JTZL's Bot Maze

1.1.0

• Cloudflare support: selecting the Cloudflare trusted client IP header now loads Cloudflare’s official IP ranges automatically — no manual entry required. Sites behind Cloudflare record the real visitor IP (and country) instead of Cloudflare’s edge servers.
• Cloudflare’s IP ranges refresh automatically each week via WP-Cron, falling back to a bundled, validated list if a refresh fails.
• Added an admin notice that detects when your site is served through Cloudflare and offers one-click setup of the correct trusted client IP header.
• Clarified the Trusted Proxy IPs field as an optional override and made clear that only the Cloudflare preset ships built-in ranges (other headers still require manual entry).
• Improved IPv6 handling when matching manually entered trusted-proxy addresses.

1.0.1

• WordPress.org review compliance: removed non-distributable files from the plugin package and removed an unused class.
• Bumped “Tested up to” to WordPress 7.0.

1.0.0-rc.6

• Added MaxMind GeoLite2 as a GDPR-friendly local GeoIP provider option.
• Added 3-way GeoIP provider selector: Disabled, MaxMind GeoLite2 (local), or ip-api.com (external).
• MaxMind database auto-updates weekly via WP-Cron.
• Added clear privacy warnings for each provider option in the settings UI.
• Updated privacy policy text to describe both provider options.
• Geographic map section now hidden entirely when geo tracking is disabled.
• Migrates existing geo tracking setting to new provider architecture.
• Added Vitest job to CI with coverage reporting.

1.0.0-rc.5

• Added geographic heat map of bot activity by country using Leaflet.js choropleth.
• Added GeoIP service for resolving visitor IP addresses to country codes.
• Added AJAX endpoint for dynamic country data loading.
• Added the “Full Tarpit Delay (ms)” setting.
• UI improvements on the Analytics page.

1.0.0-rc.4

• Added Blocked Bots detail page showing full user agent, score, visit count, and timestamps.
• Added Recent Activity page with 7-day filter, pagination, and request type badges (Trap Visit, Blocked, Exempted).
• All dashboard summary cards are now clickable links to their own detail pages.
• Added comprehensive bot tracking mode (opt-in setting) to continue recording blocked bot visits on trap pages.
• Added request type badges to distinguish trap visits, blocked bot visits, and exempted crawler visits.
• Removed Recent Activity table from analytics dashboard (moved to dedicated page).

1.0.0-rc.3

• Added privacy policy suggestion for GDPR compliance.

1.0.0-rc.2

• Added the About Page.
• Added the Trap Pages.
• Improved the Analytics Page.

1.0.0-rc.1

• Hardened settings with server-side upper bounds on all numeric options
• Centralized option sanitization — single source of truth for bounds
• Added length truncation for stored user-agent, referrer, and request URI values
• Per-request slug cache in trap router eliminates duplicate DB queries
• Extracted shared rightmost-IP logic into a reusable helper
• Validated injection method and blocking behavior enums at read time
• Added bot scoring options (points_per_visit, depth_bonus, block_threshold) to bounded sanitization
• Routed maintenance cron through container config for consistent bounds enforcement
• Full test coverage across all source files (100% lines, 100% methods)

1.0.0-alpha.4

• Light tarpit as default blocking behavior
• Clearer blocking settings descriptions

1.0.0-alpha.3

• Bot blocking and tarpitting with configurable behavior
• Robots.txt integration
• Trusted proxy header support
• Race condition guards for concurrent trap page generation

1.0.0-alpha.2

• Full test suite and CI workflow
• Frontend build tooling for admin assets
• Bug fixes for bot score threshold and URL normalization

1.0.0-alpha.1

• Initial release
• Trap link injection into post content and footer
• Lazy maze generation with configurable depth and branching
• Bot scoring based on trap page visits and traversal depth
• IP tracking with proxy-aware detection
• Admin settings page
• Analytics dashboard