XF Bot Guard 1.3.0

• Sets the X-Robots-Tag: noindex, nofollow, noarchive header on bot-guard/ routes, making a stronger effort to ensure well-behaved bots ignore Bot Guard routes instead of attempting to crawl AJAX endpoints and challenge pages.
  
  
• Introduces a new option, Preserve inactive XenForo CAPTCHA keys. When enabled, which is off by default, this adjusts the standard XenForo CAPTCHA options area so inactive CAPTCHA configurations are preserved instead of being removed. This allows multiple CAPTCHA configurations to be entered and retained, so one can be used for XenForo generally while another can be selected specifically for Bot Guard. Without this option, XenForo only retains the active CAPTCHA configuration and silently deletes the others.
  
  
• Data pruning now handles much larger data clean-up volumes on a far more frequent cycle. This should better support very large sites and datasets. If your forum is currently behind on data pruning, it should now become more proactive in keeping table sizes within the configured retention periods. Initial pruning may still take some time, as it still does not execute everything at once to avoid unnecessary server load, but it will now be far more aggressive about keeping retained data under control.
  
  
• Fixes a bug where nginx rewrite configurations could cause Bot Guard to miscalculate its collector nonce paths. This caused a nonce mismatch for every visitor, resulting in Bot Guard challenging every single visitor. nginx rewrite configurations are now specifically accounted for, and Bot Guard should now operate cleanly on those installation configurations.

Important upgrade notice for Cloudflare / trusted proxy customers: Before upgrading, please review the upgrade notes and ensure the existing Origin lockdown acknowledged for trusted proxy signals option is correctly set where applicable.

Release type: Minor feature release

This release adds a new Quick settings workflow to make XF Bot Guard easier to configure safely, especially for first rollout, normal production use, active bot attacks, and SEO-sensitive sites. The new workflow previews what will change before applying settings, highlights blockers and warnings, and preserves sensitive or site-specific configuration that should not be overwritten by a preset.

The release also includes bundled documentation, improved Admin Control Panel navigation, better event log filtering, safer trusted proxy signal handling, dashboard/UI polish, and Cloudflare Edge Enforcement reliability improvements.

Added

Added a new Quick settings page in the XF Bot Guard Admin Control Panel section.
Added guided configuration profiles for cautious first rollout, balanced production use, active bot storm protection, and SEO-sensitive overlay protection.
Added a settings preview before applying recommended profiles, making it easier to see exactly what will change.
Added checks for blockers, warnings, and preserved settings before recommended settings are applied.
Added bundled local documentation covering installation, upgrading, setup, protected areas, exclusions, crawler handling, cache/CDN behaviour, dashboard use, event logs, Cloudflare Edge Enforcement, privacy, retention, troubleshooting, and testing.
Added improved reason-code lookup support for event log filtering and reporting.

Improved

Improved the Admin Control Panel navigation by organising Bot Guard pages into clearer sections for Quick settings, Dashboard, Advanced tools, and Cloudflare Edge Enforcement.
Improved recommended-settings safety by preserving sensitive and site-specific options such as Cloudflare Edge settings, raw IP storage, custom exclusions, protected routes, content types, user groups, IP exclusions, and custom trusted crawler domains.
Improved setup readiness checks around cache behaviour, CAPTCHA availability, Bot Guard assets, template modifications, crawler data, and required Bot Guard data stores.
Improved raw event log filtering with clearer selectable filters for decisions, event types, and reason codes.
Improved event log investigation tools with better support for reason-code filtering and guarded route/path searches.
Improved dashboard presentation and admin styling, including better dark-mode-friendly chart behaviour and more consistent XenForo theme integration.
Improved table and admin page usability with better scrolling, layout, and action-link handling.
Improved Cloudflare Edge Enforcement sync handling, including clearer handling of in-progress operations, rate limits, deleted candidates, suppressed candidates, pending states, and retry states.
Improved Cloudflare Edge sync logs so progress and failure states are easier to understand.
Improved trusted proxy safeguards for Cloudflare and other trusted proxy setups.

Changed

Changed the Bot Guard add-on links to focus on built-in documentation and support, rather than listing multiple direct admin URLs.
Changed the options layout to make related settings easier to find and understand.

Upgrade notes

Cloudflare and trusted proxy customers should review the important upgrade notice above before upgrading.
Minimum XenForo and PHP requirements are unchanged.
Default option values are unchanged.
Existing retained event data may be backfilled for improved reason-code filt

Minor update to the Members Online feature.

• Visitors currently being challenged or validated by XF Bot Guard are now kept out of XenForo’s robot classification, keeping the online list and Bot Guard counts better aligned.
• Trusted or explicitly allowed bot traffic are now marked as robots in XenForo’s online activity where appropriate.

This update was added because XenForo’s robot detection is primarily based on User-Agent values, which can be easily spoofed. XF Bot Guard has stronger signals available, so this update helps align XenForo’s online activity classification with XF Bot Guard’s trust and challenge decisions.

This is a minor maintenance release that refines how XF Bot Guard reports visitor activity within XenForo.

• Prevented the background browser verification collector from appearing as a visitor’s current page in XenForo’s online activity displays.
• Improved activity reporting so genuine visitors are less likely to appear as though they are viewing an internal verification endpoint while browsing normally.
• No challenge behaviour, verification logic, or visitor tracking decisions have been changed in this release.