We have detected that you are using AdBlock.

Please disable it for this site to continue.

  • All Passwords for this resource will be in "Updates" tab below.

    We only publish files for testing purpose. Consider buying licenses to support original developers.

XF Bot Guard

XF Bot Guard 1.0.6

Downloads left: Unlimited Go to download
Overview History Discussion
Compatible XF 2.x versions
  1. 2.1
  2. 2.2
  3. 2.3
Visible branding
No
xf-bot-guard.webp


Stop abusive bots before they scrape, hammer, or overload your XenForo forum.

XF Bot Guard helps protect XenForo forums from abusive bots, scrapers, fake browser traffic, AI crawlers, registration abuse, and bot-driven server load.

It validates real browsers before protected public pages are served, scores suspicious behaviour, challenges risky visitors with XenForo CAPTCHA, allows verified search crawlers, and gives admins clear logs, reason codes, dashboard reporting, health checks, and controls.

It works without Cloudflare, installs as a normal XenForo add-on, and ships with conservative defaults so you can test safely before widening protection.

Early users report dramatic reductions in bot-driven traffic, restored site stability, fewer server/database issues, and responsive support during real bot storms.


Why XF Bot Guard exists

A lot of modern bot traffic does not behave like old forum spam.

It may not register.
It may not post.
It may not trigger normal anti-spam tools.

Instead, it quietly hammers thread pages, crawls content, inflates guest activity, overloads SQL, ignores robots.txt, pretends to be a browser, or arrives as fake crawler traffic.

XF Bot Guard is designed to catch that type of traffic earlier, before it is allowed to freely browse protected forum content.

What it helps protect against

  • Aggressive scrapers crawling forum content
  • Fake browser traffic that does not behave like a real visitor
  • AI crawler and automated bot traffic
  • Bot-driven server, PHP, and database load
  • Fake or inflated guest/member online activity
  • Suspicious registration and login-adjacent abuse
  • Bots pretending to be search engines
  • Repeated suspicious requests from hosting networks, proxies, and automated environments

Real-world feedback

★★★★★
“Insane traffic being caused by AI bots and scrapers.”
— @Chromaniac · 5-star review


★★★★★
“It tamed the out of control bots that were causing my SQL server to crash.”
— @Rhody · 5-star review


★★★★★
“Since installing this addon, I've had zero issues and my site is stable again.”
— @Neal · 5-star review


How it works, in plain English

XF Bot Guard sits in front of protected public forum pages.

When a visitor arrives, Bot Guard looks at the request, browser behaviour, session continuity, crawler verification, request rate, and other local signals.

Normal visitors are silently validated and allowed through.

Suspicious visitors may see a short browser validation page or XenForo CAPTCHA challenge.

Very suspicious traffic can be denied or optionally pushed towards Cloudflare Edge Enforcement if you enable that feature.

Designed to be safe to trial

Bot protection is powerful, so the defaults matter.

XF Bot Guard is designed to start conservatively:

  • Disabled by default after install
  • Guest-only by default
  • GET requests only by default
  • AJAX excluded by default
  • Login, logout, registration, lost password, CAPTCHA, admin, install, API, webhook, and common static asset paths excluded by default
  • Hard deny disabled by default
  • Cloudflare Edge Enforcement disabled and dry-run by default
  • Verified search crawlers allowed before normal scoring

That means you can install it, check the health page, confirm CAPTCHA/browser validation is working, and monitor the logs before increasing protection.

If needed, protection can be turned off from the XF Bot Guard options, and the documentation includes emergency recovery steps if ACP access is unavailable.

What real users see

Most legitimate users should not need to do anything.

A new or suspicious guest may briefly see a validation page:

validating-browser.webp
Fresh or suspicious guests can be briefly validated before
protected public content is served.

If the visitor still looks suspicious, they may be asked to complete your XenForo CAPTCHA.

This is intentional. The goal is to keep obvious automation away from your forum while letting real browsers continue normally.

Search engines and SEO

XF Bot Guard is not designed to blindly block crawler user agents.

Verified crawlers are allowed before normal challenge scoring. Fake crawler user agents are not trusted just because they call themselves Googlebot, Bingbot, or another known bot.

This is important because many abusive bots pretend to be legitimate crawlers.

Works with or without Cloudflare

XF Bot Guard does not require Cloudflare.

It runs locally inside XenForo and can protect your forum on normal hosting, VPS hosting, reverse proxy setups, or Cloudflare-backed sites.

If you do use Cloudflare, optional Cloudflare Edge Enforcement can help move repeat offenders closer to the edge, but it is not required.


What XF Bot Guard is not

XF Bot Guard is not a replacement for good hosting, server-level security, backups, XenForo updates, or DDoS protection.

It is designed to reduce abusive automated traffic at the XenForo application layer.

For serious volumetric attacks, you may still need server firewall rules, CDN protection, Cloudflare, or hosting-provider mitigation.


Admin dashboard, logs, and visibility

XF Bot Guard gives admins visibility into what is happening instead of leaving you guessing.

dashboard_overview.webp
The dashboard gives a quick operational view of protected activity, challenge outcomes,
crawler activity, and traffic pressure.

You can review traffic decisions, scores, reason codes, challenge outcomes, browser validation activity, crawler verification, and other bot-protection events.

full_logging.webp
The event log lets you drill into decisions, risk scores, routes, request paths,
visitor/session hashes, and reason codes.

This makes it easier to answer practical questions like:

  • Was this visitor challenged?
  • Why was this request considered suspicious?
  • Did the visitor pass browser validation?
  • Did they complete CAPTCHA?
  • Was the traffic a verified crawler or a fake crawler?
  • Is a route being hit unusually hard?

Health checks

The health page helps confirm important pieces are working, including browser assets, collector endpoints, crawler data, CAPTCHA readiness, Cloudflare-related checks, and other protection components.

health_status_page.webp
Health checks help confirm assets, CAPTCHA readiness, crawler data, cache behaviour,
cleanup, retention, and Cloudflare-related configuration.

Optional Cloudflare Edge Enforcement

Cloudflare Edge Enforcement is optional.

It is disabled by default and runs in dry-run mode by default. When configured, it can help move repeat abusive IP blocking closer to Cloudflare instead of handling every bad request inside XenForo.

cloudflare_edge_enforcement.webp
Optional Cloudflare Edge Enforcement can dry-run and then sync repeat
abusive IP candidates to Cloudflare when you enable it.

If you do not use Cloudflare, you can ignore this feature completely.


Privacy and data collection

XF Bot Guard uses local browser validation, local scoring, and local logging inside your XenForo installation.

Normal Bot Guard reputation data is designed around hashed identifiers rather than storing plain raw identifiers by default. It may store details such as decision logs, reason codes, request paths, route/controller context, scores, user IDs where applicable, browser validation status, session continuity, and crawler verification outcomes.

Browser fingerprinting is used for local bot detection. Fingerprint data is not sent to an external fingerprinting service.

Optional features, such as raw IP logging or Cloudflare Edge Enforcement, may store additional IP-related data if you enable them.

For the full privacy breakdown, see the documentation:

XF Bot Guard documentation PDF

Compatibility

  • Requires XenForo 2.1.0+
  • Requires PHP 7.2.0+
  • Does not require Cloudflare
  • Can be used on normal hosting, VPS, reverse proxy, and Cloudflare-backed sites
  • If using Cloudflare, nginx, LiteSpeed, Apache reverse proxy, or another CDN/proxy, make sure XenForo receives the correct real visitor IP

Before you install

Please do not install any traffic-gating add-on blindly on a live forum.

Before enabling protection, you should:

  • Take a backup.
  • Confirm XenForo CAPTCHA is configured and working.
  • Confirm your style allows normal XenForo template modifications.
  • Confirm JavaScript files under /js/ can load correctly.
  • Confirm XenForo sees the real visitor IP if you use Cloudflare or another reverse proxy.
  • Review your site for custom API, webhook, payment callback, SSO, or app endpoints that may need excluding.
  • Read the documentation PDF.

Full documentation

For installation, safe rollout, privacy details, Cloudflare setup, troubleshooting, and emergency recovery instructions, please read the full documentation:

Download the full XF Bot Guard documentation PDF


Support

XF Bot Guard is free to download and use.

If you need help, please use the discussion thread and include as much useful detail as possible:

  • XenForo version
  • PHP version
  • Hosting/proxy/CDN setup
  • Whether Cloudflare is used
  • Relevant Bot Guard log entries
  • The route/path affected
  • Whether the user passed browser validation or CAPTCHA
  • Any recent setting changes

Reviews are appreciated if the add-on helps protect your forum.
Author
kashif
Downloads
0
Views
4
First release
Last update

Ratings

0.00 star(s) 0 ratings
Join the discussion More information

More resources from kashif

Share this resource

Top