Title: Royal AI Firewall
Author: Royal Plugins
Published: <strong>2 Luulyo, 2026</strong>
Last modified: 2 Luulyo, 2026

---

Raadi kaabayaal

![](https://ps.w.org/royal-ai-firewall/assets/banner-772x250.png?rev=3594606)

![](https://ps.w.org/royal-ai-firewall/assets/icon-256x256.png?rev=3594606)

# Royal AI Firewall

 Qore [Royal Plugins](https://profiles.wordpress.org/royalpluginsteam/)

[Soo Rog](https://downloads.wordpress.org/plugin/royal-ai-firewall.1.0.0.zip)

 * [Faahfaahin](https://so.wordpress.org/plugins/royal-ai-firewall/#description)
 * [Dibu-eegisyo](https://so.wordpress.org/plugins/royal-ai-firewall/#reviews)
 *  [Rakibaad](https://so.wordpress.org/plugins/royal-ai-firewall/#installation)
 * [Horumarinta](https://so.wordpress.org/plugins/royal-ai-firewall/#developers)

 [Taageero](https://wordpress.org/support/plugin/royal-ai-firewall/)

## Sharraxaad

Royal AI Firewall logs and controls AI bot traffic at the WordPress layer. Every
site on the public web is now visited by AI crawlers — GPTBot, ClaudeBot, PerplexityBot,
ByteSpider, CCBot, and dozens of others — and most site owners have no way to see
what’s happening or decide who gets through.

This plugin gives you:

 * A live dashboard of which AI agents have visited your site in the last 24 hours
 * A per-bot dropdown to allow, block, or log-only any of 55+ recognized AI bots
 * A master “Block all AI bots” panic button on every dashboard load
 * A first-run setup wizard that detects Cloudflare and tells you exactly which 
   CF settings to dial down so this plugin can take over the AI-bot layer
 * Compatibility detection for GuardPress and other popular security plugins
 * A bundled bot fingerprint catalog that refreshes on every plugin update, with
   an optional opt-in to fetch fresher catalogs daily from fingerprints.royalplugins.
   com (see External Services below)

#### Free, Self-Hosted, Fully Featured

Royal AI Firewall is fully featured in its free, GPL-licensed release. There is 
no Pro version — every feature ships in the wp.org plugin, and updates go through
the standard WordPress plugin updater.

Your data stays on your server. The plugin makes **no outbound network calls by 
default**. The bundled bot catalog ships with each plugin release and refreshes 
automatically when you update Royal AI Firewall, so customers who never opt in to
live updates still get fresh bot definitions on every plugin update. If you want
even fresher catalogs between releases, an optional toggle in Settings (and on the
final wizard step) opts in to one HTTP GET per day to `fingerprints.royalplugins.
com`. The plugin never sends your site’s traffic, customer data, IP addresses, or
credentials to any third party regardless of toggle state.

#### AI Bots Recognized (55+ as of v1.0.0)

The bundled catalog covers the major AI bot families. Each entry includes the bot’s
owner, intended purpose, default policy, and the blocking consequences (for example,“
blocking GPTBot may remove your site from ChatGPT search results”).

**Training crawlers:** GPTBot, ClaudeBot, anthropic-ai, Bytespider, TikTokSpider,
FacebookBot, Meta-ExternalAgent, GoogleOther, GoogleOther-AI, Google-Extended, MistralBot,
ai2bot, ai2bot-dolma, cohere-ai, Amazonbot, PetalBot

**Retrieval bots (on-demand):** ChatGPT-User, ClaudeBot-User, Claude-Web, Perplexity-
User, Meta-ExternalFetcher, facebookexternalhit, APIs-Google

**AI search engines:** OAI-SearchBot, PerplexityBot, Applebot-Extended, MicrosoftCopilotBot,
DuckAssistBot, YouBot, PhindBot, iAsk, Komo, Liner, Brave Leo, Andi

**Search engines (always-allow guarded):** Googlebot, Googlebot-Image, Googlebot-
Video, Googlebot-News, Bingbot, BingPreview, Applebot, DuckDuckBot

**Agent browsers (newer category):** OperatorAgent, ChatGPT-Atlas, Claude-Computer-
Use

**Dataset scrapers:** CCBot (Common Crawl), Diffbot, ImagesiftBot, Omgilibot, Timpibot

**Other Google crawlers:** Storebot-Google, Mediapartners-Google, AdsBot-Google,
adidxbot

#### The Dashboard

Open the AI Firewall menu in your WordPress admin to see:

 * A hero metric — total AI bot hits in the last 24 hours and the number of distinct
   bots involved
 * A per-bot list with hit count, bandwidth used, and a one-click policy dropdown
   for each row
 * An MCP / Abilities API activity widget when an MCP server plugin (Royal MCP or
   any plugin implementing the WordPress Abilities API) is detected on your site
 * A Cloudflare visibility status card with an honest estimate of how many AI bots
   may have been filtered by Cloudflare at the edge before reaching WordPress
 * Click any bot row to expand a drill-down view: top URLs the bot hit, recent activity,
   and what blocking the bot would cost you

#### Per-Bot Policy Controls

Each recognized bot row has a dropdown with four options:

 * **Use default policy** — falls back to your global mode (Log only, Block training,
   or Block all)
 * **Always allow** — bot is allowed regardless of default mode
 * **Log only** — bot is allowed and recorded; never blocked
 * **Block** — bot receives a 403 response immediately, before WordPress runs any
   heavy work

Major search engines (Googlebot, Bingbot, Applebot, DuckDuckBot) are protected from
accidental blocking. The per-bot dropdown is disabled for these bots, and the API
rejects block requests for them unless you explicitly enable the “Search engine 
override” toggle in Settings — with a clear warning that blocking Googlebot removes
your site from Google Search.

#### Cloudflare Compatibility

If your site is behind Cloudflare, the setup wizard’s Cloudflare screen tells you
exactly which CF settings to turn off so this plugin can take over the AI-bot layer:

 * **AI Audit**  set to “Allow”
 * **AI Labyrinth**  OFF
 * **Custom WAF rules** blocking AI bots  DELETE (the per-bot controls in this plugin
   replace them)
 * **Security Level**  Medium or Low

And which CF settings to leave on (they don’t conflict):

 * DDoS protection
 * Managed WAF rules
 * SSL/TLS
 * Bot Fight Mode (basic tier)
 * Browser Integrity Check
 * Caching

The dashboard also detects Cloudflare on every admin page load (looking for `cf-
ray`, `cf-connecting-ip`, or `CDN-Loop: cloudflare` headers) and shows a status 
card with the detection state. A persistent 24-hour state ensures the UI stays stable
even when an occasional admin request doesn’t pass through CF.

#### Other Security Plugin Compatibility

The plugin auto-detects these plugins when they’re active and shows compatibility
notes on the dashboard and Settings page:

 * **Edge-firewall security plugins** — their firewalls run before WordPress loads.
   AI bots they block at their layer won’t appear in this plugin’s dashboard, but
   the two layers don’t conflict.
 * **WordPress-layer security plugins** — coexist cleanly at the WordPress layer.
 * **GuardPress (Royal Plugins)** — first-party Royal Plugins integration.
 * **Royal MCP (Royal Plugins)** — when Royal MCP is detected, MCP tool invocations
   from connected AI agents appear in the MCP Activity widget on the dashboard.

#### WordPress Abilities API & MCP Server Integration

This plugin listens for the WordPress Abilities API hooks `wp_before_execute_ability`
and `wp_after_execute_ability` (WP 6.9+) and logs every ability invocation regardless
of which MCP server triggers it. If you have any MCP server plugin installed and
an AI agent calls an ability, you’ll see it in the MCP Activity widget on the dashboard.

If Royal MCP 1.4.33 or later is installed, an additional first-party bridge captures
every MCP tool call from that server with full tool name and result status.

#### Search Engine Guard

Major search engines are protected from accidental blocking by default. The dashboard
dropdown is disabled for Googlebot, Bingbot, Applebot, and DuckDuckBot. The REST
API endpoints reject block attempts on these bots with a 409 Conflict response unless
the customer has explicitly enabled the “Search engine override” toggle in Settings.
The override toggle includes a clear warning that blocking Googlebot removes the
site from Google Search.

#### Telemetry and Data

The plugin is off by default for telemetry. The “Anonymous usage data” toggle in
Settings is unchecked on activation. If you explicitly opt in, the plugin sends:

 * Plugin version
 * Wizard completion status
 * Count of customized per-bot policies
 * Bucketed bot count (e.g., “between 10 and 50 bots seen”)

The following are NEVER sent, regardless of toggle state:

 * Your site URL or domain
 * Customer email addresses
 * Invocation log contents
 * Specific IP addresses
 * Specific bot identities
 * User-Agent strings of visitors

Log retention defaults to 7 days. The retention window is filterable via `raif_log_retention_days`
for developers who need a different value.

#### How Activation Works

On activation the plugin:

 * Creates three custom database tables: `raif_invocation_log`, `raif_daily_rollup`,`
   raif_bot_policy`
 * Seeds safe default options (Log only mode; telemetry off; uninstall data-delete
   off; live catalog updates off)
 * Schedules two WP-Cron events (hourly rollup, daily log prune) — both run entirely
   inside your WordPress install with no network calls
 * Loads the bundled bot fingerprint catalog from the plugin zip
 * Redirects the activating admin to the 4-step setup wizard
 * The wizard is skippable from any step

**No outbound HTTP calls are made until the customer explicitly opts in** to live
catalog updates on the wizard’s final screen or via Settings  Bot fingerprint database.
The plugin is fully functional without ever making a network call — the bundled 
catalog refreshes from the plugin zip on every plugin update.

On deactivation the plugin unschedules all WP-Cron events. **Data is preserved by
default** so a re-activation continues where you left off. To remove all data on
uninstall, check the “Delete all logs, tables, and options when the plugin is uninstalled”
toggle in Settings  Data before deactivating.

### External Services

**The plugin makes no outbound HTTP calls by default.** The bot fingerprint catalog
is bundled with the plugin zip and refreshes automatically on every plugin update—
customers who never opt in still get fresh bot definitions through the normal WordPress
plugin update channel.

If — and only if — the customer explicitly enables the “Keep catalog updated between
releases” toggle (off by default, found on the final wizard step and in Settings
Bot fingerprint database), the plugin will then make one HTTP GET per day to the
service described below. No outbound HTTP call is made before that explicit opt-
in.

**Service: Royal AI Firewall Fingerprint Catalog (opt-in only)**

 * **Endpoint:** https://fingerprints.royalplugins.com/v1/index.json
 * **When it runs:** Only when the customer enables the “Keep catalog updated between
   releases” toggle. Off by default.
 * **Frequency:** Once per day via WordPress cron (`raif_fingerprint_update`), scheduled
   at opt-in time and unscheduled if the customer disables the toggle.
 * **Data sent:** None. The request body is empty. Only the plugin version in the
   User-Agent header (e.g. `royal-ai-firewall/1.0.0`) and a standard `If-None-Match`
   cache validator. No site URL, no IP address, no customer information, no telemetry
   payload.
 * **Data received:** A JSON catalog of recognized AI bot fingerprints (bot names,
   owners, User-Agent patterns, recommended default policies). Approximately 37 
   KB.
 * **Purpose:** Keeps the plugin’s bot classifier current between plugin releases
   for customers who want fresher catalogs than the per-release refresh cadence 
   provides.
 * **How to disable:** Untick the “Keep catalog updated between releases” toggle
   in Settings  Bot fingerprint database. Developers can also use the `raif_fingerprint_endpoint`
   filter to point at an empty string, or set `WP_HTTP_BLOCK_EXTERNAL` in `wp-config.
   php` to block all external requests.
 * **Privacy Policy:** [royalplugins.com/privacy/](https://royalplugins.com/privacy/)
 * **Terms of Service:** [royalplugins.com/terms/](https://royalplugins.com/terms/)

This is the only outbound request the plugin can ever make. There is no telemetry,
license check, license activation, traffic beacon, analytics call, or any other 
call to Royal Plugins servers — even when the opt-in is enabled. Dashboard rendering,
bot classification, policy decisions, and logging all run entirely inside your WordPress
install.

## Sawir-shaashado

[⌊Dashboard — hero metric of AI bot hits in the last 24 hours, per-bot list with
dropdown controls, MCP Activity widget when applicable, and Cloudflare visibility
status when Cloudflare is detected.⌉⌊Dashboard — hero metric of AI bot hits in the
last 24 hours, per-bot list with dropdown controls, MCP Activity widget when applicable,
and Cloudflare visibility status when Cloudflare is detected.⌉[

Dashboard — hero metric of AI bot hits in the last 24 hours, per-bot list with dropdown
controls, MCP Activity widget when applicable, and Cloudflare visibility status 
when Cloudflare is detected.

[⌊Setup wizard, welcome step — one-screen summary of what the plugin does before
the walkthrough starts.⌉⌊Setup wizard, welcome step — one-screen summary of what
the plugin does before the walkthrough starts.⌉[

Setup wizard, welcome step — one-screen summary of what the plugin does before the
walkthrough starts.

[⌊Setup wizard, environment detection — the wizard reports which security plugins
and MCP servers it found on the site and how it will coexist with each.⌉⌊Setup wizard,
environment detection — the wizard reports which security plugins and MCP servers
it found on the site and how it will coexist with each.⌉[

Setup wizard, environment detection — the wizard reports which security plugins 
and MCP servers it found on the site and how it will coexist with each.

[⌊Setup wizard, Cloudflare screen — step-by-step list of which Cloudflare settings
to turn off so this plugin can take over the AI-bot layer.⌉⌊Setup wizard, Cloudflare
screen — step-by-step list of which Cloudflare settings to turn off so this plugin
can take over the AI-bot layer.⌉[

Setup wizard, Cloudflare screen — step-by-step list of which Cloudflare settings
to turn off so this plugin can take over the AI-bot layer.

[⌊Setup wizard, default policy — pick the global stance (Log only, Block training
crawlers, or Block all) with a plain-language description of what each mode does.⌉⌊
Setup wizard, default policy — pick the global stance (Log only, Block training 
crawlers, or Block all) with a plain-language description of what each mode does
.⌉[

Setup wizard, default policy — pick the global stance (Log only, Block training 
crawlers, or Block all) with a plain-language description of what each mode does.

[⌊Settings page — default policy, search engine override, Cloudflare detection diagnostic,
security plugin compatibility, bot fingerprint database status, log retention, telemetry
opt-in.⌉⌊Settings page — default policy, search engine override, Cloudflare detection
diagnostic, security plugin compatibility, bot fingerprint database status, log 
retention, telemetry opt-in.⌉[

Settings page — default policy, search engine override, Cloudflare detection diagnostic,
security plugin compatibility, bot fingerprint database status, log retention, telemetry
opt-in.

## Rakibaad

 1. In your WordPress dashboard, go to **Plugins  Add New** and search for **Royal 
    AI Firewall**.
 2. Click **Install Now**, then **Activate**.
 3. The 4-step setup wizard runs automatically on first activation. Walk through it
    to detect Cloudflare and pick a default policy. The wizard is skippable.
 4. Open **AI Firewall** in the admin menu to see the dashboard.
 5. Wait 2–6 hours for the first AI bot hits to appear, or run a manual test with curl:
 6. curl -A “GPTBot/1.2” https://your-site.com/

## SBI

### Do I still need Cloudflare?

Yes, if you use Cloudflare for DDoS protection, general WAF rules, SSL/TLS, or caching.
Keep Cloudflare’s core protections on. This plugin handles only the AI-bot-specific
layer at WordPress, so you can dial down Cloudflare’s AI Audit / AI Labyrinth / 
custom AI-blocking WAF rules. The setup wizard’s Cloudflare screen lists exactly
which CF toggles to flip.

### Will this block Googlebot?

No. Googlebot, Bingbot, Applebot, and DuckDuckBot are protected from accidental 
blocking. The per-bot dropdown is disabled for these bots by default. To block any
of them, you must explicitly enable the “Search engine override” toggle in Settings,
which warns clearly that blocking Googlebot removes your site from Google Search.

### Does this work with other security plugins?

Yes. Edge-firewall security plugins run their own firewalls before WordPress loads,
so AI bots they block won’t appear in this plugin’s dashboard — but the two layers
don’t conflict. The plugin auto-detects popular security plugins on activation and
shows compatibility notes.

### Does this work with Royal MCP and other MCP server plugins?

Yes. The plugin hooks into the WordPress Abilities API (WP 6.9+) and logs every 
ability invocation regardless of which MCP server triggers it. If Royal MCP 1.4.33
or later is installed, an additional first-party bridge captures every MCP tool 
call with full detail.

### What happens to my data if I uninstall?

By default, data is **preserved**. The plugin’s tables and logs survive uninstall
so a reinstall picks up where you left off. To delete everything on uninstall, check
the “Delete all logs, tables, and options when the plugin is uninstalled” toggle
in Settings  Data before deactivating.

### My dashboard shows zero hits even though AI bots are visiting my site. What’s wrong?

Almost always a caching plugin caching the REST API response. The plugin already
does four things to prevent this — a cache-buster query string on every dashboard
request, `nocache_headers()` + `DONOTCACHEPAGE` constant on the handler, explicit`
Cache-Control: no-store` response headers, and built-in compatibility filters that
opt out of caching for the most common cache plugins.

If you use a different cache plugin or a server-side cache (nginx `fastcgi_cache`,
Cloudflare Page Rules, Varnish), exclude the path `/wp-json/royal-ai-firewall/*`
from REST API caching in that plugin’s settings.

### How often is the bot catalog updated?

A fresh bot catalog ships with every Royal AI Firewall release, so every time you
update the plugin through your wp-admin  Plugins screen you get the newest catalog
automatically — no outbound network call required. Plugin updates typically ship
every 2–4 weeks, faster after major AI-vendor launches.

If you want catalogs fresher than the per-release cadence, an optional Settings 
toggle (“Keep catalog updated between releases”) opts in to one HTTP GET per day
to `fingerprints.royalplugins.com`. That toggle is off by default; no outbound HTTP
call is ever made until you turn it on.

### Does the plugin phone home or make outbound network calls?

**No, not by default.** Out of the box the plugin makes zero outbound HTTP calls.
The bot catalog ships bundled with the plugin and refreshes on every plugin update.
If you explicitly enable the “Keep catalog updated between releases” toggle in Settings
or on the final wizard step, the plugin will then make one HTTP GET per day to fetch
a fresher catalog — but only after that opt-in, and only that one call. Turning 
the toggle back off immediately unschedules the cron. No telemetry, license checks,
or analytics calls are ever made regardless of toggle state.

### Is there a Pro version?

No. Every feature ships in the free release on WordPress.org. No upgrade prompts,
no license keys, no SaaS subscription.

### What if I’m behind a different CDN?

The plugin’s classifier and per-bot controls work at the WordPress layer regardless
of which CDN sits in front. The dedicated Cloudflare detection and setup wizard 
step are Cloudflare-specific because Cloudflare’s AI controls are the most common
source of operator confusion. Other CDNs that pass AI bot traffic through to WordPress
will appear normally in the dashboard.

### Does the plugin slow down my site?

The hot-path classification logic has a hard budget of under 5 milliseconds per 
request and is enforced by a continuous-integration test. The classifier runs in-
process against a 55-entry pre-compiled pattern list. Logging is buffered and flushed
on the WordPress `shutdown` hook (after the response is sent), so the response latency
a visitor sees is not affected by database writes.

### How is bot identity verified — can a bad actor just pretend to be Googlebot?

This release identifies bots by matching the User-Agent header against the bundled
fingerprint catalog. A spoofed User-Agent will match a real bot’s record, so treat
the dashboard as the answer to “what’s claiming to be each bot” rather than a verified
attribution. For the search-engine guard, blocking is still off by default — a spoofed
Googlebot UA can’t be blocked unless you explicitly enable the Search engine override
toggle, and managing the actual edge layer (Cloudflare, your CDN, or a security 
plugin running before WordPress) remains the right place to enforce identity at 
the network level.

## Dibu-eegisyo

Ma jiraan wax dibu-eegis ah oo ku saabsan kaabahan.

## Ka-qaybgalayaasha & Horumariyayaasha

“Royal AI Firewall” waa softiweer il furan. Dadka soo socda ayaa wax ku biiriyay
kaabahan.

Ka-qaybgalayaasha

 *   [ Royal Plugins ](https://profiles.wordpress.org/royalpluginsteam/)

[Ku tarjun “Royal AI Firewall” luqaddaada.](https://translate.wordpress.org/projects/wp-plugins/royal-ai-firewall)

### Ma xiisaynaysaa horumarinta?

[Baadh koodka](https://plugins.trac.wordpress.org/browser/royal-ai-firewall/), fiiri
[bakhaarka SVN](https://plugins.svn.wordpress.org/royal-ai-firewall/), ama iska 
qor [diiwaanka horumarinta](https://plugins.trac.wordpress.org/log/royal-ai-firewall/)
adigoo adeegsanaya [RSS](https://plugins.trac.wordpress.org/log/royal-ai-firewall/?limit=100&mode=stop_on_copy&format=rss).

## Isbeddellada

#### 1.0.0

 * Initial release.
 * AI bot classifier with 55 recognized bots across 6 categories.
 * Live dashboard with per-bot rows, drill-down, and Cloudflare visibility status.
 * Per-bot policy dropdown — allow, block, log-only, or use default.
 * Master “Block all AI bots” panic button with search-engine guard.
 * 4-step setup wizard with Cloudflare detection and dial-down guide.
 * Security plugin compatibility detection for popular firewall plugins including
   GuardPress and Royal MCP.
 * WordPress Abilities API integration (WP 6.9+) — logs ability invocations.
 * Royal MCP first-party bridge — logs MCP tool calls when Royal MCP 1.4.33+ is 
   installed.
 * Bot fingerprint daily auto-update from fingerprints.royalplugins.com with bundled
   fallback.
 * 7-day log retention, configurable via filter.
 * Opt-in telemetry (off by default).
 * Opt-in data deletion on uninstall (off by default — data preserved).

## Meta

 *  Version **1.0.0**
 *  Last updated **2 maalmood kahor**
 *  Active installations **In ka yar 10**
 *  WordPress version ** 6.4 ama ka sareeya **
 *  Tested up to **7.0**
 *  PHP version ** 8.0 ama ka sareeya **
 *  Language
 * [English (US)](https://wordpress.org/plugins/royal-ai-firewall/)
 * Tags
 * [AI](https://so.wordpress.org/plugins/tags/ai/)[bot](https://so.wordpress.org/plugins/tags/bot/)
   [firewall](https://so.wordpress.org/plugins/tags/firewall/)[mcp](https://so.wordpress.org/plugins/tags/mcp/)
   [security](https://so.wordpress.org/plugins/tags/security/)
 *  [Aragti Sare](https://so.wordpress.org/plugins/royal-ai-firewall/advanced/)

## Qiimeynta

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/royal-ai-firewall/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/royal-ai-firewall/reviews/)

## Ka-qaybgalayaasha

 *   [ Royal Plugins ](https://profiles.wordpress.org/royalpluginsteam/)

## Taageero

Ma heysaa waxaad dhahdo? Caawimaad ma u baahan tahay?

 [Eeg madasha taageerada](https://wordpress.org/support/plugin/royal-ai-firewall/)

## Ku deeq

Ma jeclaan lahayd inaad taageerto horumarinta kaabahan?

 [ Ugu deeq kaabahan ](https://www.royalplugins.com)