https://github.com/equalitie/baskerville
Baskerville Wordpress Plugin
https://github.com/equalitie/baskerville
ai-bots bot-detection country-blocking crawler-detection ddos-protection privacy security web-security wordpress wordpress-plugin
Last synced: about 2 months ago
JSON representation
Baskerville Wordpress Plugin
- Host: GitHub
- URL: https://github.com/equalitie/baskerville
- Owner: equalitie
- License: gpl-3.0
- Created: 2025-09-26T11:22:03.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2026-04-03T11:52:10.000Z (2 months ago)
- Last Synced: 2026-04-03T16:28:25.374Z (2 months ago)
- Topics: ai-bots, bot-detection, country-blocking, crawler-detection, ddos-protection, privacy, security, web-security, wordpress, wordpress-plugin
- Language: PHP
- Homepage:
- Size: 703 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: license.txt
Awesome Lists containing this project
README
# Baskerville WordPress Plugin
A WordPress security plugin with GeoIP-based access control, AI-powered bot detection, Cloudflare Turnstile integration, and advanced fingerprinting.
## Features
- 🛡️ **AI-Powered Bot Detection** - Classification of bots vs. humans with configurable thresholds
- 🌍 **GeoIP Access Control** - Block or allow traffic by country (whitelist/blacklist)
- 🔍 **Browser Fingerprinting** - Advanced client-side fingerprinting with Canvas, WebGL, Audio
- ☁️ **Cloudflare Turnstile** - CAPTCHA challenge for borderline bot scores with precision analytics
- 🍯 **Honeypot Detection** - Hidden links to catch AI crawlers
- 📊 **Traffic Analytics** - Real-time statistics, live feed, and Turnstile precision metrics
- ⚡ **Performance Optimized** - Minimal overhead (~1ms with page cache, ~30-50ms without)
- 🔐 **IP Whitelist** - Bypass firewall for trusted IPs
- 🚀 **Caching** - APCu + file-based caching for GeoIP lookups
- 🚨 **Under Attack Mode** - Emergency mode to challenge all visitors
## Building
Run from the **parent directory** of the plugin folder:
```bash
cd .. # from baskerville/ go to parent directory
zip -r9 baskerville.zip baskerville/ \
-x "*.DS_Store" \
-x "baskerville/.git/*" \
-x "baskerville/.gitignore" \
-x "baskerville/.idea/*" \
-x "baskerville/.claude/*" \
-x "baskerville/vendor/*" \
-x "*.log" \
-x "*.txt" \
-x "*.sh" \
-x "*.html" \
-x "baskerville/test-*.php" \
-x "baskerville/composer.json" \
-x "baskerville/deployment.md" \
-x "baskerville/bot-detector*.js" \
-x "baskerville/ab" \
-x "baskerville/done" \
-x "baskerville/sleep"
```
**Note**: The `vendor/` folder is excluded. After plugin installation, go to **Settings → Baskerville → Settings** and click "Install MaxMind Library" to enable GeoIP features.
## Installation
1. Upload `baskerville.zip` in WordPress Admin → Plugins → Add New → Upload Plugin
2. Activate the plugin
3. Go to Settings → Baskerville to configure
## Configuration
### GeoIP Setup
1. Go to **Settings → Baskerville → Settings**
2. Install MaxMind GeoLite2 database (one-click installer)
3. Configure access mode:
- **Allow All** (default) - No country restrictions
- **Blacklist** - Block specific countries
- **Whitelist** - Allow only specific countries
### IP Whitelist
1. Go to **Settings → Baskerville → IP Whitelist**
2. Click "Add My IP" to whitelist your current IP
3. Or manually add IPs (one per line or comma-separated)
**Use cases**:
- Load testing with Apache Bench
- Whitelisting office network
- Development environments
- Monitoring services
### Cloudflare Turnstile
Turnstile provides a CAPTCHA-like challenge for visitors with borderline bot scores, allowing legitimate users to prove they're human instead of being blocked outright.
1. Go to **Settings → Baskerville → Turnstile**
2. Get your Site Key and Secret Key from [Cloudflare Dashboard](https://dash.cloudflare.com/?to=/:account/turnstile)
3. Enter the keys and enable Turnstile
4. Configure the borderline score range (default: 40-70)
**Settings**:
- **Bot Score Challenge** - Show Turnstile to visitors with scores in the borderline range
- **Score Range** - Define min/max bot score for challenge (e.g., 40-70)
- **Under Attack Mode** - Emergency mode that challenges ALL visitors (use during attacks)
- **Form Protection** - Protect login, registration, and comment forms
**Score interpretation**:
- 0-39: Likely human (allowed)
- 40-70: Borderline (show Turnstile challenge)
- 71-100: Likely bot (blocked)
**Precision Analytics**:
The Analytics tab shows Turnstile effectiveness:
- **Redirects** - Number of challenges shown
- **Passed** - Visitors who completed the challenge
- **Failed** - Visitors who failed or abandoned (likely bots)
- **Precision** - % of challenges that caught bots: `(redirects - passes) / redirects`
### Bot Control
Configure how bots are detected and banned.
1. Go to **Settings → Baskerville → Bot Control**
**Settings**:
- **Ban All Detected Bots** - Ban all `bot` classifications, not just `bad_bot`
- **Instant Ban Threshold** - Score threshold (0-100) for immediate ban without waiting for burst protection. Visitors with scores >= threshold are banned instantly if they don't look like a browser and aren't verified crawlers.
**Example**: With threshold set to 70, a visitor with score 75 and suspicious headers will be banned immediately.
### Performance Optimization Tips
#### 1. Enable Page Caching (Critical!)
**Impact**: -95% response time
```bash
# Install one of:
- WP Super Cache (free)
- W3 Total Cache (free)
- LiteSpeed Cache (free)
- WP Rocket (paid)
```
**Why it helps**:
- Cached pages bypass WordPress PHP execution
- Baskerville firewall is not executed for cached pages
- Overhead drops from 50ms → 0ms
---
#### 2. Enable APCu for Object Caching
**Impact**: 10x faster cache operations
```bash
# Ubuntu/Debian
sudo apt install php-apcu
sudo systemctl restart php-fpm
# Verify
php -m | grep apcu
```
**Why it helps**:
- GeoIP lookups cached in memory (not disk)
- Ban cache uses RAM (faster than file I/O)
- APCu: 0.05ms, File: 0.5ms per operation
---
#### 3. Use NGINX GeoIP2 Module
**Impact**: 10x faster GeoIP lookups
```nginx
# /etc/nginx/nginx.conf
load_module modules/ngx_http_geoip2_module.so;
http {
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
auto_reload 5m;
$geoip2_data_country_code country iso_code;
}
fastcgi_param GEOIP2_COUNTRY_CODE $geoip2_data_country_code;
}
```
**Why it helps**:
- NGINX does GeoIP lookup (not PHP)
- Result passed via `$_SERVER['GEOIP2_COUNTRY_CODE']`
- Baskerville uses NGINX result (no MaxMind DB lookup needed)
---
#### 4. Enable PHP OPcache
**Impact**: 30-50% faster PHP execution
```bash
# Check if enabled
php -i | grep opcache.enable
# Enable in php.ini
opcache.enable=1
opcache.memory_consumption=256
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=10000
opcache.validate_timestamps=0 # Production only
```
### Logging Mode Comparison
| Mode | Overhead | Analytics | Shared Hosting | Recommended For |
|------|----------|-----------|----------------|-----------------|
| **File** | ~50-70ms (5%) | ✅ Full (5min delay) | ✅ Perfect | Production |
| **Disabled** | ~0ms (0%) | ❌ None | ✅ Perfect | Testing/Dev |
| **Database** | ~500ms (36%) | ✅ Instant | ❌ Slow | VPS only |
---
### Conclusion
Baskerville with **File Logging** adds **5% overhead** while providing:
- ✅ GeoIP-based access control
- ✅ AI-powered bot detection with configurable thresholds
- ✅ Cloudflare Turnstile for borderline cases
- ✅ Honeypot detection for AI crawlers
- ✅ Advanced fingerprinting
- ✅ Real-time traffic analytics with precision metrics
- ✅ Rate limiting & ban management
**Recommendations**:
- ✅ Use **File Logging** mode for production (default)
- ✅ Enable page caching (WP Super Cache, etc.)
- ✅ Install APCu if available (10x faster cache)
- ✅ Whitelist monitoring/testing IPs
- ✅ Configure Turnstile for borderline scores (40-70)
- ✅ Set Instant Ban Threshold for high-risk visitors (e.g., 85)
---
## Troubleshooting
### Slow Performance
**Symptom**: Page loads take >5 seconds
**Solutions**:
1. ✅ Enable page caching (WP Super Cache)
2. ✅ Install APCu: `apt install php-apcu`
3. ✅ Enable PHP OPcache
4. ✅ Use NGINX GeoIP2 module (optional)
### Cache Issues
**Symptom**: GeoIP shows wrong country after VPN change
**Solution**: Clear GeoIP cache
1. Go to **Settings → Baskerville → GeoIP Test**
2. Click "Clear GeoIP Cache" button
3. Page will reload with updated country
### Load Testing Blocked
**Symptom**: Apache Bench gets 403 errors
**Solution**: Whitelist your IP
1. Go to **Settings → Baskerville → IP Whitelist**
2. Click "Add My IP" button
3. Run tests again
---
## Development
### File Structure
```
baskerville/
├── admin/
│ └── class-baskerville-admin.php # Admin UI, settings, analytics
├── includes/
│ ├── class-baskerville-core.php # Core functions, caching, GeoIP
│ ├── class-baskerville-firewall.php # Firewall logic, blocking rules
│ ├── class-baskerville-ai-ua.php # AI bot detection & classification
│ ├── class-baskerville-stats.php # Analytics & database logging
│ ├── class-baskerville-rest.php # REST API for fingerprinting
│ ├── class-baskerville-turnstile.php # Cloudflare Turnstile integration
│ └── class-baskerville-honeypot.php # Honeypot for AI crawler detection
├── assets/
│ ├── js/baskerville.js # Frontend fingerprinting script
│ └── css/ # Styles
├── vendor/ # MaxMind GeoIP2 library (auto-installed)
└── baskerville.php # Main plugin file
```
### Database Schema
```sql
CREATE TABLE wp_baskerville_stats (
id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
visit_key VARCHAR(64),
ip VARCHAR(45),
country_code VARCHAR(2), -- Added in v1.0.0
baskerville_id VARCHAR(32),
timestamp_utc DATETIME,
score INT,
classification VARCHAR(32),
user_agent TEXT,
evaluation_json LONGTEXT,
score_reasons TEXT,
classification_reason TEXT,
block_reason VARCHAR(120),
event_type VARCHAR(16),
had_fp TINYINT(1),
INDEX idx_timestamp (timestamp_utc),
INDEX idx_ip (ip),
INDEX idx_country_code (country_code), -- Added in v1.0.0
INDEX idx_event_type (event_type)
);
```
---
## License
GPL v3 or later - Compatible with WordPress.org plugin directory requirements.
## Support
For issues and feature requests, please open an issue on GitHub.