Skip to content

Commit 9c3fcc9

Browse files
Martin Krchoclaude
andcommitted
Document WordPress AI Bot Management
Add end-user and admin documentation for the WordPress-plugin AI Bot Management feature (pre-WordPress bot classification and per-category rate limiting): - wordpress_plugin: new "AI Bot Management" section — how it works, bot categories, the Balanced/Strict/Monitor presets, the dashboard-widget row and detail pane (with screenshots), and the wp-config controls; add a version note. Also move the WAF version note out of Prerequisites into the WAF section's own opening note. - config_file_description: document ai_bot_protection and ai_bot_protection_preset in the WORDPRESS section; move the stranded "Active Response" block up next to its active_response row. - command_line_interface: add an AI Bot Management subsection with config-update examples (server-wide and per-account). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 29db1b9 commit 9c3fcc9

5 files changed

Lines changed: 162 additions & 27 deletions

File tree

68.2 KB
Loading
75.1 KB
Loading

docs/command_line_interface/README.md

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2822,3 +2822,40 @@ imunify360-agent wordpress-plugin rules list-disabled
28222822

28232823
</div>
28242824

2825+
### AI Bot Management
2826+
2827+
<span class="notranslate">AI Bot Management</span> (bot classification and per-category rate limiting) is controlled through configuration keys rather than a dedicated subcommand. The plugin must be installed first (see <span class="notranslate">`security_plugin_enabled`</span>). Site owners can also manage it from the WordPress dashboard — see <span class="notranslate">[AI Bot Management](/wordpress_plugin/#ai-bot-management)</span>.
2828+
2829+
Enable or disable it server-wide:
2830+
2831+
<div class="notranslate">
2832+
2833+
```
2834+
imunify360-agent config update '{"WORDPRESS":{"ai_bot_protection": true}}'
2835+
imunify360-agent config update '{"WORDPRESS":{"ai_bot_protection": false}}'
2836+
```
2837+
2838+
</div>
2839+
2840+
Enable it for a single hosting account:
2841+
2842+
<div class="notranslate">
2843+
2844+
```
2845+
imunify360-agent config update --user user1 '{"WORDPRESS":{"ai_bot_protection": true}}'
2846+
```
2847+
2848+
</div>
2849+
2850+
Set the default preset applied to sites that have not chosen their own — one of <span class="notranslate">`balanced`</span>, <span class="notranslate">`strict`</span>, or <span class="notranslate">`monitor`</span>:
2851+
2852+
<div class="notranslate">
2853+
2854+
```
2855+
imunify360-agent config update '{"WORDPRESS":{"ai_bot_protection_preset": "strict"}}'
2856+
```
2857+
2858+
</div>
2859+
2860+
A site owner can override the server default from the WordPress dashboard, and a <span class="notranslate">`define()`</span> in <span class="notranslate">`wp-config.php`</span> overrides both.
2861+

docs/config_file_description/README.md

Lines changed: 32 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -373,6 +373,33 @@ If a non-eligible interval is configured, the agent will ignore it and keep the
373373
<tr><th colspan="2" align="left"><span class="notranslate">OSSEC:</span></th></tr>
374374
<tr><td><span class="notranslate">active_response: False</span></td>
375375
<td># block (<span class="notranslate">True</span>) access to a specific server port being attacked. The ports include FTP (21), SSH (any port) and SMTP (25, 465, 587). The default value is <span class="notranslate">False</span>.</td></tr>
376+
<tr>
377+
<td colspan="2">
378+
379+
<span class="notranslate">Active Response</span> is an ossec-driven (IDS) feature of Imunify360 which has been re-engineered to make it capable of blocking access to a specific server port being attacked.
380+
381+
The purpose of the feature is significantly reducing false positive rate while increasing its capabilities to detect and block aggressive brute force requests.
382+
383+
In order to activate <span class="notranslate">Active Response, </span>the following lines should be added into <span class="notranslate">_/etc/sysconfig/imunify360/imunify360.config_</span>:
384+
<div class="notranslate">
385+
386+
```
387+
OSSEC:
388+
active_response: True
389+
```
390+
391+
</div>
392+
and then restart Imunify360 service:
393+
<div class="notranslate">
394+
395+
```
396+
systemctl restart imunify360
397+
```
398+
399+
</div>
400+
401+
</td>
402+
</tr>
376403
<tr><th colspan="2" align="left"><span class="notranslate">ADMIN_CONTACTS:</span></th></tr>
377404
<tr><td><span class="notranslate">emails: youremail@email.com</span></td>
378405
<td># your email to receive reports about critical issues, security alerts or system misconfigurations detected on your servers.</td></tr>
@@ -422,36 +449,18 @@ If a non-eligible interval is configured, the agent will ignore it and keep the
422449
<td># enable (<span class="notranslate">True</span>) the Malware Database Scanner - a database antivirus with automated malware detection and clean-up of web applications. Requires MariaDB/MySQL DB management system version 5.5. Recommended version is 5.6+. Note, that only WordPress, Joomla, and Magento databases are supported now.</td></tr>
423450
<tr><th colspan="2" align="left"><span class="notranslate">WORDPRESS:</span></th></tr>
424451
<tr><td><span class="notranslate">security_plugin_enabled: False</span></td>
425-
<td># installs the <span class="notranslate">Imunify Security</span> WordPress plugin on all WordPress sites. This is the master switch for the WordPress plugin and its WordPress WAF. Default is <span class="notranslate">False</span>.</td></tr>
452+
<td># installs the <span class="notranslate">Imunify Security</span> WordPress plugin on all WordPress sites. This is the master switch for the WordPress plugin, its WordPress WAF, and AI Bot Management. Default is <span class="notranslate">False</span>.</td></tr>
426453
<tr><td><span class="notranslate">waf_enabled: True</span></td>
427454
<td># enables the WordPress WAF (virtual patching) for WordPress sites on the server. When set to <span class="notranslate">False</span>, WAF rules are removed from all sites. Can also be set per hosting account. Default is <span class="notranslate">True</span>.</td></tr>
428455
<tr><td><span class="notranslate">waf_default: False</span></td>
429456
<td># whether the WordPress WAF is enabled automatically for newly created hosting accounts. Default is <span class="notranslate">False</span>.</td></tr>
457+
<tr><td><span class="notranslate">ai_bot_protection: False</span></td>
458+
<td># enables AI Bot Management (bot classification and per-category rate limiting) for WordPress sites on the server. Can also be set per hosting account; a site owner may override it from the WordPress dashboard. Default is <span class="notranslate">False</span>.</td></tr>
459+
<tr><td><span class="notranslate">ai_bot_protection_preset: balanced</span></td>
460+
<td># the default AI Bot Management preset applied to sites that have not chosen their own. One of <span class="notranslate">balanced</span>, <span class="notranslate">strict</span>, or <span class="notranslate">monitor</span>. Default is <span class="notranslate">balanced</span>.</td></tr>
430461
</tbody>
431462
</table>
432463

433-
<span class="notranslate">Active Response</span> is an ossec-driven (IDS) feature of Imunify360 which has been re-engineered to make it capable of blocking access to a specific server port being attacked.
434-
435-
The purpose of the feature is significantly reducing false positive rate while increasing its capabilities to detect and block aggressive brute force requests.
436-
437-
In order to activate <span class="notranslate">Active Response, </span>the following lines should be added into <span class="notranslate">_/etc/sysconfig/imunify360/imunify360.config_</span>:
438-
<div class="notranslate">
439-
440-
```
441-
OSSEC:
442-
active_response: True
443-
```
444-
445-
</div>
446-
and then restart Imunify360 service:
447-
<div class="notranslate">
448-
449-
```
450-
systemctl restart imunify360
451-
```
452-
453-
</div>
454-
455464
#### How to apply changes from CLI
456465

457466
In order to apply changes via command-line interface (CLI), you can use the following command:

docs/wordpress_plugin/README.md

Lines changed: 93 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,10 +13,6 @@ The **Imunify Security plugin for WordPress** is available to all Imunify custom
1313
* **Imunify360**: 8.4.1 or higher
1414
* **ImunifyAV/AV+**: 8.6.0 or higher
1515

16-
::: tip Note
17-
The <span class="notranslate">Web Application Firewall</span> (virtual patching) described below requires the <span class="notranslate">Imunify Security</span> WordPress plugin (<span class="notranslate">`imunify-wp-security`</span>) <span class="notranslate">`wp-3.0.1-2`</span> or later, together with a supported Imunify agent — <span class="notranslate">ImunifyAV/AV+</span> (<span class="notranslate">`imunify-antivirus`</span>) <span class="notranslate">`av-8.7.1-2`</span> or later, or <span class="notranslate">Imunify360</span> (<span class="notranslate">`imunify360-firewall`</span>) <span class="notranslate">`8.12.5-3`</span> or later.
18-
:::
19-
2016
## Installation
2117

2218
The plugin is not available in the WordPress plugin repository. To install:
@@ -40,6 +36,7 @@ The plugin adds a dashboard widget that helps administrators keep track of their
4036
- Real-time security status
4137
- Proactive Defense status
4238
- Web Application Firewall status and recent WAF incidents (see <span class="notranslate">[Web Application Firewall](/wordpress_plugin/#web-application-firewall-virtual-patching)</span>)
39+
- Bot Protection status and recent bot activity (see <span class="notranslate">[AI Bot Management](/wordpress_plugin/#ai-bot-management)</span>)
4340
- Timestamps for last and next scheduled scans
4441
- Detailed list of detected and cleaned malware (file path, signature, detection or clean-up time)
4542

@@ -88,6 +85,8 @@ ImunifyAV users are shown a limited interface and prompted to upgrade to Imunify
8885
The <span class="notranslate">Imunify Security</span> plugin includes a **Web Application Firewall (WAF)** that provides *virtual patching* for WordPress. It protects your sites against known vulnerabilities (CVEs) in WordPress plugins, themes, and core — **without modifying any of your site's files**. When a plugin or theme you use has a known security flaw, the WAF blocks attempts to exploit it, giving you time to apply the real update.
8986

9087
::: tip Note
88+
The <span class="notranslate">Web Application Firewall</span> (virtual patching) described below requires the <span class="notranslate">Imunify Security</span> WordPress plugin (<span class="notranslate">`imunify-wp-security`</span>) <span class="notranslate">`wp-3.0.1-2`</span> or later, together with a supported Imunify agent — <span class="notranslate">ImunifyAV/AV+</span> (<span class="notranslate">`imunify-antivirus`</span>) <span class="notranslate">`av-8.7.1-2`</span> or later, or <span class="notranslate">Imunify360</span> (<span class="notranslate">`imunify360-firewall`</span>) <span class="notranslate">`8.12.5-3`</span> or later.
89+
9190
This WordPress WAF is a separate layer from the server-side <span class="notranslate">[WAF (ModSecurity)](/dashboard/#waf-settings)</span> and from <span class="notranslate">[WordPress Account Brute-force Protection](/dashboard/#wordpress-account-brute-force-protection)</span>. It runs inside the WordPress plugin and focuses on blocking exploit attempts against vulnerable plugins and themes. In the Imunify control panel it is presented on the <span class="notranslate">_CMS WAF_</span> tab.
9291
:::
9392

@@ -188,3 +187,93 @@ The WordPress WAF requires the <span class="notranslate">Imunify Security</span>
188187

189188
* **Server administrators** enable or disable the WAF server-wide, and can choose whether it is on by default for new hosting accounts. See <span class="notranslate">[WordPress plugin settings](/dashboard/#wordpress-plugin)</span> and the <span class="notranslate">[command-line reference](/command_line_interface/#wordpress-plugin)</span>.
190189
* **Hosting-account owners** can turn the WAF off for their own account, unless the administrator has locked it server-wide (shown as *This value is set by server administrator*).
190+
191+
## AI Bot Management
192+
193+
<span class="notranslate">Imunify Security</span> includes **AI Bot Management** — a layer that identifies automated traffic (search-engine crawlers, AI/LLM crawlers, scrapers, and malicious bots) *before WordPress finishes loading* and applies a per-minute request limit to each kind of bot, while leaving real visitors untouched. It protects sites from aggressive crawling and bot-driven resource abuse — increasingly from the wave of AI training and scraping crawlers — without slowing down legitimate users.
194+
195+
::: tip Note
196+
AI Bot Management requires the <span class="notranslate">Imunify Security</span> WordPress plugin (<span class="notranslate">`imunify-wp-security`</span>) <span class="notranslate">`wp-4.0.2-2`</span> or later, together with a supported Imunify agent — <span class="notranslate">ImunifyAV/AV+</span> (<span class="notranslate">`imunify-antivirus`</span>) <span class="notranslate">`av-8.8.3-6`</span> or later, or <span class="notranslate">Imunify360</span> (<span class="notranslate">`imunify360-firewall`</span>) <span class="notranslate">`8.13.6-6`</span> or later. It is a separate layer from the server-side <span class="notranslate">[WAF (ModSecurity)](/dashboard/#waf-settings)</span>, from <span class="notranslate">[WordPress Account Brute-force Protection](/dashboard/#wordpress-account-brute-force-protection)</span>, and from the plugin's own <span class="notranslate">[Web Application Firewall](#web-application-firewall-virtual-patching)</span>. In the WordPress dashboard it appears as <span class="notranslate">_Bot Protection_</span>.
197+
:::
198+
199+
### How it works
200+
201+
The feature runs as a *must-use* plugin, so it evaluates each request before the rest of WordPress (and other plugins) load. For every request it:
202+
203+
1. **Classifies** the visitor into one category — a verified search engine, a verified AI crawler, an unknown automated client, an unverified bot, a malicious bot, or a human. Clients that claim to be a known crawler (for example, Googlebot) are confirmed by *forward-confirmed reverse DNS*, so a spoofed user-agent does not earn a crawler's higher limit.
204+
2. **Applies the category's limit.** Each non-human category has a requests-per-minute allowance set by the active preset. Requests over the limit are refused with <span class="notranslate">HTTP 429 (Too Many Requests)</span> and a <span class="notranslate">`Retry-After`</span> hint; malicious bots are blocked outright with <span class="notranslate">HTTP 403 (Forbidden)</span>. Clients that keep exceeding their limit can be escalated to a temporary block.
205+
206+
Human visitors are never rate-limited. The check is *fail-open*: if anything goes wrong (for example, the backing storage is unavailable), the request is allowed through, so the feature can never take a site down.
207+
208+
### Bot categories
209+
210+
| Category | What it is |
211+
|---|---|
212+
| <span class="notranslate">_Verified search engines_</span> | Crawlers confirmed by reverse DNS to belong to a search engine (Google, Bing, and similar). Given a high allowance so indexing is never disrupted. |
213+
| <span class="notranslate">_Verified AI crawlers_</span> | Confirmed crawlers from AI/LLM providers (training or retrieval). |
214+
| <span class="notranslate">_Unknown automated_</span> | Automated clients that do not match a known, verified crawler. |
215+
| <span class="notranslate">_Unverified bots_</span> | Clients claiming to be a known bot but failing reverse-DNS verification. |
216+
| <span class="notranslate">_Malicious bots_</span> | Known-bad clients, and clients caught by the honeypot. Blocked in every preset except <span class="notranslate">_Monitor only_</span>. |
217+
| <span class="notranslate">_Humans_</span> | Regular visitors. Never rate-limited. |
218+
219+
### Protection presets
220+
221+
The active **preset** decides the per-minute limits. <span class="notranslate">_Balanced_</span> is the default.
222+
223+
| Category (requests / minute) | <span class="notranslate">_Balanced_</span> | <span class="notranslate">_Strict_</span> | <span class="notranslate">_Monitor only_</span> |
224+
|---|---|---|---|
225+
| Verified search engines | 300 | 300 | Not enforced |
226+
| Verified AI crawlers | 10 | 3 | Not enforced |
227+
| Unknown automated | 5 | 2 | Not enforced |
228+
| Unverified bots | 2 | 1 | Not enforced |
229+
| Malicious bots | Blocked | Blocked | Not enforced |
230+
231+
* <span class="notranslate">_Balanced_</span> — sensible limits for a typical site. Recommended for most sites.
232+
* <span class="notranslate">_Strict_</span> — tighter limits for sites under heavy bot pressure.
233+
* <span class="notranslate">_Monitor only_</span> — classifies traffic but does not block or limit anything. Useful for trying the feature out before enforcing it.
234+
235+
### In the WordPress dashboard widget
236+
237+
Once your hosting provider has enabled AI Bot Management, the <span class="notranslate">Imunify Security</span> dashboard widget shows a <span class="notranslate">_Bot Protection_</span> row with the current status, the active preset, and the number of requests blocked in the last 24 hours.
238+
239+
<img src="/images/wordpress-plugin/bot-widget.png" alt="The Imunify Security dashboard widget with the Bot Protection row" width="420">
240+
241+
*The <span class="notranslate">Imunify Security</span> dashboard widget. The <span class="notranslate">_Bot Protection_</span> row shows the active preset and the number of requests blocked in the last 24 hours.*
242+
243+
Click the row to open the detail pane, where you can:
244+
245+
* see the current <span class="notranslate">_Status_</span> and <span class="notranslate">_Blocked (24h)_</span> count;
246+
* view the active **preset** and its live <span class="notranslate">_Rate limits (requests / minute)_</span> table, and switch preset with <span class="notranslate">_change_</span> → <span class="notranslate">_Save_</span>;
247+
* turn protection **off for this site** — or back on.
248+
249+
<img src="/images/wordpress-plugin/bot-widget-pane.png" alt="The Bot Protection detail pane inside the Imunify Security widget" width="420">
250+
251+
*The detail pane: status, the 24-hour blocked counter, the preset picker, and the per-category rate limits for the selected preset.*
252+
253+
Only WordPress administrators (users who can <span class="notranslate">_manage options_</span>) can change these settings.
254+
255+
::: tip Note
256+
If your site cannot reach itself over HTTP, the pane shows a <span class="notranslate">_"Your site can't reach itself"_</span> warning — scheduled tasks, including automatic bot-data updates, may not run. Fix the loopback connectivity (for example, a local DNS or firewall issue) and click <span class="notranslate">_Re-check_</span>.
257+
:::
258+
259+
### Turning it on or off
260+
261+
AI Bot Management is controlled at three levels:
262+
263+
1. **Hosting provider (server-wide).** The provider enables the feature and sets the default preset. When it is off at the server level, the <span class="notranslate">_Bot Protection_</span> row does not appear. Providers control it from the command line — see the <span class="notranslate">[configuration file reference](/config_file_description/)</span> (<span class="notranslate">`ai_bot_protection`</span>, <span class="notranslate">`ai_bot_protection_preset`</span>) and the <span class="notranslate">[command-line reference](/command_line_interface/#wordpress-plugin)</span>.
264+
2. **Site owner (WordPress admin).** Once the provider has enabled it, the WordPress administrator turns it on or off for their own site and chooses the preset from the <span class="notranslate">_Bot Protection_</span> widget.
265+
3. **`wp-config.php` (advanced).** Definitions in <span class="notranslate">`wp-config.php`</span> override the widget:
266+
267+
<div class="notranslate">
268+
269+
```php
270+
// Force AI Bot Management off for this site (overrides the widget):
271+
define( 'IMUNIFY_AI_BOT_PROTECTION', false );
272+
273+
// Force a specific preset (balanced | strict | monitor):
274+
define( 'IMUNIFY_AI_BOT_PROTECTION_PRESET', 'strict' );
275+
```
276+
277+
</div>
278+
279+
When AI Bot Management is disabled in <span class="notranslate">`wp-config.php`</span>, the widget shows <span class="notranslate">_Disabled in wp-config.php_</span> and the controls are locked.

0 commit comments

Comments
 (0)