WebDecoy Bot Detection
March 1, 2026 ยท View on GitHub
Zero-configuration bot protection for WordPress. Works immediately on activation with no account, no API key, and no external dependencies. Multi-layer detection uses invisible proof-of-work challenges so legitimate visitors are never interrupted.
Features
- Zero friction -- Humans never see CAPTCHAs or challenges
- Zero configuration -- Install, activate, done
- Multi-layer detection -- Server-side analysis, client-side fingerprinting, and proof-of-work challenges
- Good bot verification -- Reverse DNS verification for Googlebot, Bingbot, and other legitimate crawlers
- MITRE ATT&CK path analysis -- Detects admin probing and config file access attempts
- Rate limiting -- Automatic blocking with configurable thresholds
- IP blocking -- Individual and CIDR ranges, IPv4/IPv6, with optional expiration
- WooCommerce integration -- Checkout protection against carding attacks
- Dashboard & statistics -- Detection trends, threat breakdown, and recent activity
Installation
From WordPress.org
- Go to Plugins > Add New in your WordPress admin
- Search for "WebDecoy Bot Detection"
- Click Install Now, then Activate
Manual Installation
- Download the latest release ZIP from the Releases page
- Go to Plugins > Add New > Upload Plugin
- Upload the ZIP file and click Install Now
- Activate the plugin
Development
Prerequisites
- PHP 7.4+
- Composer
Setup
composer install
Coding Standards
composer run phpcs
Static Analysis
composer run phpstan
See CONTRIBUTING.md for detailed contribution guidelines.
License
This project is licensed under the GPL v2 or later. See license.txt for details.