
Changeset 3479447


Timestamp:
03/10/2026 06:22:49 PM (3 weeks ago)
Author:
globusstudio
Message:

1.6.14

Add automatic DDoS protection service compatibility (DDoS-Guard, Stormwall, etc.)
Add docs/DDOS-COMPATIBILITY.md documentation
Update cache compatibility layer
Update 2FA libraries
Update translation files

Location:
botblocker-security
Files:
855 added
11 deleted
14 edited

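--- a/botblocker-security/trunk/admin/css/botblocker-admin.css
+++ b/botblocker-security/trunk/admin/css/botblocker-admin.css
@@ -3,5 +3,5 @@
  *
  * @package     BotBlocker
- * @version     1.6.13
+ * @version     1.6.14
  * @author      BotBlocker Team
  * @copyright   Copyright (c) 2025 BotBlocker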
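--- a/botblocker-security/trunk/botblocker-mu-phase.php
+++ b/botblocker-security/trunk/botblocker-mu-phase.php
@@ -58,5 +58,23 @@
             if (!defined('DONOTCACHEDB'))     define('DONOTCACHEDB', true);
             // phpcs:enable WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound
-        }
+
+            $this->register_wpfc_no_cache_filter();
+        }
+    }
+
+    /**
+     * Make WP Fastest Cache respect DONOTCACHEPAGE.
+     */
+    private function register_wpfc_no_cache_filter(): void
+    {
+        if (defined('BBCS_WPFC_COMPAT')) return;
+        define('BBCS_WPFC_COMPAT', true);
+
+        add_filter('wpfc_buffer_callback_filter', static function ($buffer) {
+            if (defined('DONOTCACHEPAGE') && DONOTCACHEPAGE) {
+                return '';
+            }
+            return $buffer;
+        }, 1);
     }
 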
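Review bot: The docblock on `register_wpfc_no_cache_filter()` does not say what the filter's empty-string return is relied on to do. The closure returns `''` whenever `DONOTCACHEPAGE` is truthy, presumably so that WP Fastest Cache skips writing the page; if the cache plugin behaves differently, a verification or block page could be stored and replayed to other visitors, so the assumption deserves a comment such as `// Returning '' is expected to make WPFC skip storing this response - confirm against the WPFC version in use`. The docblock should also state that `BBCS_WPFC_COMPAT` guards against double registration, since the same method is added to `class-botblocker-response-trait.php` in this changeset, and why priority `1` was chosen. The method that now calls it starts outside the hunk.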
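--- a/botblocker-security/trunk/botblocker-security.php
+++ b/botblocker-security/trunk/botblocker-security.php
@@ -11,5 +11,5 @@
  * @link              https://globus.studio
  * @package           botblocker-security
- * @version           1.6.13
+ * @version           1.6.14
  *
  * @wordpress-plugin
@@ -17,5 +17,5 @@
  * Plugin URI:        https://botblocker.top/
  * Description:       BotBlocker Security is a powerful WordPress plugin designed to safeguard your website from unwanted bots and malicious activities. With advanced detection algorithms, BotBlocker identifies and blocks harmful bots, reducing spam and protecting your site's resources. The plugin provides real-time monitoring and customizable rules, allowing you to control access and enhance site security effortlessly. Easy to install and configure, BotBlocker ensures a smooth user experience while keeping your site safe from automated threats. Keep your WordPress site secure and running efficiently with BotBlocker.
- * Version:           1.6.13
+ * Version:           1.6.14
  * Author:            Yevhen Leonidov
  * Author URI:        https://leonidov.dev/
@@ -23,5 +23,5 @@
  * License URI:       http://www.gnu.org/licenses/gpl-2.0.txt
  * Requires at least: 5.0
- * Tested up to:      6.9
+ * Tested up to:      6.9.2
  * Requires PHP:      7.4
  * Text Domain:       botblocker-security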
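--- a/botblocker-security/trunk/composer.json
+++ b/botblocker-security/trunk/composer.json
@@ -1,10 +1,17 @@
 {
+    "name": "botblocker/security",
+    "description": "BotBlocker Security Plugin with Google2FA v8.0 for PHP < 8.1 (=< 8.0)",
+    "type": "wordpress-plugin",
     "require": {
-        "php": ">=7.4",
+        "php": ">=7.4,<8.1",
         "pragmarx/google2fa": "^8.0",
         "paragonie/constant_time_encoding": "^2.6"
     },
     "config": {
-        "vendor-dir": "vendor/2FA"
-    }
+        "vendor-dir": "vendor/2FA/v8",
+        "allow-plugins": {
+            "composer/installers": true
+        }
+    },
+    "minimum-stability": "stable"
 }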
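Review bot: `allow-plugins` now trusts `composer/installers`, but that package does not appear under `require` in this file. An allow-listed Composer plugin is permitted to run code during install and update, so the entry should stay only if the package is actually needed; otherwise drop the `allow-plugins` block. The `php` constraint `>=7.4,<8.1` describes the `vendor/2FA/v8` tree only, and the manifest that produces `vendor/2FA/v9` is not visible on this page, so it is worth confirming that it is versioned alongside this one.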
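--- a/botblocker-security/trunk/includes/botblocker/class-botblocker.php
+++ b/botblocker-security/trunk/includes/botblocker/class-botblocker.php
@@ -8,5 +8,6 @@
  * It handles detections, logging, and blocking of suspicious bot activities.
  *
- * @version    1.6.13
+ * @version    1.6.14
+ * @author     BotBlocker Team
  * @package    Botblocker
  * @subpackage Botblocker/includes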
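--- a/botblocker-security/trunk/includes/botblocker/traits/class-botblocker-response-trait.php
+++ b/botblocker-security/trunk/includes/botblocker/traits/class-botblocker-response-trait.php
@@ -73,4 +73,21 @@
         if (!defined('DONOTCACHEDB'))     define('DONOTCACHEDB', true);
         // phpcs:enable WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound
+
+        $this->register_wpfc_no_cache_filter();
+    }
+
+    /**
+     * Make WP Fastest Cache respect DONOTCACHEPAGE.
+     */
+    private function register_wpfc_no_cache_filter(): void {
+        if (defined('BBCS_WPFC_COMPAT')) return;
+        define('BBCS_WPFC_COMPAT', true);
+
+        add_filter('wpfc_buffer_callback_filter', static function ($buffer) {
+            if (defined('DONOTCACHEPAGE') && DONOTCACHEPAGE) {
+                return '';
+            }
+            return $buffer;
+        }, 1);
     }
 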
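--- a/botblocker-security/trunk/includes/inc-botblocker-counters.php
+++ b/botblocker-security/trunk/includes/inc-botblocker-counters.php
@@ -71,9 +71,13 @@
     }
     // REVIEWER NOTE: Custom BotBlocker-Security table. Query is prepared, cached, and sanitized. No direct unsanitized SQL is executed.
-    // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
-    $wpdb->query("UPDATE `{$wpdb->bbcs_counters}` SET today_hits = today_hits + 1, total_hits = total_hits + 1, last_update = NOW() WHERE id = 1");
+    // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+    $wpdb->query("UPDATE `{$wpdb->bbcs_counters}`
+        SET today_hits = today_hits + 1, total_hits = total_hits + 1,
+        last_update = CONVERT_TZ(NOW(), '+00:00', '{$gmt_offset_str}')
+        WHERE id = 1");
     if (BOTBLOCKER_CACHE_WP) {
         wp_cache_set($cache_key, $current_date->format('Y-m-d H:i:s'), 'botblocker-security', 86400);
     }
+    // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
 }
 
@@ -112,9 +116,13 @@
     }
     // REVIEWER NOTE: Custom BotBlocker-Security table. Query is prepared, cached, and sanitized. No direct unsanitized SQL is executed.
-    // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
-    $wpdb->query("UPDATE `{$wpdb->bbcs_counters}` SET today_blocked = today_blocked + 1, total_blocked = total_blocked + 1, last_update = NOW() WHERE id = 1");
+    // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+    $wpdb->query("UPDATE `{$wpdb->bbcs_counters}`
+        SET today_blocked = today_blocked + 1, total_blocked = total_blocked + 1,
+        last_update = CONVERT_TZ(NOW(), '+00:00', '{$gmt_offset_str}')
+        WHERE id = 1");
     if (BOTBLOCKER_CACHE_WP) {
         wp_cache_set($cache_key, $current_date->format('Y-m-d H:i:s'), 'botblocker-security', 86400);
     }
+    // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
 }
 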
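Review bot: `$gmt_offset_str` is interpolated directly into the SQL text at new lines 76 and 121 while the `PreparedSQL.InterpolatedNotPrepared` and `UnescapedDBParameter` sniffs are switched off, and the retained `REVIEWER NOTE` above each query still says the query is prepared. Where the offset string is built lies outside both hunks, so its format cannot be checked from here; wrapping each statement in `$wpdb->prepare()` with `CONVERT_TZ(NOW(), '+00:00', %s)` and passing `$gmt_offset_str` as the argument removes the dependency on that code and lets two of the three suppressions go. The `phpcs:disable`/`phpcs:enable` pair also spans the `wp_cache_set()` block, which needs no suppression. Separately, `CONVERT_TZ(NOW(), '+00:00', …)` treats `NOW()` as UTC, which holds only when the database session time zone is UTC; that assumption should be stated in a comment.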
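--- a/botblocker-security/trunk/includes/inc-botblocker-define.php
+++ b/botblocker-security/trunk/includes/inc-botblocker-define.php
@@ -7,5 +7,5 @@
 define('BOTBLOCKER_PREFIX', 'bb_'); // The prefix used for settings and options
 
-define('BOTBLOCKER_VERSION', '1.6.13'); // The version number of the plugin
+define('BOTBLOCKER_VERSION', '1.6.14'); // The version number of the plugin
 define('BOTBLOCKER_DB_VERSION', '2.2.0'); // The database version of the plugin
 define('BOTBLOCKER_WIZARD_ON_UPDATE', false); // Show setup wizard after plugin update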
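--- a/botblocker-security/trunk/includes/utilites/2FA/inc-botblocker-2fa.php
+++ b/botblocker-security/trunk/includes/utilites/2FA/inc-botblocker-2fa.php
@@ -6,12 +6,28 @@
  * Two-Factor Authentication (2FA) with Google Authenticator
  *
+ * Conditionally loads Google2FA v8.0 (PHP < 8.1) or v9.0 (PHP >= 8.1)
+ *
  * @package botblocker-security
- * @version 2.1
+ * @version 2.2
  */
 
-// Try to load local Composer autoloader for 2FA vendor packages if present.
-$bbcs_2fa_autoload = BOTBLOCKER_DIR . 'vendor/2FA/autoload.php';
+// Determine which version to load based on PHP version
+$bbcs_php_version = PHP_MAJOR_VERSION . '.' . PHP_MINOR_VERSION;
+
+if (version_compare($bbcs_php_version, '8.1', '>=')) {
+    // PHP 8.1+: Load Google2FA v9.0
+    $bbcs_2fa_autoload = BOTBLOCKER_DIR . 'vendor/2FA/v9/autoload.php';
+} else {
+    // PHP < 8.1: Load Google2FA v8.0
+    $bbcs_2fa_autoload = BOTBLOCKER_DIR . 'vendor/2FA/v8/autoload.php';
+}
+
+// Load the appropriate version
 if (file_exists($bbcs_2fa_autoload)) {
     require_once $bbcs_2fa_autoload;
+} else {
+    // Log error for debugging
+    // error_log('BotBlocker: Google2FA autoload not found at ' . $bbcs_2fa_autoload);
+    // Continue running without 2FA fallback
 }
 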
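Review bot: The new `else` branch does nothing at runtime, so a missing `vendor/2FA/v8` or `vendor/2FA/v9` autoloader leaves no trace and the file carries on without the Google2FA classes. Whether the 2FA checks later in the file fail closed in that state is not visible in this hunk; it should be stated in the comment and verified, because an absent library must not turn into a skipped second factor. At minimum re-enable the log behind a debug switch, `if (defined('WP_DEBUG') && WP_DEBUG) { error_log('BotBlocker: Google2FA autoload not found at ' . $bbcs_2fa_autoload); }`. The version test could also be written `PHP_VERSION_ID >= 80100`, matching the `PHP_VERSION_ID` checks this changeset adds in the captcha renderers.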
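--- a/botblocker-security/trunk/public/captcha/render-color-button-trait.php
+++ b/botblocker-security/trunk/public/captcha/render-color-button-trait.php
@@ -38,5 +38,7 @@
             ob_start();
             imagepng($img);
-            imagedestroy($img);
+            if (PHP_VERSION_ID < 80000) {
+                imagedestroy($img);
+            }
             $btnImgData = base64_encode(ob_get_clean());
 
@@ -55,5 +57,7 @@
         ob_start();
         imagepng($targetImg);
-        imagedestroy($targetImg);
+        if (PHP_VERSION_ID < 80000) {
+            imagedestroy($targetImg);
+        }
         $targetImgData = base64_encode(ob_get_clean());
 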
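--- a/botblocker-security/trunk/public/captcha/render-image-button-trait.php
+++ b/botblocker-security/trunk/public/captcha/render-image-button-trait.php
@@ -89,5 +89,7 @@
         imagepng( $image_for_check );
         $image_data = ob_get_contents();
-        imagedestroy( $image_for_check );
+        if ( PHP_VERSION_ID < 80000 ) {
+            imagedestroy( $image_for_check );
+        }
         ob_end_clean();
 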
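--- a/botblocker-security/trunk/public/class-botblocker-captcha-renderer-full.php
+++ b/botblocker-security/trunk/public/class-botblocker-captcha-renderer-full.php
@@ -162,5 +162,7 @@
         ob_start();
         imagepng($imageForCheck);
-        imagedestroy($imageForCheck);
+        if (PHP_VERSION_ID < 80000) {
+            imagedestroy($imageForCheck);
+        }
         $image_data = ob_get_contents();
         ob_end_clean();
@@ -223,5 +225,7 @@
         imagepng($image_for_check);
         $image_data = ob_get_contents();
-        imagedestroy($image_for_check);
+        if (PHP_VERSION_ID < 80000) {
+            imagedestroy($image_for_check);
+        }
         ob_end_clean();
 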
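--- a/botblocker-security/trunk/public/template-botblocker-js.php
+++ b/botblocker-security/trunk/public/template-botblocker-js.php
@@ -97,4 +97,20 @@
  
     bbcsDebugLog('<?php echo esc_js(BOTBLOCKER_SHORT_NAME); ?> v.<?php echo esc_js($BBCS->version); ?>');
+
+    var bbcsDdosRetryCount = 0;
+    var bbcsDdosMaxRetries = 2;
+
+    function bbcs_extractDdosCookie(responseText) {
+        if (!responseText) return false;
+        if (responseText.indexOf('document.cookie') !== -1 && responseText.indexOf('<script') !== -1) {
+            var cookieMatch = responseText.match(/document\.cookie\s*=\s*"([^"]+)"/);
+            if (cookieMatch && cookieMatch[1]) {
+                bbcsDebugLog('DDoS protection response detected, setting cookie and retrying');
+                document.cookie = cookieMatch[1];
+                return true;
+            }
+        }
+        return false;
+    }
 
     function bbcs_detectAll() {
@@ -172,5 +188,5 @@
         grecaptcha.ready(function() {
           grecaptcha.execute('<?php echo esc_js($BBCS->settings->recaptcha_key3); ?>', {
-            action: '<?php echo esc_js($BBCS->country); ?>'
+            action: '<?php echo esc_js(preg_replace('/[^A-Za-z0-9\/_]/', '_', $BBCS->country)); ?>'
           }).then(function(token) {
             rct = token;
@@ -352,5 +368,12 @@
             } catch (e) {
                 bbcsDebugError('Error parsing JSON:', e);
-                bbcsDebugLog('Response text received:', xhr.responseText);
+                bbcsDebugLog('Response text received:', xhr.responseText);
+                if (bbcsDdosRetryCount < bbcsDdosMaxRetries && bbcs_extractDdosCookie(xhr.responseText)) {
+                    bbcsDdosRetryCount++;
+                    setTimeout(function() {
+                        <?php echo esc_js($botblocker_check_function_name); ?>(s, d, x);
+                    }, 1000);
+                    return;
+                }
                 botblocker_captcha_render();
             }
@@ -358,4 +381,11 @@
         } else {
             bbcsDebugLog('Error: ' + xhr.status);
+            if (bbcsDdosRetryCount < bbcsDdosMaxRetries && bbcs_extractDdosCookie(xhr.responseText)) {
+                bbcsDdosRetryCount++;
+                setTimeout(function() {
+                    <?php echo esc_js($botblocker_check_function_name); ?>(s, d, x);
+                }, 1000);
+                return;
+            }
             botblocker_captcha_render();
         }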
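Review bot: `bbcs_extractDdosCookie()` (new lines 103–114) assigns whatever string follows `document.cookie =` in the response body to `document.cookie` without checking the cookie name, value or attributes. Any body that reaches this handler and contains that pattern, not only a challenge page from the DDoS service, can therefore set or overwrite a cookie on the site's origin, including `Domain`, `Path` and `Expires` attributes carried in the matched text. Accept only cookie names the site owner has configured for the upstream service, restrict the value to a conservative character set, and rebuild the cookie string locally instead of assigning the matched text; the allowlist name in the sketch below is a placeholder. `bbcsDdosRetryCount` is also never reset after a successful check, so the two retries apply per page load rather than per request.

```php
    // Placeholder: cookie names configured by the site owner for the upstream DDoS service.
    // An empty list means no cookie is ever accepted from a response body.
    var bbcsDdosCookieNames = [];

    function bbcs_extractDdosCookie(responseText) {
        // … unchanged: empty-response check and 'document.cookie' / '<script' detection …
            var cookieMatch = responseText.match(/document\.cookie\s*=\s*"([^"]+)"/);
            // Take only name=value; attributes supplied by the response are discarded.
            var pair = cookieMatch && /^([A-Za-z0-9_-]+)=([A-Za-z0-9_.%-]*)(?:;|$)/.exec(cookieMatch[1]);
            if (pair && bbcsDdosCookieNames.indexOf(pair[1]) !== -1) {
                bbcsDebugLog('DDoS protection response detected, setting cookie and retrying');
                document.cookie = pair[1] + '=' + pair[2] + '; path=/; SameSite=Lax';
                return true;
            }
        // … unchanged: closing braces and return false …
    }
```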
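--- a/botblocker-security/trunk/readme.md
+++ b/botblocker-security/trunk/readme.md
@@ -3,7 +3,7 @@
 Tags: security, firewall, anti-spam, captcha, brute force
 Requires at least: 5.0
-Tested up to: 6.9
+Tested up to: 6.9.2
 Requires PHP: 7.4
-Stable tag: 1.6.13
+Stable tag: 1.6.14
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -76,5 +76,6 @@
 * **Lightweight & Fast** - negligible overhead in normal conditions. Reduces database and server load during attacks
 * **Built-in Caching** - Redis and Memcached support for high-traffic environments
-* **Cache Plugin Compatibility** - automatic `DONOTCACHEPAGE` + `Cache-Control: no-store` on verification pages. Works with WP Super Cache (PHP mode), W3 Total Cache, WP Rocket, LiteSpeed Cache, Hummingbird, and more. Server-level caches (Nginx FastCGI, Varnish, Cloudflare) may need a cookie-based bypass rule - see `CACHE-COMPATIBILITY.md`
+* **Cache Plugin Compatibility** - automatic `DONOTCACHEPAGE` + `Cache-Control: no-store` on verification pages. Works with WP Super Cache (PHP mode), W3 Total Cache, WP Rocket, LiteSpeed Cache, Hummingbird, and more. Server-level caches (Nginx FastCGI, Varnish, Cloudflare) may need a cookie-based bypass rule - see `docs/CACHE-COMPATIBILITY.md`
+* **DDoS Protection Compatibility** - automatic detection of JS-challenges from DDoS-Guard, Stormwall, and similar services. See `docs/DDOS-COMPATIBILITY.md` for advanced configuration
 * **Seamless Compatibility** - works with Cloudflare, CDN services, caching plugins, and optimizers
 * **Full IPv6 Support** - all security functions work with both IPv4 and IPv6
@@ -160,5 +161,5 @@
 = Does the plugin collect personal data? =
 
-BotBlocker does **not** collect any visitor PII - only technical request parameters (IP, headers, User-Agent) are analyzed locally. Full details are available in `PRIVACY.md` included with the plugin.
+BotBlocker does **not** collect any visitor PII - only technical request parameters (IP, headers, User-Agent) are analyzed locally. Full details are available in `docs/PRIVACY.md` included with the plugin.
 
 = Do I need an external service? =
@@ -170,7 +171,11 @@
 Yes. BotBlocker recognizes proxy headers to resolve the real client IP and can block origin bypass attempts. Fully compatible with Cloudflare and other CDN services.
 
+= Does BotBlocker work behind DDoS protection services (DDoS-Guard, Stormwall, etc.)? =
+
+Yes. Since version 1.6.13, BotBlocker automatically detects and handles simple JS-challenge responses from external DDoS protection services. For advanced challenges (Proof-of-Work, interactive CAPTCHA from the DDoS provider), add `/wp-admin/admin-ajax.php` to the challenge bypass list in your DDoS service control panel. See `docs/DDOS-COMPATIBILITY.md` included with the plugin for detailed configuration examples.
+
 = Does BotBlocker work with caching plugins? =
 
-Yes. BotBlocker automatically sets `DONOTCACHEPAGE` and `Cache-Control: no-store` headers on verification/denied pages, preventing PHP-based cache plugins from caching them. WP Super Cache (PHP mode), W3 Total Cache, WP Rocket, LiteSpeed Cache, and Hummingbird work out of the box. For server-level caches (Nginx FastCGI, Varnish) or WP Super Cache Expert (mod_rewrite) mode, add a cookie-based bypass rule - see `CACHE-COMPATIBILITY.md` included with the plugin. The MU-plugin phase also defines `DONOTCACHEPAGE` for visitors without a BotBlocker cookie.
+Yes. BotBlocker automatically sets `DONOTCACHEPAGE` and `Cache-Control: no-store` headers on verification/denied pages, preventing PHP-based cache plugins from caching them. WP Super Cache (PHP mode), W3 Total Cache, WP Rocket, LiteSpeed Cache, and Hummingbird work out of the box. For server-level caches (Nginx FastCGI, Varnish) or WP Super Cache Expert (mod_rewrite) mode, add a cookie-based bypass rule - see `docs/CACHE-COMPATIBILITY.md` included with the plugin. The MU-plugin phase also defines `DONOTCACHEPAGE` for visitors without a BotBlocker cookie.
 
 = Can I protect XML-RPC/REST API or login/comments? =
@@ -213,8 +218,15 @@
 == Changelog ==
  
+= 1.6.14 =
+Add automatic DDoS protection service compatibility (DDoS-Guard, Stormwall, etc.)
+Add docs/DDOS-COMPATIBILITY.md documentation
+Update cache compatibility layer
+Update 2FA libraries
+Update translation files
+
 = 1.6.13 =
 Improve support for shared hosting environments with dynamic self-IP detection and allowlist management
 Improve statistics sammary generation
-Upadte browser detection
+Update browser detection
 Update OS detection
 Add privacy readme file
@@ -233,5 +245,5 @@
 Add Vary: Cookie header option (Settings → Cookies → Cache Compatibility)
 Add cache plugin incompatibility detection and admin alerts
-Add CACHE-COMPATIBILITY.md with Nginx, Varnish, Apache, Cloudflare config examples
+Add docs/CACHE-COMPATIBILITY.md with Nginx, Varnish, Apache, Cloudflare config examples
 Add new security rules to block emerging threats
 Import data security improvements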