WordPress attracts spam registrations, comment bots and login brute-force. This guide adds explainable bot detection with a small snippet you can drop into a site-specific plugin or your theme's functions.php. The browser is fingerprinted by the collector tag; PHP fetches a verdict and blocks automated clients. See the live demo.
1. Load the collector tag
Enqueue the collector so visitors get a session token:
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script(
        'detectip-collector',
        'https://detectip.ai/collector.js',
        array(), null, true
    );
});

// Add the data-key attribute to the collector's script tag.
add_filter('script_loader_tag', function ($tag, $handle) {
    if ($handle === 'detectip-collector') {
        return str_replace(' src=', ' data-key="pk_live_..." src=', $tag);
    }
    return $tag;
}, 10, 2);
2. A helper that fetches the verdict
Use the WordPress HTTP API; store your secret key in wp-config.php as a constant DETECTIP_KEY.
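function detectip_is_bot() {
    // No secret key configured: skip the check instead of raising an error.
    if (!defined('DETECTIP_KEY')) {
        return false;
    }
    // No token cookie (or a non-string value): treated as not a bot,
    // so clients that never run the collector pass this check.
    if (empty($_COOKIE['botd_token']) || !is_string($_COOKIE['botd_token'])) {
        return false;
    }
    $res = wp_remote_get(
        'https://detectip.ai/api/v1/verdict?token=' . rawurlencode($_COOKIE['botd_token']),
        array(
            'timeout' => 2,
            'headers' => array('X-API-Key' => DETECTIP_KEY),
        )
    );
    if (is_wp_error($res)) {
        return false; // fail open
    }
    $body = json_decode(wp_remote_retrieve_body($res), true);
    return isset($body['action']) && $body['action'] === 'block';
}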
3. Block spam registrations
add_filter('registration_errors', function ($errors) {
    if (detectip_is_bot()) {
        $errors->add('botd', 'Registration blocked.');
    }
    return $errors;
}, 10, 1);
4. Block comment spam
add_filter('preprocess_comment', function ($commentdata) {
    if (detectip_is_bot()) {
        wp_die('Comment blocked.', 'Blocked', array('response' => 403));
    }
    return $commentdata;
});
5. Harden wp-login (optional)
Hook wp_authenticate to challenge or block automated login attempts the same way. Pair with rate limiting for brute-force defense — see stopping credential stuffing.
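One way to wire step 5 together with a simple per-address failure limit, as an added example that is not detectip.ai's or this guide's own code. It assumes detectip_is_bot() from step 2 is loaded; the mysite_* names, the 5-failure threshold and the 15-minute window are hypothetical choices.

```php
<?php
// Added example. Assumes detectip_is_bot() from step 2; the mysite_* names
// and both limits below are hypothetical and should be tuned per site.
define('MYSITE_LOGIN_MAX_FAILS', 5);        // assumed threshold
define('MYSITE_LOGIN_WINDOW', 15 * 60);     // assumed window, in seconds

function mysite_login_throttle_key() {
    // REMOTE_ADDR is the proxy's address when the site sits behind a reverse
    // proxy or CDN; in that setup every visitor would share one counter.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'mysite_login_fails_' . md5($ip); // md5 only shortens the key
}

// Count failed logins per client address. Each failure also renews the
// transient's expiry, so the window slides while failures keep arriving.
add_action('wp_login_failed', function () {
    $key   = mysite_login_throttle_key();
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, MYSITE_LOGIN_WINDOW);
});

// wp_authenticate runs before the credentials are checked.
add_action('wp_authenticate', function ($username) {
    // wp-login.php fires this hook even when it only renders the form,
    // so ignore requests that carry no username.
    if (empty($username)) {
        return;
    }
    // Rate limit first: it needs no outbound HTTP call.
    $fails = (int) get_transient(mysite_login_throttle_key());
    if ($fails >= MYSITE_LOGIN_MAX_FAILS) {
        wp_die('Too many failed logins. Try again later.', 'Blocked',
            array('response' => 429));
    }
    // Same verdict check as registrations and comments.
    if (function_exists('detectip_is_bot') && detectip_is_bot()) {
        wp_die('Login blocked.', 'Blocked', array('response' => 403));
    }
});
```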
Why not just a plugin blacklist?
IP blacklists miss fresh proxies and residential botnets. detectip.ai scores the network fingerprint, IP intelligence and behavior together and shows every signal, so it catches automation that rotates IPs. Background: how to detect proxies and VPNs.
FAQ
Will real users be blocked? Only clients the engine scores as bots; tune by acting on challenge vs block. Good crawlers are verified, not blocked.
Performance? The 2-second timeout fails open, and you only check on submit actions, not every page load.