=== Voho bot manager ===
Contributors: voho8
Tags: security, privacy, administration, utilities, firewall
Requires at least: 6.2
Tested up to: 6.9
Stable tag: 1.2.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Stop OpenClaw-class AI crawlers and allied headless automation: enforce HTTP 403 and keep an auditable interception log in WordPress.

== Description ==

**Voho bot manager** hardens WordPress against the new wave of **AI-driven crawlers**—including stacks associated with **OpenClaw**—that attempt to scrape, snapshot, and probe your content through non-interactive, headless browsing pipelines.

When a high-risk automation session is identified, the plugin **terminates the request with HTTP 403**, returns a concise English denial page, and **persists structured telemetry** (UTC timestamp, client IP, requested URL, and an intercepted flag reserved for richer policy engines) inside `{prefix}voho_bot_manager_intercepted_log`.

**Operational visibility**

* Dedicated **Voho Bot Manager** admin hub with paginated history.
* Timestamps rendered in your configured WordPress timezone so responders can correlate events quickly.
* **View log** shortcut on the Plugins screen for one-click access.

**Roadmap-aware positioning:** automated threat actors evolve weekly; Voho bot manager ships iterative detection upgrades so your perimeter keeps pace with emerging AI browsing agents without waiting for a full rewrite.

OpenClaw and similar names refer to widely discussed AI browsing ecosystems; Voho bot manager is an independent security tool and is not affiliated with any third-party vendor.

== Installation ==

1. Upload the `voho-bot-manager` folder to `/wp-content/plugins/`.
2. Activate **Voho bot manager** through the **Plugins** menu in WordPress.
3. Open **Voho Bot Manager** in the admin sidebar (or use **View log** on the plugin row) to review intercepted requests.

On activation the plugin creates the `{prefix}voho_bot_manager_intercepted_log` table automatically.

== Frequently Asked Questions ==

= How does this help against OpenClaw-style AI crawlers? =

The plugin blocks the non-human automation paths these agents rely on, answers with HTTP 403, and logs each attempt so you can audit abuse, tune upstream controls, and brief stakeholders with concrete evidence.

= Will it catch every crawler on the internet? =

No defensive layer can promise universal coverage. Voho bot manager focuses on the high-risk automation families behind modern AI scrapers and continuously expands detection as new behaviours appear.

= Does the plugin work with caching or CDN layers? =

If a cache or proxy serves a response without executing WordPress/PHP for matching requests, interception must happen at that layer instead. Otherwise behaviour is unchanged.

= What data is stored? =

Each intercepted request stores UTC time, client IP (or the first value from `X-Forwarded-For` when present), full requested URL, and a boolean intercepted flag.

== Screenshots ==

1. Intercepted requests log table in the WordPress admin.

== Changelog ==

= 1.2.0 =
* Server-side blocking uses automation User-Agent patterns (e.g. python-requests, Go-http-client, curl, HeadlessChrome) while allowlisting common search/index crawlers (Google, Bing, Yandex, Baidu, etc.). Filters: `voho_bot_manager_search_bot_allowlist`, `voho_bot_manager_automation_ua_patterns`, `voho_bot_manager_should_block_request`.

= 1.1.0 =
* Split codebase into `includes/` for maintainability; forbidden HTML lives in `templates/forbidden.php`.
* Public forbidden screen at `/voho-bot-forbidden/` (flush permalinks after update) with plain-URL fallback.
* Front-end script `assets/js/bot-check.js` detects common automation signals in the browser and redirects to the forbidden screen (logged when `voho_js=1`).

= 1.0.5 =
* Themed HTTP 403 page: loads the active (and parent, if child) theme stylesheet, uses block-theme CSS variables when present, and returns JSON errors for REST/JSON requests.

= 1.0.4 =
* Harden input handling (`wp_unslash`, sanitization), use `wpdb::prepare()` identifier placeholders for custom table queries, and document direct DB usage for Plugin Check.

= 1.0.3 =
* Show log timestamps in the site timezone with an explanatory note.

= 1.0.2 =
* Top-level admin menu and **View log** plugin action link.

= 1.0.1 =
* Admin log viewer with pagination.

= 1.0.0 =
* Initial release: AI crawler mitigation, HTTP 403 enforcement, database log on activation.

== Upgrade Notice ==

= 1.2.0 =
Tighter server-side rules for script HTTP clients; search crawlers on the allowlist stay unaffected.

= 1.1.0 =
Re-save Permalinks once (Settings → Permalinks → Save) so the `/voho-bot-forbidden/` route works.

= 1.0.5 =
403 responses now use a themed HTML page (and JSON for REST). Interception runs after the theme loads.

= 1.0.4 =
Requires WordPress 6.2 or newer (identifier placeholders in database queries).

= 1.0.3 =
Timezone-aware display for log timestamps.
