內容簡介
總結:OpenBotAuth 外掛可幫助出版者控制AI爬蟲和代理人的自動訪問,透過 RFC 9421 HTTP 訊息簽章進行請求驗證,並應用網站或文章級別的政策,如允許、拒絕、預覽摘要和需付費等响应。還可提供AI友好的端點,如 llms.txt、JSON 資訊流和每篇文章的 Markdown。
下面是針對上述內容製作的問題與答案:
1. OpenBotAuth 外掛的主要功能是什麼?
- 控制自動化訪問,驗證請求,並應用政策
2. 使用 OpenBotAuth 外掛可以看到什麼指標?
- 可以看到 AI 機器人流量,如 GPTBot、ClaudeBot、PerplexityBot 等
3. 如何確認機器人身份?
- 透過加密簽章 (RFC 9421) 進行驗證
4. OpenBotAuth 外掛提供哪些 AI 友好端點?
- llms.txt、JSON 資訊流和每篇文章的 Markdown 內容
5. 外掛如何處理 AI 代理的請求?
- AI 代理使用私鑰對 HTTP 請求進行簽名,外掛提取簽名檔頭並發送至驗證服務進行驗證
希望這些問題和答案能幫助您更好地了解 OpenBotAuth 外掛的功能和操作。
外掛標籤
開發者團隊
② 後台搜尋「OpenBotAuth – AI Crawler Access Control」→ 直接安裝(推薦)
原文外掛簡介
OpenBotAuth helps publishers control automated access from AI crawlers and agents. It verifies requests using RFC 9421 HTTP Message Signatures (via a configurable verifier) and applies per-site or per-post policies like allow, deny, teaser previews, and 402 payment-required responses. It also publishes AI-friendly endpoints like llms.txt, a JSON feed, and per-post Markdown.
Instead of blocking all bots or allowing unrestricted access, you can:
See AI bot traffic – Local-only analytics showing which bots are crawling your site
Verify bot identity using cryptographic signatures (RFC 9421)
Show teasers to unverified bots (first N words)
Rate limit bot access per agent
Whitelist/blacklist specific bots
Key Features
Bot Traffic Analytics – See which AI bots (GPTBot, ClaudeBot, PerplexityBot, etc.) are visiting your site
Signature Verification – Verifies RFC 9421 HTTP Message Signatures using Ed25519 cryptography
Content Teasers – Show first N words to unverified bots with customizable per-post settings
Rate Limiting – Per-agent rate limits with configurable time windows
Access Control – Whitelist/blacklist with wildcard pattern matching
Local Analytics – Visual dashboard with charts, stats cards, and decision breakdowns (no external tracking)
AI-Ready Endpoints – Serve llms.txt, JSON feed, and markdown for AI crawlers
Tabbed Admin Interface – Clean organization with Analytics, AI Endpoints, and Configuration tabs
AI-Ready Endpoints
OpenBotAuth provides machine-readable endpoints for AI systems:
/llms.txt – Standardized AI feed discovery (also at /.well-known/llms.txt)
/.well-known/openbotauth-feed.json – JSON list of all published posts
/.well-known/openbotauth/posts/{ID}.md – Per-post markdown content
Configure which post types to include (posts, pages, or custom types) and set the feed limit (up to 500 items). All data is served locally from your WordPress database. No external tracking or telemetry. Only published, non-password-protected posts are exposed.
How It Works
AI agent signs HTTP request with its private key (RFC 9421 signature)
WordPress plugin extracts signature headers and sends them to a verifier service
Verifier fetches agent’s public key from registry and verifies signature
Plugin applies policy: allow full content, show teaser, require payment, or deny
External Service Disclosure
This plugin connects to an external verifier service. When a signed bot request is received, the plugin sends the following data to your configured verifier URL via wp_remote_post:
HTTP method (GET, POST, etc.)
The accessed URL (including query string, if present)
HTTP signature headers (Signature, Signature-Input, Signature-Agent)
Additional HTTP header values explicitly listed in the Signature-Input header (e.g., content-type, accept, user-agent)
Privacy protection: Sensitive headers (cookies, authorization, proxy-authorization, www-authenticate) are NEVER forwarded, even if present in the request. If a bot’s signature covers a sensitive header, verification will fail with a clear error.
No WordPress user accounts or personal data is transmitted. Only the headers explicitly covered by the bot’s signature are forwarded to enable cryptographic verification. Note that the URL may include query parameters depending on your site’s structure.
You can:
* Use the hosted verifier at https://verifier.openbotauth.org/verify
* Self-host the verifier service (see documentation)
* The verifier service may log requests server-side depending on your configuration
Analytics are local-only. Decision counts (allow/teaser/deny/pay/rate_limit) and bot traffic observations (User-Agent based) are stored in your WordPress database. No analytics data is sent to external servers.
For more information, please review our Terms of Service and Privacy Policy.
Developer Hooks
Filters
openbotauth_policy
Modify policy before applying:
add_filter('openbotauth_policy', function($policy, $post) {
if ($post->post_type === 'premium') {
$policy['price_cents'] = 1000;
}
return $policy;
}, 10, 2);
Actions
openbotauth_verified
Triggered when a bot is verified:
add_action('openbotauth_verified', function($agent, $post) {
error_log("Bot {$agent['jwks_url']} accessed post {$post->ID}");
}, 10, 2);
openbotauth_payment_required
Triggered when 402 is returned:
add_action('openbotauth_payment_required', function($agent, $post, $price) {
// Track payment requests
}, 10, 3);
AI Endpoint Filters (v0.1.2+)
openbotauth_should_serve_llms_txt
Disable llms.txt endpoint (e.g., when using Yoast):
add_filter('openbotauth_should_serve_llms_txt', '__return_false');
openbotauth_should_serve_feed
Disable JSON feed endpoint:
add_filter('openbotauth_should_serve_feed', '__return_false');
openbotauth_should_serve_markdown
Disable markdown endpoints:
add_filter('openbotauth_should_serve_markdown', '__return_false');
openbotauth_feed_item
Modify feed items:
add_filter('openbotauth_feed_item', function($item, $post) {
$item['custom_field'] = get_post_meta($post->ID, 'my_field', true);
return $item;
}, 10, 2);
openbotauth_markdown_content
Post-process markdown output:
add_filter('openbotauth_markdown_content', function($markdown, $post) {
return $markdown . "\n\n---\nCopyright notice here";
}, 10, 2);
