JTZL's Bot Maze

1.2.0

• robots.txt: the settings page now verifies whether the trap Disallow rule is actually live in the robots.txt your site serves, and reports the result right under the checkbox. Previously the rule could silently have no effect when a static robots.txt file at your site root overrode the one WordPress generates.
• Added an admin notice when the Disallow rule is enabled but missing from the served robots.txt, with the exact lines to add and a one-click option to append them to an existing writable robots.txt file.
• SEO-plugin compatibility: the Disallow rule is now added at a late filter priority so it survives plugins that replace the generated robots.txt (such as Rank Math’s editor). When a static file or another plugin manages your robots.txt, the settings page and admin notice point you to add the rule there.
• The verification re-checks daily in the background and never runs a blocking request on every admin page; a failed check retries within minutes instead of staying stale, and the rule is recognized regardless of spacing or inline comments.
• Clarified that the robots.txt modification applies to WordPress’s generated robots.txt and cannot take effect alongside a static robots.txt file or when search-engine visibility is switched off.

1.1.0

• Cloudflare support: selecting the Cloudflare trusted client IP header now loads Cloudflare’s official IP ranges automatically — no manual entry required. Sites behind Cloudflare record the real visitor IP (and country) instead of Cloudflare’s edge servers.
• Cloudflare’s IP ranges refresh automatically each week via WP-Cron, falling back to a bundled, validated list if a refresh fails.
• Added an admin notice that detects when your site is served through Cloudflare and offers one-click setup of the correct trusted client IP header.
• Clarified the Trusted Proxy IPs field as an optional override and made clear that only the Cloudflare preset ships built-in ranges (other headers still require manual entry).
• Improved IPv6 handling when matching manually entered trusted-proxy addresses.

1.0.1

• WordPress.org review compliance: removed non-distributable files from the plugin package and removed an unused class.
• Bumped “Tested up to” to WordPress 7.0.

1.0.0-rc.6

• Added MaxMind GeoLite2 as a GDPR-friendly local GeoIP provider option.
• Added 3-way GeoIP provider selector: Disabled, MaxMind GeoLite2 (local), or ip-api.com (external).
• MaxMind database auto-updates weekly via WP-Cron.
• Added clear privacy warnings for each provider option in the settings UI.
• Updated privacy policy text to describe both provider options.
• Geographic map section now hidden entirely when geo tracking is disabled.
• Migrates existing geo tracking setting to new provider architecture.
• Added Vitest job to CI with coverage reporting.

1.0.0-rc.5

• Added geographic heat map of bot activity by country using Leaflet.js choropleth.
• Added GeoIP service for resolving visitor IP addresses to country codes.
• Added AJAX endpoint for dynamic country data loading.
• Added the “Full Tarpit Delay (ms)” setting.
• UI improvements on the Analytics page.

1.0.0-rc.4

• Added Blocked Bots detail page showing full user agent, score, visit count, and timestamps.
• Added Recent Activity page with 7-day filter, pagination, and request type badges (Trap Visit, Blocked, Exempted).
• All dashboard summary cards are now clickable links to their own detail pages.
• Added comprehensive bot tracking mode (opt-in setting) to continue recording blocked bot visits on trap pages.
• Added request type badges to distinguish trap visits, blocked bot visits, and exempted crawler visits.
• Removed Recent Activity table from analytics dashboard (moved to dedicated page).

1.0.0-rc.3

• Added privacy policy suggestion for GDPR compliance.

1.0.0-rc.2

• Added the About Page.
• Added the Trap Pages.
• Improved the Analytics Page.

1.0.0-rc.1

• Hardened settings with server-side upper bounds on all numeric options
• Centralized option sanitization — single source of truth for bounds
• Added length truncation for stored user-agent, referrer, and request URI values
• Per-request slug cache in trap router eliminates duplicate DB queries
• Extracted shared rightmost-IP logic into a reusable helper
• Validated injection method and blocking behavior enums at read time
• Added bot scoring options (points_per_visit, depth_bonus, block_threshold) to bounded sanitization
• Routed maintenance cron through container config for consistent bounds enforcement
• Full test coverage across all source files (100% lines, 100% methods)

1.0.0-alpha.4

• Light tarpit as default blocking behavior
• Clearer blocking settings descriptions

1.0.0-alpha.3

• Bot blocking and tarpitting with configurable behavior
• Robots.txt integration
• Trusted proxy header support
• Race condition guards for concurrent trap page generation

1.0.0-alpha.2

• Full test suite and CI workflow
• Frontend build tooling for admin assets
• Bug fixes for bot score threshold and URL normalization

1.0.0-alpha.1

• Initial release
• Trap link injection into post content and footer
• Lazy maze generation with configurable depth and branching
• Bot scoring based on trap page visits and traversal depth
• IP tracking with proxy-aware detection
• Admin settings page
• Analytics dashboard