Title: Bot Lockout
Author: kognetiks
Published: July 29, 2025
Last modified: July 29, 2025

---


![](https://ps.w.org/bot-lockout/assets/banner-772-250.png?rev=3335989)

![](https://ps.w.org/bot-lockout/assets/icon-128x128.png?rev=3335989)

# Bot Lockout

 By [kognetiks](https://profiles.wordpress.org/kognetiks/)

[Download](https://downloads.wordpress.org/plugin/bot-lockout.1.0.0.zip)


## Description

Bot Lockout is a security plugin that implements a lightweight cryptographic challenge
system to distinguish between real browsers and automated bots. Unlike traditional
CAPTCHA systems, it uses JavaScript-based cryptographic operations that are easy
for humans but difficult for most bots to solve.

#### Key Features

 * **Lightweight Protection**: Uses minimal resources and doesn’t impact site performance
 * **Cryptographic Challenges**: SHA-256 hashing with date and user agent binding
 * **Smart Whitelisting**: Allow trusted bots (Google, Bing, etc.) and IP addresses
 * **Flexible Configuration**: Exclude specific pages and customize block messages
 * **Comprehensive Logging**: Track blocked attempts for analysis
 * **Custom Styling**: Add custom CSS to match your site’s design
 * **Daily Token Expiration**: Prevents long-term bypass attempts

#### How It Works

 1. **Initial Request**: When a visitor accesses your site, the plugin checks for a
    valid challenge token
 2. **JavaScript Challenge**: If no token exists, a cryptographic challenge is presented
 3. **Token Generation**: The challenge combines the current date with the user agent
    string and creates a SHA-256 hash
 4. **Secure Storage**: The hash is base64 encoded, truncated, and stored as a secure
    cookie
 5. **Validation**: Subsequent requests are validated against the stored token
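The flow in steps 3 to 5, sketched as an added example for Node.js (not the plugin's own code). The UTC `YYYY-MM-DD` date format, the `|` separator, the 32-character truncation, the cookie name `bl_token`, and the cookie attributes are assumptions; the page does not specify them.

```javascript
// Added illustration of the described token flow; not the plugin's own code.
const nodeCrypto = require('node:crypto');

// Assumptions (the page does not give these): UTC calendar day as YYYY-MM-DD,
// "|" as separator, truncation to 32 characters, cookie name "bl_token".
const TOKEN_LENGTH = 32;
const COOKIE_NAME = 'bl_token';

const utcDay = (date) => date.toISOString().slice(0, 10);

// Steps 3-4: SHA-256 over date + user agent, base64 encoded, truncated.
function deriveToken(userAgent, date) {
  return nodeCrypto.createHash('sha256')
    .update(`${utcDay(date)}|${userAgent}`, 'utf8')
    .digest('base64')
    .slice(0, TOKEN_LENGTH);
}

// Step 4: cookie that expires at the next UTC midnight, when the token does.
function buildCookie(token, now) {
  const midnight = Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate() + 1);
  const maxAge = Math.ceil((midnight - now.getTime()) / 1000);
  return `${COOKIE_NAME}=${encodeURIComponent(token)}; Path=/; Max-Age=${maxAge}; Secure; SameSite=Lax`;
}

// Step 5: recompute from the request's own User-Agent and compare in constant time.
function validateToken(cookieValue, userAgent, now) {
  if (typeof cookieValue !== 'string') return false;
  const presented = Buffer.from(cookieValue, 'utf8');
  const expected = Buffer.from(deriveToken(userAgent, now), 'utf8');
  return presented.length === expected.length &&
    nodeCrypto.timingSafeEqual(presented, expected);
}

// Constructed sample values.
const SAMPLE_UA = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
function walkthrough() {
  const issued = new Date('2025-07-29T23:59:00Z');
  const token = deriveToken(SAMPLE_UA, issued);
  return {
    cookie: buildCookie(token, issued),
    sameDay: validateToken(token, SAMPLE_UA, new Date('2025-07-29T23:59:59Z')),
    otherAgent: validateToken(token, 'ExampleFetcher/2.0', issued),
    afterMidnight: validateToken(token, SAMPLE_UA, new Date('2025-07-30T00:00:01Z')),
  };
}
console.log(walkthrough());
```

Under the calendar-day assumption, a token issued shortly before midnight stops validating right after it, so that visitor is challenged again rather than 24 hours later.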

#### Security Features

 * **Cryptographically Secure**: Uses SHA-256 hashing algorithm
 * **Time-Bound**: Tokens expire daily to prevent long-term bypass
 * **Browser-Specific**: User agent binding prevents token sharing
 * **Secure Cookies**: Implements proper cookie security settings
 * **Whitelist Support**: Allow trusted services and IP addresses

#### Multi-Site Support

Bot Lockout supports WordPress Multi-Site installations with both network-wide and
site-specific configurations:

 * **Network Activation**: Apply settings to all sites in the network
 * **Site-Specific Activation**: Independent settings for each site
 * **Mixed Configuration**: Network-wide defaults with site-specific overrides

### Security Advisory

Bot Lockout is one layer in a broader security strategy, not a silver bullet.

While Bot Lockout is designed to deter automated bots and AI scrapers through cryptographic
JavaScript challenges, no single solution can offer complete protection. Web scraping
technologies continue to evolve, and determined actors may find ways to bypass
front-end defenses.

This plugin should be used as part of a multi-layered approach to website security.
For best results, we recommend combining Bot Lockout with additional tools such 
as server-level firewalls, rate limiting, CAPTCHA systems, behavior-based threat
detection, and CDN-level bot mitigation.

Kognetiks makes no guarantee that this plugin will block all unwanted bot traffic.
It is intended as a proactive, lightweight defense mechanism—not a comprehensive
security system. Users are responsible for evaluating their own threat model and
deploying appropriate complementary protections.

### Support

For support, please visit the [WordPress.org support forums](https://wordpress.org/support/plugin/bot-lockout/)
or check the [plugin documentation](https://wordpress.org/plugins/bot-lockout/).

### Credits

**Developer**: Kognetiks

This plugin is licensed under the GPL v3 or later.

## Screenshots

 * General Settings
 * Blocked Attempts Logs
 * Test challenge
 * Support

## Installation

### Single Site Installation

#### From WordPress Plugin Directory (Recommended)

 1. Go to **Plugins > Add New** in your WordPress admin
 2. Search for “Bot Lockout”
 3. Click **Install Now** and then **Activate**

#### Manual Installation

 1. Download the plugin ZIP file
 2. Go to **Plugins > Add New > Upload Plugin** in your WordPress admin
 3. Choose the ZIP file and click **Install Now**
 4. Click **Activate Plugin**

#### FTP Installation

 1. Extract the plugin files
 2. Upload the `bot-lockout` folder to `/wp-content/plugins/`
 3. Go to **Plugins** in your WordPress admin
 4. Find “Bot Lockout” and click **Activate**

### Multi-Site Installation

#### Network Activation (Recommended)

 1. Go to **My Sites > Network Admin > Plugins** in your WordPress admin
 2. Find “Bot Lockout” and click **Network Activate**
 3. Configure settings at **My Sites > Network Admin > Settings > Bot Lockout**

#### Site-Specific Activation

 1. Go to **My Sites > Network Admin > Plugins** in your WordPress admin
 2. Find “Bot Lockout” and click **Enable** for specific sites
 3. Configure settings at **Settings > Bot Lockout** on each individual site

## FAQ

### Does this plugin block legitimate users?

No, the plugin is designed to be transparent to legitimate users. It only presents
a challenge once per day per browser, and the challenge is solved automatically 
via JavaScript.

### What happens if JavaScript is disabled?

Users with JavaScript disabled will be blocked. This is by design as the protection
relies on JavaScript execution to distinguish between real browsers and bots.

### Can I whitelist specific bots?

Yes, you can add user agent strings for trusted bots like Googlebot, Bingbot, and
other search engines in the plugin settings.

### Does this affect site performance?

No, the plugin is designed to be lightweight. The JavaScript challenge runs only
once per day per browser, and normal operation doesn’t require database queries.

### Can I exclude specific pages?

Yes, you can specify pages or paths that should be excluded from protection, such
as API endpoints, RSS feeds, or sitemap files.

### Is this compatible with caching plugins?

Yes, the plugin works with most caching plugins. The challenge is presented before
the cached content is served.

### Does this work with CDNs?

Yes, the plugin is compatible with CDNs. The challenge is processed on your server
before content is served through the CDN.

### Can I customize the block message?

Yes, you can customize the block message and add custom CSS to match your site’s
design.

### How do I test if the plugin is working?

The plugin includes a built-in test tool in the admin settings that allows you to
verify the challenge system works correctly.

### What if I need to bypass the protection temporarily?

You can add your IP address to the whitelist in the plugin settings, or temporarily
disable the plugin.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Bot Lockout” is open source software. The following people have contributed to 
this plugin.

Contributors

 *   [ kognetiks ](https://profiles.wordpress.org/kognetiks/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/bot-lockout/), check
out the [SVN repository](https://plugins.svn.wordpress.org/bot-lockout/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/bot-lockout/) by
[RSS](https://plugins.trac.wordpress.org/log/bot-lockout/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial release
 * JavaScript cryptographic challenges
 * Admin settings interface
 * Whitelist support
 * Logging functionality
 * Custom CSS support
 * Test challenge tool
 * Multi-site support

## Meta

 *  Version **1.0.0**
 *  Last updated **8 months ago**
 *  Active installations **Fewer than 10**
 *  Tested up to **6.8.5**
 *  Language: [English (US)](https://wordpress.org/plugins/bot-lockout/)
 *  Tags: [anti-scraping](https://pcd.wordpress.org/plugins/tags/anti-scraping/), [bot protection](https://pcd.wordpress.org/plugins/tags/bot-protection/),
   [captcha](https://pcd.wordpress.org/plugins/tags/captcha/), [security](https://pcd.wordpress.org/plugins/tags/security/)
 *  [Advanced View](https://pcd.wordpress.org/plugins/bot-lockout/advanced/)
