PureGuard — Bot Protection & Performance

Description

PureGuard is a simple, safe bot-protection plugin for WordPress. You pick one of six security modes — the plugin configures everything else for you. No confusing combinations, no accidental blocking.

Every visitor is sorted into one of three groups:

  • Humans — proven real visitors (always allowed).
  • Suspicious — not clearly a bot, but not clearly human either.
  • Bots — confirmed bots.

The six modes

  • Off (Disabled) — Completely inactive: never blocks, never calls the API, records nothing. Use when your traffic is already filtered upstream.
  • Monitor (Watch only) — Checks and records every visitor to your Live dashboard so you can SEE your traffic and bot activity — but never blocks or challenges anyone. The safe first step before turning on blocking.
  • Medium (recommended) — Confirmed bots are blocked. Humans and Suspicious visitors both pass freely. No challenge page.
  • High — Confirmed bots are blocked and Suspicious visitors must pass a quick JavaScript browser check.
  • Strict (Humans only) — Only proven humans get in. Bots AND suspicious visitors are blocked.
  • Lockdown — Emergency mode: everyone sees the block page. Logged-in users and search engines are always excepted, so you never lock yourself out.

Censorship-friendly VPN filter

If your real audience browses through VPNs or proxies to escape censorship, turn on the censorship-friendly filter: a visitor flagged ONLY for VPN / proxy / hosting-network signals is never hard-blocked. In High mode they get the quick browser check instead (humans pass it, bots cannot). Visitors with real bot evidence are still blocked.

Branded challenge and block pages

Add your own logo, brand name, accent color, and dark or light theme. Customize the block-page heading and message, show blocked visitors their IP and an incident ID, and let real people report a mistake with one click (“I am human”). Preview both pages from the settings with one click before anything goes live.

PureGuard Live dashboard

A full statistics page with two views:

  • Security — hourly traffic chart, visitor mix, top blocked IPs, top countries, top block reasons, visitor reports, and a live feed of the latest decisions.
  • Performance — API latency (average and p95), cache efficiency, checks per hour, and the bot page-loads your server never had to render.

Data comes from a local, self-pruning event log in your own database (last 30 days). Nothing extra is sent anywhere.

Multilingual challenge page

The challenge page auto-detects the visitor’s browser language. English, Thai, Bahasa Indonesia, Vietnamese, and Burmese (Myanmar) are built in, and every line is editable from the settings page.

Engagement intelligence (off by default)

Optional and opt-in: when you turn it on, the plugin measures anonymous time-on-page and scroll signals so PureGuard can score traffic quality per site. Off by default — no tracking script is added unless you enable it. No personal data is collected.

Screenshots

FAQ

Will this block my real visitors?

In Off mode, never. In Medium mode, only confirmed bots. In High mode, uncertain visitors may briefly see a JavaScript challenge. In Strict mode, suspicious visitors are blocked too — use it only when you want humans-only traffic. Lockdown blocks everyone except logged-in users and search engines.

My readers use VPNs. Will they be blocked?

Turn on the censorship-friendly filter (Security Mode tab). Visitors flagged only for VPN/proxy usage are never hard-blocked — at most they see a quick automatic browser check that real people pass in seconds.

Do I need a PureGuard account?

Yes. Add your PureGuard API key under Settings PureGuard. Get one at https://pureguard.io.

Does it slow down my site?

Verdicts are cached per visitor (default 1 hour), so the API is called at most once per visitor per cache window. Logged-in users and search engines are skipped. The Performance view of the Live dashboard shows you the exact latency and cache-hit numbers.

Where is the traffic data stored?

In a small table in your own WordPress database, pruned automatically to the last 30 days. You can turn the local log off in Settings General.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“PureGuard — Bot Protection & Performance” is open source software. The following people have contributed to this plugin.

Contributors

Changelog

6.0.9

  • NEW: “Test key” button on the settings page — instantly confirm your API key works and see your plan and monthly usage.
  • HOUSEKEEPING: Deleting the plugin now fully cleans up after itself (removes its database table and settings). Deactivating still keeps your data.

6.0.8

  • RELIABILITY: If the PureGuard service is ever unreachable, the plugin now detects it and instantly stops calling the API (no per-visitor delay) while allowing every visitor through — your site stays fast and open, never blocked. Protection resumes automatically when the service is back.
  • NEW: A clear status banner on the plugin pages tells you when protection is paused (service unreachable, or plan quota used up), so you always know the current state.

6.0.7

  • FIX: “Allow VPN” and the censorship filter now tell the engine to skip VPN detection natively, so VPN readers are reliably allowed (previously some VPNs detected as proxies were still blocked). Real datacenter / TOR / public proxies stay blocked. Verified end-to-end with a real VPN visitor.

6.0.6

  • IMPROVED: Plain-English labels in the Live dashboard (e.g. “Verified human”, “Bot user-agent”, “Proxy network”) instead of raw engine codes.
  • IMPROVED: The Campaign tab now appears only if your account actually runs traffic connectors — pure-security sites see a clean, single-scope dashboard.

6.0.5

  • PRIVACY: Engagement tracking is now OFF by default (opt-in). New installs are pure bot protection with no tracking script added; turn on Engagement in Settings General if you want time-on-page/scroll intelligence.
  • IMPROVED: The account/campaign view now shows only your traffic connectors — your site’s own security checks no longer appear mixed in as a “source.”

6.0.4

  • NEW: Monitor mode — watch and record every visitor to your Live dashboard without ever blocking or challenging anyone. The safe first step: see your traffic for a few days, then turn on blocking once you trust it. (Off now means fully disabled — no blocking and no logging.)

6.0.3

  • SECURITY: Site protection now uses a dedicated security endpoint, fully separated from the media-buying side — your WordPress site can never be affected by ad-traffic zone reputation.
  • IMPROVED: Clearer mode descriptions — Medium (fast server-side check) vs High (adds a browser check a bot cannot fake).

6.0.2

  • NEW: Per-source breakdown in the account view — see every traffic source / connector with its own checked / accepted / blocked / accept-rate, so campaigns running side by side no longer blend into one number.
  • NEW: Source drill-down — pick a source (or click “view”) to scope the whole account dashboard to that one campaign.

6.0.1

  • NEW: PureGuard Live now has two scopes — “This site” (visitors this plugin checked at your WordPress site) and “My PureGuard account” (every visitor across all your sites and traffic connectors). The account scope shows the same numbers as your pureguard.io/live dashboard, so the two never disagree.
  • IMPROVED: Clear labels explain which checkpoint each number comes from.

6.0.0

  • NEW: Two more security modes — Strict (Humans only) and Lockdown (block everyone, admins and search engines excepted).
  • NEW: Censorship-friendly VPN filter — visitors flagged only for VPN/proxy/hosting signals are challenged instead of hard-blocked, for audiences that browse via VPN to escape censorship.
  • NEW: PureGuard Live — a full statistics dashboard with Security and Performance views: hourly charts, visitor mix, top blocked IPs/countries/reasons, live feed, API latency and cache efficiency. Powered by a local, self-pruning 30-day event log.
  • NEW: Branded gate pages — custom logo (Media Library picker), brand name, accent color, dark/light theme on both the challenge and block pages, with one-click admin previews.
  • NEW: Customizable block page — heading, message, visitor IP + incident ID + time display, and an “I am human” report button; reports appear on the Live dashboard.
  • NEW: Custom success message and optional redirect after a passed browser check.
  • CHANGED: Each site now reports to PureGuard intelligence under its own domain as the traffic source (previously a shared “WORDPRESS” source), so your site gets its own reputation.
  • FIX: Internal version constant and readme stable tag aligned.

5.0.7

  • IMPROVED: Off mode now returns before any API call — zero added latency when monitoring is all you want.

5.0.4

  • NEW: “Allow AI training crawlers” toggle (off by default). Search engines and social crawlers are always allowed.
  • CHANGED: “Allow VPN” now applies to VPNs only — open / datacenter / TOR proxies stay blocked.
  • IMPROVED: Plain-language labels (Humans / Suspicious / Bots) throughout.

5.0.3

  • IMPROVED: The plugin forwards the visitor’s browser headers (Sec-Fetch, client-hints, language) to the detection API for accurate trust scoring.

5.0.2

  • NEW: “Allow VPN / proxy visitors” toggle.

5.0.1

  • NEW: Burmese (Myanmar) challenge language. Default trust threshold aligned to 5.5.

5.0.0

  • NEW: One security mode selector (Off / Medium / High) replacing the v4 multi-dropdown setup, per-site zone identity, multilingual challenge page, stats tab, fail-open API behavior.

4.0.1

  • Compliance: challenge CSS/JS moved into enqueued assets per WordPress.org review.

4.0.0

  • BREAKING: prefixes renamed to pgperf_. JS challenge with SHA-256 proof-of-work and browser integrity checks.

3.0.0

  • Three-tier traffic classification.

2.0.0

  • WAF security layer via the PureGuard detection engine.

1.0.0

  • Initial release.