Most shared hosting and budget PaaS platforms (Railway, Vercel, Render, etc.) have no built-in protection against spam traffic, scanners, brute-force attempts, and cache-flooding bots. This leads to: slower TTFB, overloaded caches, higher hosting bills, and an increased attack surface.
Bot Blocker instantly filters suspicious requests by User-Agent or path, blocks brute-force and flood attempts, and keeps a persistent ban list in SQLite for 7 days β all without root access or complex setup. In real-world use, it cuts response times, reduces hosting costs, and keeps logs almost bot-free.
Problem: This results in:
- Increased TTFB β sometimes by +1 second (hurts Google PageSpeed score)
- Cache overload β forcing CDN and app caches to store junk responses
- Higher hosting bills β on pay-per-use tariffs, you pay for βgarbageβ traffic
- Security risks β open attack surface for automated exploits
Bot Blocker is a lightweight, self-contained PHP traffic filter built for real-world problem solving on shared hosting and PaaS platforms:
- Instantly detects and blocks suspicious requests by User-Agent or path (URI).
- Automatically bans an IP after 3 bad requests or if it exceeds 10 requests in 5 seconds.
- Stores the ban list in SQLite (local, no MySQL/PostgreSQL) with automatic cleanup after 7 days.
- Detects real visitor IPs behind proxy/CDN (
HTTP_X_FORWARDED_FOR,HTTP_CF_CONNECTING_IP, etc.). - Requires no root access or complex setup β integrates with one line in
index.php. - Database and logs are protected β
.dbis stored above the web root +.htaccessblocking.
- π Local β no network delays
- β‘ Fast β read/write in ms
- π Safe β DB stored outside public webroot
- π Zero config β works on PHP β₯ 5.4 out of the box
-
Place files:
bot-blocker.phpβ in your PHP project root.bot-blocker.dbβ stored one directory above web root for security.
-
Protect database: Add to
.htaccess:<Files "bot-blocker.db"> Order allow,deny Deny from all </Files>
-
Include in your scripts (e.g., at the top of
index.php):require_once __DIR__ . '/bot-blocker.php';
- WordPress attack entry points (
wp-login.php,xmlrpc.php,wp-admin, etc.) - Database & config files (
.env,.db,.sql,.zip,.tar,.gz,.log,.bak,.git,.svn) - Dev/project files (
composer.json,package.json,node_modules) - Security-related text files (
security.txt,.well-known/security.txt,ads.txt,humans.txt,llms.txt,list.txt,sitemap.xml)
- CLI tools (
curl,wget,python,sqlmap,nmap, etc.) - Vulnerability scanners (
acunetix,nikto,netsparker, etc.) - Crawlers/bots (
crawler,scrapy,search,spider, etc.) - Data mining tools (
Dataprovider,SimilarWeb,DataForSEO, etc.) - Performance auditing tools (
Chrome-Lighthouse,GTmetrix,WebPageTest, etc.) - AI crawlers/assistants (
ClaudeBot,ChatGPT-User,PerplexityBot, etc.)
| Problem | How Bot Blocker Solves It |
|---|---|
| Junk requests from bad User-Agents (bots, scrapers, scanners) | Detects and blocks instantly by matching against an extended bad UA list (including Dataprovider, Chrome-Lighthouse, ClaudeBot, ChatGPT, vulnerability scanners, CLI tools). |
Access to sensitive files (wp-login.php, .env, .sql, .git, etc.) |
Blocks requests to known dangerous paths and files, including CMS admin pages, config files, backups, and spam .txt files (ads.txt, humans.txt, security.txt, sitemap.xml). |
| Brute-force & vulnerability scanning | Tracks repeated suspicious requests from the same IP and bans offenders after a set number of attempts (default: 3). |
| Flood / rate-based attacks | Implements rate limiting: more than 10 requests in 5 seconds from one IP β instant ban. |
| Temporary bans that reset on restart | Stores bans in a local SQLite database for 7 days β persistent across server restarts. |
| Database overload with request logs | Automatic cleanup of old request logs every minute to keep storage small and performance high. |
| Wrong IP bans behind proxy/CDN | Detects real visitor IP from Cloudflare and proxy headers (HTTP_X_FORWARDED_FOR, HTTP_CF_CONNECTING_IP, etc.), not just REMOTE_ADDR. |