Title: OpenBotAuth – AI Crawler Access Control
Author: hammadtq
Published: <strong>2026-يىلى 19-يانۋار</strong>
Last modified: 2026-يىلى 19-يانۋار

---

قىستۇرما ئىزدە

![](https://ps.w.org/openbotauth/assets/banner-772x250.png?rev=3442835)

![](https://ps.w.org/openbotauth/assets/icon-256x256.png?rev=3442835)

# OpenBotAuth – AI Crawler Access Control

 يازغۇچى [hammadtq](https://profiles.wordpress.org/hammadtq/)

[چۈشۈر](https://downloads.wordpress.org/plugin/openbotauth.1.0.0.zip)

 * [تەپسىلاتلار](https://ug.wordpress.org/plugins/openbotauth/#description)
 * [باھالاشلار](https://ug.wordpress.org/plugins/openbotauth/#reviews)
 *  [ئورنىتىش](https://ug.wordpress.org/plugins/openbotauth/#installation)
 * [ئىجادىيەت](https://ug.wordpress.org/plugins/openbotauth/#developers)

 [قوللاش](https://wordpress.org/support/plugin/openbotauth/)

## چۈشەندۈرۈش

**OpenBotAuth** helps publishers control automated access from AI crawlers and agents.
It verifies requests using RFC 9421 HTTP Message Signatures (via a configurable 
verifier) and applies per-site or per-post policies like allow, deny, teaser previews,
and 402 payment-required responses. It also publishes AI-friendly endpoints like
llms.txt, a JSON feed, and per-post Markdown.

Instead of blocking all bots or allowing unrestricted access, you can:

 * **See AI bot traffic** – Local-only analytics showing which bots are crawling
   your site
 * **Verify bot identity** using cryptographic signatures (RFC 9421)
 * **Show teasers** to unverified bots (first N words)
 * **Rate limit** bot access per agent
 * **Whitelist/blacklist** specific bots

#### Key Features

 * **Bot Traffic Analytics** – See which AI bots (GPTBot, ClaudeBot, PerplexityBot,
   etc.) are visiting your site
 * **Signature Verification** – Verifies RFC 9421 HTTP Message Signatures using 
   Ed25519 cryptography
 * **Content Teasers** – Show first N words to unverified bots with customizable
   per-post settings
 * **Rate Limiting** – Per-agent rate limits with configurable time windows
 * **Access Control** – Whitelist/blacklist with wildcard pattern matching
 * **Local Analytics** – Visual dashboard with charts, stats cards, and decision
   breakdowns (no external tracking)
 * **AI-Ready Endpoints** – Serve llms.txt, JSON feed, and markdown for AI crawlers
 * **Tabbed Admin Interface** – Clean organization with Analytics, AI Endpoints,
   and Configuration tabs

#### AI-Ready Endpoints

OpenBotAuth provides machine-readable endpoints for AI systems:

 * **/llms.txt** – Standardized AI feed discovery (also at /.well-known/llms.txt)
 * **/.well-known/openbotauth-feed.json** – JSON list of all published posts
 * **/.well-known/openbotauth/posts/{ID}.md** – Per-post markdown content

Configure which post types to include (posts, pages, or custom types) and set the
feed limit (up to 500 items). All data is served locally from your WordPress database.
No external tracking or telemetry. Only published, non-password-protected posts 
are exposed.

#### How It Works

 1. AI agent signs HTTP request with its private key (RFC 9421 signature)
 2. WordPress plugin extracts signature headers and sends them to a verifier service
 3. Verifier fetches agent’s public key from registry and verifies signature
 4. Plugin applies policy: allow full content, show teaser, require payment, or deny

#### External Service Disclosure

**This plugin connects to an external verifier service.** When a signed bot request
is received, the plugin sends the following data to your configured verifier URL
via `wp_remote_post`:

 * HTTP method (GET, POST, etc.)
 * The accessed URL (including query string, if present)
 * HTTP signature headers (Signature, Signature-Input, Signature-Agent)
 * Additional HTTP header values explicitly listed in the Signature-Input header(
   e.g., content-type, accept, user-agent)

**Privacy protection:** Sensitive headers (cookies, authorization, proxy-authorization,
www-authenticate) are NEVER forwarded, even if present in the request. If a bot’s
signature covers a sensitive header, verification will fail with a clear error.

**No WordPress user accounts or personal data is transmitted.** Only the headers
explicitly covered by the bot’s signature are forwarded to enable cryptographic 
verification. Note that the URL may include query parameters depending on your site’s
structure.

You can:
 * Use the hosted verifier at `https://verifier.openbotauth.org/verify`*
Self-host the verifier service (see documentation) * The verifier service may log
requests server-side depending on your configuration

**Analytics are local-only.** Decision counts (allow/teaser/deny/pay/rate_limit)
and bot traffic observations (User-Agent based) are stored in your WordPress database.
No analytics data is sent to external servers.

For more information, please review our [Terms of Service](https://openbotauth.org/terms)
and [Privacy Policy](https://openbotauth.org/privacy).

### Developer Hooks

#### Filters

**openbotauth_policy**
 Modify policy before applying:

    ```
    add_filter('openbotauth_policy', function($policy, $post) {
        if ($post->post_type === 'premium') {
            $policy['price_cents'] = 1000;
        }
        return $policy;
    }, 10, 2);
    ```

#### Actions

**openbotauth_verified**
 Triggered when a bot is verified:

    ```
    add_action('openbotauth_verified', function($agent, $post) {
        error_log("Bot {$agent['jwks_url']} accessed post {$post->ID}");
    }, 10, 2);
    ```

**openbotauth_payment_required**
 Triggered when 402 is returned:

    ```
    add_action('openbotauth_payment_required', function($agent, $post, $price) {
        // Track payment requests
    }, 10, 3);
    ```

#### AI Endpoint Filters (v0.1.2+)

**openbotauth_should_serve_llms_txt**
 Disable llms.txt endpoint (e.g., when using
Yoast):

    ```
    add_filter('openbotauth_should_serve_llms_txt', '__return_false');
    ```

**openbotauth_should_serve_feed**
 Disable JSON feed endpoint:

    ```
    add_filter('openbotauth_should_serve_feed', '__return_false');
    ```

**openbotauth_should_serve_markdown**
 Disable markdown endpoints:

    ```
    add_filter('openbotauth_should_serve_markdown', '__return_false');
    ```

**openbotauth_feed_item**
 Modify feed items:

    ```
    add_filter('openbotauth_feed_item', function($item, $post) {
        $item['custom_field'] = get_post_meta($post->ID, 'my_field', true);
        return $item;
    }, 10, 2);
    ```

**openbotauth_markdown_content**
 Post-process markdown output:

    ```
    add_filter('openbotauth_markdown_content', function($markdown, $post) {
        return $markdown . "\n\n---\nCopyright notice here";
    }, 10, 2);
    ```

## ئورنىتىش

 1. Upload the `wordpress-openbotauth` folder to `/wp-content/plugins/`
 2. Activate the plugin through the ›Plugins‹ menu in WordPress
 3. Go to **Settings > OpenBotAuth** to configure
 4. Configure your **Verifier Service**:
 5.  * Check «Use hosted OpenBotAuth verifier» to use the hosted service, OR
     * Enter your self-hosted verifier URL (e.g., `http://localhost:8081/verify` for
       local dev)
     * Leave empty to disable verification (all signed requests treated as unverified)
 6. Configure your default policy (Allow, Teaser, or Deny)

## FAQ

### Do I need to run my own verifier service?

No, you can enable the hosted verifier in Settings by checking «Use hosted OpenBotAuth
verifier». For privacy requirements or custom configurations, you can self-host 
the verifier service. The plugin does not contact any external service until you
explicitly configure it.

### Will this block normal human visitors?

No. The plugin only applies to requests that include RFC 9421 signature headers.
Normal browser requests without signature headers see full content and bypass OpenBotAuth
entirely.

### What is a teaser?

A teaser shows the first N words of your content to unverified bots, with a notice
that authenticated bots can access full content. You can configure the word count
globally or per-post.

### Does the 402 payment feature process actual payments?

No. The 402 response is a stub that returns the configured price and payment URL.
Actual payment processing requires custom integration.

### What data does the plugin send externally?

Only signature verification requests are sent to your configured verifier URL. The
request includes the URL being accessed and the signature headers. No personal data,
cookies, or user information is transmitted.

### Does the plugin send any data to external servers?

The only external call is signature verification (if configured). All analytics 
are stored locally in your WordPress database. No telemetry or tracking data is 
sent to any external server.

### Does OpenBotAuth work with Yoast SEO?

Yes. OpenBotAuth works alongside Yoast SEO without conflicts. By default, OpenBotAuth
serves llms.txt (works standalone). If Yoast is installed and you’ve enabled Yoast’s
llms.txt feature, use the «Use Yoast llms.txt» toggle in AI Endpoints settings to
let Yoast handle it. OpenBotAuth’s unique feed and markdown endpoints remain active
either way.

### How is the admin interface organized?

The settings page has three tabs:

 * **Analytics** – Visual dashboard showing bot traffic, charts, stats cards, and
   decision breakdown
 * **AI Endpoints** – llms.txt, JSON feed, markdown settings with copyable URLs
 * **Configuration** – Verifier URL, default policy, whitelist/blacklist, rate limits

### Do AI endpoints bypass membership or paywall plugins?

The AI endpoints (llms.txt, JSON feed, markdown) serve content directly on early
request interception and only check if content is published and not password-protected.
If you use a membership or paywall plugin that restricts content via later WordPress
hooks, that content may still be accessible via AI endpoints.

To control this, you can:

 * Disable specific AI endpoints in Settings > OpenBotAuth > AI Endpoints
 * Use the `openbotauth_should_serve_feed`, `openbotauth_should_serve_llms_txt`,
   or `openbotauth_should_serve_markdown` filters to add custom logic
 * Exclude specific post types from AI endpoints using the post types setting

## باھالاشلار

بۇ قىستۇرمىغا تېخى باھا يېزىلمىدى.

## تۆھپىكار ۋە ئىجادكار

«OpenBotAuth – AI Crawler Access Control» كودى ئوچۇق يۇمشاق دېتال. تۆۋەندىكى كىشىلەر
بۇ قىستۇرمىغا تۆھپە قوشقان.

تۆھپىكار

 *   [ hammadtq ](https://profiles.wordpress.org/hammadtq/)

[«OpenBotAuth – AI Crawler Access Control» نى تىلىڭىزغا تەرجىمە قىلىڭ](https://translate.wordpress.org/projects/wp-plugins/openbotauth)

### ئىجادىيەتكە قىزىقامسىز؟

[كودقا كۆز يۈگۈرتۈپ](https://plugins.trac.wordpress.org/browser/openbotauth/)، [SVN خەزىنە](https://plugins.svn.wordpress.org/openbotauth/)
تەكشۈرۈپ ياكى [RSS](https://plugins.trac.wordpress.org/log/openbotauth/?limit=100&mode=stop_on_copy&format=rss)
ئارقىلىق [ئىجادىيەت خاتىرىسى](https://plugins.trac.wordpress.org/log/openbotauth/)
گە مۇشتەرى بولغىلى بولىدۇ.

## ئۆزگىرىش خاتىرىسى

#### 1.0.0

 * First stable release for WordPress.org directory
 * AI referrer tracking via utm_source parameter (ChatGPT, Claude, Gemini, Perplexity,
   Copilot)
 * AI feed options enabled by default on fresh install
 * Feed limit default increased to 100 posts
 * Improved plugin activation defaults

#### 0.1.3

 * Analytics is now the default tab (see bot traffic immediately on first visit)
 * Bot traffic tracking: see which AI bots (GPTBot, ClaudeBot, PerplexityBot, etc.)
   are crawling your site
 * Yoast SEO compatibility: user-controlled toggle to let Yoast manage llms.txt
 * Default: OpenBotAuth llms.txt stays ON (no silent failures if Yoast llms.txt 
   not configured)
 * Added «Use Yoast llms.txt» toggle when Yoast is detected (OFF by default)
 * Shows «Managed by Yoast» badge when toggle is enabled
 * Feed + markdown endpoints work alongside Yoast (OpenBotAuth’s unique value)
 * Renamed «AI Artifacts» tab to «AI Endpoints» for clarity
 * Configurable post types for AI endpoints (posts, pages, custom types)
 * Empty post types setting now correctly returns empty feed
 * Markdown endpoint respects post types setting
 * Fixed disabled endpoints returning proper 404 (not falling through to WordPress)
 * Fixed subdirectory install routing to prevent /blog matching /blog2
 * Visual analytics dashboard with charts and stats cards
 * Improved first-run UX and WP-admin-friendly copy

#### 0.1.2

 * Added llms.txt endpoint for AI discovery (/llms.txt and /.well-known/llms.txt)
 * Added JSON feed at /.well-known/openbotauth-feed.json
 * Added per-post markdown at /.well-known/openbotauth/posts/{ID}.md
 * Added metadata provider abstraction for future Yoast/SEO plugin integration
 * Supports subdirectory WordPress installs
 * Implements HTTP conditional GET (304 Not Modified responses)
 * Added AI Artifacts settings tab in admin
 * No rewrite rules – uses early request interception
 * Filter hooks for endpoint customization: openbotauth_should_serve_llms_txt, openbotauth_should_serve_feed,
   openbotauth_should_serve_markdown
 * Content filters: openbotauth_feed_item, openbotauth_markdown_content

#### 0.1.1

 * Added local-only analytics dashboard
 * Added openbotauth_policy filter for custom policy logic
 * Added openbotauth_verified action for tracking verified requests
 * Added openbotauth_payment_required action for payment events
 * Improved whitelist-only semantics: non-whitelisted agents are now denied
 * Fixed HTTP status codes for deny (403) and rate_limit (429) responses
 * Human visitors without signature headers now bypass gating entirely
 * Added URL sanitization for verifier and payment URL settings
 * Softened payment UI text to clarify 402 stub functionality

#### 0.1.0

 * Initial release
 * RFC 9421 signature verification
 * Content teaser support
 * Rate limiting
 * Whitelist/blacklist support
 * Per-post policy overrides
 * REST API for policy retrieval

## Meta

 *  Version **1.0.0**
 *  ئاخىرقى يېڭىلانغان ۋاقىت **3 ئاي بۇرۇن**
 *  ئاكتىپ ئورنىتىش سانى **10 دىن ئاز**
 *  WordPress نەشرى ** 6.0 ياكى يۇقىرى **
 *  **6.9.4** دا سىنالغان
 *  PHP نەشرى ** 7.4 ياكى يۇقىرى **
 *  تىل
 * [English (US)](https://wordpress.org/plugins/openbotauth/)
 * بەلگە
 * [AI](https://ug.wordpress.org/plugins/tags/ai/)[bots](https://ug.wordpress.org/plugins/tags/bots/)
   [crawler](https://ug.wordpress.org/plugins/tags/crawler/)[llms.txt](https://ug.wordpress.org/plugins/tags/llms-txt/)
   [security](https://ug.wordpress.org/plugins/tags/security/)
 *  [ئالىي كۆرۈنۈش](https://ug.wordpress.org/plugins/openbotauth/advanced/)

## دەرىجە

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/openbotauth/reviews/#new-post)

[بارلىق ئىنكاسنى كۆرسەت](https://wordpress.org/support/plugin/openbotauth/reviews/)

## تۆھپىكار

 *   [ hammadtq ](https://profiles.wordpress.org/hammadtq/)

## قوللاش

چۈشەندۈرۈشىڭىز بارمۇ؟ ياردەم لازىممۇ؟

 [قوللاش مۇنبىرىنى كۆرسەت](https://wordpress.org/support/plugin/openbotauth/)