CellarWeb Privacy and Security Options


Secure your WP site with common security settings that you can selectively enable. Includes several security and anti-hacking features, plus some customization of your login screen. Disables certain functions/processes that are potential security issues. Can block some comment spam (although our Block Comment Spam plugin https://wordpress.org/plugins/block-comment-spam-bots/ is more effective). Can ncrease memory allocations. Shows your current htaccess file contents with suggestions for improvements, so you can monitor any changes.

– Optionally adds directives to the WordPress virtual robots.txt file to block site scanning by AI bots. This blocks the use of your site content by those AI agents, such as ChatGPT, OpenAI, Bard, and others. It does not affect search engine scanning or any SEO, nor does it affect the user experience of your site.
– Now shows any hidden plugins (which might be malicious), plus lists all plugins with versions and status (active, inactive).

We use this on all of our managed WordPress sites, as a convenient way to secure the sites without using a bunch of different plugins.

This plugin can be downloaded for free without any paid subscription from the official WordPress repository.

BEGIN – Added by ChatBot Blocker by CellarWeb plugin (Version 1.03)

      #  Blocks ChatGPT bot scanning
            User-agent: GPTBot
            Disallow: /
      #  Blocks Bard bot scanning
            User-agent: Bard
            Disallow: /
      #  Blocks Bing bot scanning
            User-agent: bingbot-chat/2.0
            Disallow: /
      #  Blocks Common Crawl bot scanning
            User-agent: CCBot
            Disallow: /
      #  Blocks omgili bot scanning
            User-agent: Omgili
            Disallow: /
      #  Blocks omgilibot bot scanning
            User-agent: Omgili Bot
            Disallow: /
      #  Blocks Diffbot bot scanning
            User-agent: Diffbot
            Disallow: /
      #  Blocks MJ12bot bot scanning
            User-agent: MJ12bot
            Disallow: /
      #  Blocks anthropic-ai bot scanning
            User-agent: anthropic-ai
            Disallow: /
      #  Blocks ClaudeBot bot scanning
            User-agent: ClaudeBot
            Disallow: /
      #  Blocks FacebookBot bot scanning
            User-agent: FacebookBot
            Disallow: /
      #  Blocks Google-Extended bot scanning
            User-agent: Google-Extended
            Disallow: /
      #  Blocks SentiBot bot scanning
            User-agent: SentiBot
            Disallow: /
      #  Blocks sentibot bot scanning
            User-agent: sentibot
            Disallow: /<h3>END    - Added by ChatBot Blocker by CellarWeb plugin (Version 1.03)</h3>

See additional chatbot agents added in the changelog below.

htaccess Security Settings

  • Shows the current htaccess file for review. (Hackers like to change it, so it’s good to take a peek at it now and again.)
  • Some suggestions for additional htaccess commands are shown.
  • No changes are made to the htaccess file.

Wow! That’s a lot of settings!

Yep. But they are ones that we commonly use in all of our managed WP sites, so putting them into one plugin was easier than doing it manually on every site.

What if I want an additional setting?

Just add a message in the plugin’s support area. We’ll consider it.

Do you have other security-related plugins?

Yep! One of our favorites will block all comment spam – and another that blocks bots from contact forms. It’s very effective. We put it on one site that was getting a lot of comment spam, and now there is none. Not one. And we don’t get any contact form spam on sites that use the technique.

It’s called “Block Comment Spam Bots”, and can be found in the WP plugin repository. And there’s a link to it (and other plugins we’ve done) on this plugin’s Settings/Information page. The Contact Form bot-blocker is called “FormSpammerTrap”, and is available at https://www.FormSpammerTrap.com .

Check out all our plugins at https://cellarweb.com/wordpress-plugins/ .


  • Main heading screen.
  • General Settings screen.
  • AI Scanner Blocking screen (Virtual robots.txt file).
  • Security Settings – General screen.
  • Security Settings – Login Related screen.
  • htAccess File Information screen.
  • htAccess Suggestions screen.


  1. Upload the plugin files to the /wp-content/plugins/cellarweb-private-functions directory.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress
  3. Use the Settings->CellarWeb Private Functions screen to configure the plugin (if any)


What is this?

Some general purpose functions for WordPress sites, including some security-related features to block hacking attempts.

Like what?

There’s lots of options that can be selected, grouped into five sections:

General Settings

  • changes the ‘Howdy’ to ‘Welcome’. Because we think that ‘Howdy’ is for an Old West site.
  • Adds the ‘referer’ to a CF7 form field. Great to figure out where your comments came from.
  • Adds a copyright to the footer. (Right now it’s ours, but future versions will allow you to enter your own footer text.)
  • Remove the WP logo from the Admin bar.
  • Sets up a [current_year] shortcode you can use anywhere.
  • Allows use of shortcodes in widgets.
  • Adds a favicon to generated page ‘head’ section. You supply the favicon file.
  • Adds social sharing buttons centered at the bottom or all posts/pages.

PHP Settings

  • Shows the PHP version in use on your site. Links to information about PHP and settings in wp-config.php are shown. No changes to those values are made, since they are host and operating system specific.

Blocking AI Scanners

  • Adds directives to the WordPress Virtual robots.txt file to block AI scanners from accessing your site. Does not affect search engine indexing or your SEO. (Since version 4.00.)

General Security Settings

  • Disable XMLRPC as a possible hack attack vector.
  • Removes the WP version from the generated page.
  • Disables code editor in all theme/plugins admin screens.
  • Forces disable of all error reporting by plugins or themes.
  • Checks for a user called ‘admin’ (a common hack attack vector).
  • Disables ability to query by author ID (a common hack attack vector).

Login-Related Security Settings

  • Blocks repeated logins with a limit of 4 failed logins. No logins allowed after those 4 fails is delayed for 5 minutes. This reduces the chance of login brute force attacks.
  • Changes failed login message to more generic error (instead of ‘bad user’ or ‘bad password’.
  • Use a custom login page that you provide.
  • Disable the ‘Remember Me’ checkbox on the login page.
  • Redirect to home page after login/logout.
  • Put login/logout links on menu bars.

ChatBot (AI) Scanners Blocking

  • If enabled, adjusts the virtual robots.txt file generated by WordPress to include blocking various AI scanners from using your site content. The default list of AI Scanners is:

Default settings are:

    User-agent: *
    Disallow: /wp-admin/
    Allow: /wp-admin/admin-ajax.php

    Sitemap: https://cellarweb.com/development/wp-sitemap.xml


There are no reviews for this plugin.

Contributors & Developers

“CellarWeb Privacy and Security Options” is open source software. The following people have contributed to this plugin.



4.16 (8 Mar 2024)

Removed ability to add commands to the robots.txt file (if setting enabled). This ensures that the current agent list is used when the plugin is updated. Future versions of this plugin may add ability to add to the virtual robots.txt file.

Revised some explanatory text for the robots.txt area .

Added plugin version info in the robots.txt display area. This will help verify that the plugin version directives are being used in the virtual robots.txt file.

Added some CSS to the settings.css file for display of the virtual robots.txt area directive display.
= Added additional chatbot agents:

        "Twitterbot"    => "Twitterbot",
        "AhrefsBot"     => "AhrefsBot",
        "CCBot"         => "CCBot",
        "AwarioRssBot"  => "AwarioRssBot",
        "AwarioSmartBot"=> "AwarioSmartBot",
        "Claude-Web"    => "Claude-Web",
        "FacebookBot"   => "FacebookBot",
        "magpie-crawler"    => "magpie-crawler",
        "peer39_crawler"    => "peer39_crawler",
        "PerplexityBot"     => "PerplexityBot",
        "CrystalSemanticsBot"   => "CrystalSemanticsBot",


4.15 (2 Mar 2024)

added additional chatbot agents (see default list above)

added additional information about clearing and updating directives in robots.txt

added information about chatbot blocking to this readme file

removed some commented and unneeded code

removed unneeded files from distribution zip. Files are not deleted in existing/updates installs of this plugin – but those files are no longer used.

Note: to get the new Chatbot agents enabled, clear the chatbox command box and Save Changes. Test the new robots.txt file with the link shown in that area.

4.14 (30 Nov 2023)

- slight efficiency of method used to block all xmlrpc methods

4.13 (22 Nov 2023)

- fixed version number display
- double-check to ensure all assets are properly included in the distribution files

4.12 (22 Nov 2023)

- fixed warning about getting the current page
- fixed distribution files for missing folders (incorrect in version 4.11)
- WP 6.4.1 compatibility

4.11 (1 Nov 2023)

  • Minor changes to plugin header area for links to plugin

4.10 (31 Oct 2023)

  • Added a section to show a list of any hidden plugins, including their possible settings page. Use this information with caution to investigate any hidden plugins.
  • Added a section to show a list of any plugins that need updating.
  • Changed file operations to use $wp_filesystem for better compatibility with various server operating systems.
  • Added additional information to the admin user list (if shown) of “Display Name – Login – Nice Name – Email” .
  • Changed information for the admin user list section. Now displays all users with Administrator roles, plus a warning if there is an Administrator called ‘admin’.
  • Minor changes to how the virtual robots.txt file is generated.
  • Updated header image shown on Settings screen.
  • Changed the plugin name to ‘Privacy and Security from CellarWeb.com’ for clarity with our other plugins.
  • Changed logo and thumbnail images for the plugin to match the updated name.
  • Minor change in how the Year value is computed and displayed; now using gmdate() rather than date().
  • Fixed some minor spelling errors on the Settings screen.
  • Removed UpgradeLog section in the readme.txt file (it duplicated this Changelog section).
  • Tested with WordPress 6.4

4.03 (22 Aug 2023)

  • Added user agents for ‘omgili’ .

4.02 (15 Aug 2023)

  • Corrected user agent value for ChatGPT.
  • Added an additional ‘Save Changes’ button to the Settings screen just after the ‘ChatBot AI Scanner Blocking’ option area for convenience.
  • The virtual robots.txt file generated contained a reference to the standalone version of the Chatbox blocker (a plugin currently awaiting review). The reference was changed to the correct plugin name.
  • Minor change to the text on the settings screen relating to the list of administrator level/role users.

4.01 (14 Aug 2023)

  • Optimized and enhanced the generated virtual robots.txt file process. The added directives did not appear in some situations. This has been corrected.
  • Added information on the settings page detailing how to check your generated virtual robots.txt file by adding “?robots=1′ to any site page request (usually the site’s home page, although any site URL will work).
  • Added additional information to the text describing the new AI site scanning blocking setting.
  • Renamed some functions to better indicate their purpose.
  • Remvoed some debugging code comments.

4.00 (12 Aug 2023)

  • Added the option to add the functionality of our “Chatbot Blocker by CellarWeb” plugin (not released yet due to plugin approval backlog by WordPress). The option blocks access by AI bot scanners via the WordPress virtual robots.txt file. The current virtual robots.txt file is shown on this plugins’ Settings screen. Does not affect search engine scanning or SEO, and there is no impact on site response time for visitors.
  • Removed options to change max file upload size. The setting was not consistently applied due to differences in various hosting platform. These settings are best changed via the wp-config.php file; a link to that documenation is included in the PHP Settings section.
  • Added information about the PHP version on your site, with links to latest information. This is found in the PHP Settings section.
  • Some code efficiencies and text changes on the Settings screen.

3.30 (27 Dec 2022)

  • Removed options to change max post time and execution time. These settings are server side, and cannot be changed on any page load – they are already set in place before the page loads.
  • Changed the upload file size setting to use a WP filter, which is more effective than an ini-set attempt (that didn’t always work).

3.20 (26 Dec 2022)

  • Fixed upload file size setting.
  • Some text changes to the memory settings area.
  • Tested with WP 6.1x.

3.12 (23 May 2022)

  • Added htaccess suggestion for forcing all requests to SSL.
  • Minor rearragement and positioning of admin users list area.
  • Minor rearrangement of the htaccess section, including some additional text.
  • Additional informative text of the various available settings.

3.11 (21 May 2022)

  • Fixed a curly quote. (I hate those curly quotes that get into the code!)
  • Removed the word ‘options’ from the plugin name, ettings page link, title, and images.
  • Tested with WP 6.0 and PHP 8.1.4 .
  • Increease minimum PHP version required to 7.3. (You should really update if you aren’t there…)

3.10 (20 May 2022)

  • First public release.
  • Plugin options now contained in a constant so only one read access from the options table.
  • Admin-level users shown on settings screen for information.
  • Shows current WordPress and PHP versions on the Settings screen.
  • Changed images to remote ‘options’ from the image
  • Removed some debugging code.
  • Optimized locations of add-filters used to implement various options.
  • Testing of ‘fresh’ install to ensure all functions work without errors.
  • Better alignment of the checkbox with it’s associated text.

3.01 (9 Apr 2022)

  • Fixed a font setting that was overriding the paragraph font size in the site.

3.00 (8 Apr 2022)

  • Added Settings link to the plugin on the Plugins page.
  • Removed plugin’s ability to change the htaccess file. The current htaccess file is shown for information purposes.
  • Added suggestions for the htaccess file, and advice on how to work with your hosting company to make changes.
  • Added a new option to limit login attempts at 4 failed. Any more will cause a timeout delay of 5 minutes befor another login can be attempted. This eliminates login brute force attacks.
  • Changed the process that adds the site logo shown at the top of the optional login screen (if enabled). If there is no site logo defined in the theme, the default logo is used.
  • Changed the rendering of settings to use one function, not individual ‘renders’ for each add_setting field. This allows for easier formatting of the settings and text area. The old individual rendering functions were removed.
  • Added a ‘Save Options” button at the top of the form for convenience.
  • CSS for the optional login screen only added if optional login enabled.
  • Enhanced the showing of the login/logout links on the site menu bar. There must be a menu bar enabled via the theme options for the login/logout links to be shown.
  • If alternate login screen enabled, any ‘verify admin email’ notices are suppressed.
  • Fixed the CSS to set the entire login box background to white, so the various parts of the login area don’t showw up as white stripes on a non-white background.
  • Initial preparation for possible future enhancements to the alternate login screen.
  • Removed option for adding sharing buttons to each post/page because of the constantly changing available sharing options. (And other plugins do it better.)
  • Removed the numbers in front of each settings.
  • Changed the login form code to only change the header image of the login form. Other settings, like the background for the login page, are done by the theme.
  • The login form background is set to white.
  • Changed logos and supporting images (part of re-branding on all plugins).
  • Changes to Settings screen to show new logos and sidebar information.
  • Changed title shown in the Settings list.
  • Removed inline CSS from added footer if enabled, so it will use inherited colors/etc.
  • Put all filters/actions in one area for convenience of the coding team.
  • Version number is a defined constant for convenience in display, and displayed under the heading image.
  • Some minor CSS changes to the Settings screen for slightly larger text and compatible background colors.
  • Text corrections, additional info on the settings, and other changes on the Settings screen.
  • Some code efficiencies; removing obsolete or unneeded code.

These prior versions were not publicly released

2.08 (2 Mar 2020)

  • changed when the htaccess is updates; now happens after theme_setup so that the switch_to_locale function is not called before it was available. This also fixes the problem of the ‘updated htaccess’ admin message appearing at the wrong time (as in on other screens).

2.07 (13 Feb 2020)

  • another instance of the switch_to_locale function check was removed

2.06 (12 Feb 2020)

  • corrected incorrect version of main file (didn’t have the 2.05 fix)

2.05 (28 Jan 2020)

  • removed call to switch_to_locale; causing errors on later PHP versions.


  • internal version, not released

2.03 (10 Jan 2020)

  • Further tweaks to htaccess changing module
  • Updated readme and program versions to match

= 2.02 (8 Jan 2020)=
* Fixed invalid htaccess ‘option’ parameter.
* Attempted fix of ‘htaccess changed’ admin message appearing too late.

= 2.01 (3 Jan 2020)=
* Fixed minor typo in Information page about the CF7 shortcodes.
* Added to the FAQ a list of the features of this plugin.

= 2.00 (2 Jan 2020)=
* Initial release of public version.
* Removed code for privately hosted auto-updates.
* Added option to protect against directly accessing the wp-comments-post.php via .htaccess directives.
* Shows the current contents of the htaccess file for your review.
* Ensured all array element names are quoted strings, rather than unquoted. Reduces PHP Warning errors about undefined constants; ensures compatibility with future PHP versions.
* Removed debugging code and unneeded comments.
* Changed variables, css styles, and function prefix to “CWPS” to match plugin name.
* Removed FontAwesome CSS loading; replacement icons are included in the plugin.
* Properly enqueued the CSS file per WP standards.
* Some minor CSS fixes.
* added uninstall process to remove plugin’s options from wp-options table
* Added additional information to the settings/information screen.
* minor code documentation corrections (spelling, mostly)

All versions below were privately released. Public version / initial release is Version 2.00


  • Changed all array element names (the part in the brackets) to be strings, rather than ‘assumed’ strings. The use of ‘assumed’ strings was causing a PHP Warning about undefined constants. PHP ignores that, although that may cause a fatal error in PHP 8x (whenever that gets released). And the PHP Warnings were cluttering up the error.log file.


  • fixed the settings screen relating to the CF7 referer field; the correct field to put in the contact form is ‘[hidden referer-page default:get]’ .


  • Versions 1.4 – 1.52 were testing versions, not released
  • Some minor typos fixed
  • Added versioning to the settings.css file to ensure proper loading


  • Minor code changes; tweaking how CSS loaded.


  • Minor change to html inserted as footer (now a paragraph tag, instead of a div); allows it to be centered more often.


  • Initial private release. Not available via WP plugin area yet.
  • Prior versions were for internal testing only.
  • Additional features are planned.