Fix false-positive detection on static assets: Browser-fetched CSS, JS, images and fonts from honeypot templates no longer trigger the detection pipeline. A normal page visit no longer generates 10+ false attack logs.
Fix visitor logging: Human visitors are now always logged. Good bots and AI agents (GPTBot, ClaudeBot, etc.) retain their classification instead of being overwritten to 'hacker'.
Improvements
Category-based cooldown per IP: Prevents duplicate reports for the same IP + category combination (configurable via category_cooldown_minutes).
AI agents treated as legitimate bots: GPTBot, ClaudeBot, PerplexityBot and other AI agents now get safe-bot treatment on content pages.
Static assets routed as 'misc': /wp-content/ static assets (theme CSS, plugin JS, images) are routed as misc instead of vuln.
Default log_human_visitors changed to true for new installations.
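
The category-based cooldown described above, sketched as an added example (not the project's own code). The class and function names, the 60-minute value and the sample events are assumptions made for illustration; only the `category_cooldown_minutes` setting and the `vuln`/`misc` category names come from these notes.

```python
from datetime import datetime, timedelta


class CategoryCooldown:
    """Suppress repeat reports for the same (ip, category) pair inside a window."""

    def __init__(self, category_cooldown_minutes=60):
        # 60 is an assumed value; the notes name the setting but not its default.
        self.window = timedelta(minutes=category_cooldown_minutes)
        self._last_report = {}  # (ip, category) -> time the last report was sent

    def should_report(self, ip, category, now):
        self._prune(now)
        key = (ip, category)
        last = self._last_report.get(key)
        if last is not None and now - last < self.window:
            # Still cooling down. Suppressed hits do not extend the window,
            # so a persistent source is reported again once it elapses.
            return False
        self._last_report[key] = now
        return True

    def _prune(self, now):
        # Drop expired keys so the table does not grow with every IP ever seen.
        expired = [k for k, t in self._last_report.items() if now - t >= self.window]
        for k in expired:
            del self._last_report[k]


def run_sample():
    # Constructed events: (minutes after start, source IP, category).
    t0 = datetime(2024, 1, 1, 12, 0)
    events = [
        (0, "203.0.113.7", "vuln"),    # first hit: reported
        (1, "203.0.113.7", "vuln"),    # same IP + category: suppressed
        (2, "203.0.113.7", "misc"),    # same IP, other category: reported
        (3, "198.51.100.9", "vuln"),   # other IP, same category: reported
        (59, "203.0.113.7", "vuln"),   # still inside the window: suppressed
        (60, "203.0.113.7", "vuln"),   # window elapsed: reported again
    ]
    gate = CategoryCooldown(category_cooldown_minutes=60)
    return [gate.should_report(ip, cat, t0 + timedelta(minutes=m)) for m, ip, cat in events]


if __name__ == "__main__":
    print(run_sample())
```

Keying on the pair rather than the IP alone means a source that moves from probing to a different attack category is still reported immediately.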