Version: 1.0.0
Author: FlowAxy
Developer: iTeffa (iteffa@flowaxy.com)
Studio: FlowAxy
Website: https://flowaxy.com
License: Proprietary
Bot Blocker plugin for Flowaxy CMS provides automatic blocking of bots and automated scripts from accessing your website. The plugin analyzes User-Agent headers and blocks suspicious requests while allowing legitimate search engine crawlers.
- π‘οΈ Automatic Bot Detection β Analyzes User-Agent strings to identify bots
- π« Blocking System β Blocks suspicious requests with 403 Forbidden
- β Allowed Bots List β Configure which bots should have access (e.g., Google, Bing, Yandex)
- π Statistics β View blocking statistics and top blocked IPs
- π Logging β All blocked requests are logged to the database
- βοΈ Settings Page β Easy configuration through admin panel
- π Admin Panel Protected β Admin panel and API are always accessible
- Early request interception via
handle_early_requesthook - Pattern-based bot detection
- Database-backed settings and logging
- Integration with Flowaxy CMS access control system
- PHP >= 8.4.0
- Flowaxy CMS with plugin support
- MySQL/MariaDB database
- Admin access for configuration
- Copy the plugin directory to
plugins/bot-blocker/. - Activate the plugin via the admin panel (Settings β Plugins).
- The plugin will automatically create necessary database tables.
The plugin will automatically register its route and menu item upon activation.
- Log in to the admin panel.
- Navigate to System β ΠΠ»ΠΎΠΊΡΠ²Π°Π½Π½Ρ Π±ΠΎΡΡΠ² in the menu.
- Or go directly to
/admin/bot-blocker.
- Toggle the "Π£Π²ΡΠΌΠΊΠ½ΡΡΠΈ Π±Π»ΠΎΠΊΡΠ²Π°Π½Π½Ρ Π±ΠΎΡΡΠ²" switch to enable or disable bot blocking.
Add bots that should have access to your website (one per line):
googlebot
bingbot
yandexbot
baiduspider
These bots will bypass the blocking system.
-
Request Interception β All incoming requests (except admin/API) are intercepted early in the request lifecycle.
-
User-Agent Analysis β The plugin analyzes the User-Agent header to identify bots.
-
Pattern Matching β Known bot patterns are checked:
- Social media bots (Facebook, Twitter, LinkedIn, etc.)
- Scrapers and crawlers
- Automated tools (curl, wget, Python requests, etc.)
- Archive bots
-
Allowed Bots Check β If the bot is in your allowed list, it's permitted.
-
Blocking β Suspicious bots receive a 403 Forbidden response and are logged.
The plugin provides:
- Today's Blocks β Number of bots blocked today
- Total Blocks β Total number of blocked requests
- Top Blocked IPs β IP addresses with the most blocked attempts
bot-blocker/
βββ assets/
β βββ styles/
β βββ bot-blocker.css # Styles for the settings page
βββ src/
β βββ admin/
β β βββ pages/
β β βββ BotBlockerAdminPage.php # Admin settings page
β βββ Services/
β βββ BotBlockerService.php # Core blocking service
βββ templates/
β βββ bot-blocker.php # Settings page template
βββ init.php # Plugin initialization
βββ plugin.json # Plugin metadata
βββ README.md # Documentation
The plugin uses a service-oriented architecture:
- BotBlockerService β Core service for bot detection and blocking
- BotBlockerAdminPage β Admin panel page for configuration
- Templates β PHP templates for HTML rendering
Logs all blocked requests:
idβ Unique identifierip_addressβ IP address of blocked requestuser_agentβ User-Agent stringurlβ Requested URLblocked_atβ Block timestampcreated_atβ Creation timestamp
- β CSRF protection for all write operations
- β Access permission checks before executing operations
- β Admin panel and API are always accessible
- β SQL injection protection via prepared statements
- β XSS protection via output sanitization
The plugin detects bots by checking for common patterns in User-Agent strings:
- Social media bots:
facebookexternalhit,twitterbot,linkedinbot, etc. - Scrapers:
scrape,crawl,spider,bot - Automated tools:
curl,wget,python-requests,java, etc. - Archive bots:
archive,wayback,ia_archiver
The plugin uses the following hooks:
handle_early_request(priority: 1) β Early request interception for blockingadmin_register_routesβ Register admin routeadmin_menuβ Add menu item
By default, the plugin:
- Blocks all bots except those in the allowed list
- Allows admin panel and API access
- Logs all blocked requests
- Blocks empty User-Agent strings
You can customize bot detection by:
- Adding allowed bots in the admin panel
- Modifying bot patterns in
BotBlockerService::initializeBotPatterns() - Adjusting blocking logic in
BotBlockerService::isBot()
The plugin uses the following components from the Engine:
engine/core/support/base/BasePlugin.phpengine/core/support/helpers/DatabaseHelper.phpengine/interface/admin-ui/includes/AdminPage.phpengine/core/support/helpers/UrlHelper.phpengine/core/support/helpers/SecurityHelper.php
To extend the plugin:
- Add new bot patterns β Edit
initializeBotPatterns()inBotBlockerService.php - Customize blocking logic β Modify
isBot()method - Add new statistics β Extend
getBlockStats()method - Customize UI β Edit
templates/bot-blocker.phpandassets/styles/bot-blocker.css
If you find a bug or have questions:
- Check log files for errors
- Verify database tables are created
- Ensure PHP has proper permissions
The easiest way to test bot blocking is using curl:
# Test 1: Normal browser (should pass)
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" http://your-domain.com/
# Expected: HTTP 200
# Test 2: Bot (should be blocked)
curl -A "TestBot/1.0" http://your-domain.com/
# Expected: HTTP 403
# Test 3: Empty User-Agent (should be blocked)
curl -A "" http://your-domain.com/
# Expected: HTTP 403Proprietary. All rights reserved.
- β¨ Initial release
- β Bot detection and blocking
- β Admin settings page
- β Statistics and logging
- β Allowed bots configuration
- β Integration with Flowaxy CMS Engine
- β Database timezone support
FlowAxy
Developer: iTeffa
Email: iteffa@flowaxy.com
Studio: flowaxy.com
Website: https://flowaxy.com
Developed with β€οΈ for Flowaxy CMS