Crawlantix AI Bot Tracker

Crawlantix AI Bot Tracker monitors visits from 30+ AI crawlers and gives you visibility into how bots interact with your site. See which bots visit, what pages they crawl, and catch misbehaving bots with a built-in logging-only honeypot. Lightweight, privacy-first, and fully functional out of the box.

Free forever — no artificial limits on bot detection.

Tracked Bots (30+):

• GPTBot / ChatGPT-User / OAI-SearchBot (OpenAI)
• ClaudeBot / Claude-Web / anthropic-ai (Anthropic)
• Googlebot / Google-Extended (Google / Gemini)
• bingbot (Microsoft / Copilot)
• PerplexityBot (Perplexity)
• DeepSeek, Qwen (Alibaba), Mistral AI
• Applebot-Extended (Apple Intelligence)
• Meta-ExternalAgent (Meta AI)
• Bytespider (ByteDance)
• CCBot (Common Crawl), Amazonbot, YouBot, DuckDuckBot
• AI2Bot, Diffbot, Timpibot, PetalBot
• SemrushBot, AhrefsBot, DataForSeoBot, MJ12bot, DotBot

Features:

Lightweight Bot Detection (30+ Bots)

Hooks into WordPress init with a priority-1 action. Bails immediately on non-AI User-Agents — zero performance cost for human visitors. All 30+ bots tracked.

Dashboard with Charts

Clean dashboard with trend chart and provider breakdown pie chart (Chart.js, bundled locally). Summary cards show total visits, unique bots, pages crawled, and daily averages. No external dependencies.

Bot Activity Table

Dedicated tab showing all detected bots with visits, bytes transferred, 24h sparklines, verification status, and honeypot hit counts.

Crawled Pages

See which pages bots visit most, which bots crawl them, and when they were last seen.

Honeypot Endpoint (Logging Only)

A CSS-hidden, aria-hidden, rel=nofollow link is injected in the footer. Only raw link-extracting bots will follow it. Visits are logged for transparency. Active defense (blocking, tarpit, rate-limit, decoy, shadowban) is reserved for the paid build.

Bot Verification

Reverse DNS (FCrDNS) verification for major bots — confirms Googlebot, GPTBot, ClaudeBot, etc. are actually who they claim to be.

Privacy First

IP addresses are SHA-256 hashed with a per-install salt before storage. Raw IPs are never saved. Includes WordPress Privacy API exporter and eraser hooks so data-subject access and erasure requests can flow through the standard WordPress Tools → Personal Data workflow.

AI Discovery Layer

Serves ai-plugin.json (a discovery manifest that tells visiting AI agents the site is monitored) and llms.txt / llms-full.txt (text content authored by the admin via WordPress pages with slugs llms-txt and llms-full-txt) at the site root.

Data Retention

Bot visit data is retained for 30 days. Older records are automatically pruned via WP-Cron.

External Services

This plugin connects to the following external services:

Reverse DNS Lookups

The bot verification feature performs reverse DNS (FCrDNS) lookups using PHP’s gethostbyaddr() and gethostbyname() functions to verify that bots are who they claim to be (e.g., confirming a request claiming to be Googlebot actually originates from Google’s network). These lookups send the bot’s IP address to your server’s configured DNS resolver and the authoritative DNS servers for the IP address’s reverse DNS zone. Under some privacy regimes, IP addresses may be considered personal data. This feature runs automatically when a known AI bot visits your site and cannot currently be disabled via the admin UI (a filter hook crawlantix_enable_verification is available for developers).

No other external services, third-party APIs, or remote requests are used by this plugin. All analytics data is stored locally in your WordPress database. Chart.js is bundled locally — no CDN requests are made.

Privacy Policy

Crawlantix AI Bot Tracker is designed with privacy as a core principle:

• Bot traffic only. The plugin only tracks automated bot traffic identified by User-Agent strings. Human visitors are not tracked and no cookies are set.
• No raw IP addresses stored. All IP addresses are SHA-256 hashed with a per-install random salt before storage (or AUTH_SALT when defined in wp-config.php). The original IP address cannot be recovered from the hash. Note: pseudonymous IP hashes may still be considered personal data under GDPR.
• Data stored per bot visit: IP hash, User-Agent string, requested URL, HTTP referrer URL, request method, timestamp, and derived fields (bytes transferred, bot verification status). Referrer URLs may contain personal data depending on the referring site.
• WordPress Privacy API integration. The plugin registers exporter and eraser callbacks with WordPress core, so data-subject access and erasure requests filed through Tools → Personal Data flow correctly.
• No external data transmission. All analytics data remains in your local WordPress database. No data is sent to Crawlantix or third-party services. The only external communication is DNS lookups for bot verification (see External Services above).
• Data retention controls. Bot visit data is automatically pruned after 30 days. Administrators can delete all collected data on uninstall via the “Delete Data on Uninstall” Settings toggle.

For sites that require a formal privacy policy disclosure, you may note: “We use the Crawlantix AI Bot Tracker plugin to monitor automated AI bot traffic to our site. This plugin records bot User-Agent strings, pseudonymous IP hashes, pages visited, referrer URLs, and timestamps for detected bot traffic only. Raw IP addresses are cryptographically hashed before storage. No human visitor data is collected.”

Premium Version

Crawlantix also offers paid tiers at crawlantix.com for site owners who need active bot defense in addition to monitoring. The paid build adds the following features on top of everything in this free version:

Protect tier

• Active honeypot responses: HTTP 403 block, tarpit (random 5–25s delay with worker-exhaustion safeguards), rate limit 429, decoy content, shadowban.
• Auto-block of repeat honeypot offenders, with configurable thresholds.
• Per-IP response rules — apply a chosen response strategy to specific IP hashes (up to 200 rules).
• Custom honeypot paths (up to 5) with a reserved-route safety list.
• Email alerts for honeypot hits and parameter explosion patterns.
• Robots.txt trap entries that catch non-compliant scrapers.
• Optional override that suppresses the WordPress core /wp/v2/users REST endpoints (username-enumeration hardening, off by default and easy to opt back in).

Optimize tier

• Full REST API at /wp-json/ai-tracker/v1/ with API key authentication and 13 endpoints (status, stats, page, trends, bots, top-pages, report, export, alerts, honeypot, crawled-pages, etc.).
• GeoIP location tracking with MaxMind GeoLite2.
• Crawl Analytics tab with deeper traffic-quality metrics.
• Extended data retention up to 365 days.

Scale tier

• Backup & restore — export all data as JSON; import with merge or replace modes.
• Unlimited retention.
• Priority support.

The paid build is a drop-in upgrade: same plugin slug, same database tables, same option keys, so all your historical bot data carries over with no migration step on your part.