WordPress Plugins
Free Tools
Pricing Blog Case Studies Switch to Royal Plugin Graveyard Support My Account Cart
Free on WordPress.org

See every AI agent on your site. Decide who gets in.

By Jameson · Founder & Lead Developer · Published July 2026

GPTBot, ClaudeBot, PerplexityBot, ByteSpider, and 50+ others are hitting your WordPress site right now — most owners have no idea what they’re taking, or how to control it. Royal AI Firewall puts the live list, the one-click controls, and the Cloudflare integration guide directly in your WordPress admin. Every feature ships free. No upgrade prompt. Ever.

Install from WordPress.org Read the docs
55
AI bots recognized
6
Bot categories tracked
0
Outbound calls by default
4
Policy states per bot

Managing AI bots shouldn’t take a Cloudflare cert.

Blocking one AI bot on the web today means clicking through a moving-target dashboard, deciphering which plan tier still includes the setting you need, and hoping the panel name hasn’t been renamed since last month. It doesn’t have to be that hard.

Cloudflare moves the goalposts every quarter

Cloudflare does show AI bots by name in its dashboard — if you can find the panel this month. AI Audit, AI Labyrinth, Bot Fight Mode, Super Bot Fight Mode, Managed Rules, Custom Rules, WAF managed AI category — the features are constantly renamed, reshuffled between Free / Pro / Business / Enterprise, and hidden three menus deep in a UI designed for network engineers. Every time you sit down to block one specific bot you burn 20 minutes hunting through the console for whichever setting Cloudflare renamed this quarter, and half the time the granular per-agent rule you need has quietly moved to a paid tier. Blocking “GPTBot but not ChatGPT-User” is a project.

One page. Every AI bot. Every switch in one place.

Every AI bot hitting your site, listed by name inside wp-admin. One dropdown per bot: allow, block, log-only. Blocking consequence explained right next to the toggle so you know what you’re giving up before you flip it. GPTBot and ChatGPT-User are separate rows, so you can block training without blocking retrieval — without writing a WAF rule, without hunting through Cloudflare menus. 55 AI bots across 6 categories at launch. Catalog refreshes automatically on every plugin update.

Six features. One admin page. Zero configuration to start seeing data.

Every panel below is on the same dashboard screen inside wp-admin. Activate the plugin, walk the wizard, refresh — bot hits start populating and the controls are live.

Live AI bot dashboard

Per-bot hit counts, bandwidth used, and the last time each bot touched your site. Hero metric for the last 24 hours plus a sortable per-row drill-down with top URLs, recent activity, and what blocking the bot would cost you.

One-click per-bot policy + panic button

Each row has a dropdown: Use default policy / Always allow / Log only / Block. A master “Block all AI bots” button sits on top of the dashboard for one-click lockdown. Blocked bots receive a 403 at parse_request priority 1, before WordPress runs any heavy work.

Search engine guard

Googlebot, Bingbot, Applebot, DuckDuckBot are protected from accidental blocking by default. The dropdown is disabled for them. To override, you flip a Settings toggle that warns “blocking Googlebot removes your site from Google Search.”

Cloudflare integration guide

The wizard detects Cloudflare and tells you exactly which CF settings to turn off so this plugin can take over the AI-bot layer — AI Audit, AI Labyrinth, custom WAF rules — and which to leave on (DDoS protection, managed WAF, SSL, Bot Fight Mode).

MCP & Abilities API activity

If a WordPress MCP server plugin is installed, the dashboard shows a live widget of recent tool / ability invocations — which tool was called, by which client, whether it succeeded. First-party bridge for Royal MCP 1.4.33+ captures the full tool name and status.

Bundled bot catalog

55 AI bots recognized at launch — training crawlers, retrieval bots, AI search engines, agent browsers (Operator, Atlas, Claude Computer Use), dataset scrapers, all categorized with their owner and blocking consequences. Refreshes on every plugin update.

What makes it different

Built to solve one thing — AI bot visibility & control — and get it right.

Not a suite. Not a monitoring platform bolted onto a WAF. A dedicated tool for the AI-bot layer at the WordPress application level, designed so a site owner can walk in cold and make an informed call about every agent hitting their content.

4
Policy states per bot
Use default policy, always allow, log only, or block. Set independently for each agent, so GPTBot and ChatGPT-User can have opposite policies without writing a WAF rule.
6
Bot categories, organized
Training crawlers, retrieval bots, AI search engines, agent browsers, dataset scrapers, and traditional search engines. Blocking consequence sits next to every toggle, so you know what you’re giving up before flipping the switch.
7
Guarded from accidental blocking
Googlebot, Bingbot, Applebot, DuckDuckBot, and the Googlebot-Image / Video / News variants ship with a search-engine guard. The block dropdown is locked for these; override requires an explicit Settings toggle with a warning.
1
Wp-admin page, no context switching
The dashboard, the per-bot controls, the Cloudflare setup guide, the compatibility notes, the MCP / Abilities API activity widget — all on one screen inside WordPress. Nothing lives in a separate cloud console.
The task
In Royal AI Firewall
Elsewhere
See which AI bots hit your site today
✓ wp-admin dashboard
Cloudflare console
Block only training bots, keep retrieval bots
✓ Two dropdowns, done
Write custom WAF rules
Know what blocking a bot actually costs you
✓ Explained next to toggle
Google the bot yourself
Not accidentally delist from Google
✓ Guard is default on
Read the docs carefully
Update the bot catalog
✓ Auto on plugin update
Vendor pricing tier
See what your MCP server is doing
✓ Activity widget
Server-side logs only

From zero to AI-bot visibility in 60 seconds.

Install from wp.org, walk the 4-step wizard, wait 2–6 hours for the first bot hits to populate the dashboard. That’s the whole thing.

1

Install & activate

Search “Royal AI Firewall” in your WordPress Plugins screen. Click Install, then Activate. The plugin redirects you to the 4-step setup wizard automatically.

2

Walk the wizard

Welcome → environment detection (Cloudflare + security plugins) → Cloudflare dial-down guide (skipped if no CF) → default policy (we recommend Log Only for the first 24h). Skippable from any step.

3

See bots in your dashboard

Open the AI Firewall menu in wp-admin. Bot hits appear as soon as AI agents visit your site — usually 2–6 hours on a public, indexed site. Or fire a test: curl -A "GPTBot/1.2" https://your-site.com/

4

Decide who gets in

Each bot row has a dropdown. Pick your policy: allow, block, log-only. Or hit the master “Block all AI bots” panic button (search engines stay protected). Adjust as you go.

The Royal AI Firewall promise

Four things you will never see in this plugin.

If any of these ever show up in a release, treat it as a bug and open a ticket. We built this to sit on every WordPress site — not to bait one.

Feature gates

No greyed-out settings, no locked panels, no “upgrade to unlock this dropdown”. The dashboard you see on install is the whole dashboard.

A Pro version to upgrade to

There isn’t one. Every panel is live from install — no locked settings, no email capture, no “unlock this feature” overlays. You may see the occasional cross-plugin promo for Royal Plugins, but nothing in Royal AI Firewall itself sits behind a paywall.

Tracking & analytics

No page-view pixels, no session recording, no marketing analytics call-outs from wp-admin. What you do inside the plugin stays inside the plugin.

Personal data on our servers

We never receive your invocation logs, visitor IPs, blocked-bot stats, or hit URLs. All of that lives in your own database. Uninstall wipes it if you ask.

Already behind Cloudflare?

Royal AI Firewall is designed to coexist with Cloudflare cleanly. Keep CF’s DDoS protection, managed WAF, SSL/TLS, and Bot Fight Mode on — they don’t conflict with the WordPress-layer controls. Turn off the AI-specific CF features (AI Audit, AI Labyrinth, custom AI-blocking WAF rules) so the per-bot policies in this plugin can actually see and decide on traffic.

The first-run wizard’s Cloudflare screen lists exactly which toggles to flip, with deep-link instructions and clarifying notes. Cloudflare is auto-detected on every admin page load via the cf-ray header.

Read the full Cloudflare setup guide

Turn OFF in Cloudflare

  • AI Audit → set to “Allow”
  • AI Labyrinth → OFF
  • Custom WAF rules blocking AI bots → DELETE
  • Security Level → Medium or Low

Leave ON — doesn’t conflict

  • DDoS protection
  • Managed WAF rules
  • SSL/TLS
  • Bot Fight Mode (basic tier)
  • Browser Integrity Check
  • Caching

The actual questions.

What operators ask when they first look at Royal AI Firewall — and the answers we give them.

What’s the workflow — I install this, then what?

Install and activate, walk the 4-step wizard (welcome → environment detection → Cloudflare guide if you’re on it → default policy), open the dashboard. Bot hits start populating within a few hours on any indexed site. You look at the per-bot list, pick which agents to block, use the master “Block all” button if you want a quick lockdown. Total hands-on time is 60–90 seconds after install.

How granular is the per-bot control really?

Every recognized bot gets its own row and its own dropdown with four options: Use default policy, Always allow, Log only, Block. That means GPTBot can be blocked while ChatGPT-User stays allowed, or you can log Perplexity-User while blocking PerplexityBot. The traditional-search-engine group (Googlebot, Bingbot, Applebot, DuckDuckBot and variants — 7 bots total) is locked to Allow by default; override requires an explicit Settings toggle with a warning.

What’s in the per-bot drill-down?

Click any bot row to expand: the bot’s owner, the intended purpose (training crawler, retrieval, AI search index, agent browser, dataset scraper, or traditional search), the top 10 URLs the bot hit, the last 10 requests (timestamp / method / URL / response), and a plain-English explanation of what blocking this bot would cost you — ChatGPT-search delisting for GPTBot, AI-search referral loss for PerplexityBot, etc.

Does it call home?

Not by default. On a fresh install the plugin makes no outbound HTTP calls. The bot catalog ships bundled in the zip and refreshes on plugin update. If you tick the optional “Keep catalog updated between releases” toggle, the plugin makes one HTTP GET per day for a fresher catalog — the request body is empty, no site data of any kind is sent.

Does it work with my existing security plugin or with Cloudflare?

Yes, layered cleanly. Keep Cloudflare’s DDoS protection, general WAF, SSL, and Bot Fight Mode on. Keep your other security plugin’s firewall / login hardening / malware scanning on. Royal AI Firewall operates at the WordPress application layer, one level in from those edge layers. On activation it auto-detects the popular security plugins and Cloudflare, then shows compatibility notes so you can see how the layers stack.

What’s the MCP / Abilities API widget?

If you have a WordPress MCP server plugin installed (Royal MCP, or anything implementing the WordPress Abilities API), a widget on the Royal AI Firewall dashboard shows recent tool / ability invocations — which tool was called, by which client, whether it succeeded. It’s the traffic view for what AI agents are actually doing through your MCP server, sitting right next to the traffic view for what AI agents are reading from your site.

Does it slow the site down?

The classifier runs in-process against a small pre-compiled UA pattern list and is designed to stay in the sub-millisecond range on the hot path. Logging is buffered and flushed on the WordPress shutdown hook after the response is sent to the visitor, so any database writes never sit on the request’s critical path.

What happens to my data if I uninstall?

Preserved by default — a reinstall picks up where you left off. Flip the “Delete all logs, tables, and options when the plugin is uninstalled” toggle in Settings → Data before removing the plugin if you want a fully clean slate.

Get up to speed.

Self-serve docs for setup, configuration, and troubleshooting.

Getting started

Integrations

Troubleshooting

Ready to see who’s reading your site?

One install, one 4-step wizard, one dashboard. Bot hits populate within hours on any indexed site — and the controls sit right next to the data.