FacetFence Product Filters

FacetFence Product Filters is a defensive WooCommerce plugin for expensive layered-filter URLs such as:

/product-category/active-equipment/?filter_poe=donthave&query_type_poe=or&filter_brand=cisco&query_type_brand=or

These URLs can create heavy WordPress/WooCommerce execution paths, consume PHP-FPM workers, and waste crawl budget. The plugin provides a safe default Monitor mode and lets administrators gradually enable stronger controls.

Major features:

• Real Event Log and admin dashboard for blocked, allowed, SEO, mode, self-test, XML-RPC, and rule-generation events.
• Privacy modes for IP logging: full, anonymized, or hash-only.
• Query Complexity Scoring for filter_, query_type_, query length, multi-value filters, and WooCommerce query keys.
• SEO Soft Mode: allow normal filtered URLs while applying noindex, nofollow, X-Robots-Tag, and clean canonical URLs.
• Signed HMAC human cookie with optional daily rotating cookie name, User-Agent binding, and IP-prefix binding.
• Best-effort transient/object-cache based rate limiting, disabled by default so Monitor mode never blocks unexpectedly. Server/CDN rate limits are still recommended for very high-volume attacks.
• Auto Emergency Mode with strict/emergency thresholds, recovery period, and filtered-request pressure counting even in Monitor mode.
• Verified Googlebot and Bingbot checks using reverse DNS plus forward DNS confirmation.
• Apache/LiteSpeed .htaccess, Nginx, and Cloudflare rule generator with mode-aware, public-root-aware, subdirectory-aware, signed-cookie-pattern server checks, Cloudflare args.names query matching, and emergency rules aligned with configured query keys.
• Health Check / Self-Test after changes with real signed-cookie tests, separate bypass-token test, optional rollback, redirect following, and configurable real WooCommerce test paths.
• Rollback backups for public-root .htaccess, robots.txt, and blocked-light.html.
• robots.txt virtual and physical managed blocks, disabled in Off/Monitor modes.
• Optional XML-RPC blocking.
• Multisite-aware activation/deactivation/uninstall cleanup; network activation creates per-site runtime tables and options.

The default mode is Monitor Only: it logs and scores only and does not modify SEO tags, cookies, robots, rate limits, XML-RPC, or server-level rules.

Privacy

FacetFence Product Filters can record security events related to expensive filtered URL requests. Depending on settings, logs may include event type, timestamp, method, URI, query length, filter count, User-Agent hash, IP hash, anonymized IP or full IP, referer/cookie presence, action taken, response status, protection mode, and complexity score.

Default privacy behavior:

• IP logging mode: hash-only.
• Event retention: 14 days.
• Rate-limit counters use best-effort short-lived WordPress transients/object cache entries.
• NDJSON event files and rollback backups are stored under the WordPress uploads directory in a facetfence-product-filters/ subdirectory with deny rules and index files. NDJSON mode uses scoped append locking and remains optional; database logging is the default. For Nginx deployments, apply the generated internal-data deny rules or equivalent server restrictions.
• Event database table and plugin-owned uploads-based runtime/log directories are removed on uninstall.