Zero-configuration bot protection for WordPress. Works immediately on activation with no account, no API key, and no external dependencies. Multi-layer detection uses invisible proof-of-work challenges so legitimate visitors are never interrupted.
- Zero friction -- Humans never see CAPTCHAs or challenges
- Zero configuration -- Install, activate, done
- Multi-layer detection -- Server-side analysis, client-side fingerprinting, and proof-of-work challenges
- Good bot verification -- Reverse DNS verification for Googlebot, Bingbot, and other legitimate crawlers
- MITRE ATT&CK path analysis -- Detects admin probing and config file access attempts
- Rate limiting -- Automatic blocking with configurable thresholds
- IP blocking -- Individual and CIDR ranges, IPv4/IPv6, with optional expiration
- WooCommerce integration -- Checkout protection against carding attacks
- Dashboard & statistics -- Detection trends, threat breakdown, and recent activity
- Go to Plugins > Add New in your WordPress admin
- Search for "WebDecoy Bot Detection"
- Click Install Now, then Activate
- Download the latest release ZIP from the Releases page
- Go to Plugins > Add New > Upload Plugin
- Upload the ZIP file and click Install Now
- Activate the plugin
- PHP 7.4+
- Composer
composer installcomposer run phpcscomposer run phpstanSee CONTRIBUTING.md for detailed contribution guidelines.
This project is licensed under the GPL v2 or later. See license.txt for details.