Version: 1.0.0
Author: FlowAxy
Developer: iTeffa (iteffa@flowaxy.com)
Studio: FlowAxy
Website: https://flowaxy.com
License: Proprietary
Bot Blocker plugin for Flowaxy CMS provides automatic blocking of bots and automated scripts from accessing your website. The plugin analyzes User-Agent headers and blocks suspicious requests while allowing legitimate search engine crawlers.
- 🛡️ Automatic Bot Detection — Analyzes User-Agent strings to identify bots
- 🚫 Blocking System — Blocks suspicious requests with 403 Forbidden
- ✅ Allowed Bots List — Configure which bots should have access (e.g., Google, Bing, Yandex)
- 📊 Statistics — View blocking statistics and top blocked IPs
- 📝 Logging — All blocked requests are logged to the database
- ⚙️ Settings Page — Easy configuration through admin panel
- 🔒 Admin Panel Protected — Admin panel and API are always accessible
- Early request interception via
handle_early_requesthook - Pattern-based bot detection
- Database-backed settings and logging
- Integration with Flowaxy CMS access control system
- PHP >= 8.4.0
- Flowaxy CMS with plugin support
- MySQL/MariaDB database
- Admin access for configuration
- Copy the plugin directory to
plugins/bot-blocker/. - Activate the plugin via the admin panel (Settings → Plugins).
- The plugin will automatically create necessary database tables.
The plugin will automatically register its route and menu item upon activation.
- Log in to the admin panel.
- Navigate to System → Блокування ботів in the menu.
- Or go directly to
/admin/bot-blocker.
- Toggle the "Увімкнути блокування ботів" switch to enable or disable bot blocking.
Add bots that should have access to your website (one per line):
googlebot
bingbot
yandexbot
baiduspider
These bots will bypass the blocking system.
-
Request Interception — All incoming requests (except admin/API) are intercepted early in the request lifecycle.
-
User-Agent Analysis — The plugin analyzes the User-Agent header to identify bots.
-
Pattern Matching — Known bot patterns are checked:
- Social media bots (Facebook, Twitter, LinkedIn, etc.)
- Scrapers and crawlers
- Automated tools (curl, wget, Python requests, etc.)
- Archive bots
-
Allowed Bots Check — If the bot is in your allowed list, it's permitted.
-
Blocking — Suspicious bots receive a 403 Forbidden response and are logged.
The plugin provides:
- Today's Blocks — Number of bots blocked today
- Total Blocks — Total number of blocked requests
- Top Blocked IPs — IP addresses with the most blocked attempts
bot-blocker/
├── assets/
│ └── styles/
│ └── bot-blocker.css # Styles for the settings page
├── src/
│ ├── admin/
│ │ └── pages/
│ │ └── BotBlockerAdminPage.php # Admin settings page
│ └── Services/
│ └── BotBlockerService.php # Core blocking service
├── templates/
│ └── bot-blocker.php # Settings page template
├── init.php # Plugin initialization
├── plugin.json # Plugin metadata
└── README.md # Documentation
The plugin uses a service-oriented architecture:
- BotBlockerService — Core service for bot detection and blocking
- BotBlockerAdminPage — Admin panel page for configuration
- Templates — PHP templates for HTML rendering
Logs all blocked requests:
id— Unique identifierip_address— IP address of blocked requestuser_agent— User-Agent stringurl— Requested URLblocked_at— Block timestampcreated_at— Creation timestamp
- ✅ CSRF protection for all write operations
- ✅ Access permission checks before executing operations
- ✅ Admin panel and API are always accessible
- ✅ SQL injection protection via prepared statements
- ✅ XSS protection via output sanitization
The plugin detects bots by checking for common patterns in User-Agent strings:
- Social media bots:
facebookexternalhit,twitterbot,linkedinbot, etc. - Scrapers:
scrape,crawl,spider,bot - Automated tools:
curl,wget,python-requests,java, etc. - Archive bots:
archive,wayback,ia_archiver
The plugin uses the following hooks:
handle_early_request(priority: 1) — Early request interception for blockingadmin_register_routes— Register admin routeadmin_menu— Add menu item
By default, the plugin:
- Blocks all bots except those in the allowed list
- Allows admin panel and API access
- Logs all blocked requests
- Blocks empty User-Agent strings
You can customize bot detection by:
- Adding allowed bots in the admin panel
- Modifying bot patterns in
BotBlockerService::initializeBotPatterns() - Adjusting blocking logic in
BotBlockerService::isBot()
The plugin uses the following components from the Engine:
engine/core/support/base/BasePlugin.phpengine/core/support/helpers/DatabaseHelper.phpengine/interface/admin-ui/includes/AdminPage.phpengine/core/support/helpers/UrlHelper.phpengine/core/support/helpers/SecurityHelper.php
To extend the plugin:
- Add new bot patterns — Edit
initializeBotPatterns()inBotBlockerService.php - Customize blocking logic — Modify
isBot()method - Add new statistics — Extend
getBlockStats()method - Customize UI — Edit
templates/bot-blocker.phpandassets/styles/bot-blocker.css
If you find a bug or have questions:
- Check log files for errors
- Verify database tables are created
- Ensure PHP has proper permissions
The easiest way to test bot blocking is using curl:
# Test 1: Normal browser (should pass)
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" http://your-domain.com/
# Expected: HTTP 200
# Test 2: Bot (should be blocked)
curl -A "TestBot/1.0" http://your-domain.com/
# Expected: HTTP 403
# Test 3: Empty User-Agent (should be blocked)
curl -A "" http://your-domain.com/
# Expected: HTTP 403Proprietary. All rights reserved.
- ✨ Initial release
- ✅ Bot detection and blocking
- ✅ Admin settings page
- ✅ Statistics and logging
- ✅ Allowed bots configuration
- ✅ Integration with Flowaxy CMS Engine
- ✅ Database timezone support
FlowAxy
Developer: iTeffa
Email: iteffa@flowaxy.com
Studio: flowaxy.com
Website: https://flowaxy.com
Developed with ❤️ for Flowaxy CMS