You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
<spanclass="notranslate">AI Bot Management</span> (bot classification and per-category rate limiting) is controlled through configuration keys rather than a dedicated subcommand. The plugin must be installed first (see <spanclass="notranslate">`security_plugin_enabled`</span>). Site owners can also manage it from the WordPress dashboard — see <spanclass="notranslate">[AI Bot Management](/wordpress_plugin/#ai-bot-management)</span>.
Set the default preset applied to sites that have not chosen their own — one of <spanclass="notranslate">`balanced`</span>, <spanclass="notranslate">`strict`</span>, or <spanclass="notranslate">`monitor`</span>:
A site owner can override the server default from the WordPress dashboard, and a <spanclass="notranslate">`define()`</span> in <spanclass="notranslate">`wp-config.php`</span> overrides both.
<td># block (<spanclass="notranslate">True</span>) access to a specific server port being attacked. The ports include FTP (21), SSH (any port) and SMTP (25, 465, 587). The default value is <spanclass="notranslate">False</span>.</td></tr>
376
+
<tr>
377
+
<tdcolspan="2">
378
+
379
+
<spanclass="notranslate">Active Response</span> is an ossec-driven (IDS) feature of Imunify360 which has been re-engineered to make it capable of blocking access to a specific server port being attacked.
380
+
381
+
The purpose of the feature is significantly reducing false positive rate while increasing its capabilities to detect and block aggressive brute force requests.
382
+
383
+
In order to activate <spanclass="notranslate">Active Response, </span>the following lines should be added into <spanclass="notranslate">_/etc/sysconfig/imunify360/imunify360.config_</span>:
<td># your email to receive reports about critical issues, security alerts or system misconfigurations detected on your servers.</td></tr>
@@ -422,36 +449,18 @@ If a non-eligible interval is configured, the agent will ignore it and keep the
422
449
<td># enable (<spanclass="notranslate">True</span>) the Malware Database Scanner - a database antivirus with automated malware detection and clean-up of web applications. Requires MariaDB/MySQL DB management system version 5.5. Recommended version is 5.6+. Note, that only WordPress, Joomla, and Magento databases are supported now.</td></tr>
<td># installs the <spanclass="notranslate">Imunify Security</span> WordPress plugin on all WordPress sites. This is the master switch for the WordPress plugin and its WordPress WAF. Default is <spanclass="notranslate">False</span>.</td></tr>
452
+
<td># installs the <spanclass="notranslate">Imunify Security</span> WordPress plugin on all WordPress sites. This is the master switch for the WordPress plugin, its WordPress WAF, and AI Bot Management. Default is <spanclass="notranslate">False</span>.</td></tr>
<td># enables the WordPress WAF (virtual patching) for WordPress sites on the server. When set to <spanclass="notranslate">False</span>, WAF rules are removed from all sites. Can also be set per hosting account. Default is <spanclass="notranslate">True</span>.</td></tr>
<td># whether the WordPress WAF is enabled automatically for newly created hosting accounts. Default is <spanclass="notranslate">False</span>.</td></tr>
<td># enables AI Bot Management (bot classification and per-category rate limiting) for WordPress sites on the server. Can also be set per hosting account; a site owner may override it from the WordPress dashboard. Default is <spanclass="notranslate">False</span>.</td></tr>
<td># the default AI Bot Management preset applied to sites that have not chosen their own. One of <spanclass="notranslate">balanced</span>, <spanclass="notranslate">strict</span>, or <spanclass="notranslate">monitor</span>. Default is <spanclass="notranslate">balanced</span>.</td></tr>
430
461
</tbody>
431
462
</table>
432
463
433
-
<spanclass="notranslate">Active Response</span> is an ossec-driven (IDS) feature of Imunify360 which has been re-engineered to make it capable of blocking access to a specific server port being attacked.
434
-
435
-
The purpose of the feature is significantly reducing false positive rate while increasing its capabilities to detect and block aggressive brute force requests.
436
-
437
-
In order to activate <spanclass="notranslate">Active Response, </span>the following lines should be added into <spanclass="notranslate">_/etc/sysconfig/imunify360/imunify360.config_</span>:
438
-
<divclass="notranslate">
439
-
440
-
```
441
-
OSSEC:
442
-
active_response: True
443
-
```
444
-
445
-
</div>
446
-
and then restart Imunify360 service:
447
-
<divclass="notranslate">
448
-
449
-
```
450
-
systemctl restart imunify360
451
-
```
452
-
453
-
</div>
454
-
455
464
#### How to apply changes from CLI
456
465
457
466
In order to apply changes via command-line interface (CLI), you can use the following command:
Copy file name to clipboardExpand all lines: docs/wordpress_plugin/README.md
+93-4Lines changed: 93 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,10 +13,6 @@ The **Imunify Security plugin for WordPress** is available to all Imunify custom
13
13
***Imunify360**: 8.4.1 or higher
14
14
***ImunifyAV/AV+**: 8.6.0 or higher
15
15
16
-
::: tip Note
17
-
The <spanclass="notranslate">Web Application Firewall</span> (virtual patching) described below requires the <spanclass="notranslate">Imunify Security</span> WordPress plugin (<spanclass="notranslate">`imunify-wp-security`</span>) <spanclass="notranslate">`wp-3.0.1-2`</span> or later, together with a supported Imunify agent — <spanclass="notranslate">ImunifyAV/AV+</span> (<spanclass="notranslate">`imunify-antivirus`</span>) <spanclass="notranslate">`av-8.7.1-2`</span> or later, or <spanclass="notranslate">Imunify360</span> (<spanclass="notranslate">`imunify360-firewall`</span>) <spanclass="notranslate">`8.12.5-3`</span> or later.
18
-
:::
19
-
20
16
## Installation
21
17
22
18
The plugin is not available in the WordPress plugin repository. To install:
@@ -40,6 +36,7 @@ The plugin adds a dashboard widget that helps administrators keep track of their
40
36
- Real-time security status
41
37
- Proactive Defense status
42
38
- Web Application Firewall status and recent WAF incidents (see <spanclass="notranslate">[Web Application Firewall](/wordpress_plugin/#web-application-firewall-virtual-patching)</span>)
39
+
- Bot Protection status and recent bot activity (see <spanclass="notranslate">[AI Bot Management](/wordpress_plugin/#ai-bot-management)</span>)
43
40
- Timestamps for last and next scheduled scans
44
41
- Detailed list of detected and cleaned malware (file path, signature, detection or clean-up time)
45
42
@@ -88,6 +85,8 @@ ImunifyAV users are shown a limited interface and prompted to upgrade to Imunify
88
85
The <spanclass="notranslate">Imunify Security</span> plugin includes a **Web Application Firewall (WAF)** that provides *virtual patching* for WordPress. It protects your sites against known vulnerabilities (CVEs) in WordPress plugins, themes, and core — **without modifying any of your site's files**. When a plugin or theme you use has a known security flaw, the WAF blocks attempts to exploit it, giving you time to apply the real update.
89
86
90
87
::: tip Note
88
+
The <spanclass="notranslate">Web Application Firewall</span> (virtual patching) described below requires the <spanclass="notranslate">Imunify Security</span> WordPress plugin (<spanclass="notranslate">`imunify-wp-security`</span>) <spanclass="notranslate">`wp-3.0.1-2`</span> or later, together with a supported Imunify agent — <spanclass="notranslate">ImunifyAV/AV+</span> (<spanclass="notranslate">`imunify-antivirus`</span>) <spanclass="notranslate">`av-8.7.1-2`</span> or later, or <spanclass="notranslate">Imunify360</span> (<spanclass="notranslate">`imunify360-firewall`</span>) <spanclass="notranslate">`8.12.5-3`</span> or later.
89
+
91
90
This WordPress WAF is a separate layer from the server-side <spanclass="notranslate">[WAF (ModSecurity)](/dashboard/#waf-settings)</span> and from <spanclass="notranslate">[WordPress Account Brute-force Protection](/dashboard/#wordpress-account-brute-force-protection)</span>. It runs inside the WordPress plugin and focuses on blocking exploit attempts against vulnerable plugins and themes. In the Imunify control panel it is presented on the <spanclass="notranslate">_CMS WAF_</span> tab.
92
91
:::
93
92
@@ -188,3 +187,93 @@ The WordPress WAF requires the <span class="notranslate">Imunify Security</span>
188
187
189
188
***Server administrators** enable or disable the WAF server-wide, and can choose whether it is on by default for new hosting accounts. See <spanclass="notranslate">[WordPress plugin settings](/dashboard/#wordpress-plugin)</span> and the <spanclass="notranslate">[command-line reference](/command_line_interface/#wordpress-plugin)</span>.
190
189
***Hosting-account owners** can turn the WAF off for their own account, unless the administrator has locked it server-wide (shown as *This value is set by server administrator*).
190
+
191
+
## AI Bot Management
192
+
193
+
<spanclass="notranslate">Imunify Security</span> includes **AI Bot Management** — a layer that identifies automated traffic (search-engine crawlers, AI/LLM crawlers, scrapers, and malicious bots) *before WordPress finishes loading* and applies a per-minute request limit to each kind of bot, while leaving real visitors untouched. It protects sites from aggressive crawling and bot-driven resource abuse — increasingly from the wave of AI training and scraping crawlers — without slowing down legitimate users.
194
+
195
+
::: tip Note
196
+
AI Bot Management requires the <span class="notranslate">Imunify Security</span> WordPress plugin (<span class="notranslate">`imunify-wp-security`</span>) <span class="notranslate">`wp-4.0.2-2`</span> or later, together with a supported Imunify agent — <span class="notranslate">ImunifyAV/AV+</span> (<span class="notranslate">`imunify-antivirus`</span>) <span class="notranslate">`av-8.8.3-6`</span> or later, or <span class="notranslate">Imunify360</span> (<span class="notranslate">`imunify360-firewall`</span>) <span class="notranslate">`8.13.6-6`</span> or later. It is a separate layer from the server-side <span class="notranslate">[WAF (ModSecurity)](/dashboard/#waf-settings)</span>, from <span class="notranslate">[WordPress Account Brute-force Protection](/dashboard/#wordpress-account-brute-force-protection)</span>, and from the plugin's own <span class="notranslate">[Web Application Firewall](#web-application-firewall-virtual-patching)</span>. In the WordPress dashboard it appears as <span class="notranslate">_Bot Protection_</span>.
197
+
:::
198
+
199
+
### How it works
200
+
201
+
The feature runs as a *must-use* plugin, so it evaluates each request before the rest of WordPress (and other plugins) load. For every request it:
202
+
203
+
1.**Classifies** the visitor into one category — a verified search engine, a verified AI crawler, an unknown automated client, an unverified bot, a malicious bot, or a human. Clients that claim to be a known crawler (for example, Googlebot) are confirmed by *forward-confirmed reverse DNS*, so a spoofed user-agent does not earn a crawler's higher limit.
204
+
2.**Applies the category's limit.** Each non-human category has a requests-per-minute allowance set by the active preset. Requests over the limit are refused with <spanclass="notranslate">HTTP 429 (Too Many Requests)</span> and a <spanclass="notranslate">`Retry-After`</span> hint; malicious bots are blocked outright with <spanclass="notranslate">HTTP 403 (Forbidden)</span>. Clients that keep exceeding their limit can be escalated to a temporary block.
205
+
206
+
Human visitors are never rate-limited. The check is *fail-open*: if anything goes wrong (for example, the backing storage is unavailable), the request is allowed through, so the feature can never take a site down.
207
+
208
+
### Bot categories
209
+
210
+
| Category | What it is |
211
+
|---|---|
212
+
| <spanclass="notranslate">_Verified search engines_</span> | Crawlers confirmed by reverse DNS to belong to a search engine (Google, Bing, and similar). Given a high allowance so indexing is never disrupted. |
213
+
| <spanclass="notranslate">_Verified AI crawlers_</span> | Confirmed crawlers from AI/LLM providers (training or retrieval). |
214
+
| <spanclass="notranslate">_Unknown automated_</span> | Automated clients that do not match a known, verified crawler. |
215
+
| <spanclass="notranslate">_Unverified bots_</span> | Clients claiming to be a known bot but failing reverse-DNS verification. |
216
+
| <spanclass="notranslate">_Malicious bots_</span> | Known-bad clients, and clients caught by the honeypot. Blocked in every preset except <spanclass="notranslate">_Monitor only_</span>. |
217
+
| <spanclass="notranslate">_Humans_</span> | Regular visitors. Never rate-limited. |
218
+
219
+
### Protection presets
220
+
221
+
The active **preset** decides the per-minute limits. <spanclass="notranslate">_Balanced_</span> is the default.
* <spanclass="notranslate">_Balanced_</span> — sensible limits for a typical site. Recommended for most sites.
232
+
* <spanclass="notranslate">_Strict_</span> — tighter limits for sites under heavy bot pressure.
233
+
* <spanclass="notranslate">_Monitor only_</span> — classifies traffic but does not block or limit anything. Useful for trying the feature out before enforcing it.
234
+
235
+
### In the WordPress dashboard widget
236
+
237
+
Once your hosting provider has enabled AI Bot Management, the <spanclass="notranslate">Imunify Security</span> dashboard widget shows a <spanclass="notranslate">_Bot Protection_</span> row with the current status, the active preset, and the number of requests blocked in the last 24 hours.
238
+
239
+
<imgsrc="/images/wordpress-plugin/bot-widget.png"alt="The Imunify Security dashboard widget with the Bot Protection row"width="420">
240
+
241
+
*The <spanclass="notranslate">Imunify Security</span> dashboard widget. The <spanclass="notranslate">_Bot Protection_</span> row shows the active preset and the number of requests blocked in the last 24 hours.*
242
+
243
+
Click the row to open the detail pane, where you can:
244
+
245
+
* see the current <spanclass="notranslate">_Status_</span> and <spanclass="notranslate">_Blocked (24h)_</span> count;
246
+
* view the active **preset** and its live <spanclass="notranslate">_Rate limits (requests / minute)_</span> table, and switch preset with <spanclass="notranslate">_change_</span> → <spanclass="notranslate">_Save_</span>;
247
+
* turn protection **off for this site** — or back on.
248
+
249
+
<imgsrc="/images/wordpress-plugin/bot-widget-pane.png"alt="The Bot Protection detail pane inside the Imunify Security widget"width="420">
250
+
251
+
*The detail pane: status, the 24-hour blocked counter, the preset picker, and the per-category rate limits for the selected preset.*
252
+
253
+
Only WordPress administrators (users who can <spanclass="notranslate">_manage options_</span>) can change these settings.
254
+
255
+
::: tip Note
256
+
If your site cannot reach itself over HTTP, the pane shows a <spanclass="notranslate">_"Your site can't reach itself"_</span> warning — scheduled tasks, including automatic bot-data updates, may not run. Fix the loopback connectivity (for example, a local DNS or firewall issue) and click <spanclass="notranslate">_Re-check_</span>.
257
+
:::
258
+
259
+
### Turning it on or off
260
+
261
+
AI Bot Management is controlled at three levels:
262
+
263
+
1.**Hosting provider (server-wide).** The provider enables the feature and sets the default preset. When it is off at the server level, the <spanclass="notranslate">_Bot Protection_</span> row does not appear. Providers control it from the command line — see the <spanclass="notranslate">[configuration file reference](/config_file_description/)</span> (<spanclass="notranslate">`ai_bot_protection`</span>, <spanclass="notranslate">`ai_bot_protection_preset`</span>) and the <spanclass="notranslate">[command-line reference](/command_line_interface/#wordpress-plugin)</span>.
264
+
2.**Site owner (WordPress admin).** Once the provider has enabled it, the WordPress administrator turns it on or off for their own site and chooses the preset from the <spanclass="notranslate">_Bot Protection_</span> widget.
265
+
3.**`wp-config.php` (advanced).** Definitions in <spanclass="notranslate">`wp-config.php`</span> override the widget:
266
+
267
+
<divclass="notranslate">
268
+
269
+
```php
270
+
// Force AI Bot Management off for this site (overrides the widget):
271
+
define( 'IMUNIFY_AI_BOT_PROTECTION', false );
272
+
273
+
// Force a specific preset (balanced | strict | monitor):
When AI Bot Management is disabled in <spanclass="notranslate">`wp-config.php`</span>, the widget shows <spanclass="notranslate">_Disabled in wp-config.php_</span> and the controls are locked.
0 commit comments