=== Anti Bot ===
Contributors:       Vladislav Darmogray
Tags:               geo, country, block, access control, ip, bot, waf, spam, forms, blacklist
Requires at least:  5.8
Tested up to:       6.5
Requires PHP:       8.0
Stable tag:         1.1.2
License:            Commercial
License URI:        https://solutions.wbhr.ru/licenses/anti-bot/
Author:             Vladislav Darmogray
Author URI:         https://solutions.wbhr.ru

Block access to your WordPress site by country, IP, ASN or bot with geo-database and JS Challenge support.

== Description ==

**Anti Bot** is a commercial WordPress plugin that gives you full control over who can access your website — by country, IP address, ASN or User-Agent.

= Key Features =

* Block selected countries from accessing your site
* IP Whitelist — specific IPs always allowed through (with bulk import)
* IP Blacklist — specific IPs always blocked (with bulk import)
* ASN Blacklist — block entire hosting providers, ISPs or VPN networks by autonomous system number
* Bot rules — block or allow bots by group (search engines, social, monitoring, generic) or custom User-Agent strings
* JS Challenge — show a slide puzzle to blocked visitors instead of a hard 403; bots can't solve it, real users can
* Local geo database — store GeoLite2-Country.mmdb locally, no API calls for country lookups, auto-updated every 3 days via WP-Cron
* Fast geo-lookup via geo.solutions.wbhr.ru with 24-hour IP cache in your own database
* ASN lookup with 7-day cache
* Access statistics always recorded — even without blocking rules, for traffic analysis
* Statistics include ASN, organisation name and request URL per event
* Load more in statistics — paginated event log
* Spam comment protection — filters wp-comments-post.php requests
* Support for Cloudflare, nginx proxy, and plain hosting (IP source selector)
* Beautiful admin UI with country search and checkboxes
* Access statistics dashboard with 24h / 3d / 7d switcher (stored max 7 days)
* Dashboard widget with live stats
* Debug logging to wp-content/uploads/anti-bot/debug.log
* Multisite support
* Commercial license with 1-year updates & support

= License Types =

* **Trial** — 7 days free, 1 domain
* **Single** — 1 domain (+ www., test., dev.), 1 year
* **Multi** — 5 domains, 1 year
* **Unlimited** — unlimited domains (agency), 1 year

== Installation ==

1. Upload the `anti-bot` folder to `/wp-content/plugins/`
2. Activate through the **Plugins** menu in WordPress
3. Go to **Anti Bot** in the left menu
4. Enter your license key on the **License** tab
5. Run `composer install --no-dev` in the plugin folder (required for local geo database)
6. Select the countries to block on the **Countries** tab and save

= Requirements =

* PHP 8.0+
* WordPress 5.8+
* Composer (for local geo database feature)

== Frequently Asked Questions ==

= Will Googlebot be blocked? =

No. By default all search engine bots are allowed through regardless of country rules. You can change this in the **Bots** tab.

= What is JS Challenge? =

When enabled, blocked visitors see a slide puzzle instead of a 403 page. If they drag the piece to the correct position, they are allowed through for 24 hours. Bots cannot pass this check programmatically.

= What is ASN blocking? =

ASN (Autonomous System Number) identifies a network operator — hosting provider, ISP or VPN service. Blocking an ASN blocks all IP addresses of that provider. Useful for blocking known spam hosting like Stark Industries (AS44477) or M247 (AS9009).

= What happens if the geo API is unavailable? =

The plugin fails open — visitors are allowed through. Results are cached for 24 hours so API calls are minimal. Alternatively, enable the local geo database for zero API dependency on country lookups.

= Does it work with Cloudflare? =

Yes. Set **IP Source** to "Cloudflare" in Settings to use the CF-Connecting-IP header.
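
A forwarded header such as CF-Connecting-IP is only trustworthy when the connection really comes from the proxy; otherwise it is ordinary client-supplied input. The following is an added example, not the plugin's own code, of resolving the client IP so that the header is honoured only for trusted peers. The function names and the sample proxy range are assumptions.

```php
<?php
// Added example: hypothetical helpers, not part of the Anti Bot plugin.

/** True if $ip lies inside $cidr (IPv4 or IPv6). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid input or mixed address families
    }
    $max = strlen($ipBin) * 8;
    $bits ??= (string) $max; // a bare address means an exact match
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false; // malformed prefix length
    }
    $bytes = intdiv((int) $bits, 8);
    $rem   = (int) $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) { return true; }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** Use the forwarded header only when the TCP peer is a trusted proxy. */
function resolve_client_ip(array $server, string $header, array $trustedProxies): string
{
    $peer    = $server['REMOTE_ADDR'] ?? '';
    $claimed = trim((string) ($server[$header] ?? ''));
    if (filter_var($claimed, FILTER_VALIDATE_IP) === false) {
        return $peer; // header missing or not an IP address
    }
    foreach ($trustedProxies as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            return $claimed; // peer is the proxy: accept its header
        }
    }
    return $peer; // header sent by an untrusted peer: ignore it
}

// Constructed input; 198.51.100.0/24 stands in for the proxy's published ranges.
$trusted  = ['198.51.100.0/24'];
$viaProxy = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '203.0.113.50'];
$direct   = ['REMOTE_ADDR' => '192.0.2.99', 'HTTP_CF_CONNECTING_IP' => '203.0.113.50'];
var_dump(resolve_client_ip($viaProxy, 'HTTP_CF_CONNECTING_IP', $trusted));
var_dump(resolve_client_ip($direct, 'HTTP_CF_CONNECTING_IP', $trusted));
```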

= Does it support multisite? =

Yes. When activated network-wide, each site gets its own trial and settings.

= Does it protect against DDoS? =

No. The plugin filters application-layer traffic (spam bots, scrapers, form spam). For DDoS protection use a dedicated service or your hosting provider's firewall.

== Changelog ==

= 1.1.2 =
* Added ASN Blacklist tab — block entire hosting providers and VPN networks by autonomous system number (AS number)
* Added bulk import for IP Whitelist and Blacklist (one IP per line, optional label via colon)
* Added bulk import for ASN Blacklist
* Added local geo database support — download and store GeoLite2-Country.mmdb locally, auto-updated every 3 days via WP-Cron, no API requests for country lookups
* Replaced 2ip.io API with own geo.solutions.wbhr.ru API (country + ASN in a single service)
* Added ASN lookup with 7-day cache per IP
* Added JS Challenge mode — show slide puzzle instead of hard block page; real users pass, bots do not
* Statistics now always recorded regardless of whether blocking rules are configured — enables traffic analysis before blocking
* Statistics table now shows ASN number, organisation name and request URL per event
* Added "Load more" button in statistics — paginated event log (50 records at a time via AJAX)
* Fixed statistics not recording allowed bots, whitelisted IPs and custom UA passes
* Added IP Cache section in settings (separated from geo API section)
* Removed 2ip.io API token field from settings
* Added Russian translations for all new UI strings
* Fixed undefined variable $org in access guard when data comes from cache
* Fixed JS Challenge cookie not being applied in the same request after verification
* Fixed challenge mode: visitors are now allowed through correctly after passing the puzzle

= 1.0.1 =
* Initial release
* Country blocking with geo-detection
* IP Whitelist and Blacklist
* Bot rules with custom User-Agent support
* Access statistics (7-day storage)
* Dashboard widget
* Debug logging
* Commercial license with trial, single, multi and unlimited types
* Multisite support
* Comment spam protection