By Jameson · Founder & Lead Developer · Published July 2026
GPTBot, ClaudeBot, PerplexityBot, ByteSpider, and 50+ others are hitting your WordPress site right now — most owners have no idea what they’re taking, or how to control it. Royal AI Firewall puts the live list, the one-click controls, and the Cloudflare integration guide directly in your WordPress admin. Every feature ships free. No upgrade prompt. Ever.
Blocking one AI bot on the web today means clicking through a moving-target dashboard, deciphering which plan tier still includes the setting you need, and hoping the panel name hasn’t been renamed since last month. It doesn’t have to be that hard.
Cloudflare does show AI bots by name in its dashboard — if you can find the panel this month. AI Audit, AI Labyrinth, Bot Fight Mode, Super Bot Fight Mode, Managed Rules, Custom Rules, WAF managed AI category — the features are constantly renamed, reshuffled between Free / Pro / Business / Enterprise, and hidden three menus deep in a UI designed for network engineers. Every time you sit down to block one specific bot you burn 20 minutes hunting through the console for whichever setting Cloudflare renamed this quarter, and half the time the granular per-agent rule you need has quietly moved to a paid tier. Blocking “GPTBot but not ChatGPT-User” is a project.
Every AI bot hitting your site, listed by name inside wp-admin. One dropdown per bot: allow, block, log-only. Blocking consequence explained right next to the toggle so you know what you’re giving up before you flip it. GPTBot and ChatGPT-User are separate rows, so you can block training without blocking retrieval — without writing a WAF rule, without hunting through Cloudflare menus. 55 AI bots across 6 categories at launch. Catalog refreshes automatically on every plugin update.
Every panel below is on the same dashboard screen inside wp-admin. Activate the plugin, walk the wizard, refresh — bot hits start populating and the controls are live.
Per-bot hit counts, bandwidth used, and the last time each bot touched your site. Hero metric for the last 24 hours plus a sortable per-row drill-down with top URLs, recent activity, and what blocking the bot would cost you.
Each row has a dropdown: Use default policy / Always allow / Log only / Block. A master “Block all AI bots” button sits on top of the dashboard for one-click lockdown. Blocked bots receive a 403 at parse_request priority 1, before WordPress runs any heavy work.
Googlebot, Bingbot, Applebot, DuckDuckBot are protected from accidental blocking by default. The dropdown is disabled for them. To override, you flip a Settings toggle that warns “blocking Googlebot removes your site from Google Search.”
The wizard detects Cloudflare and tells you exactly which CF settings to turn off so this plugin can take over the AI-bot layer — AI Audit, AI Labyrinth, custom WAF rules — and which to leave on (DDoS protection, managed WAF, SSL, Bot Fight Mode).
If a WordPress MCP server plugin is installed, the dashboard shows a live widget of recent tool / ability invocations — which tool was called, by which client, whether it succeeded. First-party bridge for Royal MCP 1.4.33+ captures the full tool name and status.
55 AI bots recognized at launch — training crawlers, retrieval bots, AI search engines, agent browsers (Operator, Atlas, Claude Computer Use), dataset scrapers, all categorized with their owner and blocking consequences. Refreshes on every plugin update.
Not a suite. Not a monitoring platform bolted onto a WAF. A dedicated tool for the AI-bot layer at the WordPress application level, designed so a site owner can walk in cold and make an informed call about every agent hitting their content.
Install from wp.org, walk the 4-step wizard, wait 2–6 hours for the first bot hits to populate the dashboard. That’s the whole thing.
Search “Royal AI Firewall” in your WordPress Plugins screen. Click Install, then Activate. The plugin redirects you to the 4-step setup wizard automatically.
Welcome → environment detection (Cloudflare + security plugins) → Cloudflare dial-down guide (skipped if no CF) → default policy (we recommend Log Only for the first 24h). Skippable from any step.
Open the AI Firewall menu in wp-admin. Bot hits appear as soon as AI agents visit your site — usually 2–6 hours on a public, indexed site. Or fire a test: curl -A "GPTBot/1.2" https://your-site.com/
Each bot row has a dropdown. Pick your policy: allow, block, log-only. Or hit the master “Block all AI bots” panic button (search engines stay protected). Adjust as you go.
If any of these ever show up in a release, treat it as a bug and open a ticket. We built this to sit on every WordPress site — not to bait one.
No greyed-out settings, no locked panels, no “upgrade to unlock this dropdown”. The dashboard you see on install is the whole dashboard.
There isn’t one. Every panel is live from install — no locked settings, no email capture, no “unlock this feature” overlays. You may see the occasional cross-plugin promo for Royal Plugins, but nothing in Royal AI Firewall itself sits behind a paywall.
No page-view pixels, no session recording, no marketing analytics call-outs from wp-admin. What you do inside the plugin stays inside the plugin.
We never receive your invocation logs, visitor IPs, blocked-bot stats, or hit URLs. All of that lives in your own database. Uninstall wipes it if you ask.
Royal AI Firewall is designed to coexist with Cloudflare cleanly. Keep CF’s DDoS protection, managed WAF, SSL/TLS, and Bot Fight Mode on — they don’t conflict with the WordPress-layer controls. Turn off the AI-specific CF features (AI Audit, AI Labyrinth, custom AI-blocking WAF rules) so the per-bot policies in this plugin can actually see and decide on traffic.
The first-run wizard’s Cloudflare screen lists exactly which toggles to flip, with deep-link instructions and clarifying notes. Cloudflare is auto-detected on every admin page load via the cf-ray header.
What operators ask when they first look at Royal AI Firewall — and the answers we give them.
Install and activate, walk the 4-step wizard (welcome → environment detection → Cloudflare guide if you’re on it → default policy), open the dashboard. Bot hits start populating within a few hours on any indexed site. You look at the per-bot list, pick which agents to block, use the master “Block all” button if you want a quick lockdown. Total hands-on time is 60–90 seconds after install.
Every recognized bot gets its own row and its own dropdown with four options: Use default policy, Always allow, Log only, Block. That means GPTBot can be blocked while ChatGPT-User stays allowed, or you can log Perplexity-User while blocking PerplexityBot. The traditional-search-engine group (Googlebot, Bingbot, Applebot, DuckDuckBot and variants — 7 bots total) is locked to Allow by default; override requires an explicit Settings toggle with a warning.
Click any bot row to expand: the bot’s owner, the intended purpose (training crawler, retrieval, AI search index, agent browser, dataset scraper, or traditional search), the top 10 URLs the bot hit, the last 10 requests (timestamp / method / URL / response), and a plain-English explanation of what blocking this bot would cost you — ChatGPT-search delisting for GPTBot, AI-search referral loss for PerplexityBot, etc.
Not by default. On a fresh install the plugin makes no outbound HTTP calls. The bot catalog ships bundled in the zip and refreshes on plugin update. If you tick the optional “Keep catalog updated between releases” toggle, the plugin makes one HTTP GET per day for a fresher catalog — the request body is empty, no site data of any kind is sent.
Yes, layered cleanly. Keep Cloudflare’s DDoS protection, general WAF, SSL, and Bot Fight Mode on. Keep your other security plugin’s firewall / login hardening / malware scanning on. Royal AI Firewall operates at the WordPress application layer, one level in from those edge layers. On activation it auto-detects the popular security plugins and Cloudflare, then shows compatibility notes so you can see how the layers stack.
If you have a WordPress MCP server plugin installed (Royal MCP, or anything implementing the WordPress Abilities API), a widget on the Royal AI Firewall dashboard shows recent tool / ability invocations — which tool was called, by which client, whether it succeeded. It’s the traffic view for what AI agents are actually doing through your MCP server, sitting right next to the traffic view for what AI agents are reading from your site.
The classifier runs in-process against a small pre-compiled UA pattern list and is designed to stay in the sub-millisecond range on the hot path. Logging is buffered and flushed on the WordPress shutdown hook after the response is sent to the visitor, so any database writes never sit on the request’s critical path.
Preserved by default — a reinstall picks up where you left off. Flip the “Delete all logs, tables, and options when the plugin is uninstalled” toggle in Settings → Data before removing the plugin if you want a fully clean slate.
Self-serve docs for setup, configuration, and troubleshooting.
One install, one 4-step wizard, one dashboard. Bot hits populate within hours on any indexed site — and the controls sit right next to the data.