XF Bot Guard

Compatible XF Versions: 2.1, 2.2, 2.3
Visible Branding: No

Challenge suspicious bots before they scrape your forum.


XF Bot Guard is a XenForo-native anti-scraping and bot challenge layer for public forums. It sits where generic firewalls cannot: inside XenForo, with access to routes, sessions, users, content context, CAPTCHA state, request flow, crawler verification, browser evidence and visitor reputation.

It is built for forum owners dealing with aggressive guests, content scrapers, fake crawlers, no-JavaScript clients, headless browsers, automated enumeration, repeated page traversal, datacentre traffic and browser-like bots that basic blocks miss.

This is not a “CAPTCHA everyone” add-on. Normal browsers are allowed through, supported real crawlers are verified, and suspicious visitors are forced through browser validation or XenForo CAPTCHA before they can freely consume protected pages.

What it does
  • Validates fresh browsers before protected forum content is rendered.
  • Collects local browser proof using bundled FingerprintJS; no paid fingerprinting account is required.
  • Scores risk from browser proof, cookies, JavaScript continuity, request velocity, route behaviour, automation artefacts, fingerprint/IP relationships, crawler evidence and CAPTCHA history.
  • Uses your configured XenForo CAPTCHA provider for challenges.
  • Verifies supported crawlers before scoring using official IP feeds or confirmed reverse DNS where supported.
  • Shows clear dashboard, event log, health checks, reason codes and current visitor visibility.
  • Can optionally sync repeat high-confidence abusive IPs to Cloudflare for Managed Challenge at the edge.
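Crawler verification by official IP feed or confirmed reverse DNS, as listed above, can be sketched as follows. This is an added example, not the add-on's own code: the "examplebot" policy, its address range, its hostname suffix and the reason strings are constructed for illustration, and the resolver functions are injectable so the check can be exercised offline.

```python
import ipaddress
import socket

# Constructed policy for a hypothetical "examplebot"; real crawlers publish their own values.
CRAWLERS = {
    "examplebot": {
        "feed": [ipaddress.ip_network("192.0.2.0/28")],  # official IP feed (constructed)
        "rdns_suffixes": (".crawl.examplebot.test",),     # allowed PTR suffixes (constructed)
    }
}


def _ptr(ip):
    return socket.gethostbyaddr(ip)[0]


def _forward(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def verify_crawler(claimed, ip, ptr=_ptr, forward=_forward):
    """Return (verified, reason) for a client whose User-Agent claims to be `claimed`."""
    policy = CRAWLERS.get(claimed)
    if policy is None:
        return False, "unsupported_crawler"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in policy["feed"]):
        return True, "official_ip_feed"
    try:
        host = ptr(ip).rstrip(".").lower()
    except OSError:  # covers socket.herror and socket.gaierror
        return False, "no_ptr_record"
    # Match with the leading dot so "xcrawl.examplebot.test" does not pass as a subdomain.
    if not host.endswith(policy["rdns_suffixes"]):
        return False, "ptr_suffix_mismatch"
    try:
        resolved = {ipaddress.ip_address(a) for a in forward(host)}
    except OSError:
        return False, "forward_lookup_failed"
    # A PTR record is set by whoever controls the IP block, so only the forward
    # lookup returning the same address confirms the hostname.
    if addr in resolved:
        return True, "confirmed_reverse_dns"
    return False, "forward_mismatch"
```

The User-Agent header only selects which policy to check; on its own it proves nothing, which is why the address has to match the feed or survive the forward lookup.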

First-request browser validation
Fresh visitors without Bot Guard browser proof receive a lightweight validation page before the requested protected page is rendered.

A real browser runs the collector and continues automatically. No-JavaScript crawlers, curl-style clients and many bot frameworks never complete that step, so they do not receive the protected page.

The validation page is intentionally small. It is rendered by the add-on, but it does not render the requested thread, forum, controller or full XenForo page container before browser proof exists.

Browser proof, not blind blocking

Bot Guard records a hashed visitor signal and lightweight browser/coherence metadata: browser platform, language, timezone, screen data, cookie capability, Client Hints, WebDriver/automation indicators, resource-loading shape and related signals.

Collector submissions are tied to short-lived server-issued proof values. Missing, expired, reused, invalid or mismatched proof is not accepted as trusted browser evidence.
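One way to build short-lived, server-issued proof values that reject each of the cases named above (missing, expired, reused, invalid, mismatched) is sketched below. It is an added example and not the add-on's own code: the token layout, the 120-second lifetime, the in-memory nonce set and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-side signing key (assumed: one per site)
TTL = 120                         # proof lifetime in seconds (assumed value)
_used = set()                     # redeemed nonces; a shared store with expiry in production


def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def _bind(session_id):
    # Ties the proof to the session that was served the validation page.
    return hashlib.sha256(session_id.encode()).hexdigest()[:16]


def issue_proof(session_id, now):
    """Issue 'nonce.expiry.binding.mac' when the validation page is rendered."""
    body = f"{secrets.token_hex(16)}.{int(now) + TTL}.{_bind(session_id)}"
    return f"{body}.{_sign(body)}"


def check_proof(proof, session_id, now):
    """Return 'ok', or the reason the collector submission is not trusted."""
    if not proof:
        return "missing"
    body, _, mac = proof.rpartition(".")
    # Verify the MAC first so no client-supplied field is parsed before it is authenticated.
    if not hmac.compare_digest(mac.encode(), _sign(body).encode()):
        return "invalid"
    nonce, expiry, binding = body.split(".")
    if binding != _bind(session_id):
        return "mismatched"
    if now >= int(expiry):
        return "expired"
    if nonce in _used:
        return "reused"
    _used.add(nonce)  # single use: a replayed submission is rejected
    return "ok"
```

Because the nonce is only recorded after every other check passes, a proof replayed from another session or after expiry is rejected without consuming the legitimate visitor's value.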

Explainable risk scoring

Every challenge has reasons. Bot Guard does not just say “blocked”. It shows why a visitor was allowed, validated, challenged, trusted, failed or observed.

Risk can increase from signals such as:
  • Missing browser proof, JavaScript confirmation or server cookie continuity.
  • Unconfirmed, new, reused or suspicious browser identity signals.
  • WebDriver, headless browser, automation markers or automation user-agent artefacts.
  • Browser/platform/screen/language/timezone/header contradictions.
  • One identity appearing across many IPs, or one IP appearing with many identities.
  • High request velocity, repeated error routes, sensitive-route probing and scraping-style route patterns.
  • Search, find-new, listing, member/profile and deep-pagination behaviour.
  • Confirmed hosting/datacentre reverse-DNS matches on public IPs.
  • Recent CAPTCHA failure.

You control the scope:
  • Guests only, guests plus registered users, or guests plus registered users except staff.
  • Excluded user groups and excluded IPs/CIDRs.
  • All public pages, threads only, threads plus forums, selected route prefixes, selected content types or custom path lists.
  • Risk threshold, CAPTCHA trust duration, challenge methods, AJAX exclusion, logging, sampling, retention, crawler trust and Cloudflare Edge settings.

The defaults are production-safe: disabled until enabled, guests-only scope, GET-only challenges, AJAX excluded, hard deny off, verified crawlers/fetchers allowed, trust in known-crawler headers off, browser validation on and low-value event logging suppressed.

Privacy-conscious by design

By default, Bot Guard is designed not to store raw IP addresses or raw browser fingerprint IDs in its own tables. Reputation decisions use hashed identifiers and compact anti-abuse metadata.

The bundled FingerprintJS library runs locally. No external fingerprinting account is required, and raw FingerprintJS component entropy is not stored by default.

Site owners should still update their privacy policy because Bot Guard performs anti-abuse fingerprinting, behavioural monitoring, challenge decisions and, if enabled, Cloudflare edge candidate handling.

No external service account required for core protection

For normal XenForo-layer protection, XF Bot Guard does not require a paid subscription, API key, external bot-detection SaaS, CDN account or third-party XenForo add-on.

Optional Cloudflare Edge Enforcement is separate and requires Cloudflare account/zone details, a suitable API token, a Cloudflare-proxied site and raw IP storage enabled.

Works alongside your existing security

Cloudflare, WAF rules, server firewall rules and rate limits can block traffic before it reaches XenForo. XF Bot Guard works inside XenForo, where it can see forum-specific behaviour and make application-aware challenge decisions.

Use it as an additional XenForo-native layer, not as a replacement for good server/CDN security. Protected public HTML should not be force-cached by a shared full-page cache before XenForo and Bot Guard can run.

What this is not

XF Bot Guard's core protection is not a firewall, reverse proxy, CDN, WAF, nginx rule, Apache rule, LiteSpeed rule or iptables block. On its own, the XenForo-layer protection does not stop requests before they reach PHP.

A sophisticated scraper using a real browser, stable cookies, JavaScript execution, careful timing and CAPTCHA solving can still pass. Bot Guard is built to stop, slow and expose unwanted automated visitors by forcing risky traffic through an explainable XenForo validation/challenge flow.

Requirements
  • XenForo 2.1.0+
  • PHP 7.2+
  • A configured XenForo CAPTCHA provider for CAPTCHA challenge use
  • A theme that includes standard PAGE_CONTAINER output
  • Optional: XenForo cache configured for counter read-load reduction
  • Optional for Cloudflare Edge Enforcement: Cloudflare-proxied site, Cloudflare account/zone access, suitable Cloudflare API token and raw IP storage enabled

Installation
  1. Upload the add-on files to your XenForo installation.
  2. Install XF Bot Guard from the XenForo admin control panel.
  3. Configure XenForo CAPTCHA if it is not already configured.
  4. Review Bot Guard options.
  5. Review the health/status page.
  6. Confirm official crawler/fetcher source and crawler verification health.
  7. Enable the add-on.

Author: XenForo

Latest updates

  1. XF Bot Guard 1.0.6

    XF Bot Guard 1.0.6 is now considered the first stable release of the add-on. This release...