

The plugin includes an advanced DNS lookup system:

DNS over HTTPS (DoH) Support

  • Primary providers: Cloudflare DNS, Google DNS
  • Secure queries: HTTPS-encrypted DNS requests for enhanced privacy
  • Fallback system: Automatic fallback to traditional DNS methods

PTR Record Lookups

  • Reverse DNS: Converts IP addresses to hostnames for easier identification. A PTR record is set by whoever controls the address's reverse zone, so treat the hostname as a label for the dashboard, not as proof of who the client is
  • IPv4 and IPv6 support: Full support for both IP versions
  • Caching: Results cached for 1 hour to improve performance
  • Background processing: Automated hostname resolution via WordPress cron
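A reverse lookup along the lines this section describes, as an added example that is not EDH Bad Bots code. It builds the PTR owner name for IPv4 and IPv6, queries the public JSON DoH endpoints of Cloudflare (https://cloudflare-dns.com/dns-query) and Google (https://dns.google/resolve), falls back to the system resolver, and caches the result for an hour. The "example_" names, the transient key and the three-second timeout are assumptions.

```php
<?php
/**
 * Added example, not EDH Bad Bots code: PTR lookup over DoH with a fallback to
 * the local resolver. "example_" names and the cache key are assumptions.
 */

// PTR owner name: IPv4 octets reversed under in-addr.arpa; IPv6 expanded to
// 32 nibbles (inet_pton resolves "::") and reversed under ip6.arpa. Returns ''
// for anything else, which also keeps raw client data out of the query URL.
function example_ptr_name( $ip ) {
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        return implode( '.', array_reverse( explode( '.', $ip ) ) ) . '.in-addr.arpa';
    }
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
        $nibbles = str_split( bin2hex( inet_pton( $ip ) ) );
        return implode( '.', array_reverse( $nibbles ) ) . '.ip6.arpa';
    }
    return '';
}

// Both providers answer in the same JSON shape:
// {"Status":0,"Answer":[{"name":"...","type":12,"TTL":300,"data":"host.example."}]}
// Only type 12 (PTR) records count, the trailing dot is dropped, and the value
// is restricted to hostname characters because it is attacker-controlled text.
function example_ptr_from_doh_json( $json ) {
    $doc = json_decode( $json, true );
    if ( ! is_array( $doc ) || empty( $doc['Answer'] ) ) {
        return '';
    }
    if ( isset( $doc['Status'] ) && 0 !== (int) $doc['Status'] ) {
        return '';
    }
    foreach ( $doc['Answer'] as $rr ) {
        if ( isset( $rr['type'], $rr['data'] ) && 12 === (int) $rr['type'] ) {
            $host = rtrim( $rr['data'], '.' );
            if ( preg_match( '/^[A-Za-z0-9._-]{1,253}$/', $host ) ) {
                return $host;
            }
        }
    }
    return '';
}

// Cloudflare, then Google, then gethostbyaddr(). Negative results are cached
// as '' too, so an address with no PTR does not cost a lookup on every cron run.
function example_resolve_hostname( $ip ) {
    $name = example_ptr_name( $ip );
    if ( '' === $name ) {
        return '';
    }
    $key    = 'example_ptr_' . md5( $ip );
    $cached = get_transient( $key );
    if ( false !== $cached ) {
        return $cached;
    }
    $endpoints = array(
        'https://cloudflare-dns.com/dns-query?type=PTR&name=' . rawurlencode( $name ),
        'https://dns.google/resolve?type=PTR&name=' . rawurlencode( $name ),
    );
    $host = '';
    foreach ( $endpoints as $url ) {
        $res = wp_remote_get( $url, array(
            'timeout' => 3,
            'headers' => array( 'accept' => 'application/dns-json' ),
        ) );
        if ( ! is_wp_error( $res ) && 200 === (int) wp_remote_retrieve_response_code( $res ) ) {
            $host = example_ptr_from_doh_json( wp_remote_retrieve_body( $res ) );
            if ( '' !== $host ) {
                break;
            }
        }
    }
    if ( '' === $host ) {
        $sys  = gethostbyaddr( $ip ); // returns the IP unchanged when no PTR exists
        $host = ( false !== $sys && $sys !== $ip ) ? $sys : '';
    }
    set_transient( $key, $host, HOUR_IN_SECONDS );
    return $host;
}
```

For 2001:db8::1 the owner name is 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. Run this from the cron handler rather than in the request path: three second timeouts per provider are acceptable in the background but not while a visitor waits.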

Blocking Methods

The plugin offers two blocking approaches:

1. Server-Level Blocking (.htaccess)

  • Default method for Apache servers
  • Blocks IPs at the server level, before PHP or WordPress starts
  • Enforced by Apache before any page cache is consulted, so blocks take effect immediately
  • Cheaper per request: a denied request never reaches the PHP interpreter
  • Automatically manages .htaccess file with unique markers
  • Safe cleanup on plugin deactivation

2. PHP-Level Blocking

  • Alternative method for Nginx or when .htaccess is unavailable
  • Blocks IPs during WordPress initialization
  • Compatible with all web servers
  • Affected by full-page caches: a cache that serves static HTML before WordPress loads will keep serving cached pages to a blocked IP
  • No server configuration files modified
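The server-level method above, as an added example that is not EDH Bad Bots code: the rules are generated between unique markers with WordPress's own insert_with_markers() helper, whitelisted addresses are filtered out, and an empty rule set on deactivation leaves only the marker comments behind. The marker name "Example Bad Bots" and the "example_" function names are assumptions.

```php
<?php
/**
 * Added example, not EDH Bad Bots code: .htaccess deny rules between unique
 * markers, with whitelist filtering. Marker name and function names are assumptions.
 */

// Pure function: the lines that go between the markers. Only valid IPs are
// emitted, because one malformed directive in .htaccess takes the whole site
// down with a 500, and a stored value should never be able to do that.
function example_htaccess_rules( array $blocked, array $whitelist ) {
    $deny = array();
    foreach ( array_unique( $blocked ) as $ip ) {
        if ( filter_var( $ip, FILTER_VALIDATE_IP ) && ! in_array( $ip, $whitelist, true ) ) {
            $deny[] = $ip;
        }
    }
    if ( ! $deny ) {
        return array();
    }
    // Apache 2.4 (mod_authz_core): allow everyone except the listed addresses.
    $lines = array( '<IfModule mod_authz_core.c>', '<RequireAll>', 'Require all granted' );
    foreach ( $deny as $ip ) {
        $lines[] = 'Require not ip ' . $ip;
    }
    $lines[] = '</RequireAll>';
    $lines[] = '</IfModule>';
    // Apache 2.2 fallback (mod_access syntax).
    $lines[] = '<IfModule !mod_authz_core.c>';
    $lines[] = 'Order Allow,Deny';
    $lines[] = 'Allow from all';
    foreach ( $deny as $ip ) {
        $lines[] = 'Deny from ' . $ip;
    }
    $lines[] = '</IfModule>';
    return $lines;
}

// Rewrite only our section. insert_with_markers() (wp-admin/includes/misc.php)
// locks the file and replaces the text between "# BEGIN Example Bad Bots" and
// "# END Example Bad Bots", leaving everything else in .htaccess untouched.
function example_write_htaccess_block( array $blocked, array $whitelist ) {
    if ( ! function_exists( 'insert_with_markers' ) ) {
        require_once ABSPATH . 'wp-admin/includes/misc.php';
    }
    if ( ! function_exists( 'get_home_path' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $file = get_home_path() . '.htaccess';
    if ( file_exists( $file ) && ! is_writable( $file ) ) {
        return false; // caller should fall back to PHP-level blocking, not fail silently
    }
    return insert_with_markers( $file, 'Example Bad Bots', example_htaccess_rules( $blocked, $whitelist ) );
}

// Deactivation cleanup: an empty rule set leaves only the two marker comment
// lines, which Apache ignores.
function example_remove_htaccess_block() {
    return example_write_htaccess_block( array(), array() );
}
```

Regenerate the whole section from the database on every change (block, unblock, expiry, whitelist edit) rather than appending to it; that is what keeps the file consistent with the Blocked Bots tab and is why the whitelist filter lives in the rule generator.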

Security Features

  • Nonce Verification: All forms use WordPress nonces for CSRF protection
  • Capability Checks: Only users with manage_options capability can access admin features
  • Input Sanitization: All user inputs are properly sanitized and validated
  • SQL Injection Protection: All database queries use prepared statements
  • Safe .htaccess Management: Uses unique markers and automatic cleanup

Performance Optimization

  • Automatic Cleanup: Expired blocks are automatically removed from the database
  • Efficient Queries: Database operations are optimized for minimal performance impact
  • Smart Loading: Admin assets only load on the plugin’s admin page
  • Server-Level Blocking: .htaccess blocking prevents blocked requests from reaching PHP
  • Whitelist Filtering: Whitelisted IPs are excluded from .htaccess rules automatically
  • DNS Caching: Hostname lookups cached to reduce DNS query overhead
  • Background Processing: Hostname resolution runs in background to avoid delays

API Hooks

Actions

  • plugins_loaded: Plugin initialization
  • init: Early request blocking check
  • template_redirect: Bot trap detection
  • wp_footer: Hidden link injection
  • admin_menu: Admin page registration
  • edhbb_update_hostnames_cron: Background hostname resolution

Filters

  • robots_txt: Adds disallow rule to robots.txt

File Structure

edh-bad-bots/
├── admin/
│   └── views/
│       └── admin-display.php       # Admin interface HTML
├── assets/
│   ├── css/
│   │   └── admin-style.css         # Admin page styling
│   └── js/
│       └── admin-script.js         # Admin page JavaScript
├── includes/
│   ├── class-edhbb-admin.php       # Admin functionality
│   ├── class-edhbb-blocker.php     # Bot detection and blocking
│   ├── class-edhbb-database.php    # Database operations
│   └── class-edhbb-dnslookup.php   # DNS/PTR lookup system
├── edh-bad-bots.php                # Main plugin file
├── LICENSE
└── readme.txt

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Development Setup

  1. Clone the repository to your WordPress plugins directory
  2. Ensure you have a WordPress development environment running
  3. Activate the plugin and test your changes

License

This project is licensed under the GPL v3 or later.

Author

EncodeDotHost
– Website: https://encode.host
– GitHub: @EncodeDotHost

Support

For support, please visit https://encode.host or create an issue on the GitHub repository.

Active installations: 0+
Weekly downloads: 65
Version: 1.4.3
Last updated: 9/6/2025
WordPress version: 6.2
Tested up to: 6.8.2
PHP version: 7.4
Tags: bots, dns, hostname, PTR, security