Hi Olaf,

Very interesting. Bots have been a real pain for years. On Piwigo.com, where we host thousands of Piwigo installations, I would say bots are making between 80 to 95% of the incoming HTTP requests. That's crazy. For many of them, I have no idea what they're doing here. Just scanning all the web pages they can with no goal :-/

I haven't analyzed your code yet but I have several questions/remarks/recommandations:

1) why don't you host your code on Github? It would be so much easier for us to follow the commits, have an issue tracker, let piwigo.org generate the zip archive...

2) do not use a "data" directory within the plugin directory. Use $conf['data_location'].'bot_protection' instead. It's mandatory for Piwigo installations using the multisite features (like piwigo.com). See examples of use in [extension by mistic100] Batch Downloader or [extension by plg] Prepaid Credits

Olaf, I'm interested in this plugin, but I'll wait for the final version. I spend too much time managing the robots that overload the servers of my shared hosting. On my little site, I had up to 70,000 visitors/day at the end of 2024, I managed to normalize the flow to 200 or 300, although in February I still had peaks of 20,000 or 30,000. The 70,000 peak was due to the Apache version being upgraded to 2.4 and htaccess no longer stopping anything. So I asked ChatGPT to convert my .htaccess to the new syntax. There are many online converters, but I kept it simple and it worked.
I have 3 types of online sites: one for genealogy, one for classified articles and the Piwigo. Each of them has a little something extra to combat invading robots: the texts site has an htaccess editor from the admin, with no need to access ftp. The genealogy site has a bot trap that detects rapid visits and bans the IPs concerned directly in the htaccess. In principle, I use practically the same htaccess on all my sites, because I copy the content from one to another.
Thanks for your devlopment, I look forward to it.

Hello

Bot Protection 1.0.0 – Available now!
Bot Protection helps you control and limit unwanted bots while allowing useful crawlers like Googlebot or Bingbot. Keep your server responsive and protect your content from aggressive indexing.

Features
- Block access from known bad bots (e.g. SemrushBot, AhrefsBot, MJ12bot)
- Allow and set limits for good bots (e.g. Googlebot, Bingbot)
- Custom whitelist and blocklist management
- Referrer & cookie check to detect real visitors
- Daily visitor statistics with chart
- Detailed log and statistics for blocked bots
- IP blocking support
- Fully integrated admin interface with tabbed layout

Compatibility
- Tested with Piwigo 15.5.0
- Compatible with PHP 8.3.21
- Works on shared hosting
- No external libraries required

Installation
- Upload the plugin to your /plugins/ directory
- Activate it in the Piwigo admin panel
- Go to [Plugins » Bot Protection] to configure settings

I look forward to your feedback!

Best regards from Berlin

Olaf

Bot Protection 1.0.0 – Now Available!

Last edited by Schneider-Fotografie (2025-06-04 20:37:43)

Fatal error: Uncaught mysqli_sql_exception: Data too long for column 'IP' at row 1 in /var/www/legtux.org/users/blackland/www/include/dblayer/functions_mysqli.inc.php:132 Stack trace: #0 /var/www/legtux.org/users/blackland/www/include/dblayer/functions_mysqli.inc.php(132): mysqli->query() #1 /var/www/legtux.org/users/blackland/www/plugins/AntiAspi/main.inc.php(127): pwg_query() #2 /var/www/legtux.org/users/blackland/www/include/functions_plugins.inc.php(264): antiaspi() #3 /var/www/legtux.org/users/blackland/www/include/section_init.inc.php(705): trigger_notify() #4 /var/www/legtux.org/users/blackland/www/index.php(12): include('...') #5 {main} thrown in /var/www/legtux.org/users/blackland/www/include/dblayer/functions_mysqli.inc.php on line 132

Plugin AntiAspi:

Hello Katryne

What does this mean?
The plugin AntiAspi is trying to store an IP address in the database, but the column defined for it is too short to hold the value.

Likely Cause:
Many plugins or database setups define the IP column as VARCHAR(15), which is only enough to store IPv4 addresses (like 192.168.0.1). However, if a visitor uses an IPv6 address (like 2001:0db8:85a3:0000:0000:8a2e:0370:7334), that address won't fit, and MySQL throws a “Data too long” error.

How to Fix:
Identify the table where the plugin logs the IP address (for example, something like piwigo_antiaspi_log).

Update the IP column in that table using this SQL command:

ALTER TABLE piwigo_antiaspi_log MODIFY COLUMN IP VARCHAR(45);

Hi Piwigo team,

I just noticed that my plugins smileys_votes, bot_protection, and like_dislike have disappeared from the extensions directory, and my account no longer shows any entries.

I didn’t receive any message or explanation, so this came as quite a surprise. Could you please let me know why the plugins were removed? Was there a problem or a report from someone?

I’d really like to understand what happened and – if needed – I’m happy to make adjustments or fix any issues.

Thanks in advance for your reply!

Best regards,
Olaf

Direct access via bookmark links was blocked by the checkbox on the plugin's 1st configuration tab: Block access without referer or cookies (or something like that, I can't get the configuration page back into English).
If I uncheck it, will the plugin continue to block robots?

Hi PLG,

Thanks for your reply – it’s good to know that the issue was caused by a hacker and not something I did wrong. Of course, it’s not a good situation, and it's quite serious that extensions could be deleted like that. I hope you've been able to secure things on your side since then.

Too bad my ZIP couldn’t be recovered, but no problem – I’ll re-upload the 1.0.0 revision as you suggested.

Do you have any more details about the incident?
For example:

- When did it happen?
- How did the attacker get access?
- Were only ZIPs deleted or were other files affected too?
- And what steps have been taken to prevent something like this in the future?

Depending on how the attack was carried out, I might also consider making some adjustments to my plugin to make sure there are no security issues on my side either.

Best regards,
Olaf