WebDecoy for WordPress: Bot Protection Without the Setup

Most WordPress security plugins ask you to configure rules, connect APIs, tune thresholds, and then hope you got it right. WebDecoy v2.0 takes a different approach: install, activate, done. Every protection layer works immediately with zero configuration and no API key required.

GitHub: github.com/WebDecoy/wordpress-plugin

Why We Built a WordPress Plugin

WordPress powers over 40% of the web. It is also the most targeted CMS for automated attacks. Comment spam, brute force logins, fake registrations, credential stuffing, and WooCommerce carding are daily realities for site owners.

The existing solutions fall into two camps:

CAPTCHA-based plugins force every visitor to prove they are human. Conversion rates drop. Accessibility suffers. And vision AI agents like Claude Computer Use and OpenAI Operator can now solve image challenges programmatically.

API-dependent plugins require accounts, keys, and external services. They charge per request, which means costs spike during attacks — exactly when you need protection most. If the API goes down, your protection disappears.

WebDecoy works differently. All detection runs locally on your server and in the visitor’s browser. No external dependencies. No per-request billing. No CAPTCHAs. Humans never see a challenge.

What v2.0 Changes

The v2.0 release is a full architecture redesign built around one principle: protection should work the moment you activate the plugin.

Zero-Config Freemium Model

Previous versions required an API key for protection hooks to activate. v2.0 removes that requirement entirely. Every detection layer — server-side analysis, client-side fingerprinting, proof-of-work challenges, rate limiting — runs locally without any external connection.

The optional WebDecoy Cloud integration (available in Settings) adds threat intelligence feeds, VPN detection, and cross-site threat sharing for teams managing multiple WordPress installations. But the core protection needs nothing.

SHA-256 Proof-of-Work Challenges

Instead of showing CAPTCHAs, WebDecoy issues invisible SHA-256 proof-of-work challenges to visitors. The browser must compute a valid hash before a form submission is accepted. For a human on modern hardware this takes milliseconds and is completely invisible. For a bot running thousands of concurrent sessions, the same work has to be paid on every single submission, so the cost of an attack grows with its volume. Proof-of-work does not make one automated request impossible; it makes high-volume abuse expensive.

This is the same principle that underpins FCaptcha, our open-source CAPTCHA system, adapted for WordPress’s form handling.
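The handshake described above, as an added example (not WebDecoy's or FCaptcha's code): the server issues a challenge carrying a nonce, an expiry and the difficulty, binds all three to the form with an HMAC so the client cannot lower the difficulty or move the solution to another form, the client brute-forces a counter, and the server verifies statelessly and refuses a replayed solution. The wire format, the 16-bit difficulty, the TTL and the replay cache are assumptions.

```python
"""SHA-256 proof-of-work handshake for a form: the server issues a signed,
expiring challenge, the client searches for a counter, and the server
verifies the work without storing the challenge. Added example, not
WebDecoy's code: the wire format, difficulty and replay cache are assumed."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

SERVER_SECRET = os.urandom(32)   # assumed: a per-site secret kept in the database
DIFFICULTY_BITS = 16             # assumed default: ~65k hashes, milliseconds in a browser
CHALLENGE_TTL = 600              # seconds before an issued challenge expires
_spent = set()                   # nonces already redeemed (assumed: a short-lived server cache)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def work_digest(nonce: str, expiry: int, form_id: str, counter: int) -> bytes:
    return hashlib.sha256(f"{nonce}:{expiry}:{form_id}:{counter}".encode()).digest()


def challenge_mac(nonce: str, expiry: int, difficulty: int, form_id: str) -> str:
    """HMAC binding nonce, expiry, difficulty and form together, so a client
    cannot lower the difficulty or reuse a challenge on another form."""
    body = f"{nonce}:{expiry}:{difficulty}:{form_id}".encode()
    return hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()


def issue_challenge(form_id: str, now: Optional[float] = None) -> str:
    """Server: return 'nonce:expiry:difficulty:mac' to embed in the form."""
    now = time.time() if now is None else now
    nonce = os.urandom(16).hex()
    expiry = int(now) + CHALLENGE_TTL
    mac = challenge_mac(nonce, expiry, DIFFICULTY_BITS, form_id)
    return f"{nonce}:{expiry}:{DIFFICULTY_BITS}:{mac}"


def solve(challenge: str, form_id: str) -> int:
    """Client: brute-force the smallest counter whose digest has enough leading zero bits."""
    nonce, expiry, difficulty, _ = challenge.split(":")
    counter = 0
    while leading_zero_bits(work_digest(nonce, int(expiry), form_id, counter)) < int(difficulty):
        counter += 1
    return counter


def verify(challenge: str, form_id: str, counter: int, now: Optional[float] = None) -> Tuple[bool, str]:
    """Server: check signature, expiry, replay and the work itself, in that order."""
    now = time.time() if now is None else now
    try:
        nonce, expiry_s, difficulty_s, mac = challenge.split(":")
        expiry, difficulty = int(expiry_s), int(difficulty_s)
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(mac, challenge_mac(nonce, expiry, difficulty, form_id)):
        return False, "bad-mac"           # forged, tampered, or issued for a different form
    if now > expiry:
        return False, "expired"
    if nonce in _spent:
        return False, "replayed"          # a valid solution is good for exactly one submission
    if leading_zero_bits(work_digest(nonce, expiry, form_id, counter)) < difficulty:
        return False, "insufficient-work"
    _spent.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    ch = issue_challenge("comment")
    c = solve(ch, "comment")
    print(verify(ch, "comment", c))       # (True, 'ok') on first use, then (False, 'replayed')
```

The order of checks matters: the MAC is verified before anything else so an attacker cannot learn which nonces have been spent or make the server hash a forged challenge, and the replay check runs before the work check so a solved challenge can only be redeemed once. Difficulty is the knob that trades attacker cost against latency on slow phones; a production default would be tuned against real devices.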

4-Factor Behavioral Scoring

Every form submission is evaluated against four signal categories:

  1. Behavioral signals — interaction timing, keystroke patterns, mouse movement characteristics
  2. Environmental signals — browser consistency checks, headless browser detection, automation framework markers
  3. Temporal signals — time-on-page analysis, submission velocity, session duration anomalies
  4. Form signals — honeypot field triggers, field completion order, paste detection

Each category contributes a weighted score. The combined result determines whether the submission is allowed, flagged, or blocked. No single signal is decisive — the system looks at the full picture.
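An added example of the weighted four-category scheme (not the plugin's scorer; the concrete signals, their weights and the two thresholds are assumptions). It scores three constructed submissions: a normal commenter, a hurried paste-heavy human who trips several weak signals and gets flagged rather than blocked, and a Playwright session that fails on every axis. The environmental category includes the cross-layer consistency check between the User-Agent header and what the client script reports.

```python
"""Four-category weighted scoring for one form submission, with an
allow / flag / block verdict. Added example, not the plugin's scorer: the
signal names, per-signal weights and the two thresholds are assumptions."""
from dataclasses import dataclass
from statistics import pstdev
from typing import Dict, List, Tuple

WEIGHTS = {"behavioral": 0.30, "environmental": 0.30, "temporal": 0.20, "form": 0.20}
FLAG_AT, BLOCK_AT = 0.40, 0.70          # assumed cut-offs on the combined 0..1 score


@dataclass
class Submission:
    keystroke_gaps_ms: List[int]    # intervals between key events in text fields
    mouse_samples: int              # distinct mouse-move samples before submit
    claimed_browser: str            # family parsed server-side from the User-Agent header
    webdriver: bool                 # navigator.webdriver as reported by the client script
    automation_markers: List[str]   # globals such as __playwright__ found on window
    time_on_page_ms: int
    submissions_last_minute: int    # from the same IP, counted server-side
    honeypot_value: str             # hidden field a human never sees, so never fills
    field_order: List[str]          # order in which fields received focus
    expected_order: List[str]       # visual order of the form
    pasted_fields: int


def behavioral_score(s: Submission) -> float:
    score = 0.0
    if not s.keystroke_gaps_ms:
        score += 0.5                # text arrived with no key events at all
    elif len(s.keystroke_gaps_ms) > 4 and pstdev(s.keystroke_gaps_ms) < 5:
        score += 0.5                # metronome-regular typing cadence
    if s.mouse_samples == 0:
        score += 0.5
    return min(score, 1.0)


def environmental_score(s: Submission) -> float:
    score = 0.0
    if s.webdriver:
        score += 0.6
    if s.automation_markers:
        score += 0.4
    # cross-layer disagreement: the header claims a mainstream browser,
    # the client script reports automation
    if s.claimed_browser in ("Chrome", "Firefox", "Safari") and (s.webdriver or s.automation_markers):
        score += 0.3
    return min(score, 1.0)


def temporal_score(s: Submission) -> float:
    score = 0.0
    if s.time_on_page_ms < 2000:
        score += 0.6                # submitted faster than a human could read the form
    if s.submissions_last_minute >= 5:
        score += 0.6
    return min(score, 1.0)


def form_score(s: Submission) -> float:
    score = 0.0
    if s.honeypot_value.strip():
        score += 0.8
    if s.field_order and s.field_order != s.expected_order:
        score += 0.3
    if s.pasted_fields >= 3:
        score += 0.2                # weak on its own: password managers paste too
    return min(score, 1.0)


def evaluate(s: Submission) -> Tuple[float, str, Dict[str, float]]:
    """Weighted combination; no single category reaches the block threshold alone."""
    parts = {
        "behavioral": behavioral_score(s),
        "environmental": environmental_score(s),
        "temporal": temporal_score(s),
        "form": form_score(s),
    }
    combined = round(sum(WEIGHTS[k] * v for k, v in parts.items()), 3)
    verdict = "block" if combined >= BLOCK_AT else "flag" if combined >= FLAG_AT else "allow"
    return combined, verdict, parts


# Constructed sample submissions for a comment form with fields author, email, comment.
ORDER = ["author", "email", "comment"]
HUMAN = Submission([180, 95, 240, 130, 210, 160], 37, "Chrome", False, [],
                   42_000, 1, "", ORDER, ORDER, 0)
PASTE_HEAVY = Submission([], 12, "Chrome", False, [],
                         1_500, 5, "", ["comment", "email", "author"], ORDER, 3)
HEADLESS_SPAMMER = Submission([], 0, "Chrome", True, ["__playwright__"],
                              800, 12, "http://spam.example", ["comment", "email", "author"], ORDER, 3)
```

Because the largest category weight is 0.30 and the block threshold is 0.70, at least three categories have to agree before a submission is blocked, which is the property the text describes: one odd signal flags, a pattern across layers blocks.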

Statistics Dashboard

v2.0 adds a statistics page with Chart.js-powered trend visualization. You can see:

  • Detection trends over the last 30 days
  • Threat type distribution (spam bots, scrapers, credential stuffing, carding attempts)
  • Top blocked IPs and their attack patterns
  • Source analysis showing where attacks originate

The detections interface now supports date filtering, CSV export, and bulk operations for managing blocked IPs.

What It Protects

Comment and Form Spam

The plugin injects invisible detection into WordPress comment forms, login pages, and registration forms. Honeypot fields catch simple bots. Proof-of-work challenges make every submission from a headless browser cost CPU time it cannot skip. Behavioral scoring catches everything in between.

No configuration needed. The hooks activate automatically for all standard WordPress forms.

Login and Registration Attacks

Brute force login attempts and fake account registrations are blocked through rate limiting and behavioral analysis. The plugin tracks failed login velocity per IP and automatically blocks sources that exceed thresholds.

WooCommerce Carding

Carding attacks — where fraudsters test stolen credit cards against your checkout — are one of the most expensive bot problems for ecommerce stores. Every declined transaction generates processor fees. Enough declines and your payment provider drops you.

WebDecoy detects carding patterns: multiple small transactions from the same IP, rapid checkout velocity, different card numbers in quick succession, and headless browser signatures on the checkout page. Detected carders are blocked before they reach your payment processor.

We covered the technical details of carding defense in our deep dive on carding attacks.
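The per-IP velocity tracking used for both the failed-login thresholds and the checkout signals above (rapid checkout velocity, many different card numbers in quick succession), as one added example rather than the plugin's implementation. Window lengths, thresholds, block durations and the card-fingerprint scheme are assumptions; the "many small transactions" amount signal is deliberately left out. The card fingerprint is a salted hash of BIN plus last four, so nothing resembling a PAN is ever written to the database, and it assumes the checkout posts those digits to the server at all, which a hosted gateway may not.

```python
"""Sliding-window velocity limits per source IP, used here for both failed
logins and checkout attempts. Added example, not the plugin's code: window
lengths, thresholds, block durations and the card-fingerprint scheme are
assumptions, and the amount-based "many small transactions" signal is left out."""
import hashlib
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class VelocityGuard:
    """Count events per IP over the last window_s seconds. When the count, or
    the number of distinct keys (usernames, card fingerprints), exceeds its
    limit, block the IP for block_s seconds; the block releases itself."""

    def __init__(self, window_s: int, max_events: int, block_s: int,
                 max_distinct: Optional[int] = None) -> None:
        self.window_s, self.max_events = window_s, max_events
        self.block_s, self.max_distinct = block_s, max_distinct
        self.events: Dict[str, Deque[Tuple[float, Optional[str]]]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]   # temporary block has expired
            return False
        return True

    def record(self, ip: str, now: float, key: Optional[str] = None) -> Optional[str]:
        """Record one event. Returns None when the source is still allowed,
        otherwise the reason it is (or already was) blocked."""
        if self.is_blocked(ip, now):
            return "already-blocked"
        window = self.events[ip]
        window.append((now, key))
        while window and window[0][0] <= now - self.window_s:
            window.popleft()             # drop events that fell out of the window
        reason = None
        if len(window) > self.max_events:
            reason = f"{len(window)} events in {self.window_s}s"
        elif self.max_distinct is not None:
            distinct = {k for _, k in window if k is not None}
            if len(distinct) > self.max_distinct:
                reason = f"{len(distinct)} distinct keys in {self.window_s}s"
        if reason:
            self.blocked_until[ip] = now + self.block_s
            window.clear()
        return reason


def card_fingerprint(pan: str, salt: bytes) -> str:
    """Stable, non-reversible card identifier from BIN and last four, salted
    and hashed, so nothing resembling a PAN is ever stored. Assumes the
    checkout posts those digits to the server; a hosted gateway may not."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hashlib.sha256(salt + (digits[:6] + digits[-4:]).encode()).hexdigest()[:16]


def simulate_login_bruteforce() -> Tuple[List[Optional[str]], bool, bool]:
    """Constructed: six failed logins for 'admin' from one IP in 35 seconds."""
    guard = VelocityGuard(window_s=300, max_events=5, block_s=900)
    results = [guard.record("203.0.113.7", 1000 + 7 * i, key="admin") for i in range(6)]
    return results, guard.is_blocked("203.0.113.7", 1100), guard.is_blocked("203.0.113.7", 1935)


def simulate_carding() -> List[Optional[str]]:
    """Constructed: four different test cards from one IP within two minutes."""
    guard = VelocityGuard(window_s=600, max_events=10, block_s=3600, max_distinct=3)
    salt = b"per-site-salt"                 # assumed: generated once at install
    cards = ["4111 1111 1111 1111", "5500 0000 0000 0004",
             "3400 0000 0000 009", "6011 0000 0000 0004"]
    return [guard.record("198.51.100.23", 2000 + 30 * i, key=card_fingerprint(c, salt))
            for i, c in enumerate(cards)]
```

The same class covers both cases because the signals differ only in what is counted: raw attempts for brute force, distinct card identities for carding. The block carries its own expiry, matching the temporary blocks described under IP Management, and the blocked source is answered before the payment gateway is ever called.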

Content Scraping and AI Crawlers

The plugin identifies and blocks unauthorized scrapers including GPTBot, ClaudeBot, and other AI crawlers. Legitimate search engine bots — Googlebot, Bingbot, and 60+ others — are verified through reverse DNS and always allowed through. Your SEO stays intact.

MITRE ATT&CK Path Analysis

WebDecoy compares request paths against reconnaissance behaviour catalogued in the MITRE ATT&CK framework. Requests probing for wp-config.php, backup files, admin endpoints, and other sensitive paths are flagged as potential threat activity: not just logged, but fed into the behavioral model as scoring signals.

How It Works Under the Hood

The detection system runs in two layers that cross-reference each other:

Server-side analysis examines every request before WordPress processes it. User-agent patterns, HTTP header consistency, request rates, IP reputation, and path analysis all contribute to a threat score. Known good bots are verified via reverse DNS and exempted immediately.
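An added example of that server-side layer (not the plugin's code), covering the good-bot exemption described here and under Content Scraping, and the path analysis described under MITRE ATT&CK. One caveat a practitioner will want spelled out: a reverse lookup on its own proves nothing, because whoever owns an IP also controls its PTR record. The check that Google and Bing document for their crawlers is forward-confirmed reverse DNS: the PTR name must fall under the vendor's domain and must resolve back to the requesting IP. The crawler table, path patterns and weights are assumptions, and the DNS resolver is injected so the constructed sample runs offline.

```python
"""Server-side layer: exempt search-engine crawlers only after
forward-confirmed reverse DNS, then score every other request on path
probing and header consistency. Added example, not the plugin's code: the
crawler table, path patterns and weights are assumptions, and the resolver
is injected so the sample runs offline."""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# claimed crawler -> domains its PTR name must end with (assumed, per the vendors' verification docs)
KNOWN_BOTS = {"Googlebot": ("googlebot.com", "google.com"), "bingbot": ("search.msn.com",)}

# paths a legitimate visitor never requests (assumed list); weight in 0..1
RECON_PATHS = [
    (re.compile(r"/wp-config\.php(\.bak|\.old|\.save|~)?$", re.I), 0.9),
    (re.compile(r"/\.(git|env|svn)(/|$)"), 0.8),
    (re.compile(r"\.(bak|old|sql|zip|tar\.gz)$", re.I), 0.6),
    (re.compile(r"/wp-admin/(install|setup-config)\.php$", re.I), 0.5),
    (re.compile(r"/xmlrpc\.php$", re.I), 0.3),
]

# (reverse lookup: ip -> PTR name, forward lookup: name -> list of addresses)
Resolver = Tuple[Callable[[str], str], Callable[[str], List[str]]]


def system_resolver() -> Resolver:
    """Real DNS; the offline sample below injects a fake instead."""
    return (lambda ip: socket.gethostbyaddr(ip)[0],
            lambda name: socket.gethostbyname_ex(name)[2])


def verified_bot(ip: str, user_agent: str, resolver: Resolver) -> Optional[str]:
    """Crawler name if the UA claims a known crawler, the PTR of the IP lies
    under the vendor's domain, and that name resolves back to the same IP.
    The reverse lookup alone is not enough: anyone controls the PTR of their own IP."""
    reverse, forward = resolver
    ua = user_agent.lower()
    for name, domains in KNOWN_BOTS.items():
        if name.lower() not in ua:
            continue
        try:
            ptr = reverse(ip).rstrip(".").lower()
            if not any(ptr == d or ptr.endswith("." + d) for d in domains):
                return None          # PTR outside the vendor's domain
            if ip not in forward(ptr):
                return None          # PTR does not resolve back: spoofed
        except OSError:
            return None              # no PTR at all
        return name
    return None


def score_request(ip: str, path: str, headers: Dict[str, str], resolver: Resolver) -> Tuple[float, List[str]]:
    """Threat score in 0..1 plus the reasons behind it. Header names are lowercase."""
    ua = headers.get("user-agent", "")
    bot = verified_bot(ip, ua, resolver)
    if bot:
        return 0.0, [f"verified:{bot}"]
    score, reasons = 0.0, []
    for pattern, weight in RECON_PATHS:
        if pattern.search(path):
            score += weight
            reasons.append(f"recon-path:{pattern.pattern}")
            break
    lower_ua = ua.lower()
    if not ua:
        score += 0.4
        reasons.append("no-user-agent")
    elif any(tool in lower_ua for tool in ("python-requests", "curl/", "go-http-client", "libwww")):
        score += 0.3
        reasons.append("tool-user-agent")
    if "chrome/" in lower_ua and "accept-language" not in headers:
        score += 0.3                 # real Chrome always sends Accept-Language
        reasons.append("chrome-without-accept-language")
    if any(name.lower() in lower_ua for name in KNOWN_BOTS):
        score += 0.7                 # claimed a crawler but failed verification above
        reasons.append("unverified-crawler-claim")
    return min(score, 1.0), reasons


# Constructed offline resolver (RFC 5737 addresses): 192.0.2.10 is a genuine crawler,
# 203.0.113.50 an impostor whose own PTR record claims to be Googlebot, 198.51.100.9 a VPS.
_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
        "203.0.113.50": "crawl-192-0-2-10.googlebot.com",
        "198.51.100.9": "vps-9.example.net"}
_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"], "vps-9.example.net": ["198.51.100.9"]}


def fake_resolver() -> Resolver:
    def reverse(ip: str) -> str:
        if ip not in _PTR:
            raise OSError("no PTR")
        return _PTR[ip]
    return (reverse, lambda name: _A.get(name, []))


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
```

The impostor case is the one that matters: its PTR name looks right, so a plain reverse lookup would wave it through, but the forward lookup of that name returns the real crawler's address rather than the impostor's. Verified crawlers short-circuit before any scoring, so a real Googlebot fetching /xmlrpc.php is never penalised.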

Client-side fingerprinting runs JavaScript in the visitor’s browser to check for headless browser markers, automation framework signatures (Playwright, Puppeteer, Selenium), browser API consistency, and environmental anomalies. The fingerprint data is submitted alongside form data and validated server-side.

When the two layers disagree — a request claims to be Chrome but client-side checks detect Playwright markers — the threat score increases significantly.

IP Management

The admin interface supports granular IP blocking:

  • Individual addresses and CIDR ranges
  • IPv4 and IPv6
  • Optional expiration (temporary blocks that auto-release)
  • Bulk operations for managing large block lists

Installation

From GitHub (v2.0.0):

  1. Download webdecoy-2.0.0.zip from the releases page
  2. WordPress Admin → Plugins → Add New → Upload Plugin
  3. Activate

Protection starts immediately. There is no step 4.

Requirements:

  • WordPress 5.6+
  • PHP 7.4+

What Is Coming Next

The plugin is actively developed. Planned additions include:

  • Extended WooCommerce hooks for cart manipulation and coupon abuse detection
  • Multisite support with centralized threat management
  • REST API protection for headless WordPress installations
  • WebDecoy Cloud dashboard integration for cross-site analytics

Open Source

The plugin is GPL v2 licensed and open source on GitHub. Contributions, bug reports, and feature requests are welcome.

GitHub: github.com/WebDecoy/wordpress-plugin


Running WordPress or WooCommerce? Download the plugin and activate it. Protection starts in under two minutes with zero configuration.

Want the full platform with threat intelligence and cross-site management? See our plans.
