=== Botcrawl Bot Blocker ===
Contributors: botcrawl
Tags: bots, security, bot blocker, bot detection, firewall, ai crawlers, geo blocking
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 2.6.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Professional bot detection, enforcement, live monitoring, and geo-analytics for WordPress. $9.99/year.

== Description ==

Botcrawl Bot Blocker identifies, logs, and blocks unwanted automated traffic before it affects your site. A live traffic monitor gives you a real-time view of incoming bot requests including IP address, user agent, country of origin, and the reason each request was blocked. Every event is stored in a searchable log so you can review patterns over time.

This is a paid plugin. A license key is required to activate Pro features. Purchase at sera.guru for $9.99/year.

Key features:

* 771+ bot registry entries across six categories: search engine crawlers, AI scrapers, vulnerability scanners, content scrapers, spam bots, and fake trusted bots.
* Live geo-map monitor - A Plotly-powered world map shows bot origins in real time. Markers are color-coded by action. A live feed panel shows the most recent events with bot name, location, path, action, and timestamp.
* Three-layer detection - User agent matching, DNS reverse-lookup verification, and behavioral heuristics working together.
* Fake bot auto-escalation - When a bot claims to be Googlebot but fails DNS verification, it is automatically escalated to a permanent block.
* Per-category rules - Assign any action (allow, log, rate-limit, temporary block, block) to each category independently.
* Country-level blocking - Restrict traffic from specific regions entirely.
* Manual allow/block lists - Override rules by IP address, CIDR range, user-agent substring, or path prefix.
* Weekly email digest - Summarizes blocked traffic so you stay informed without checking the dashboard daily.
* CSV and JSON log export - Export log data for use in your own analytics or reporting.
* Custom block page - Control the message, layout, and HTTP response code served to blocked visitors.
* License key system - Enter your Sera license key once. Pro features activate immediately. License status is verified against sera.guru with a 24-hour local cache so there is no performance overhead on live requests.
* Multisite network support - One license covers the entire network.
* GDPR-compliant log retention controls.

== Installation ==

1. Purchase a license at sera.guru/products/botcrawl-bot-blocker.
2. Download the plugin ZIP from your account dashboard on sera.guru.
3. Upload the ZIP through Plugins > Add New > Upload Plugin in WordPress.
4. Activate the plugin.
5. Open Botcrawl Bot Blocker in the WordPress admin sidebar.
6. Go to Settings and enter your license key to activate Pro features.
7. Review the default rules on the Rules page and adjust them to suit your site.

Updates are delivered automatically through the WordPress admin. When a new version is available, a standard WordPress update notice will appear on the Plugins page. You do not need to return to sera.guru to download updates.

== Frequently Asked Questions ==

= Is there a free version? =
No. Botcrawl Bot Blocker is a paid plugin. A license key purchased at sera.guru is required. The price is $9.99/year.

= How do I get my license key? =
Purchase at sera.guru/products/botcrawl-bot-blocker. Your license key is delivered immediately to your account dashboard and by email after purchase.

= Does my license cover multiple sites? =
One license covers a single WordPress installation or an entire multisite network. To use the plugin on multiple independent sites, purchase a separate license for each.

= How much does it cost? =
$9.99/year. Renew at sera.guru/products/botcrawl-bot-blocker.

= How do updates work? =
Updates are delivered directly through the WordPress admin. When a new version is available, a standard update notice appears on your Plugins page. Click Update and WordPress installs the new version automatically. You do not need to visit sera.guru to download updates.

= Why are some events unmapped on the geo-map? =
Geolocation is performed asynchronously in a background job after the event is recorded. If the background job has not yet run, or if geolocation is disabled in Settings, the event will appear in the live feed and counts but will not have map coordinates.

= Does geolocation slow down my site? =
No. Geolocation lookups run in the background, completely outside the live request path.

= What is the difference between "Claimed trusted bots" and "Fake trusted bots"? =
Claimed trusted bots are requests whose user agent claims to be a well-known crawler such as Googlebot but whose identity has not yet been verified via reverse-DNS. Fake trusted bots are requests that claimed a trusted identity but failed the reverse-DNS check, meaning they are almost certainly malicious impersonators.

= How does DNS verification work? =
When a bot claims to be a trusted crawler, Botcrawl Bot Blocker schedules an asynchronous reverse-DNS lookup. If the resolved hostname does not match the expected domain for that crawler, the event is marked as failed verification and re-categorized as a fake trusted bot for future requests from that IP.

= Does Bot Blocker affect real visitors? =
No. Bot Blocker only processes requests that match known bot user agents or sensitive-path probes. Regular visitor traffic is not inspected or affected.

= Can I whitelist my own monitoring tools or crawlers? =
Yes. Add the IP address or user-agent substring of your tool to the Allow IPs or Allow agents list on the Lists page. Allow-list entries are evaluated before any rules.

= Is this plugin compatible with Cloudflare? =
Yes. Enable the "Prefer Cloudflare connecting IP header" option in Settings and add your Cloudflare IP ranges to the Trusted proxy IPs list.

= Where is bot data stored? =
All event data is stored in a custom database table in your WordPress database. No data is sent to external servers except for the optional asynchronous geolocation lookup to ipwho.is and license verification requests to sera.guru.

= How do I completely remove all data when uninstalling? =
Deactivating and then deleting the plugin via the WordPress admin triggers the uninstall routine, which drops the custom database tables and deletes all plugin options and transients.

== Privacy ==

Botcrawl Bot Blocker stores bot event logs in a custom database table. Stored fields include a SHA-256 hash of the IP address (salted with the WordPress auth key), a masked IP (last octet zeroed for IPv4, last 64 bits zeroed for IPv6), the user agent string, the requested path, the action taken, the matched rule, and optional geolocation fields only when geolocation is enabled.

Query strings and referrers are not stored by default. These can be enabled individually in Settings.

Geolocation uses the ipwho.is third-party API only when explicitly enabled in Settings. License verification sends a license key hash to sera.guru to confirm validity. No personally identifiable information is transmitted.

The plugin registers with the WordPress personal data exporter and eraser tools to support GDPR data subject requests.

== Changelog ==

= 2.5.0 =
* Rewrote readme.txt as a paid-only product with correct $9.99/year pricing throughout.
* Linked renewal note in the license section directly to the sera.guru checkout page.
* Connected trial.register and trial.check to live sera.guru tRPC endpoints.
* Verified WordPress auto-update pipeline: updates install directly from the WordPress admin without visiting sera.guru.

= 2.4.0 =
* Fixed all pricing references to $9.99/year throughout the plugin.
* Removed all em dashes from plugin strings.
* Fixed admin menu icon color flash on page load.
* Added in-plugin update notice when a new version is available.

= 2.3.0 =
* Unified Pro Settings into the main Settings form.
* Fixed admin menu icon SVG fill color.
* Added admin_notices update banner.

= 2.2.0 =
* Merged Pro Settings into the main Settings form as a single unified page with one Save button.

= 2.1.0 =
* Cleaned up Settings page labels and field order.
* Expanded bot registry to 771 entries.

= 2.0.0 =
* Expanded bot registry from 571 to 771 entries.
* Added latest AI crawlers: GPT-Actions, ChatGPT-Operator, MistralAI-User, Gemini-Deep-Research, Claude-SearchBot, Meta-WebIndexer, Bytespider, OAI-SearchBot.

= 1.2.1 =
* Fixed (critical): threat summary blocked/fake-bot counters always returned 0.
* Fixed (critical): five fatal PHP errors in extended features class.
* Fixed (critical): temporary lock durations were 60x longer than intended.

= 1.2.0 =
* Initial Sera release.
