Frequently Asked Questions

Find answers to common questions about our bot protection services and cybersecurity solutions.

1. General Information

Boteraser is a robust bot protection service designed to shield your website or server from unwanted bots, spam, and other automated threats. It employs a variety of filtering techniques to distinguish between legitimate users and harmful bots, designed to help improve website security and support stable performance.

Boteraser offers two flexible protection solutions to meet different needs and technical requirements:

1. Script-Based Protection (Server-Side)

Available in two tiers — Standard and PRO:

  • BE Client (Standard):
    • Analyzes web server log files via cron job (every 5 minutes)
    • IP blocking at server level
    • Identifies bot names and patterns
    • Minimal resource usage, works with any web application
  • BE Client PRO:
    • Runs as a systemd daemon, continuously monitoring live network traffic
    • Protects ALL services (SSH, FTP, MySQL, email, DNS, etc.), not just HTTP/HTTPS
    • Uses JA4 TLS fingerprinting to detect bots by behavioral signature — independent of IP address
    • Blocks entire botnets even when they rotate through thousands of IPs
    • Network-level blocking with ipset + iptables (IPv4 & IPv6)
    • Requires root access
  • Best For:
    • System administrators with server access
    • VPS and dedicated server environments
    • Custom applications and websites
    • Users who prefer server-level protection
2. WordPress Plugin Protection
  • Installation Method: Easy-to-install WordPress plugin
  • Operation: Integrates seamlessly with WordPress admin dashboard
  • Best For:
    • WordPress website owners
    • Users without server access
    • Shared hosting environments
    • Non-technical users who prefer GUI management
  • Features:
    • One-click installation and setup
    • WordPress dashboard integration
    • Statistics and reports
    • Advanced configuration options
    • Automatic updates
    • Multisite network support
Which Option Should You Choose?
  • Choose Script-Based Protection if:
    • You have server/VPS access
    • You manage multiple websites on the same server
    • You prefer console-based management
    • You’re using non-WordPress platforms
  • Choose WordPress Plugin if:
    • You’re using WordPress
    • You prefer dashboard-based management
    • You’re on shared hosting
    • You want visual reports and statistics

Note: All protection methods use the same Boteraser threat intelligence. BE Client PRO adds an additional layer of detection through JA4 TLS fingerprinting, making it the strongest option for servers that need to stop sophisticated, IP-rotating botnets. The right choice depends on your technical requirements and hosting environment.

Shield is a protection profile — a named set of filter rules and IP lists that defines how Boteraser should handle traffic. Think of it as a security policy you configure once and then apply to one or more domains.

The relationship between Boteraser components works like this:

  1. Account — your Boteraser user account.
  2. Subscription — a paid plan (Standard or PRO) that unlocks protection features.
  3. Shield — a protection profile with your chosen filter settings and IP lists.
  4. API Key — ties a specific domain to a Subscription and a Shield. One API key per domain.
  5. BE Client — the software installed on your server that uses the API key to communicate with Boteraser and enforce the Shield rules.

In short: your Shield defines what to block, and the API key + BE Client determine where those rules are applied.

Boteraser is designed to work with a wide range of environments:

  • Web servers: Apache, Nginx, OpenLiteSpeed, LiteSpeed
  • Platforms: Any PHP-based application, WordPress (via dedicated plugin), Node.js, Python, and others — since the BE Client operates at the server/network level, not the application level
  • Operating systems: Linux (Debian/Ubuntu, CentOS/RHEL and compatible distributions)
  • Hosting types: VPS, dedicated servers, cloud instances. Shared hosting is supported for the Standard BE Client and WordPress plugin, but PRO requires root access.

2. Why do you need Boteraser protection?

Your website is under constant attack from:

  • Automated Bot Attacks:
    • Over 40% of all web traffic consists of unwanted bots
    • 24/7 automated scanning for vulnerabilities
    • Brute force attacks on login pages
    • SQL injection attempts
    • Cross-site scripting (XSS) attacks
  • DDoS Attacks:
    • Overwhelming your server with traffic
    • Making your website inaccessible to legitimate users
    • Can cost thousands in lost revenue and recovery
  • Data Scraping:
    • Stealing your content and intellectual property
    • Competitive intelligence gathering
    • Price scraping for competitive advantage
  • Spam and Abuse:
    • Form spam flooding your contact forms
    • Fake account registrations
    • Comment spam on blogs and forums

The Reality: Without protection, your website receives hundreds of unwanted requests every day. Most website owners are unaware of these constant attacks until it’s too late.

Business Impact of Security Breaches:

  • Financial Losses:
    • Average cost of a data breach: $4.45 million
    • Website downtime costs: $5,600 per minute for e-commerce
    • Recovery and cleanup expenses
    • Legal fees and regulatory fines
    • Lost sales during downtime
  • Reputation Damage:
    • Loss of customer trust and confidence
    • Negative media coverage
    • Social media backlash
    • Long-term brand damage
    • Customer churn and reduced loyalty
  • Operational Disruption:
    • Website and service downtime
    • IT resources diverted to incident response
    • Business process interruption
    • Employee productivity loss
  • Legal and Compliance Issues:
    • GDPR fines up to €20 million
    • CCPA penalties and lawsuits
    • Industry-specific compliance violations
    • Customer litigation

Statistics: 60% of small businesses close within 6 months of a cyber attack. The average time to detect a breach is 287 days, giving attackers plenty of time to cause damage.

Limitations of Common Security Approaches:

  • Basic Firewalls:
    • Only block known bad IPs
    • Can’t distinguish between good and bad bots
    • Limited to simple rule-based filtering
    • Reactive rather than proactive
  • SSL Certificates Alone:
    • Only encrypt data in transit
    • Don’t prevent unwanted traffic
    • Provide no bot protection
    • Can’t stop application-layer attacks
  • Plugin-Based Security:
    • Consume server resources
    • Can slow down your website
    • Often have security vulnerabilities themselves
    • Require constant updates and maintenance
    • Limited effectiveness against sophisticated attacks
  • Manual Security Management:
    • Time-consuming and error-prone
    • Requires specialized knowledge
    • Can’t respond to threats in real-time
    • Often reactive rather than preventive

The Modern Threat Landscape: Cyber criminals use sophisticated AI-powered tools, distributed networks, and constantly evolving tactics. Traditional security measures that worked 5 years ago are inadequate against today’s advanced persistent threats.

  • Threat Intelligence Features:
    • Continuously updated list of blacklisted IPs from multiple high-quality sources
    • Aggregated threat data from external sources that utilize machine learning and behavioral analysis
    • Pattern recognition and reputation-based indicators from trusted intelligence feeds
    • Global coverage through collaboration with multiple threat intelligence networks
  • Multi-Layer Defense:
    • IP reputation filtering from external security intelligence sources
    • Geolocation-based blocking using up-to-date IP data
    • User-agent insights derived from advanced bot signature databases
    • Rate limiting and throttling
    • Access control reinforced through combined detection signals from multiple sources
  • Cloud-Based Architecture:
    • No server resource consumption
    • Instant global updates
    • Scalable to handle any traffic volume
    • high-availability architecture designed to support reliable uptime
  • Intelligent Bot Detection:
    • Distinguishes between good and bad bots based on behavioral analysis
    • Allows search engines while blocking scrapers
    • Protects against sophisticated bot networks
    • Designed to minimize false positives for legitimate traffic
  • Proactive Defense:
    • Helps reduce the likelihood of threats reaching your server
    • Uses preventive mechanisms alongside detection techniques
    • Automatically adapts to new threat patterns
    • No configuration required

Boteraser uses a burst detection algorithm that analyzes traffic in 1-minute windows over the last 5 minutes. Instead of averaging traffic over the entire period, it identifies the minute with the highest number of requests per IP address. This means that even if a bot sends a flood of requests in just one minute and then goes quiet, BotEraser will still detect and block it — something traditional rate-based systems often miss.

Every Online Business Benefits from Protection:

  • E-commerce Websites:
    • Protect customer data and payment information
    • Prevent inventory scraping and price monitoring
    • Maintain website performance during traffic spikes
    • Protect against card testing and fraud attempts
  • SaaS and Technology Companies:
    • Protect APIs from abuse and over-usage
    • Prevent unauthorized access to premium features
    • Maintain service availability for paying customers
    • Protect intellectual property and code
  • Content Publishers and Blogs:
    • Prevent content scraping and plagiarism
    • Protect ad revenue from click fraud
    • Maintain website speed and user experience
    • Prevent comment and form spam
  • Financial Services:
    • Meet strict security compliance requirements
    • Protect sensitive financial data
    • Prevent fraud and unauthorized access
    • Maintain customer trust and confidence
  • Healthcare Organizations:
    • Protect patient data (HIPAA compliance)
    • Prevent unauthorized access to medical records
    • Maintain service availability for critical systems
    • Protect against ransomware attacks
  • Small and Medium Businesses:
    • Affordable enterprise-level security
    • No need for dedicated IT security staff
    • Protect reputation and customer trust
    • Focus on business growth, not security management

Reality Check: If your website has any value to your business, it has value to attackers. Size doesn’t matter – small websites are often targeted because they’re perceived as having weaker security.

Cost-Benefit Analysis:

  • Prevention vs. Recovery Costs:
    • Boteraser protection: $20/month (Standard) or $40/month (PRO)
    • Average breach recovery cost: $4.45 million
    • Website downtime: $5,600/minute
    • ROI: 1000:1 or better
  • Operational Savings:
    • Reduced server load and hosting costs
    • Less bandwidth consumption
    • Fewer support tickets and issues
    • No need for expensive security staff
    • Automated threat management
  • Business Value Protection:
    • Maintained customer trust and loyalty
    • Uninterrupted revenue generation
    • Protected brand reputation
    • Compliance with regulations
    • Peace of mind for business owners
  • Performance Benefits:
    • Faster website loading times
    • Better SEO rankings
    • Improved user experience
    • Higher conversion rates
    • Better customer satisfaction

Case Study Example: A medium e-commerce site paying $20/month (Standard) or $40/month (PRO) for Boteraser protection avoided a potential DDoS attack that could have caused $50,000 in lost sales during a busy shopping weekend. The ROI was over 249,000% in just one incident.

Speed of Modern Cyber Attacks:

  • Automated Attacks:
    • Bots can scan your entire website in minutes
    • Vulnerability exploitation in seconds
    • Data exfiltration in hours
    • No human intervention required
  • DDoS Attack Timeline:
    • 0-5 minutes: Attack begins, website slows
    • 5-15 minutes: Website becomes inaccessible
    • 15+ minutes: Revenue loss begins accumulating
    • Hours/Days: Customer trust erodes
  • Data Breach Progression:
    • Initial access: Minutes to hours
    • Lateral movement: Hours to days
    • Data discovery: Days to weeks
    • Data exfiltration: Hours to days
    • Detection: Average 287 days (if ever)
  • Business Impact Timeline:
    • Immediate: Lost sales and customers
    • Short-term: Reputation damage, media coverage
    • Medium-term: Customer churn, legal issues
    • Long-term: Brand damage, compliance fines

Real-World Example: A popular e-commerce site experienced a 3-hour DDoS attack during Black Friday. The attack cost them $180,000 in lost sales, plus another $50,000 in emergency mitigation costs. This could have been prevented with a $20/month Boteraser subscription.

The Bottom Line: In the digital world, threats move at the speed of light. Manual response and traditional security measures are too slow. You need automated, protection that works 24/7.

Boteraser’s Competitive Advantages:

  • Simplicity and Ease of Use:
    • Single line of code implementation
    • No complex configuration required
    • Works immediately after installation
    • User-friendly dashboard and controls
  • Performance Optimization:
    • Zero impact on website loading speed
    • Reduces server load by blocking bad traffic
    • Global CDN integration
    • Improves SEO rankings through better performance
  • Affordable Pricing:
    • Starting at $20/month or $149/year for Standard plans, and $40/month or $349/year for PRO plans
    • No setup fees or hidden costs
    • Transparent, predictable pricing
    • Enterprise features at SMB prices
  • Advanced Technology:
    • Multi-source threat intelligence aggregation
    • Automated global threat intelligence
    • Behavioral analysis and pattern recognition-based threat intelligence
    • Continuously updated protection algorithms
  • Customer Support:
    • Responsive technical support team
    • Comprehensive documentation
    • Community forums and resources
    • Regular security updates and improvements

Why Choose Boteraser:

  • Extensefly tested: Proven in real-world environments for reliability and trust
  • Designed for fast activation and early-stage threat mitigation
  • ✅ Scalable Solution: Grows with your business needs
  • ✅ No Lock-in: Cancel anytime with no penalties
  • Designed to reduce operational and security risks

Don’t wait for an attack to happen. Every day without protection is a day your website is vulnerable. Start your Boteraser protection today and join family of businesses that sleep better knowing their websites are secure.

3. Script-Based Protection (Standard & PRO)

BE Client (Standard) provides web server log analysis and bot protection for HTTP/HTTPS traffic. The automated installation script is the recommended method.

Run the following command in your terminal to install Boteraser:

curl -fsSL https://github.com/sofset-dev/boteraser/raw/refs/heads/main/be-client-install-script/be-install.sh | sudo bash

The script handles everything automatically: installs dependencies, downloads and unpacks the client package, sets file permissions, and configures ownership. You must run the script as root.

Important Note about Scheduling:

After installation, you must set up a crontab to run the script every 5 minutes:

crontab -e

Add this line:

*/5 * * * * /path/to/your/webroot/boteraser/be-client >/dev/null 2>&1

Warning: Do not run the script more frequently than every 5 minutes. More frequent execution will result in your API access being banned for that website.

After completing these steps, your website will be protected by our shield service.

If you prefer manual installation of BE Client (Standard), follow these steps:

  1. Download be-client-latest.tar.gz to your preferred location (recommended: /opt):
    cd /opt
wget https://github.com/sofset-dev/boteraser/raw/refs/heads/main/be-client/be-client-latest.tar.gz
  2. Extract the archive and enter the directory:
    tar -xzvf be-client-latest.tar.gz
cd boteraser
  3. Edit the configuration file. Open be.conf with a text editor:
    nano be.conf

    or

    vi be.conf

    In be.conf, enter:

    Example:

    API_KEY="<YOUR API KEY>"
LOG_PATH="/path/to/your/access.log"
  4. Set up automatic execution every 5 minutes using cron. Open the crontab editor:
    crontab -e

    Then add this line at the end:

    */5 * * * * /your/desired/folder/boteraser/be-client >/dev/null 2>&1

    Save and exit.

✅ That’s it! The Boteraser client will now run every 5 minutes and help protect your website automatically.

Important API Key Usage Rules:

  • Each API key can only be used for ONE website
  • Using the same API key on multiple websites may result in an immediate ban, depending on usage and policy violations.
  • For each additional website, you need to generate a new API key and buy new subscription
  • Banned API keys cannot be reactivated

Warning: API key misuse will result in permanent ban without the possibility of restoration. Please ensure you generate unique API keys for each website you protect.

Note: No security solution, including Boteraser, can guarantee 100% protection, as threats are always evolving. However, Boteraser stands out for its superior quality by combining multiple high-quality threat intelligence sources. The system adapts quickly to new risks, minimizes false positives, and delivers a thoughtful, layered approach that puts your website’s security first.

BE Client PRO provides network-level protection for all services on your server. The automated installation script is the recommended method.

Run the following command in your terminal to install Boteraser PRO:

curl -fsSL https://github.com/sofset-dev/boteraser/raw/refs/heads/main/be-client-pro-install-script/be-install-pro.sh | sudo bash

The script handles everything automatically: checks and installs all required dependencies (iptables, ipset, curl, gawk), downloads and unpacks the latest package, sets permissions, creates the configuration file, and sets up a systemd service that starts on boot. You must run the script as root.

During installation, you will be prompted for:

  • Installation directory
  • Your API key (generated at user.boteraser.com/api.php)
  • Network interface to monitor (e.g., eth0, ens3, enp0s3, or “any” for all interfaces)

Important Notes:

  • BE Client PRO requires a PRO subscription and root privileges
  • Protects ALL services: HTTP/HTTPS, SSH, FTP, MySQL, mail servers, DNS, and more

If you prefer manual installation of BE Client PRO, follow these steps:

  1. Download be-client-pro-latest.tar.gz to your preferred location (recommended: /opt):
    cd /opt
wget https://github.com/sofset-dev/boteraser/raw/refs/heads/main/be-client-pro/be-client-pro-latest.tar.gz
  2. Extract the archive and enter the directory:
    tar -xzvf be-client-pro-latest.tar.gz
cd boteraser-pro
  3. Edit the configuration file. Open be-pro.conf with a text editor:
    nano be-pro.conf

    or

    vi be-pro.conf

    In be-pro.conf, enter:

    • Your API KEY – you can get it at: user.boteraser.com/api.php
    • Set INTERFACE="auto" to use the first detected interface, "any" for all interfaces except loopback, or specify one directly (e.g., eth0).

    Example:

    API_KEY_PRO="<YOUR API KEY>"
INTERFACE="auto"

    Save and exit.

  4. Create a systemd service file using a text editor such as nano or vi:
    vi /etc/systemd/system/be-client-pro.service

    Then add this in the file:

    [Unit]
Description=Boteraser PRO Client
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/boteraser-pro
ExecStart=/opt/boteraser-pro/be-client-pro
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

    Save and exit.

  5. Reload systemd, enable the service, and start it:
    systemctl daemon-reload
systemctl enable be-client-pro
systemctl start be-client-pro
  6. Check the service status and view logs:
    systemctl status be-client-pro
journalctl -u be-client-pro -f

✅ That’s it! The Boteraser PRO client will now run every 5 minutes and help protect your server automatically.

Notes:

  • BE Client PRO requires a PRO subscription
  • Runs as a daemon — continuously monitors network traffic
  • Analyzes last 10000 packets every 5 minutes
  • Blocked IPs auto-expire after 24 hours
  • Supports both IPv4 and IPv6 (dual-stack)
  • Uses ipset + iptables for high-performance O(1) blocking
  • For web-only monitoring with bot name detection, use standard BE Client; for JA4 TLS fingerprint-based detection that catches IP-rotating botnets, BE Client PRO is the superior choice

Like all Boteraser clients, BE Client PRO uses blacklisted IP filtering, country blocking, and manual whitelist/greylist controls. But on top of that, it adds a layer of detection found only in a select few premium and enterprise-grade security platforms: JA4 TLS fingerprinting.

JA4 is the successor to JA3, the long-standing industry standard for TLS fingerprinting. JA4 was introduced in 2023 specifically to overcome JA3’s growing limitations — including the fact that modern browsers now randomize TLS parameters, rendering JA3 fingerprints increasingly unreliable. JA4 was engineered from the ground up to be stable, accurate, and resistant to evasion. Most bot detection tools on the market have not implemented it.

Here’s why it matters: every HTTPS connection begins with a TLS handshake that exposes a unique behavioral signature of the connecting software — completely independent of its IP address. BE Client PRO captures and analyzes this signature in real time, at the network layer, before the request ever reaches your web server.

The result: bots that rotate through thousands of IP addresses are still caught — because no matter how many IPs they use, their underlying fingerprint doesn’t change. An entire bot network can be identified and blocked from a single behavioral signature.

Most competing solutions still rely on IP addresses, User-Agent strings, and request patterns — all of which are trivially spoofed. BE Client PRO operates at a fundamentally deeper level, bringing enterprise-grade detection capability to your server.

BE Client PRO runs as a systemd daemon that continuously monitors network traffic. Every 5 minutes it analyzes captured packets, sends the data to our server for analysis, and then automatically blocks blacklisted IPs. Blocks last for 24 hours and are automatically refreshed.

Yes, if ip6tables is installed, Boteraser PRO will automatically protect IPv6 traffic. Otherwise, IPv6 addresses are skipped and you will see a warning during script execution.

You can use the following commands:

  • ipset list boteraser-pro-v4 – shows blocked IPv4 addresses
  • ipset list boteraser-pro-v6 – shows blocked IPv6 addresses (if supported)
  • ipset flush boteraser-pro-v4 – clears all IPv4 blocks
  • ipset flush boteraser-pro-v6 – clears all IPv6 blocks

BE Client (Standard): Yes, but it’s crucial that your web server is configured to receive the actual visitor’s IP address, usually via headers like X-Forwarded-For or CF-Connecting-IP (for Cloudflare). If Boteraser only sees the IP of your CDN or load balancer, it cannot effectively block unwanted traffic. Ensure your server logs reflect the true client IP for accurate protection.

BE Client PRO: Operates at the network layer using JA4 TLS fingerprinting, so it is not dependent on web server log configuration or IP headers. However, note that if your traffic is fully proxied through a CDN (meaning the CDN terminates the TLS connection before it reaches your server), PRO will see the CDN’s TLS handshake rather than the original client’s. In that case, direct-to-origin traffic is where PRO provides the most value.

Common causes (applies to both Standard and PRO):
  • Script not running as root
  • Incorrect user/group permissions
  • Invalid installation path
  • Missing write permissions
  • Insufficient disk space

Solution: Run the installation script as root. Verify your server configuration and ensure proper permissions are set.

The script automatically detects the most common package managers (apt, yum, dnf, pacman) and attempts to install any missing dependencies automatically. If the automatic installation fails, it will display a list of missing dependencies and instructions to install them manually. After installing the required tools, simply rerun the installation script.

Common causes (applies to both Standard and PRO):
  • Script not running as root
  • Incorrect user/group permissions
  • Invalid installation path
  • Missing write permissions
  • Insufficient disk space

Solution: Run the installation script as root. Verify your server configuration and ensure proper permissions are set.

The script automatically detects the most common package managers (apt, yum, dnf, pacman) and attempts to install any missing dependencies automatically. If the automatic installation fails, it will display a list of missing dependencies and instructions to install them manually. After installing the required tools, simply rerun the installation script.

4. WordPress Plugin Installation & Setup

The Boteraser WordPress Plugin is a comprehensive security solution specifically designed to protect WordPress websites from automated threats, unwanted bots,, blacklisted IP’s and suspicious activities. It provides advanced protection through intelligent filtering, monitoring, and customizable security rules.

Key Features:

  • Bot blocking powered by continuously updated threat intelligence
  • Lightweight and optimized for performance
  • Comprehensive security analytics and reporting
  • Easy WordPress integration with native admin interface
  • Compatible with major caching and security plugins
  • Subscription-based protection with Monthly, and Annual plan

Installation Methods:

Method 1: WordPress Admin Dashboard
  1. Log into your WordPress admin dashboard
  2. Navigate to Plugins → Add New
  3. Search for “Boteraser”
  4. Click Install Now and then Activate
Method 2: Manual Upload
  1. Download the plugin from your Boteraser account
  2. Go to Plugins → Add New → Upload Plugin
  3. Choose the downloaded .zip file
  4. Click Install Now and Activate
Method 3: FTP Upload
  1. Extract the plugin files from the .zip archive
  2. Upload the “boteraser” folder to /wp-content/plugins/
  3. Activate the plugin through the WordPress admin panel

System Requirements:

  • WordPress 5.0 or higher
  • PHP 7.4 or higher
  • MySQL 5.6 or higher / MariaDB 10.1 or higher
  • Active Boteraser subscription and API key
Initial Configuration
  1. After activation, go to Settings → Boteraser in your WordPress admin
  2. Enter your API key from your Boteraser account
  3. Save settings and test the configuration
Advanced Configuration Options
  • Protection Mode:
    • Monitor: Log threats
    • Block Mode: Actively block detected threats
  • Filter Settings:
    • Ai Bot detection sensitivity
    • Country-based filtering
    • IP whitelist/blacklist management
    • User-agent filtering rules
  • WordPress-Specific Protection:
    • Website page protection
    • Comment spam prevention
    • Contact form protection
    • REST API endpoint protection
Integration with WordPress Features
  • WooCommerce: Protects checkout and account pages
  • Contact Forms: Compatible with Contact Form 7, Gravity Forms, WPForms
  • Membership Plugins: Protects registration and login forms
  • Caching Plugins: Works with WP Rocket, W3 Total Cache, WP Super Cache
Note: No security solution, including Boteraser, can guarantee 100% protection as threats are always changing. Boteraser uses advanced threat intelligence from high-quality sources and is designed to minimize false positives, focusing on blocking harmful bots while keeping your website accessible. Our system adapts quickly to new risks and provides thoughtful, layered protection that prioritizes legitimate user access, so you can maintain security without sacrificing usability.
WordPress Dashboard Reports

Access comprehensive security reports directly in your WordPress admin:

  • Dashboard Widget: Quick overview of recent threats and blocks
  • Security Log: Detailed activity log
  • Analytics Page: Charts showing threat
  • Monitoring: Live view of current protection status
Report Categories
  • IP Addresses: The IP address involved in the event
  • Expires: When the block or action expires
  • Time Remaining: How long until expiration
  • Actions: Available actions (eg., unblock)
Immediate Solutions
  1. Check Whitelist: Add the user’s IP to the whitelist
  2. Adjust Sensitivity: Lower the bot detection sensitivity
  3. Review Logs: Check why the user was blocked
Common False Positive Scenarios
  • VPN Users: Add VPN IP ranges to whitelist or reduce VPN blocking
  • Mobile Users: Adjust mobile user-agent detection rules
  • Corporate Networks: Whitelist corporate IP ranges
  • Search Engine Bots: Ensure legitimate crawlers are whitelisted
Emergency Bypass

If you’re locked out of your site:

  1. Access your site via FTP or hosting control panel
  2. Navigate to /wp-content/plugins/boteraser/includes/
  3. Open file named blocked-ips.php and remove your IP address
  4. This will disable blocking of your IP
Critical: WordPress Cron Scheduling

⚠️ IMPORTANT: The WordPress plugin relies on WordPress cron jobs to communicate with Boteraser servers. For optimal protection:

  • Frequency Requirement: WordPress cron must run every 5 minutes (12 times per hour)
  • Rate Limiting: If the plugin doesn’t communicate at this frequency, rate limiting will be invoked
  • Protection Impact: Irregular communication may cause protection delays or false positives
  • Server Configuration: Ensure your hosting provider supports proper WordPress cron execution

Solution: If WordPress cron is unreliable, consider setting up a server-level cron job to trigger wp-cron.php every 5 minutes, or switch to the script-based protection method.

Multisite Support Features
  • Centralized Management: Configure settings from the network admin
  • Per-site Customization: Allow individual sites to customize their settings
  • Unified Reporting: View security reports for the entire network
Configuration Options
  • Site-specific Rules: Different protection levels for different sites
  • API Key Usage: Use separate API key per site
Management Best Practices
  • Use network activation for consistent protection
  • Set up centralized monitoring
  • Configure different rules for high-traffic vs. low-traffic sites
  • Regular review of network-wide security reports
Performance Optimizations
  • Lightweight Code: Minimal resource consumption
  • Local Caching: Cache decisions to reduce API calls
  • Asynchronous Processing: Non-blocking threat analysis
  • Conditional Loading: Load only necessary components
Performance Metrics
  • Response Time Impact: Typically < 10ms additional latency
  • Memory Usage: < 2MB additional memory consumption
  • Database Queries: Minimal additional queries (typically 1-2 per request)
  • Cache Compatibility: Works seamlessly with page caching
High-Traffic Optimization
  • Edge Caching: Cache decisions at CDN level
  • Rate Limiting: Built-in protection against API overuse
  • Local Decision Making: Reduce dependency on external API calls
  • Batch Processing: Process multiple requests efficiently
Performance Monitoring
  • Built-in performance metrics in the admin dashboard
  • Integration with WordPress performance monitoring tools
  • Detailed timing logs for troubleshooting
  • Automated alerts for performance degradation
Common Issues and Solutions
Plugin Not Activating
  • Check PHP version compatibility (7.4+ required)
  • Verify WordPress version (5.0+ required)
  • Check for plugin conflicts (deactivate other security plugins temporarily)
  • Ensure proper file permissions (644 for files, 755 for directories)
API Connection Issues
  • Verify API key is correct and active
  • Check firewall settings (allow outbound connections to Boteraser servers)
  • Test DNS resolution of Boteraser domains
  • Check for proxy or CDN interference
Site Performance Issues
  • Reduce bot detection sensitivity
  • Enable local caching options
  • Check for plugin conflicts with caching plugins
  • Review and optimize database queries
False Positive Blocks
  • Review security logs for block reasons
  • Add legitimate IPs to whitelist
  • Adjust country filtering settings
  • Fine-tune user-agent detection rules
Diagnostic Tools
  • System Status Page: Check plugin health and configuration
  • Debug Mode: Enable detailed logging for troubleshooting
  • Connection Tester: Verify API connectivity
  • Conflict Detector: Identify problematic plugins or themes
Log File Locations
  • Plugin Logs: /wp-content/uploads/boteraser/logs/
  • WordPress Debug Log: /wp-content/debug.log
  • Server Error Logs: Check your hosting control panel
  • Admin Dashboard: View logs directly in WordPress admin
Getting Support
  • Use the built-in support ticket system in the plugin
  • Include system information and error logs
  • Provide steps to reproduce the issue
  • Check the plugin documentation and knowledge base first
Automatic Updates
  • WordPress Updates: Receive updates through WordPress admin
  • Security Patches: Critical updates applied automatically
  • Feature Updates: Optional updates with new functionality
  • Configuration Preservation: Settings maintained across updates
Manual Update Process
  1. Backup your website and database
  2. Download the latest version
  3. Deactivate the current plugin
  4. Upload the new version (overwrite existing files)
  5. Reactivate the plugin and verify settings
Update Best Practices
  • Test Environment: Test updates on staging site first
  • Maintenance Window: Schedule updates during low-traffic periods
  • Monitor Performance: Check site performance after updates
  • Review Logs: Check for any update-related issues
Maintenance Tasks
  • Regular Backups: Backup plugin settings and configuration
  • Log Rotation: Automatic cleanup of old security logs
  • Performance Monitoring: Regular performance checks
  • Security Reviews: Periodic review of protection effectiveness
Version Compatibility
  • WordPress Compatibility: Support for latest WordPress versions
  • PHP Compatibility: Regular testing with new PHP versions
  • Plugin Compatibility: Testing with popular WordPress plugins
  • Theme Compatibility: Works with any properly coded WordPress theme
Rollback Procedures

If you experience issues after an update:

  1. Restore from backup if necessary
  2. Contact support for rollback assistance
  3. Use the previous stable version temporarily
  4. Report issues to help improve future updates
Compatible Security Plugins
  • Wordfence: Can work alongside for complementary protection
  • Sucuri Security: Compatible with their malware scanning
  • iThemes Security: Works with their file monitoring
  • All In One WP Security: Compatible with their login protection
Potential Conflicts
  • Firewall Overlap: Disable redundant firewall features
  • Bot Detection: May need to coordinate detection rules
  • Rate Limiting: Avoid double rate limiting
  • IP Blocking: Ensure consistent whitelist/blacklist rules
Recommended Configurations
  • Primary Bot Protection: Use Boteraser as main bot detection
  • Malware Scanning: Keep separate malware scanners active
  • Login Security: Combine with 2-Step Authentication and login attempt limiting
  • File Monitoring: Use other plugins for file integrity checking
CDN and Hosting Integration
  • Cloudflare: Works seamlessly with Cloudflare protection
  • MaxCDN/StackPath: Compatible with edge security features
  • WP Engine: Integrates with their security stack
  • SiteGround: Works with their server-level security
Setup Guidelines
  1. Install Boteraser first to establish baseline protection
  2. Add complementary security plugins one at a time
  3. Test functionality after each addition
  4. Configure plugins to avoid conflicting rules
  5. Monitor performance and adjust as needed

Boteraser attempts to display the server’s uptime for monitoring purposes. However, if you don’t see it, your hosting environment may be restricting access to system-level information. This is common on shared hosting, where such data is hidden for security reasons. On VPS or dedicated servers, uptime is typically available and visible.

5. Using the Dashboard

At the top of the Dashboard page there is a domain dropdown selector. Click it to see all domains associated with your API keys and select the one you want to monitor. The dashboard will immediately refresh and display metrics, statistics, and IP list counts for the selected domain.

If you do not see any domains in the list, make sure you have at least one active API key assigned to a domain. You can create or manage API keys on the API page.

The Dashboard displays several metric cards for the currently selected domain:

  • JA4 Fingerprints — number of unique TLS fingerprints detected. Available on PRO plans only.
  • AI Bots — number of requests identified as AI-driven bots by the AI filter.
  • Blacklisted IPs — total number of IPs currently on the global blacklist for your Shield.
  • Managed Bots — number of known bot user agents being managed (allowed or blocked) by the Bot filter.
  • Countries — number of countries currently blocked by the Country filter on your Shield.
  • Whitelist — number of IPs manually added to your personal whitelist (always allowed through).
  • Greylist — number of IPs on your greylist (monitored; subject to additional checks).
  • Blacklist — number of IPs manually added to your personal blacklist (always blocked).

Each card may also display a trend indicator (arrow up/down) showing how the value has changed compared to the previous period.

The top navigation bar also shows two live server indicators:

  • Refresh Countdown — time remaining until the dashboard auto-refreshes with the latest data.
  • Server Load — current CPU/resource load on your server. Displays as Optimal, Elevated, or Critical.
  • Uptime — how long the server has been running continuously without a restart.

The World Map gives a geographic overview of where traffic to your domain is originating. Countries with highlighted regions represent locations from which requests have been detected or blocked. This view helps you quickly spot unusual traffic patterns — for example, a sudden spike of requests from a region you do not normally serve.

To block traffic from specific countries, go to your Shield settings, open the Filters tab, and enter the relevant ISO country codes in the Country Filter field.

Navigate to Shield → Shield List in the main navigation. Find the Shield you want to modify and click the Edit button. A modal window will open with four tabs:

  • Overview — a read-only summary of all current settings and IP list counts for this Shield.
  • General — Shield name, type, and creation date.
  • Filters — toggle individual filters on or off (JA4, AI, Bot, Country, IP block settings) and adjust thresholds.
  • IP Lists — manage your Whitelist, Greylist, and Blacklist entries.

Changes take effect immediately after saving.

Open the Statistics page from the user menu (top right). Use the domain dropdown at the top to select the domain you want to analyze. You can also use the date range picker to filter data for a specific time period.

The Statistics page shows a breakdown of total requests, blocked requests by filter type, detected bot categories, and a geographic map of request origins.

Note: statistics will only appear once the BE Client has been installed on your server and starts sending data. If the page appears empty, verify that your BE Client is running correctly.

On the Logs page you have two filtering options:

  • Date range — use the date pickers to set a start and end date. Only log entries within that period will be shown.
  • Category — use the category dropdown to filter by log type (e.g. SYSTEM, API). Select All to see every entry.

You can also adjust the number of entries displayed per page using the items-per-page selector. Apply your filters and click the search button to refresh the results.

API Key statuses:

  • Active — the key is working and your Shield is actively protecting the associated domain.
  • Suspended — the key has been deactivated, usually because the linked subscription has expired or been cancelled. Protection is paused until the subscription is renewed.

Subscription statuses:

  • Active — subscription is current and all features are available.
  • Expired — the subscription period has ended. Renew to restore protection.
  • Cancel Pending — cancellation has been requested but the subscription remains active until the current billing period ends.

Click on your name/avatar in the top right corner of any page to open the user menu, then select Invoices. The Invoices page lists all your billing documents. To download an invoice as a PDF, click Payment Details next to the invoice, then click View Invoice. When the invoice opens, click the download icon to save it as a PDF.

The bell icon in the top navigation bar shows the latest Boteraser platform updates from the past 7 days. When there are new updates, a red dot appears on the bell. Click the bell to expand the dropdown and see a list of recent updates with short descriptions and links to read more.

If the dot is not present, there are no new updates in the last 7 days.

Go to Shield → Shield List, find your Shield and click Edit. In the modal that opens, select the Overview tab. This tab gives you a consolidated read-only view of all active filters, their current states, and the number of entries in each IP list (Whitelist, Greylist, Blacklist) — useful for a quick audit without having to navigate through individual tabs.

6. Shield: How It Works

Our shield provides comprehensive protection through multiple advanced security layers:

  • Unwanted Bot Detection:
    • Advanced pattern recognition for bot identification
    • Behavioral analysis of traffic patterns
    • Rate limiting for aggressive crawlers
    • Protection against content scraping
  • IP Reputation System:
    • IP threat assessment
    • Multi-layer IP verification
    • Geolocation-based filtering
    • Known malicious network blocking
  • Advanced Security Features:
    • DDoS attack mitigation
    • Botnet protection
    • Automated threat response
    • Custom rule implementation
    • PRO Shield only: JA4 TLS fingerprinting — detects bots by their TLS behavioral signature, blocking entire botnets even when they rotate IP addresses

While other services may use similar protection methods, our system aggregates data from a significantly wider range of sources, providing more comprehensive coverage against emerging threats.

Creating a New Shield:

  1. Log into your Boteraser account dashboard
  2. Navigate to Shield → New Shield in the menu
  3. Enter your website domain (e.g., example.com)
  4. Select your protection type (Standard or PRO)
    Important: You must align your Shield Type with your intended Subscription Plan (e.g., Standard Shield requires Standard Plan, PRO Shield requires PRO Plan). You cannot mix types.
  5. Configure initial settings:
    • Geographic restrictions (if needed)
    • Bot filtering sensitivity
    • Custom IP whitelist/blacklist
    • Automatic filtering options (recommended to enable all):
      • AI Bots filtering with sensitivity levels
      • Bad Bot filtering
      • Blacklisted IP address filtering
  6. Click Create Shield & generate your API key after that
  7. Copy the API key and install the client on your server

After Creation:

  • Your Shield will appear in the Shield List
  • Protection begins as soon as the client script runs – blocking of unwanted traffic is enabled immediately
  • Monitor the dashboard for incoming threats and statistics

Accessing Your Shields:

  1. Go to Shield → Shield List in your dashboard
  2. View all your protected websites and their status
  3. Click on any Shield to view its configuration details

Shield View Options:

  • View Configuration: See all settings configured during Shield creation (protection type, geographic filters, bot sensitivity, etc.)
  • View Statistics: Monitor blocked threats, traffic patterns, and protection effectiveness
  • View Logs: Access detailed logs of all security events

Important: Once a Shield is created, its configuration cannot be modified. If you need different settings, you must delete the current Shield and create a new one with the desired configuration. After creating a new Shield, update the API key in your client program (e.g., Boteraser WP plugin, be-client or be-client-pro script) to use the new Shield for that site.

Shield Actions:

  • Delete Shield: If the current Shield configuration doesn’t meet your needs, you can delete it and create a new one with different settings

Note: Any changes (new Shield association via API key update) take effect within 5 minutes (on the next client sync cycle).

Yes, you can protect multiple websites! Each website requires its own subscription and API key.

How It Works:

  • One Shield as Template: A single Shield can be used as a configuration template for protecting multiple websites. Multiple API keys can reference the same Shield configuration.
  • Subscription is tied to API Key: Each API key requires its own active subscription (Monthly or Annual). The subscription is associated with the API key, not the Shield itself.
  • Unique API Keys: Each website gets its own API key that cannot be shared between websites
  • Centralized Management: All your Shields and API keys are managed from one account dashboard

Adding Protection for Additional Websites:

  1. Create a new API key for the additional website (or reuse an existing Shield configuration)
  2. Purchase a subscription for the new API key
  3. Install the client with the new API key on the corresponding server

Important Rules:

  • ⚠️ Never share API keys between websites – this will result in a ban
  • ⚠️ Each API key is locked to one domain for security purposes
  • ⚠️ Subdomains (blog.example.com, shop.example.com) may require separate API keys depending on your server configuration

Benefits of Using Different Shields for Different Sites:

  • Independent configuration for each website (different geo-restrictions, bot sensitivity, etc.)
  • Separate statistics and logs per site
  • Customized protection rules based on each site’s specific needs
  • No cross-contamination if one site is under heavy attack

Note: While you can use the same Shield for multiple sites (via different API keys), creating separate Shields allows for more tailored protection per website.

Each Shield has three IP lists that give you fine-grained control over which addresses are allowed, watched, or blocked:

  • Whitelist — IPs on this list are always allowed through, regardless of any other filter. Use it for trusted sources such as your own office IP, monitoring services, or known partners. Entries support CIDR notation (e.g. 192.168.1.0/24).
  • Greylist — IPs that are considered suspicious but not yet confirmed threats. Requests from greylisted IPs are tracked, and if their request rate exceeds the configured Greylist threshold, they get blocked automatically. This is useful for watching IPs without immediately banning them.
  • Blacklist — IPs on this list are permanently blocked. All requests from these addresses are rejected immediately. Use it for confirmed malicious sources.

Whitelist takes priority over all other lists and filters.

Go to Shield → Shield List, click Edit on the Shield you want to modify, then open the IP Lists tab. Each list (Whitelist, Greylist, Blacklist) has its own textarea where you can enter or remove IP addresses.

Rules for entering IPs:

  • Enter one IP address per line
  • Both IPv4 and IPv6 addresses are supported
  • CIDR notation is supported (e.g. 203.0.113.0/24)
  • To remove an IP, simply delete its line and save

Click Save to apply the changes. Updates take effect immediately.

The Rate Limit Threshold applies to the Rate-Limited Bots filter and defines the maximum number of requests a crawler or scraper is allowed to make before it gets blocked. It is set as a whole number (e.g. 50 requests).

  • Lower value (e.g. 10) — more aggressive. Bots get blocked sooner, after fewer requests. Higher risk of occasionally blocking legitimate users.
  • Higher value (e.g. 80) — more lenient. Bots can make more requests before being blocked. Fewer false positives, but some bots may slip through.

A good starting point is 20. Monitor your Statistics page after enabling the filter and adjust based on whether you see false positives or missed bots. The Rate-Limited Bots filter is available on Standard plans and above.

The Greylist threshold defines the maximum number of requests an IP on the Greylist is allowed to make before it is automatically blocked. It is set as a whole number (e.g. 20 requests). The default is 20.

  • Lower value — less tolerance; the IP gets blocked sooner after fewer requests.
  • Higher value — more tolerance; the IP can make more requests before being blocked.

Greylisted IPs are not blocked outright — they are monitored. Once their request count crosses the threshold, the system blocks them automatically. This is useful for IPs that are suspicious but not yet clearly malicious.

In the IP Traffic and Bot Traffic tabs on your dashboard, each row has a shield icon in the Lists column. Clicking it opens a dialog where you can add that IP address or bot directly to one of two lists:

  • Whitelist — the entry immediately bypasses all filters and is always allowed through.
  • Greylist — the entry is monitored. You set a request threshold (number of requests); once the IP exceeds that number, it is blocked automatically. The default threshold is 20 requests.

Once an entry is on the Whitelist, the icon turns green. This is a faster alternative to editing lists manually via Shield → Edit → IP Lists.

Note: Bots listed as “N/A” (unnamed/unidentified bots) cannot be added to either list.

The JA4 Filter uses JA4 TLS fingerprinting — a technique that identifies clients by the unique characteristics of their TLS handshake (the cryptographic “hello” sent when establishing a secure connection). Every TLS client library (browser, bot, scraper, scanner) has a distinctive fingerprint that is very difficult to spoof.

This means Boteraser can identify and block entire botnets based on their fingerprint, even when they rotate through thousands of different IP addresses — something traditional IP-based blocking cannot do.

The JA4 Filter is available on PRO plans only because it requires the BE Client PRO daemon, which operates at the network packet level (Layer 3/4) and needs root access to the server. Standard plans protect at the application layer (HTTP/HTTPS) and do not have access to raw TLS handshake data.

7. Updates & Maintenance

Our update system works on multiple levels:

  • Protection Updates:
    • Blacklisted IP list frequently refreshed with up-to-date entries
    • Bot signatures updated using data from multiple trusted security sources
    • Threat intelligence feeds continuously aggregated and analyzed
  • System Maintenance:
    • Core system updates monthly or as needed
    • Security patches applied immediately when available
    • Infrastructure optimization weekly
  • Data Sources:
    • Global IP reputation databases
    • Known malicious bot networks
    • Collaborative security intelligence networks

Note: While updates are automatic, your client script (be-client or be-client-pro) must run every 5 minutes to receive the latest protection rules.

The bell icon in the top navigation bar is your primary notification point. When there are new platform updates published in the last 7 days, a red dot appears on the bell. Click the bell to expand the dropdown and see a short description of each update along with a link to read the full details.

If the red dot is not visible, there are no new updates within the last 7 days. You can also visit the Changelog page at any time for a complete history of all releases and improvements.

8. Pricing & Subscriptions

New users can enjoy a 7-day free trial with no credit card required — simply sign up and start testing all features immediately. After the trial, we offer four flexible payment plans to meet different security needs:

Standard Plans (Web Protection):

  • Standard Monthly: $20/month – Helps protect websites and web applications
  • Standard Annual: $149/year – Save $91/year (38%) compared to monthly

PRO Plans (Multi-Service Protection):

  • PRO Monthly: $40/month – Network-level protection for multiple server services
  • PRO Annual: $349/year – Save $131/year (27%) compared to monthly

Key Differences:

  • Standard: Analyzes web server logs, protects HTTP/HTTPS traffic only
  • Standard: Server load & uptime stats are available when using the standalone script; when using the WordPress plugin, availability depends on the hosting environment
  • PRO: PRO: Analyzes live network traffic, provides protection for multiple services (SSH, FTP, MySQL, email, DNS, etc.)
  • PRO: Includes server load & uptime stats, faster support (6-12h PRO vs 24-48h STANDARD)

All plans include IP reputation checking, country filtering, IP whitelist/greylist/blacklist, analytics dashboard, and detailed reports. All plans block bots — Standard identifies them by name and pattern, while PRO blocks them indirectly via IP reputation and JA4 TLS fingerprinting.

Standard Plans (Monthly $20/mo & Annual $149/yr):

  • Protection Type: Website/Application only (HTTP/HTTPS)
  • Analysis Method: Web server log analysis
  • Web Application Traffic Filtering: ✅
  • Advanced Server-Wide Protection: ❌ limited to web filtering
  • IP Reputation Checking: ✅
  • Bot Mitigation & Detection: ✅
  • Country Filtering: ✅
  • IP Whitelist: ✅
  • IP Greylist: ✅
  • IP Blacklist: ✅
  • AI Bots Detection: ✅
  • JA4 TLS Fingerprint Detection: ❌
  • Analytics Dashboard: ✅
  • Detailed Attack Reports: ✅
  • Server Load & Uptime Stats: ⚠️ Depends on hosting provider
  • Support Response: 48h (Monthly) / 24h (Annual)

PRO Plans (Monthly $40/mo & Annual $349/yr):

  • Protection Type: Network-level – covering multiple services (SSH, FTP, MySQL, email, DNS, etc.)
  • Analysis Method: Live network traffic
  • Network-level Blocking: ✅ ipset + iptables
  • Web Application Traffic Filtering: ✅
  • Advanced Server-Wide Protection: ✅ covers SSH, FTP, MySQL, email, DNS, etc.
  • IP Reputation Checking: ✅
  • Bot Mitigation & Detection: ✅ indirect* — bots are blocked via IP reputation and JA4 TLS fingerprinting, rather than by bot name or pattern
  • Country Filtering: ✅
  • IP Whitelist: ✅
  • IP Greylist: ✅
  • IP Blacklist: ✅
  • AI Bots Detection: ❌
  • JA4 TLS Fingerprint Detection: ✅
  • Analytics Dashboard: ✅
  • Detailed Attack Reports: ✅
  • Server Load & Uptime Stats: ✅
  • IPv4 & IPv6 Support: ✅
  • Priority Support: ✅
  • Support Response: 12h (Monthly) / 6h (Annual)

Key Difference: Standard focuses on web traffic only, while PRO extends protection to server-level network traffic across multiple services and protocols.

We accept the following payment methods:

  • Paddle.com: Our primary payment processor for all transactions
  • Payment methods: Through Paddle’s secure gateway, we accept:
    • Visa
    • MasterCard
    • American Express
    • Paypal
    • Google Pay
    • Apple Pay

Note: Other payment methods may be available through Paddle.com, but the above options are recommended for the best experience. Supported payment types can change over time depending on Paddle’s platform and our configuration. You don’t need a Paddle account to pay with any of the above methods. All transactions are processed through Paddle’s secure payment gateway.

To change your plan:

  1. Go to Pricing in your account menu
  2. View the available plans in the comparison table
  3. Click “Choose plan” under your desired option
  4. Follow the payment process to complete the upgrade

Note: If you upgrade from the Monthly to the Annual plan, the system automatically calculates the remaining value of your current subscription and deducts it from the annual price. You simply select the Annual plan in your dashboard and follow the upgrade steps—no manual cancellation or external payment actions are needed. All payments and subscriptions are securely managed via Paddle.com.

Yes. You can cancel your subscription at any time from the Subscriptions page. After requesting cancellation, the subscription moves to a Cancel Pending status — meaning it remains fully active and continues to protect your website until the end of the current billing period. You will not be charged again after that date.

Once the billing period ends, the subscription expires, the associated API key is suspended, and protection on your server stops. You can reactivate at any time by renewing the subscription.

When a subscription expires:

  • The subscription status changes to Expired.
  • All API keys linked to that subscription are automatically suspended.
  • The BE Client on your server will no longer be able to authenticate with Boteraser, and protection stops.
  • Your Shield configuration and IP lists are preserved — no data is lost.

To restore protection, renew the subscription from the Subscriptions page. Once renewed, the API key is reactivated and the BE Client resumes normal operation on the next sync cycle.

9. Subscription Status Issues

This message means that your trial access to Boteraser services has ended. To continue using the service, you will need to subscribe to one of our paid plans. Please visit the Billing page to choose a suitable plan and complete your subscription.

These messages indicate an issue with your account’s subscription status:

  • API key is suspended!: This usually means there’s an issue with your payment or your subscription has been temporarily halted. Please check your subscription status on the Subscriptions page and ensure your payment details are up to date on the Billing page.
  • API key is cancelled!: This means your subscription has been cancelled. If you wish to continue using Boteraser, you will need to start a new subscription from the Billing page.

If you believe this is an error, please contact our support team.

10. API Key & Access Issues

This error message, which may appear in the output of be-client or be-client-pro, in server logs, or when using the WordPress plugin, indicates that the API key provided in your configuration file (be.conf or be-pro.conf) or plugin settings is incorrect or not recognized by the Boteraser server. To resolve this:

  1. Verify that the API_KEY in your be.conf or be-pro.conf file (if you are using the script) or in the plugin settings (if using WordPress) exactly matches the API key shown on your API page.
  2. Ensure there are no extra spaces or characters in the API key within the configuration file, or in the WordPress plugin settings if you are using the plugin.
  3. If you recently regenerated your API key, make sure you’ve updated it in your configuration file (be.conf or be-pro.conf) or in the WordPress plugin settings (for WordPress sites).

API bans usually occur due to:

  • Running be-client (Standard) more frequently than every 5 minutes — verify your crontab with crontab -l
  • Incorrect crontab configuration (Standard only)
  • be-client-pro service restarting too frequently due to a misconfiguration — check with systemctl status be-client-pro and journalctl -u be-client-pro -f
  • Using the same API key on multiple websites/domains

For BE Client (Standard): Verify your crontab settings using crontab -l and ensure the script runs only every 5 minutes.

For BE Client PRO: Check the service status with systemctl status be-client-pro and review logs with journalctl -u be-client-pro -f to identify any restart loops or configuration errors.

An API key can only be created if your Subscription and Shield belong to the same group—meaning a PRO Subscription must be matched with a PRO Shield, and a Standard Subscription with a Standard Shield.

Yes. A single Shield can be referenced by multiple API keys. This is useful when you want to apply the same protection rules to several domains without having to configure each Shield separately.

Keep in mind that each API key is still tied to its own subscription and its own domain. Sharing a Shield between API keys means all those domains share the same filter settings and IP lists — a change to the Shield affects all of them simultaneously.

If you need different protection rules per domain, create a separate Shield for each.

When you reassign a different Shield to an API key, the new Shield’s rules take effect on the next sync cycle of the BE Client on your server. The BE Client fetches updated configuration from Boteraser periodically (every 5 minutes for Standard, continuously for PRO), so there may be a short delay before the change is applied.

The API key itself remains active throughout the change — there is no interruption in service during a Shield reassignment.

11. Troubleshooting & Support

Check these common issues:

  • Invalid API KEY in your configuration file (be.conf or be-pro.conf)
  • Wrong LOG_PATH configuration

Solution: Verify all settings in your configuration file (be.conf or be-pro.conf) match your server configuration.

While our system is designed to be accurate, false positives can occasionally occur. If a legitimate user is blocked, you can:

  • Add their IP address to the Whitelist for the relevant Shield.
  • If the issue persists or is widespread, contact our support for assistance.

You can view detailed logs of blocked IPs and other security events within your Boteraser user panel by navigating to the Logs page. This page provides insights into the threats your website is facing and how Boteraser is mitigating them.

The Statistics page only shows data once the BE Client has been installed on your server and has started sending traffic data to Boteraser. If the page appears empty, check the following:

  • Is the BE Client installed and running on your server?
  • Is the API key in your be.conf (or be-pro.conf) correct and active?
  • For Standard: has the cron job been set up and run at least once?
  • For PRO: is the be-client-pro systemd service running (systemctl status be-client-pro)?

Once the BE Client is running correctly, statistics will begin appearing within minutes of the first sync.

Critical server load usually indicates your server is under heavy stress — this is often caused by a bot attack, a traffic spike, or a misconfigured filter. Recommended steps:

  1. Go to Statistics and check for an unusual spike in blocked or total requests.
  2. Open Logs and look for patterns — repeated IPs, specific countries, or bot types generating the most requests.
  3. In your Shield’s Filters tab, consider lowering the AI Threshold, enabling the Country Filter for suspicious regions, or adding offending IPs to your Blacklist.
  4. If the load persists, contact support via the Contact Us page with your Shield details and log observations.

12. Data Security & Privacy

Your data security is our top priority. We implement multiple layers of protection:

  • End-to-end encryption for all data transmission
  • Regular security audits and penetration testing
  • 24/7 infrastructure monitoring
  • Regular backup procedures

We collect and store:

  • Account information
  • Shield configuration settings
  • Traffic analytics and threat detection logs
  • Payment information (processed securely via PayPal)

We never store or process sensitive user data from your protected websites.

We maintain strict compliance with global privacy standards:

  • GDPR compliance for EU data protection
  • CCPA compliance for California residents
  • Regular privacy impact assessments
  • Data minimization principles
  • Transparent data processing practices

Our privacy policy details how we handle your data, available rights, and contact information for our Data Protection Officer.

13. Legal Information

Key Terms and Liability Disclaimers:

  • Service Disclaimer:
    • The service is provided “as is” without any warranties, express or implied
    • We do not guarantee 100% protection against all threats
    • Service availability may vary and occasional downtime may occur
  • Limitation of Liability:
    • We are not liable for any direct, indirect, incidental, or consequential damages
    • No responsibility for data loss, business interruption, or financial losses
    • Not liable for any security breaches or unauthorized access
  • User Responsibilities:
    • Users remain responsible for their website’s overall security
    • Regular backups and security measures must be maintained
    • Compliance with local laws and regulations remains user’s responsibility
  • Legal Jurisdiction:
    • Any disputes will be resolved under the laws of your jurisdiction
    • We do not accept responsibility for legal issues arising from service use
    • Users must ensure their use complies with local regulations

Important: By using our service, you acknowledge and accept these terms. We explicitly disclaim all warranties and liabilities. Users assume all risks associated with using our service.

We are committed to protecting your privacy and personal information. Our Privacy Policy explains how we collect, use, disclose, and safeguard your information.

Information We Collect:

  • Personal Information: Name, email address, billing information
  • Website Data: Domain names, IP addresses, traffic patterns
  • Technical Data: Browser type, operating system, device information
  • Usage Data: How you interact with our services

Your Rights:

  • Access your personal information
  • Request data correction or deletion
  • Opt-out of marketing communications
  • Export your data

For privacy-related questions, contact us at: [email protected]

For full details, see our Privacy Policy page.

Our Cookie Policy explains how Boteraser uses cookies and similar tracking technologies on our website and user dashboard.

What we use cookies for:

  • Essential cookies — required for authentication, session management, and core dashboard functionality. These cannot be disabled.
  • Preference cookies — remember your settings such as theme (light/dark) and language.
  • Analytics cookies — help us understand how visitors use the site so we can improve it.

Managing cookies: You can control or delete cookies through your browser settings at any time. Disabling essential cookies may prevent you from signing in or using parts of the dashboard.

For full details, see our Cookie Policy page.

All payments can be refunded within 14 days of purchase. No exceptions.

All purchases and subscriptions for Boteraser are processed securely through Paddle.com, which acts as the Merchant of Record. Paddle handles billing, invoicing, taxes, and refund processing on our behalf.

How to Request a Refund:

Please include your order number, email used during purchase, and reason for the refund request.

For full details, see our Refund Policy page.

You can find our Terms of ServicePrivacy PolicyCookie Policy, and Refund Policy linked in the footer of our website and within your user panel.

14. Account & Profile Management

Password Change Process:

  1. Log into your Boteraser account
  2. Navigate to your Profile Settings
  3. Enter your new password (must meet security requirements)
  4. Click “Save Changes”

Password Requirements:

  • Minimum 8 characters in length
  • Must contain at least one uppercase letter
  • Must contain at least one lowercase letter
  • Must contain at least one number
  • Must contain at least one special character
  • Cannot be the same as your previous 5 passwords

Note: You will need to use your new password the next time you log in.

Updating Your Profile:

  1. Access your account dashboard
  2. Go to “Profile Settings” or “Account Information”
  3. Edit the fields you want to update:
    • Name
    • Company
    • VAT Number
    • Country
    • Address
  4. Click “Save Changes” to update your profile

Note: Your email address is read-only and cannot be changed.

Setting Up 2-Step Authentication:

  1. Navigate to Security Settings in your account
  2. Find the “2-Step Authentication” section
  3. Click “Enable 2-Step Authentication”
  4. Test the 2-Step Authentication setup by logging out and back in

Note: We strongly recommend enabling 2-Step Authentication for enhanced account security.

Accessing Activity Logs:

To view your account activity, simply go to the “Logs” page in your Boteraser dashboard. There, you’ll find a detailed table showing all key actions related to your account.

Log Entry Format:

Each log entry includes the following columns

  • Date – The exact date and time the event occurred
  • User – Your username and display name
  • Category – Type of activity:
  1.  AUTH – Login and authentication events
  2.  SECURITY – Security-related actions and warnings   
  3.  BILLING – Subscription and payment activity
  4. SYSTEM – System messages and internal events
  • Action – A description of what happened
  • IP Address – The IP address from which the event originated

Tips for Reviewing Logs:

  •  Look for unusual IPs or unexpected login locations
  • Monitor login activity, including failed login attempts
  • Track billing and system changes for full transparency
  • Use filters (by date or category) to narrow results

If you spot anything suspicious, we recommend:

  1. Changing your password immediately
  2. Enabling Two-Factor Authentication (2FA)
  3. Logging out from all other sessions
  4. Contact our support team for assistance

Accessing Activity Logs:

  1. Click on your profile avatar in the top right corner
  2. Select “Logs” from the dropdown menu
  3. Or navigate directly to the Logs page

Available Information:

The logs table provides a detailed history of your account activity, including:

  • Date: Exact timestamp of the event
  • User: The user account that performed the action
  • Category: Type of event (Billing, Security, System, Auth)
  • Action: Description of the specific activity
  • IP Address: The IP address from where the action originated

Filtering Options:

  • Filter by Category (Billing, Security, System, Auth)
  • Filter by Date Range (Start Date and End Date)
  • Adjust the number of records displayed per page

What to Look For:

  • Suspicious Locations: Logins from unexpected geographic locations
  • Unknown Devices: Access from devices you don’t recognize
  • Failed Attempts: Multiple failed login attempts may indicate attack attempts
  • Unusual Times: Account access at times when you weren’t using it

If You Notice Suspicious Activity:

  • Change your password immediately
  • Enable 2SA if not already active
  • Log out all other sessions
  • Contact our support team

All times shown in the dashboard interface regarding our servers are set to display information in UTC (Coordinated Universal Time). This setting cannot be changed.

Payment method updates are handled through the Paddle billing portal. To update your payment details:

  1. Open the user menu (click your name/avatar in the top right corner).
  2. Go to Invoices.
  3. Click the Manage button next to any invoice.
  4. You will be redirected to the Paddle portal where you can update your credit card or other payment details.

Boteraser does not store any payment information — all billing is managed securely by Paddle.com.

Yes. You can have multiple active subscriptions under a single account. Each subscription is tied to its own API key and domain, so you can protect several websites simultaneously from one Boteraser account.

For example, if you manage three websites, you would have three subscriptions (one per domain), each linked to its own API key. All subscriptions and their statuses are visible on the Subscriptions page.