abigah/bot-cop
==============

Version 0.8 | MIT | PHP | [Source](https://github.com/abigah/bot-cop) | [Packagist](https://packagist.org/packages/abigah/bot-cop) | [Issues](https://github.com/abigah/bot-cop/issues)

Bot Cop - Statamic Addon
========================

**Tired of those bots cluttering your server logs, looking for WordPress vulnerabilities? There's a reason you are using Statamic, you don't need to provide valuable server resources to these bots.**

**Sure, you can set up fail2ban everywhere and accidentally lock yourself out of your server. Or... you can use Bot Cop to watch 404 traffic and integrate with Cloudflare or Laravel Forge to prevent the bot from getting to your server in the first place.**

Features
--------

This addon integrates with:

- Cloudflare IP List (then you can set up rules on how to handle it)
- Laravel Forge (UFW)

Now with Laravel's built-in rate-limiting to catch the poorly configured spiders.

How to Install
--------------

You can install this addon via Composer:

```
composer require abigah/bot-cop
```

How to Use
----------

The following environment variables are mandatory for the addon to operate. Add them to your project's .env file.

If you aren't using Cloudflare or Forge, remove that option. You can just use Logging but that wouldn't be very helpful.

```
BOT_COP_ENABLED_SERVICES=logging,cloudflare,forge
```

### Add your Cloudflare information. (Requires Cloudflare Proxying turned on in DNS)

1. Create an Account API Token. On your Cloudflare dashboard, go to Manage Account > Account API Tokens and Create Token. Give it two privileges: Account.Account Filter Lists.Read and Account.Account Filter Lists.Edit.

```
BOT_COP_CLOUDFLARE_API_TOKEN=
```

2. On your Cloudflare dashboard, go to Manage Account > Configurations > Lists. Create a new list.
3. You then need to create the Rule to tell Cloudflare what to do with the IPs on the list. Head to your project's domain and go to Security > Security Rules and Create a Rule. Call it whatever you want. Choose IP Source Address - is in list - botcop. Select the action you want to take (Managed Challenge is fine), then save it.
4. Add your API token, Account ID and List ID to the following .env variables. The Account ID and List ID are the UUIDs found in the URL when looking at the list.

```
BOT_COP_CLOUDFLARE_ACCOUNT_ID=waasofu9qgfqtc0h97gl5o2amt1tn0ts
BOT_COP_CLOUDFLARE_LIST_ID=bxwtz2gmte7115m3vamy8yq7ly2m4i1i
```

### Add your Laravel Forge information.

If you aren't using Cloudflare or Proxying, you can use Laravel Forge's API to work with UFW.

Note: If you use Cloudflare Proxy or another firewall that acts as a proxy and changes the IP address, UFW will not see the real IP. So Bot Cop will add it to the firewall but it won't actually deny the right IP. I personally run the Cloudflare and Forge options. I just feel more powerful banning the IP from both.

1. Head to  and create a token. Copy and paste it into the following .env variable. IT IS VERY LONG. LEAVE IT ON ONE LINE.

```
BOT_COP_FORGE_API_TOKEN=THISSTRINGGOESONANDONANDONANDONONANDONANDONANDONONANDONANDONANDONONANDONANDONANDONONANDONANDONANDONONANDONANDONANDONONANDONANDONANDONONANDONANDONANDON
```

2. Choose the server your project is on and grab the server ID. Add it to this .env variable. If you have multiple servers hosting the site, you'll want to add the server ID to each individual .env file.

```
BOT_COP_FORGE_SERVER_ID=0000000
```
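
A pre-deploy check for the variables above, as an added example that is not part of Bot Cop: it confirms that every service named in `BOT_COP_ENABLED_SERVICES` has its variables set, that no README sample value was left in place, and that the Forge token was not wrapped onto a second line. The function names are made up here, and treating any service other than `logging`, `cloudflare` and `forge` as a problem is an assumption based on this README.

```shell
#!/bin/sh
# Added example (not part of Bot Cop): lint a .env file for the variables this README names.

# env_get FILE KEY: print KEY's value (last assignment wins, surrounding quotes removed).
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# botcop_env_check FILE: print one PROBLEM line per finding; succeed only if there are none.
botcop_env_check() (
    file=$1
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # A token pasted across several lines leaves lines that are not KEY=VALUE.
    stray=$(grep -n -v -E '^[[:space:]]*(#.*)?$|^[A-Za-z_][A-Za-z0-9_]*=' "$file" |
        cut -d: -f1 | paste -sd, -)
    [ -z "$stray" ] || fail "line $stray is not KEY=VALUE (wrapped Forge token?)"

    # Sample values copied from the README are not real credentials or IDs.
    if grep -q -E 'THISSTRINGGOESON|waasofu9qgfqtc0h97gl5o2amt1tn0ts|bxwtz2gmte7115m3vamy8yq7ly2m4i1i' "$file"; then
        fail "a README sample value is still in place"
    fi

    services=$(env_get "$file" BOT_COP_ENABLED_SERVICES)
    [ -n "$services" ] || fail "BOT_COP_ENABLED_SERVICES is empty or missing"

    for svc in $(echo "$services" | tr ',' ' '); do
        case $svc in
            logging)    required= ;;
            cloudflare) required="BOT_COP_CLOUDFLARE_API_TOKEN BOT_COP_CLOUDFLARE_ACCOUNT_ID BOT_COP_CLOUDFLARE_LIST_ID" ;;
            forge)      required="BOT_COP_FORGE_API_TOKEN BOT_COP_FORGE_SERVER_ID" ;;
            *)          required=; fail "service '$svc' is not one the README lists" ;;
        esac
        for key in $required; do
            [ -n "$(env_get "$file" "$key")" ] || fail "$svc is enabled but $key is empty or missing"
        done
    done

    [ "$problems" -eq 0 ]
)

# Usage: sh botcop-env-check.sh path/to/.env
[ $# -eq 0 ] || botcop_env_check "$1"
```

Run it in the deploy pipeline so a missing or wrapped value fails the build instead of silently disabling a service.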

### Ensure the scheduler is set up (the Statamic one)

As long as the scheduler is set up, IPs will be unbanned after an hour (customizable). If you don't set it up, you'll have to remove the IPs manually. We default to running the removal command every 30 minutes to prevent issues with rate-limiting.

### Optional Configuration

```
# true or false (defaults to true)
BOT_COP_RATE_LIMIT_TOGGLE=true
# defaults to 20
BOT_COP_RATE_LIMIT_HITS_PER_MINUTE=60
# If you're using Glide, you'll want to include your public image folder
BOT_COP_RATE_LIMIT_EXTENDED_ALLOWED_PATHS='heartbeat,alive,assets'
# Running a server monitor on a multisite? You'll want to allow the IP
BOT_COP_EXTENDED_ALLOWED_IPS='xxx.xxx.xxx.xxx'
# A comma-delimited string of paths to block
BOT_COP_EXTENDED_BLOCKED_PATHS='botcop,banme'
```

Some things to watch for...
---------------------------

### Rate-limiting

If you are using Glide, the request isn't always clearly an image, so make sure your asset container's public directory is not rate-limited. To prevent the server from doing all the work when a bot is misconfigured, the rate-limiter (when enabled, which is the default) engages before the 404 check. The allowed IP and allowed path lists are also checked ahead of the 404 check, so rate-limiting isn't triggered on an allowed IP or on Livewire updates.
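
To choose `BOT_COP_RATE_LIMIT_HITS_PER_MINUTE` and the allow lists before turning the limiter on, you can replay an existing access log against them. This added example is not Bot Cop's code; it assumes the combined log format, calendar-minute buckets and an allowed path that matches the first URL segment, and `botcop_rate_preview` and `botcop_sample_log` are hypothetical names.

```shell
#!/bin/sh
# Added example (not part of Bot Cop): preview which clients in an access log would
# exceed BOT_COP_RATE_LIMIT_HITS_PER_MINUTE once allowed paths and IPs are excluded.
# Assumptions: combined log format, calendar-minute buckets, and an allowed path
# matching the first URL segment. Bot Cop's own matching may differ.

# botcop_rate_preview LOG LIMIT ALLOWED_PATHS ALLOWED_IPS  (lists are comma-delimited)
# Prints "ip peak_hits_in_one_minute" for each client whose peak is above LIMIT.
botcop_rate_preview() {
    awk -v limit="$2" -v paths="$3" -v ips="$4" '
    BEGIN {
        n = split(paths, p, ","); for (i = 1; i <= n; i++) okpath[p[i]] = 1
        n = split(ips, a, ",");   for (i = 1; i <= n; i++) okip[a[i]] = 1
    }
    {
        if ($1 in okip) next                 # allowed IPs are never counted
        minute = substr($4, 2, 17)           # "[10/Oct/2025:13:55:36" -> "10/Oct/2025:13:55"
        path = $7; sub(/[?#].*/, "", path)   # drop the query string
        split(path, seg, "/")                # "/assets/a.jpg" -> seg[2] = "assets"
        if (seg[2] in okpath) next           # allowed paths are never counted
        c = ++hits[$1, minute]
        if (c > peak[$1]) peak[$1] = c
    }
    END { for (ip in peak) if (peak[ip] > limit + 0) print ip, peak[ip] }
    ' "$1" | sort
}

# Constructed sample log: a scanner, a Glide-heavy visitor and a server monitor,
# five requests each within one minute (use a limit of 3 to see the effect).
botcop_sample_log() {
    for s in 01 02 03 04 05; do
        printf '203.0.113.7 - - [10/Oct/2025:13:55:%s +0000] "GET /wp-login.php?x=%s HTTP/1.1" 404 0 "-" "-"\n' "$s" "$s"
        printf '198.51.100.9 - - [10/Oct/2025:13:55:%s +0000] "GET /assets/img-%s.jpg HTTP/1.1" 200 0 "-" "-"\n' "$s" "$s"
        printf '192.0.2.10 - - [10/Oct/2025:13:55:%s +0000] "GET /status HTTP/1.1" 200 0 "-" "-"\n' "$s"
    done
}
```

With the sample log, a limit of 3 and no allow lists, all three clients are reported; adding `assets` to the allowed paths and the monitor's IP to the allowed IPs leaves only the scanner.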

### Cloudflare only allows 1 custom list on the free plan.

It can handle 10000 IPs so you should be okay as long as you are treating the bans as temporary. This addon doesn't use WAF due to requiring the Enterprise Plan, but if you want us to, reach out. If you have multiple domains you want to protect, you can. Read on...

### Multiple Projects

There are a number of options in the config file that you can override. If you use this addon in multiple projects, you can set up the Cloudflare and Forge rule names so each project will add and remove the IPs with that name filter. However, it won't allow you to add the same IP address if it is already in the list, so you may end up removing it even though the bot may be trying to hit the second site. The first 404 on the other site will add it back though. It could have some interesting race conditions in the logs but it shouldn't cause a problem.

```
BOT_COP_CLOUDFLARE_RULE_NAME=YouCanMakeThisSiteSpecific
BOT_COP_FORGE_RULE_NAME=YouCanMakeThisSiteSpecific
```

### Statamic Multisite / Other sites on the same server

Once an IP is added to the list, it is unable to see any other sites using the same IP list (Cloudflare) or on the same server (Laravel Forge). This addon is live on a multisite with over 30 URLs and works great.

### Temporary Bans vs Permanent

Most jailing of bots and spiders is done temporarily. If you want to use the same IP list or firewall to ban an IP permanently, give it a different name or comment than the config file and it won't automatically remove it.

### Can I add to the allowed list?

Of course, you can publish the config or give us a PR. I'm also working on a Control Panel dashboard to make it something that can be done there to prevent having to deploy. Note that when you publish the config, you won't get our updates to it so you may want to hold off until we solidify all the variables.

### Can I add to the blocked list?

For sure, you can publish the config or give us a PR. I'm also working on a Control Panel dashboard to make it something that can be done there to prevent having to deploy. Note that when you publish the config, you won't get our updates to it so you may want to hold off until we solidify all the variables.

### I'm using a different firewall or proxy, will you support it?

Maybe. You can do a PR or if you want to work with us to do it, let me know and I'll see what I can do.

### I found a bug / security issue

For security-related issues, email . For other issues, put them into the issues board in GitHub. Don't put your tokens or anything in there please.

