Royal AI Firewall is live on WordPress.org today. Free forever, no upgrade prompt. See every AI bot hitting your WordPress site — GPTBot, ClaudeBot, PerplexityBot, ByteSpider, and 50+ others — and decide who gets in with one-click per-bot controls.
The Problem: You Can’t See Who’s Reading Your Site Anymore
Every WordPress site on the public web is now visited by AI crawlers. GPTBot pulls content for OpenAI model training. ClaudeBot pulls content for Anthropic model training. PerplexityBot indexes for AI search results. Bytespider feeds ByteDance’s models. CCBot populates the Common Crawl dataset that dozens of other AI systems draw from.
Most site owners have no idea any of this is happening. Server logs are noisy. Analytics tools filter out bots by design. Cloudflare’s bot dashboards focus on threats, not attribution. And the trade-off — block a bot and possibly disappear from ChatGPT search results, allow one and get your content used for training — is invisible until you can actually see it happening.
Royal AI Firewall was built for that gap: a live, plain-language dashboard of every AI agent that hit your site in the last 24 hours, with a per-bot dropdown to allow, block, or log-only each one.
What Royal AI Firewall Does
Five things, all shipped in the free wp.org release:
- Live AI bot dashboard. A hero metric of total AI bot hits in the last 24 hours, a per-bot list with hit count, bandwidth, and a one-click policy dropdown for each row. Click any row to expand a drill-down: top URLs the bot hit, recent activity, and a plain-language note on what blocking would cost you (e.g. “blocking GPTBot may remove your site from ChatGPT search results”).
- Per-bot policy controls. Four states per bot: use default policy, always allow, log only, or block. Blocked bots receive a 403 response before WordPress runs any heavy work. Search engines (Googlebot, Bingbot, Applebot, DuckDuckBot) are protected from accidental blocking by default, with a clear override toggle for advanced use.
- Master “block all AI bots” panic button. One click, applied at the WordPress layer, no config file edits.
- Cloudflare setup wizard. The first-run wizard detects Cloudflare on your site and tells you exactly which CF settings to dial down (AI Audit, AI Labyrinth, custom AI-blocking WAF rules) so this plugin can take over the AI-bot layer, and which settings to keep on (DDoS, managed WAF, SSL/TLS, caching, Bot Fight Mode).
- MCP / Abilities API activity widget. If you have Royal MCP or any other Model Context Protocol server plugin installed, MCP tool invocations from connected AI agents (Claude, ChatGPT, Gemini) appear alongside HTTP-layer bot traffic on the dashboard.
Why Cloudflare Compatibility Is a Feature, Not a Footnote
If you’re behind Cloudflare, most existing “block AI bots” guides break something: they tell you to enable Cloudflare’s AI Audit or AI Labyrinth, then leave you unable to see or override the decisions those tools make. Or they tell you to install a WordPress plugin without mentioning that CF is silently intercepting AI-bot traffic upstream, so nothing you do inside WordPress has any effect.
The setup wizard’s Cloudflare screen tells you exactly which CF settings to turn off:
- AI Audit → set to “Allow”
- AI Labyrinth → OFF
- Custom WAF rules blocking AI bots → delete (the per-bot controls in this plugin replace them)
- Security Level → Medium or Low
And which CF settings to keep on (they don’t conflict): DDoS protection, managed WAF rules, SSL/TLS, Bot Fight Mode (basic tier), Browser Integrity Check, and caching. Step-by-step click-path with screenshots for each CF setting is in the Cloudflare Setup Guide. If you want the full explanation of why this split matters, we wrote about it here: Cloudflare’s Block AI Bots silently breaks MCP.
The dashboard also detects Cloudflare on every admin page load and shows a status card with an honest estimate of how many AI bots may have been filtered by Cloudflare at the edge before reaching WordPress — because if CF is doing 90% of the blocking, you deserve to know that’s where the credit belongs.
Under the Hood: Free, Self-Hosted, No Phone Home
The plugin makes no outbound HTTP calls by default. The bundled bot fingerprint catalog (currently 55 AI bots across 6 categories: training crawlers, retrieval bots, AI search engines, agent browsers, dataset scrapers, and traditional search engines) ships with each plugin release and refreshes automatically when you update Royal AI Firewall through the standard WordPress plugin updater.
If you want catalogs fresher than the per-release cadence provides, an optional Settings toggle opts in to one HTTP GET per day to fingerprints.royalplugins.com. That toggle is off by default. No telemetry, no license check, no license activation, no traffic beacon, no analytics call is ever made — regardless of toggle state. Your data stays on your server.
Log retention defaults to 7 days and is filterable via raif_log_retention_days for developers who need a different value. The classifier runs in-process against a pre-compiled pattern list with a hard budget of under 5 milliseconds per request. Logging is buffered and flushed on the WordPress shutdown hook (after the response is sent) so the response latency a visitor sees is not affected by database writes.
Install It in Three Steps
- In your WordPress dashboard, go to Plugins → Add New and search for Royal AI Firewall. Click Install Now, then Activate.
- Walk the 4-step setup wizard. It runs automatically on first activation and is skippable from any step. If you’re behind Cloudflare, step 3 is the single best reference for what CF settings interact with this plugin.
- Open the AI Firewall menu in your WordPress admin and wait 2–6 hours for the first AI bot hits to populate the dashboard. Or trigger a manual test with curl:
curl -A "GPTBot/1.2" https://your-site.com/— you’ll see that hit in the dashboard within seconds.
Why It’s Free (and Staying That Way)
Every feature ships in the free wp.org release. There is no Pro version. No paid tier is planned. Updates go through the standard WordPress plugin updater alongside every other free plugin you have installed.
Why? Because a firewall that quietly nudges you to upgrade to see “which bots are hitting you” is not really doing the job. The whole point of the plugin is visibility — and visibility that’s gated behind a subscription is the same problem the plugin exists to solve, just with a different gatekeeper.
What’s Next
The v1.0 catalog covers 55 AI bots. The categories most in flux are agent browsers (OperatorAgent, ChatGPT-Atlas, Claude-Computer-Use) — a newer class where AI systems drive an actual browser through your site rather than crawling markup. If you’re seeing traffic from something we don’t recognize yet, please open a thread on our wp.org support forum — that’s the fastest way to get a bot added to the classifier.
Cloudflare is changing its AI-bot defaults on September 15, 2026 — unidentified AI crawlers will be blocked by default at the CF edge unless the site owner opts out. We wrote about what that means here: Cloudflare’s September 15 AI-bot defaults. The wizard’s Cloudflare step will be updated as those changes land so your setup remains correct.
Full documentation lives at royalplugins.com/support/royal-ai-firewall/.