Official WordPress Plugin

PureGuard Performance

Bot protection for WordPress in five simple modes. Every visitor is sorted into Humans, Suspicious, or Bots by the PureGuard 18-layer engine — then your mode decides: monitor, block bots, challenge the uncertain, allow humans only, or lock the whole site down. Branded challenge & block pages, a censorship-friendly VPN filter, and a live Security/Performance dashboard built in.

Download Free Plugin Get it on WordPress.org
v6.0.0 WordPress 5.6+ PHP 7.4+ GPL v2

What It Does

PureGuard Performance sits between your traffic source and your landing page. It runs two independent detection phases before any visitor interacts with your content.

Phase 1: Server-Side WAF

18+ detection layers execute before WordPress loads. IP reputation (FireHOL + CrowdSec), bot UA signatures, datacenter ASN detection, Chrome version analysis, Sec-Fetch header validation, burst rate limiting, and more. Bots are blocked in under 5ms — they never see your page.

Phase 2: Browser Verification

10 client-side integrity checks run in the real browser: Canvas fingerprint, WebGL renderer, AudioContext hash, math precision, hardware concurrency, timezone consistency, touch API presence, devtools detection, headless browser flags, and runtime injection checks.

JS Challenge Page

Filtered-tier visitors are served a lightweight verification page with SHA-256 proof-of-work + 10 browser integrity checks. Real browsers solve it in 1-3 seconds. Bots and headless browsers fail. Passed visitors get an HMAC-signed cookie valid for 1 hour.

Five Security Modes

Off (monitor only), Medium (block confirmed bots), High (block bots + challenge suspicious), Strict (humans only), and Lockdown (emergency block-everyone — admins and search engines always excepted). One radio button, no unsafe combinations.

Censorship-Friendly VPN Filter

Audience behind censorship browsing via VPN? One toggle and visitors flagged only for VPN / proxy / hosting-network signals are never hard-blocked — they get the quick browser check instead. Humans pass in seconds; bots cannot. Real bot evidence still blocks.

Branded Gate Pages

Your logo, brand name, accent color, and dark/light theme on both the challenge and block pages. Blocked visitors see their IP, an incident ID, and an "I am human" report button — reports land on your dashboard. One-click previews before anything goes live.

Engagement Tracking

Real-time engagement beacons fire at 10s, 30s, and 60s intervals. Scroll depth percentage, click events, and time-on-page are tracked and reported to your PureGuard dashboard. Prove your traffic quality with hard data.

Zero Performance Impact

The server-side WAF runs before WordPress boots — blocked bots consume zero PHP resources. The client-side script loads with defer attribute, never blocking page render. Your Core Web Vitals stay clean.

Dashboard Integration

All data flows to your PureGuard dashboard in real time. See tier breakdowns in Zone Quality, watch engagement metrics in Live Traffic, and track per-zone performance. WordPress admin shows a summary widget.

How It Works

Traffic passes through two independent detection phases before reaching your content.

1

Traffic Arrives

Visitor clicks your ad and lands on your WordPress site via PureGuard click URL

2

Server-Side Guard

18+ detection layers run before WordPress loads. Bots blocked in <5ms. Zero page resources consumed.

3

Browser Verification

10 integrity checks confirm the visitor is a real browser, not a headless bot or emulator.

4

Mode Decides

Visitor is classified as Human, Suspicious, or Bot — your security mode decides who passes, who is challenged, and who sees the block page.

Humans, Suspicious, Bots — and Five Modes

Every visitor gets one of three classifications; the security mode you pick decides what happens to each.

Humans

Trust score at or above your human line (default 5.5). Real device, real browser, clean network, consistent headers. Always allowed in every mode except Lockdown.

Suspicious

Not clearly human, not clearly bot. Passes in Medium, must solve the quick browser check (SHA-256 proof-of-work + 10 integrity checks, 1–3 seconds for real people) in High, and is blocked in Strict.

Bots

Confirmed by hard evidence: bot user-agents, IP blocklists, headless signatures, burst patterns, impossible browser fingerprints. Blocked in every enforcing mode — shown your branded block page or sent to a dump URL you choose.

Installation

Get up and running in under 2 minutes. No coding required.

Step 1 — Download

Click the download button above to get the ZIP file. No account required to download.

Step 2 — Install

In WordPress, go to Plugins → Add New → Upload Plugin. Select the ZIP file and click Install Now.

Step 3 — Activate

Activate the plugin, then navigate to Settings → PureGuard in your WordPress admin panel.

Step 4 — Connect

Enter your PureGuard workspace key (available in your account settings) and save. Protection starts immediately.

Safe by design: search engines and social crawlers are always allowed, logged-in users are skipped, verdicts are cached per visitor, and the plugin fails open — if the detection API is ever unreachable, visitors are allowed through, never blocked. Each site reports under its own domain, so one site's reputation never affects another's.

Technical Specifications

Built for performance-critical media buying environments.

<5ms
Server-side decision time
18+
Detection layers
10
Browser integrity checks
3
Engagement beacon intervals
Real-time
Dashboard sync
0ms
Render blocking

Server-Side Detection Layers

These checks run before WordPress loads. Bots never consume your server resources.

FireHOL IP Blocklist — Real-time community threat intelligence
CrowdSec Blocklist — Crowd-sourced IP reputation data
Bot UA Detection — Selenium, Puppeteer, PhantomJS, WebDriver signatures
Ad Fraud UA Patterns — Criteo, DoubleVerify, Pixalate, Snobi crawlers
Chrome Version Analysis — Fake Chrome detection via UA Reduction rules
Sec-Fetch Validation — Browser-enforced unforgeable navigation headers
Datacenter ASN Check — AWS, GCP, Azure, OVH, Hetzner, 50+ providers
Header Consistency — Accept-Encoding, Connection, Sec-CH-UA correlation
HTTP Version Check — Chrome 80+ must use HTTP/2, not HTTP/1.0
Burst Rate Limiting — Same IP exceeding threshold in time window
MaxMind GeoIP2 — Country verification and hosting ASN detection
Referer Validation — Empty referer detection from RTB sources
TLS Fingerprint — TLS version from Cloudflare header analysis
Header Order Hash — CRC32 of HTTP header ordering patterns
Accept-Language — Language vs country consistency check
Device Model Analysis — Chrome UA Reduction aware device verification
Zone Reputation — Per-zone trust scoring from historical data
Trust Scoring Engine — Combined 0-10 score from all signal layers

Frequently Asked Questions

Do I need a PureGuard account?

Yes. The plugin connects to your PureGuard workspace via an API key. Create a free account to get your workspace key. The Starter plan includes 100,000 checks per month at no cost.

Will it slow down my site?

No. The server-side WAF blocks bots before WordPress loads, so blocked traffic consumes zero PHP resources. The client-side script uses defer loading — it never blocks page render. Your Core Web Vitals are unaffected.

Does it affect organic traffic or SEO?

No. The plugin only activates on pages loaded with PureGuard tracking parameters (pg_z and pg_src). Organic visitors from Google, social media, or direct links are completely unaffected. Search engine crawlers are never blocked.

My readers use VPNs to escape censorship. Will they be blocked?

No — turn on the censorship-friendly filter. Visitors flagged only for VPN / proxy / hosting-network signals are never hard-blocked; at most they see a quick automatic browser check that real people pass in seconds. Built for audiences in censored countries.

Can I see what the plugin is doing?

Yes — the PureGuard Live dashboard inside wp-admin shows a Security view (hourly charts, visitor mix, top blocked IPs, countries, reasons, live feed) and a Performance view (API latency, cache efficiency, blocked page-loads saved), powered by a local 30-day event log in your own database.

Which traffic sources does it work with?

Any traffic source that can send visitors through a PureGuard click URL. This includes PopAds, RollerAds, HilltopAds, PropellerAds, ExoClick, ClickAdilla (including RTB), and any source that supports redirect tracking.

Can I use it on multiple WordPress sites?

Yes. Install the plugin on as many sites as you need. Each site connects to the same PureGuard workspace key. All traffic data is aggregated in your dashboard.

Start Protecting Your WordPress Traffic

Download the plugin, install in 2 minutes, and see your first traffic quality report within the hour.

Download Plugin Create Free Account