JTZL's Bot Maze

JTZL’s Bot Maze protects your WordPress site from unwanted AI crawlers and scrapers by planting invisible trap links that only bots will follow. When a bot enters the trap maze, it gets lost in an ever-expanding maze of realistic-looking fake pages while it quietly builds a suspicion score based on its behavior.

How it works:

1. Trap link injection — Invisible links are added to your real pages. Legitimate visitors never see them, but bots following every link on the page will enter the trap maze.
2. Lazy maze generation — Trap pages link to more trap pages, generated on demand. The deeper a bot goes, the more time it wastes.
3. Bot scoring — Each trap page visit adds suspicion points. Deeper traversal earns bonus points. Once a threshold is reached, the visitor is flagged as a bot.
4. Blocking and tarpitting — Flagged bots can be blocked outright (403), served decoy pages (light tarpit), or slowed down with a deliberate delay (full tarpit).
5. Crawler verification — Known search engine crawlers (Googlebot, Bingbot, etc.) are verified via reverse DNS and exempted from scoring.

Features:

• Zero impact on legitimate visitors — trap links are hidden from humans and search engines
• Configurable injection method (content, footer, or both)
• Adjustable scoring thresholds and blocking behavior
• robots.txt integration to signal trap paths as disallowed
• Analytics dashboard showing bot activity, top IPs, and score distribution
• Blocked Bots detail page showing full user agent, score, visit history
• Optional comprehensive tracking mode to monitor blocked bot persistence
• Automatic log retention and maintenance via WP-Cron
• Privacy policy suggestion for GDPR compliance
• Geographic heat map of bot activity by country with two GeoIP provider options
• MaxMind GeoLite2 local database — all lookups on your server, GDPR-friendly (recommended)
• ip-api.com external API — simple setup, no license key required
• Lightweight — minimal footprint, geographic tracking is fully optional

Third-Party Services

This plugin offers optional geographic tracking with two provider options. No data is sent to any external service unless a site administrator explicitly enables one of these providers.

MaxMind GeoLite2 (Recommended)

When MaxMind GeoLite2 is selected as the GeoIP provider (Settings > Bot Maze > Geographic Tracking), the plugin downloads the GeoLite2-Country database from MaxMind and performs all IP-to-country lookups locally. No visitor data leaves your server.

• What is downloaded: The GeoLite2-Country database (~60 MB), updated weekly via WP-Cron.
• What is sent to MaxMind: Only your license key during database downloads. No visitor IP addresses are shared.
• Requires: A free MaxMind license key from maxmind.com/en/geolite2/signup.
• Service website: https://www.maxmind.com
• License: GeoLite2 databases are licensed under CC BY-SA 4.0.
• Terms of service: https://www.maxmind.com/en/geolite2/eula

ip-api.com

When ip-api.com is selected as the GeoIP provider, the plugin sends visitor IP addresses to ip-api.com to resolve their country of origin. This data is used to display a geographic heat map of bot activity in the admin dashboard.

• What is sent: The visitor’s IP address only, over unencrypted HTTP.
• When it is sent: At the time a trap page visit is recorded, only while this provider is selected.
• Service website: http://ip-api.com
• Terms of service: https://ip-api.com/docs/legal
• Privacy policy: ip-api.com does not log queries from the free API endpoint.
• Note: The free tier only supports HTTP (not HTTPS). If your site must comply with GDPR, use the MaxMind local database option instead.

Geographic tracking is off by default and requires explicit opt-in by a site administrator.