- Compatible Versions: 2.1, 2.2, 2.3
- Additional Requirements: PHP 7.2+. XenForo CAPTCHA enabled.
- Visible Branding: No
How it works, in plain English
XF Bot Guard sits in front of protected public forum pages.
When a visitor arrives, Bot Guard looks at the request, browser behaviour, session continuity, crawler verification, request rate, and other local signals.
Normal visitors are silently validated and allowed through.
Suspicious visitors may see a short browser validation page or XenForo CAPTCHA challenge.
Very suspicious traffic can be denied or optionally pushed towards Cloudflare Edge Enforcement if you enable that feature.
Designed to be safe to trial
Bot protection is powerful, so the defaults matter.
XF Bot Guard is designed to start conservatively:
- Disabled by default after install
- Guest-only by default
- GET requests only by default
- AJAX excluded by default
- Login, logout, registration, lost password, CAPTCHA, admin, install, API, webhook, and common static asset paths excluded by default
- Hard deny disabled by default
- Cloudflare Edge Enforcement disabled and dry-run by default
- Verified search crawlers allowed before normal scoring
That means you can install it, check the health page, confirm CAPTCHA/browser validation is working, and monitor the logs before increasing protection.
If needed, protection can be turned off from the XF Bot Guard options, and the documentation includes emergency recovery steps if ACP access is unavailable.
What real users see
Most legitimate users should not need to do anything.
A new or suspicious guest may briefly see a validation page:
Fresh or suspicious guests can be briefly validated before protected public content is served.
If the visitor still looks suspicious, they may be asked to complete your XenForo CAPTCHA.
This is intentional. The goal is to keep obvious automation away from your forum while letting real browsers continue normally.
Search engines and SEO
XF Bot Guard is not designed to blindly block crawler user agents.
Verified crawlers are allowed before normal challenge scoring. Fake crawler user agents are not trusted just because they call themselves Googlebot, Bingbot, or another known bot.
This is important because many abusive bots pretend to be legitimate crawlers.
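One common way to separate a real crawler from a user agent that merely claims to be one is forward-confirmed reverse DNS, sketched below as an added example; it is not XF Bot Guard's own code. The suffix table, the `verifyCrawler` name, and the injected resolver callables are assumptions for illustration.

```php
<?php
// Added illustration, not XF Bot Guard code. The suffix table and the injected
// resolver callables are assumptions made for this example.
const CRAWLER_SUFFIXES = [
    'googlebot' => ['.googlebot.com', '.google.com'],
    'bingbot'   => ['.search.msn.com'],
];

function verifyCrawler(string $userAgent, string $ip, callable $reverse, callable $forward): string
{
    $ua = strtolower($userAgent);
    foreach (CRAWLER_SUFFIXES as $token => $suffixes) {
        if (strpos($ua, $token) === false) {
            continue;
        }
        // 1. PTR lookup. gethostbyaddr() returns the IP unchanged when there is no record.
        $host = strtolower(rtrim((string) $reverse($ip), '.'));
        if ($host === '' || $host === $ip) {
            return 'fake';
        }
        // 2. The name must end in a domain the crawler operator owns. A suffix
        //    match (not "contains") rejects googlebot.com.attacker.example.
        $owned = false;
        foreach ($suffixes as $suffix) {
            $owned = $owned || substr($host, -strlen($suffix)) === $suffix;
        }
        // 3. Forward-confirm: anyone can set a PTR on address space they control,
        //    so the name must also resolve back to the connecting IP.
        $confirmed = $owned && in_array($ip, (array) $forward($host), true);
        return $confirmed ? 'verified' : 'fake';
    }
    return 'no_crawler_claim';
}

// Constructed DNS data (documentation IP ranges) so the example runs offline.
// On a live server pass 'gethostbyaddr' and 'gethostbynamel' (IPv4) instead.
$ptr = [
    '192.0.2.10'   => 'crawl-192-0-2-10.googlebot.com',
    '203.0.113.7'  => 'crawl.googlebot.com.attacker.example',
    '198.51.100.9' => 'crawl-198-51-100-9.googlebot.com', // PTR with no matching A record
];
$a = ['crawl-192-0-2-10.googlebot.com' => ['192.0.2.10']];
$reverse = function ($ip) use ($ptr) { return $ptr[$ip] ?? $ip; };
$forward = function ($host) use ($a) { return $a[$host] ?? false; };

$ua = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
foreach (array_keys($ptr) as $ip) {
    echo $ip, ' => ', verifyCrawler($ua, $ip, $reverse, $forward), PHP_EOL;
}
```

Only the first constructed address passes all three steps; the other two present the same user agent but fail the suffix check or the forward confirmation.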
Works with or without Cloudflare
XF Bot Guard does not require Cloudflare.
It runs locally inside XenForo and can protect your forum on normal hosting, VPS hosting, reverse proxy setups, or Cloudflare-backed sites.
If you do use Cloudflare, optional Cloudflare Edge Enforcement can help move repeat offenders closer to the edge, but it is not required.
What XF Bot Guard is not
XF Bot Guard is not a replacement for good hosting, server-level security, backups, XenForo updates, or DDoS protection.
It is designed to reduce abusive automated traffic at the XenForo application layer.
For serious volumetric attacks, you may still need server firewall rules, CDN protection, Cloudflare, or hosting-provider mitigation.
Admin dashboard, logs, and visibility
XF Bot Guard gives admins visibility into what is happening instead of leaving you guessing.
The dashboard gives a quick operational view of protected activity, challenge outcomes, crawler activity, and traffic pressure.
You can review traffic decisions, scores, reason codes, challenge outcomes, browser validation activity, crawler verification, and other bot-protection events.
The event log lets you drill into decisions, risk scores, routes, request paths, visitor/session hashes, and reason codes.
This makes it easier to answer practical questions like:
- Was this visitor challenged?
- Why was this request considered suspicious?
- Did the visitor pass browser validation?
- Did they complete CAPTCHA?
- Was the traffic a verified crawler or a fake crawler?
- Is a route being hit unusually hard?
Health checks
The health page helps confirm important pieces are working, including browser assets, collector endpoints, crawler data, CAPTCHA readiness, Cloudflare-related checks, and other protection components.
Health checks help confirm assets, CAPTCHA readiness, crawler data, cache behaviour, cleanup, retention, and Cloudflare-related configuration.
Optional Cloudflare Edge Enforcement
Cloudflare Edge Enforcement is optional.
It is disabled by default and runs in dry-run mode by default. When configured, it can help move the blocking of repeat abusive IPs out to Cloudflare instead of handling every bad request inside XenForo.
Optional Cloudflare Edge Enforcement can dry-run and then sync repeat abusive IP candidates to Cloudflare when you enable it.
If you do not use Cloudflare, you can ignore this feature completely.
Privacy and data collection
XF Bot Guard uses local browser validation, local scoring, and local logging inside your XenForo installation.
Normal Bot Guard reputation data is designed around hashed identifiers rather than storing plain raw identifiers by default. It may store details such as decision logs, reason codes, request paths, route/controller context, scores, user IDs where applicable, browser validation status, session continuity, and crawler verification outcomes.
Browser fingerprinting is used for local bot detection. Fingerprint data is not sent to an external fingerprinting service.
Optional features, such as raw IP logging or Cloudflare Edge Enforcement, may store additional IP-related data if you enable them.
For the full privacy breakdown, see the documentation:
XF Bot Guard documentation
Compatibility
- Requires XenForo 2.1.0+
- Requires PHP 7.2.0+
- Does not require Cloudflare
- Can be used on normal hosting, VPS, reverse proxy, and Cloudflare-backed sites
- If using Cloudflare, nginx, LiteSpeed, Apache reverse proxy, or another CDN/proxy, make sure XenForo receives the correct real visitor IP
Before you install
Please do not install any traffic-gating add-on blindly on a live forum.
Before enabling protection, you should:
- Take a backup.
- Confirm XenForo CAPTCHA is configured and working.
- Confirm your style allows normal XenForo template modifications.
- Confirm JavaScript files under /js/ can load correctly.
- Confirm XenForo sees the real visitor IP if you use Cloudflare or another reverse proxy.
- Review your site for custom API, webhook, payment callback, SSO, or app endpoints that may need excluding.
- Read the documentation.
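The real-visitor-IP check mentioned in this list and under Compatibility matters in both directions: if the application sees the proxy's address, every visitor shares one IP, and if it trusts a forwarded header from anyone, a client can choose its own. The sketch below is an added example, not XenForo or XF Bot Guard code; `clientIp`, `ipInCidr`, and the proxy ranges are assumptions for illustration.

```php
<?php
// Added illustration, not XenForo or XF Bot Guard code. The trusted proxy
// ranges below are placeholders; use your proxy or CDN's published ranges.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid address, or IPv4 compared against IPv6
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits === null ? $max : (int) $bits;
    if ($bits < 0 || $bits > $max) {
        return false;
    }
    $full = intdiv($bits, 8);   // whole bytes covered by the prefix
    $rem  = $bits % 8;          // leftover bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return $rem === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function clientIp(string $remoteAddr, ?string $xff, array $trusted): string
{
    $isTrusted = function (string $ip) use ($trusted): bool {
        return (bool) array_filter($trusted, function ($c) use ($ip) { return ipInCidr($ip, $c); });
    };
    // The header only means something when the TCP peer is one of our proxies.
    if ($xff === null || !$isTrusted($remoteAddr)) {
        return $remoteAddr;
    }
    // Each proxy appends the peer it saw, so read right to left and stop at
    // the first hop that is not ours. Anything further left is client-supplied.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;
        }
        $remoteAddr = $hop;
        if (!$isTrusted($hop)) {
            break;
        }
    }
    return $remoteAddr;
}

// Constructed requests (documentation IP ranges): proxied, proxied with a forged entry, direct.
$trusted = ['10.0.0.0/8', '2001:db8:ffff::/48'];
echo clientIp('10.0.0.5', '198.51.100.20', $trusted), PHP_EOL;
echo clientIp('10.0.0.5', '192.0.2.99, 198.51.100.20', $trusted), PHP_EOL;
echo clientIp('203.0.113.50', '192.0.2.99', $trusted), PHP_EOL;
```

In the second call the leftmost entry was supplied by the client and is ignored; in the third the peer is not a trusted proxy, so the header is ignored entirely.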
Full documentation
For installation, safe rollout, privacy details, Cloudflare setup, troubleshooting, and emergency recovery instructions, please read the full documentation:
XF Bot Guard documentation
Support
XF Bot Guard is free to download and use.
If you need help, please use the discussion thread and include as much useful detail as possible:
- XenForo version
- PHP version
- Hosting/proxy/CDN setup
- Whether Cloudflare is used
- Relevant Bot Guard log entries
- The route/path affected
- Whether the user passed browser validation or CAPTCHA
- Any recent setting changes
Reviews are appreciated if the add-on helps protect your forum.