[WordPress] 外掛分享: Royal AI Firewall

首頁外掛目錄 › Royal AI Firewall
WordPress 外掛 Royal AI Firewall 的封面圖片
全新外掛
安裝啟用
尚無評分
2 天前
最後更新
問題解決
WordPress 6.4+ PHP 8.0+ v1.0.1 上架:2026-07-01

內容簡介

Royal AI Firewall 是一款專為 WordPress 設計的外掛,能夠記錄並控制 AI 機器人流量,幫助網站擁有者管理訪問其網站的各種 AI 爬蟲,確保網站安全。

【主要功能】
• 實時儀表板顯示過去 24 小時的 AI 訪客
• 可允許、阻擋或僅記錄 55 種以上的 AI 機器人
• 每個儀表板載入都有「阻擋所有 AI 機器人」的緊急按鈕
• 首次設置向導可檢測 Cloudflare 設定
• 與 GuardPress 等流行安全外掛的相容性檢測
• 自動更新的機器人指紋目錄

外掛標籤

開發者團隊

⬇ 下載最新版 (v1.0.1) 或搜尋安裝

① 下載 ZIP → 後台「外掛 › 安裝外掛 › 上傳外掛」
② 後台搜尋「Royal AI Firewall」→ 直接安裝(推薦)
📦 歷史版本下載

原文外掛簡介

Royal AI Firewall logs and controls AI bot traffic at the WordPress layer. Every site on the public web is now visited by AI crawlers — GPTBot, ClaudeBot, PerplexityBot, ByteSpider, CCBot, and dozens of others — and most site owners have no way to see what’s happening or decide who gets through.
This plugin gives you:

A live dashboard of which AI agents have visited your site in the last 24 hours
A per-bot dropdown to allow, block, or log-only any of 55+ recognized AI bots
A master “Block all AI bots” panic button on every dashboard load
A first-run setup wizard that detects Cloudflare and tells you exactly which CF settings to dial down so this plugin can take over the AI-bot layer
Compatibility detection for GuardPress and other popular security plugins
A bundled bot fingerprint catalog that refreshes on every plugin update, with an optional opt-in to fetch fresher catalogs daily from fingerprints.royalplugins.com (see External Services below)

Free, Self-Hosted, Fully Featured
Royal AI Firewall is fully featured in its free, GPL-licensed release. There is no Pro version — every feature ships in the wp.org plugin, and updates go through the standard WordPress plugin updater.
Your data stays on your server. The plugin makes no outbound network calls by default. The bundled bot catalog ships with each plugin release and refreshes automatically when you update Royal AI Firewall, so customers who never opt in to live updates still get fresh bot definitions on every plugin update. If you want even fresher catalogs between releases, an optional toggle in Settings (and on the final wizard step) opts in to one HTTP GET per day to fingerprints.royalplugins.com. The plugin never sends your site’s traffic, customer data, IP addresses, or credentials to any third party regardless of toggle state.
AI Bots Recognized (55+ as of v1.0.0)
The bundled catalog covers the major AI bot families. Each entry includes the bot’s owner, intended purpose, default policy, and the blocking consequences (for example, “blocking GPTBot may remove your site from ChatGPT search results”).
Training crawlers: GPTBot, ClaudeBot, anthropic-ai, Bytespider, TikTokSpider, FacebookBot, Meta-ExternalAgent, GoogleOther, GoogleOther-AI, Google-Extended, MistralBot, ai2bot, ai2bot-dolma, cohere-ai, Amazonbot, PetalBot
Retrieval bots (on-demand): ChatGPT-User, ClaudeBot-User, Claude-Web, Perplexity-User, Meta-ExternalFetcher, facebookexternalhit, APIs-Google
AI search engines: OAI-SearchBot, PerplexityBot, Applebot-Extended, MicrosoftCopilotBot, DuckAssistBot, YouBot, PhindBot, iAsk, Komo, Liner, Brave Leo, Andi
Search engines (always-allow guarded): Googlebot, Googlebot-Image, Googlebot-Video, Googlebot-News, Bingbot, BingPreview, Applebot, DuckDuckBot
Agent browsers (newer category): OperatorAgent, ChatGPT-Atlas, Claude-Computer-Use
Dataset scrapers: CCBot (Common Crawl), Diffbot, ImagesiftBot, Omgilibot, Timpibot
Other Google crawlers: Storebot-Google, Mediapartners-Google, AdsBot-Google, adidxbot
The Dashboard
Open the AI Firewall menu in your WordPress admin to see:

A hero metric — total AI bot hits in the last 24 hours and the number of distinct bots involved
A per-bot list with hit count, bandwidth used, and a one-click policy dropdown for each row
An MCP / Abilities API activity widget when an MCP server plugin (Royal MCP or any plugin implementing the WordPress Abilities API) is detected on your site
A Cloudflare visibility status card with an honest estimate of how many AI bots may have been filtered by Cloudflare at the edge before reaching WordPress
Click any bot row to expand a drill-down view: top URLs the bot hit, recent activity, and what blocking the bot would cost you

Per-Bot Policy Controls
Each recognized bot row has a dropdown with four options:

Use default policy — falls back to your global mode (Log only, Block training, or Block all)
Always allow — bot is allowed regardless of default mode
Log only — bot is allowed and recorded; never blocked
Block — bot receives a 403 response immediately, before WordPress runs any heavy work

Major search engines (Googlebot, Bingbot, Applebot, DuckDuckBot) are protected from accidental blocking. The per-bot dropdown is disabled for these bots, and the API rejects block requests for them unless you explicitly enable the “Search engine override” toggle in Settings — with a clear warning that blocking Googlebot removes your site from Google Search.
Cloudflare Compatibility
If your site is behind Cloudflare, the setup wizard’s Cloudflare screen tells you exactly which CF settings to turn off so this plugin can take over the AI-bot layer:

AI Audit → set to “Allow”
AI Labyrinth → OFF
Custom WAF rules blocking AI bots → DELETE (the per-bot controls in this plugin replace them)
Security Level → Medium or Low

And which CF settings to leave on (they don’t conflict):

DDoS protection
Managed WAF rules
SSL/TLS
Bot Fight Mode (basic tier)
Browser Integrity Check
Caching

The dashboard also detects Cloudflare on every admin page load (looking for cf-ray, cf-connecting-ip, or CDN-Loop: cloudflare headers) and shows a status card with the detection state. A persistent 24-hour state ensures the UI stays stable even when an occasional admin request doesn’t pass through CF.
Other Security Plugin Compatibility
The plugin auto-detects these plugins when they’re active and shows compatibility notes on the dashboard and Settings page:

Edge-firewall security plugins — their firewalls run before WordPress loads. AI bots they block at their layer won’t appear in this plugin’s dashboard, but the two layers don’t conflict.
WordPress-layer security plugins — coexist cleanly at the WordPress layer.
GuardPress (Royal Plugins) — first-party Royal Plugins integration.
Royal MCP (Royal Plugins) — when Royal MCP is detected, MCP tool invocations from connected AI agents appear in the MCP Activity widget on the dashboard.

WordPress Abilities API & MCP Server Integration
This plugin listens for the WordPress Abilities API hooks wp_before_execute_ability and wp_after_execute_ability (WP 6.9+) and logs every ability invocation regardless of which MCP server triggers it. If you have any MCP server plugin installed and an AI agent calls an ability, you’ll see it in the MCP Activity widget on the dashboard.
If Royal MCP 1.4.33 or later is installed, an additional first-party bridge captures every MCP tool call from that server with full tool name and result status.
Search Engine Guard
Major search engines are protected from accidental blocking by default. The dashboard dropdown is disabled for Googlebot, Bingbot, Applebot, and DuckDuckBot. The REST API endpoints reject block attempts on these bots with a 409 Conflict response unless the customer has explicitly enabled the “Search engine override” toggle in Settings. The override toggle includes a clear warning that blocking Googlebot removes the site from Google Search.
Telemetry and Data
The plugin is off by default for telemetry. The “Anonymous usage data” toggle in Settings is unchecked on activation. If you explicitly opt in, the plugin sends:

Plugin version
Wizard completion status
Count of customized per-bot policies
Bucketed bot count (e.g., “between 10 and 50 bots seen”)

The following are NEVER sent, regardless of toggle state:

Your site URL or domain
Customer email addresses
Invocation log contents
Specific IP addresses
Specific bot identities
User-Agent strings of visitors

Log retention defaults to 7 days. The retention window is filterable via raif_log_retention_days for developers who need a different value.
How Activation Works
On activation the plugin:

Creates three custom database tables: raif_invocation_log, raif_daily_rollup, raif_bot_policy
Seeds safe default options (Log only mode; telemetry off; uninstall data-delete off; live catalog updates off)
Schedules two WP-Cron events (hourly rollup, daily log prune) — both run entirely inside your WordPress install with no network calls
Loads the bundled bot fingerprint catalog from the plugin zip
Redirects the activating admin to the 4-step setup wizard
The wizard is skippable from any step

No outbound HTTP calls are made until the customer explicitly opts in to live catalog updates on the wizard’s final screen or via Settings → Bot fingerprint database. The plugin is fully functional without ever making a network call — the bundled catalog refreshes from the plugin zip on every plugin update.
On deactivation the plugin unschedules all WP-Cron events. Data is preserved by default so a re-activation continues where you left off. To remove all data on uninstall, check the “Delete all logs, tables, and options when the plugin is uninstalled” toggle in Settings → Data before deactivating.
External Services
The plugin makes no outbound HTTP calls by default. The bot fingerprint catalog is bundled with the plugin zip and refreshes automatically on every plugin update — customers who never opt in still get fresh bot definitions through the normal WordPress plugin update channel.
If — and only if — the customer explicitly enables the “Keep catalog updated between releases” toggle (off by default, found on the final wizard step and in Settings → Bot fingerprint database), the plugin will then make one HTTP GET per day to the service described below. No outbound HTTP call is made before that explicit opt-in.
Service: Royal AI Firewall Fingerprint Catalog (opt-in only)

Endpoint: https://fingerprints.royalplugins.com/v1/index.json
When it runs: Only when the customer enables the “Keep catalog updated between releases” toggle. Off by default.
Frequency: Once per day via WordPress cron (raif_fingerprint_update), scheduled at opt-in time and unscheduled if the customer disables the toggle.
Data sent: None. The request body is empty. Only the plugin version in the User-Agent header (e.g. royal-ai-firewall/1.0.0) and a standard If-None-Match cache validator. No site URL, no IP address, no customer information, no telemetry payload.
Data received: A JSON catalog of recognized AI bot fingerprints (bot names, owners, User-Agent patterns, recommended default policies). Approximately 37 KB.
Purpose: Keeps the plugin’s bot classifier current between plugin releases for customers who want fresher catalogs than the per-release refresh cadence provides.
How to disable: Untick the “Keep catalog updated between releases” toggle in Settings → Bot fingerprint database. Developers can also use the raif_fingerprint_endpoint filter to point at an empty string, or set WP_HTTP_BLOCK_EXTERNAL in wp-config.php to block all external requests.
Privacy Policy: royalplugins.com/privacy/
Terms of Service: royalplugins.com/terms/

This is the only outbound request the plugin can ever make. There is no telemetry, license check, license activation, traffic beacon, analytics call, or any other call to Royal Plugins servers — even when the opt-in is enabled. Dashboard rendering, bot classification, policy decisions, and logging all run entirely inside your WordPress install.

延伸相關外掛

文章
Filter
Mastodon