JTZL's Bot Maze

No. Trap links are hidden from humans using CSS and include rel="nofollow". Trap pages send X-Robots-Tag: noindex, nofollow headers. The plugin also adds Disallow rules to robots.txt for the trap path.

The plugin adds a Disallow rule for the trap base path so well-behaved crawlers (Googlebot, Bingbot, and similar) stay out of the trap maze instead of wasting crawl budget on it. It does this through the robots.txt that WordPress generates — the "virtual" robots.txt — using the standard robots_txt filter. It does not write a file to your server. What this means in practice:

• No physical robots.txt file: the rule is added automatically, alongside whatever WordPress and other plugins (e.g. your SEO plugin's sitemap line) already output.
• A static robots.txt file exists at your site root: your web server serves that file directly and WordPress never runs, so neither this plugin nor any other can modify it. The rule will not appear until you add it to that file.
• An SEO plugin manages robots.txt: the rule is added at a late priority so it survives plugins that replace the generated file (such as Rank Math's editor). Yoast appends without removing other rules, so it is unaffected. If the rule still doesn't appear, add it through that plugin's robots.txt editor.

Yes. Trap link injection happens during content rendering, so cached pages will include the trap links. The trap pages themselves are served dynamically and should be excluded from page caching (they use custom query vars that most caching plugins ignore by default).

Known search engine crawlers are verified via reverse DNS lookup. Verified crawlers are exempted from bot scoring even if they follow trap links.

Trap pages are generated from a built-in content template engine that produces realistic-looking text. The content varies based on a seed value to ensure each page looks different.

• Block (403) — Returns a 403 Forbidden response. Lowest server cost.
• Light tarpit — Serves a decoy trap page with more trap links. No delay.
• Full tarpit — Same as light tarpit but adds a 1-second delay, holding the PHP worker longer.

Check the Bot Maze analytics dashboard in the WordPress admin. It shows total trap visits, unique bot IPs, score distribution, and top offenders.

Cloudflare mode trusts the CF-Connecting-IP header only when the request comes from Cloudflare's published edge IP ranges. Because those edge IPs are shared by every Cloudflare customer, this proves a request came from some Cloudflare edge, not specifically from your zone. In plain terms: your server must not be reachable directly by its own IP address — only through Cloudflare. Putting your site behind Cloudflare's proxy (the orange cloud) hides your server's IP but does not block direct connections to it; if someone discovers the IP, they can still reach the server and bypass Cloudflare. A quick check: if your site still loads when you request it by its raw server IP, the origin is exposed. To lock the origin down, use any one of: Cloudflare Tunnel (your server has no public inbound port at all), Authenticated Origin Pulls (the origin requires Cloudflare's client certificate), or a firewall that allows inbound web traffic only from Cloudflare's IP ranges. If your origin stays reachable directly, visitor IP attribution can be influenced by requests outside your zone, and bots can bypass Cloudflare's own protections by hitting the origin directly.