=== Voho bot manager === Contributors: voho8 Tags: security, privacy, administration, utilities, firewall Requires at least: 6.2 Tested up to: 6.9 Stable tag: 1.2.0 Requires PHP: 7.4 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html Stop OpenClaw-class AI crawlers and allied headless automation: enforce HTTP 403 and keep an auditable interception log in WordPress. == Description == **Voho bot manager** hardens WordPress against the new wave of **AI-driven crawlers**—including stacks associated with **OpenClaw**—that attempt to scrape, snapshot, and probe your content through non-interactive, headless browsing pipelines. When a high-risk automation session is identified, the plugin **terminates the request with HTTP 403**, returns a concise English denial page, and **persists structured telemetry** (UTC timestamp, client IP, requested URL, and an intercepted flag reserved for richer policy engines) inside `{prefix}voho_bot_manager_intercepted_log`. **Operational visibility** * Dedicated **Voho Bot Manager** admin hub with paginated history. * Timestamps rendered in your configured WordPress timezone so responders can correlate events quickly. * **View log** shortcut on the Plugins screen for one-click access. **Roadmap-aware positioning:** automated threat actors evolve weekly; Voho bot manager ships iterative detection upgrades so your perimeter keeps pace with emerging AI browsing agents without waiting for a full rewrite. OpenClaw and similar names refer to widely discussed AI browsing ecosystems; Voho bot manager is an independent security tool and is not affiliated with any third-party vendor. == Installation == 1. Upload the `voho-bot-manager` folder to `/wp-content/plugins/`. 2. Activate **Voho bot manager** through the **Plugins** menu in WordPress. 3. Open **Voho Bot Manager** in the admin sidebar (or use **View log** on the plugin row) to review intercepted requests. On activation the plugin creates the `{prefix}voho_bot_manager_intercepted_log` table automatically. == Frequently Asked Questions == = How does this help against OpenClaw-style AI crawlers? = The plugin blocks the non-human automation paths these agents rely on, answers with HTTP 403, and logs each attempt so you can audit abuse, tune upstream controls, and brief stakeholders with concrete evidence. = Will it catch every crawler on the internet? = No defensive layer can promise universal coverage. Voho bot manager focuses on the high-risk automation families behind modern AI scrapers and continuously expands detection as new behaviours appear. = Does the plugin work with caching or CDN layers? = If a cache or proxy serves a response without executing WordPress/PHP for matching requests, interception must happen at that layer instead. Otherwise behaviour is unchanged. = What data is stored? = Each intercepted request stores UTC time, client IP (or the first value from `X-Forwarded-For` when present), full requested URL, and a boolean intercepted flag. == Screenshots == 1. Intercepted requests log table in the WordPress admin. == Changelog == = 1.2.0 = * Server-side blocking uses automation User-Agent patterns (e.g. python-requests, Go-http-client, curl, HeadlessChrome) while allowlisting common search/index crawlers (Google, Bing, Yandex, Baidu, etc.). Filters: `voho_bot_manager_search_bot_allowlist`, `voho_bot_manager_automation_ua_patterns`, `voho_bot_manager_should_block_request`. = 1.1.0 = * Split codebase into `includes/` for maintainability; forbidden HTML lives in `templates/forbidden.php`. * Public forbidden screen at `/voho-bot-forbidden/` (flush permalinks after update) with plain-URL fallback. * Front-end script `assets/js/bot-check.js` detects common automation signals in the browser and redirects to the forbidden screen (logged when `voho_js=1`). = 1.0.5 = * Themed HTTP 403 page: loads the active (and parent, if child) theme stylesheet, uses block-theme CSS variables when present, and returns JSON errors for REST/JSON requests. = 1.0.4 = * Harden input handling (`wp_unslash`, sanitization), use `wpdb::prepare()` identifier placeholders for custom table queries, and document direct DB usage for Plugin Check. = 1.0.3 = * Show log timestamps in the site timezone with an explanatory note. = 1.0.2 = * Top-level admin menu and **View log** plugin action link. = 1.0.1 = * Admin log viewer with pagination. = 1.0.0 = * Initial release: AI crawler mitigation, HTTP 403 enforcement, database log on activation. == Upgrade Notice == = 1.2.0 = Tighter server-side rules for script HTTP clients; search crawlers on the allowlist stay unaffected. = 1.1.0 = Re-save Permalinks once (Settings → Permalinks → Save) so the `/voho-bot-forbidden/` route works. = 1.0.5 = 403 responses now use a themed HTML page (and JSON for REST). Interception runs after the theme loads. = 1.0.4 = Requires WordPress 6.2 or newer (identifier placeholders in database queries). = 1.0.3 = Timezone-aware display for log timestamps.