Description

Banhammer: Protect your site against enemy hordes!

Banhammer gives you full control over who and what may access your site. Visit the Armory to monitor traffic and review suspicious visitors. If you find some user or bot that is causing problems, you can ban them with a click. Or, if you just want to keep an eye on someone, you can flag them with a warning. Any banned users will be denied access to your site, until you restore access via the Tower. Check out the video and screenshots to get a better idea of how it works.

Important: Not yet compatible with WP Multisite!

Core Features

Ban or Warn any WP user or IP address
Restore access to any banned targets
Monitor site traffic in the Armory
Monitor logged users in the Admin Area
Monitor all visitors on the front-end
Manage banned targets in the Tower
Complete Ajax-powered navigation
Useful tools like jump, sort, search
Complete documentation via Help tab
Automatically clear logged data
Sound effects for Ban, Warn, et al
NEW: manually block any IP address

Options Galore

Optionally ignore logged-in users
Optionally protect Login Page and Admin Area
Customize the banned response and status code
Display banned message or redirect the request
Choose the interval to clear logged data
One-click restore plugin default options
All collected data may be deleted easily

More Features

Easy to use
Clean code
Fast and secure
Built with WP API
Lightweight and flexible
Regularly updated and “future proof”
Works great with any WordPress theme
Comprehensive search of all logged data
Works great with other WordPress plugins
Works with or without Gutenberg Block Editor
Focused on usability, performance, and security

Banhammer is perfect for site owners, admins, and developers who want to keep an eye on traffic and block any unwanted visitors. It is a simple, flexible, and powerful security solution. Perfect for the best WordPress sites.

For complete documentation, visit the Help tab on any Banhammer screen.

+ Banhammer Pro now available »

Privacy

User Data: Banhammer collects user data to “do its thing”. The collected data is temporary and automatically deleted every day, or at whatever time interval is specified in the plugin settings. The only time that any data is “remembered” is when you ban something. For each person/thing that you ban, the plugin stores either the IP address OR the username (never both). At any time, all saved data may be deleted permanently via the plugin settings and Armory Tools.

Cookies: Banhammer does not set any cookies for regular visitors, but does set a few simple cookies for admin-level users. These simple cookies enable dope effects and interactivity in the Armory and Tower UI. But no cookies are set or used for any other visitor/user or purpose.

Services: Banhammer uses a free lookup service for GeoIP information. This happens only for admin-level users when they are viewing data in the Armory or Tower. No other third-party services are used by this plugin.

Support development of this plugin

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

BBQ Pro – Super fast WordPress firewall
Blackhole Pro – Automatically block bad bots
Banhammer Pro – Monitor traffic and ban the bad guys
GA Google Analytics Pro – Connect WordPress to Google Analytics
USP Pro – Unlimited front-end forms

Links, tweets and likes also appreciated. Thanks! 🙂

Thank You

Thank You to Jennifer Starr for her insight and help with testing and usability.

Screenshots

Banhammer Settings (showing default options)
Banhammer Armory (showing basic view)
Banhammer Armory (showing advanced view)
Banhammer Armory (showing more tools)
Banhammer Tower
Default banned message (can customize via settings)
Help tabs! (available on all Banhammer screens)

Installation

Important: PHP Requirement

Before installing, make sure your server has either cURL or file_get_contents() enabled. Banhammer requires at least one of these functions to do its thing.

Install Banhammer

Upload the plugin and activate
Configure the plugin settings as desired
Visit the Armory to monitor traffic and ban/warn any unwanted visitors
Visit the Tower to manage any banned/warned targets

More info on installing WP plugins

Caching Plugins

Banhammer works with any type of caching plugin where “page caching” is not enabled.

There are many types of cache plugins. They provide all sorts of different caching mechanisms and features. All caching features work great with Banhammer except for “page caching”. With page caching, the required WP init hook may not be fired, which means that plugins like Banhammer are not able to log and ban requests dynamically. Fortunately, some of the most popular caching plugins provide settings that enable full compatibility with Banhammer. For a complete list, check out this article. Note: that article was written for Blackhole Pro, but the compatibility list and general info apply also to Banhammer.

Use Banhammer

Banhammer enables you to monitor traffic and ban any user or bot. To view your site’s traffic, visit the Armory. There you can ban or warn (flag) anything you wish. Once you have banned something, it will be locked in the Tower, where you can manage all banned users and bots.

Banhammer is designed to be as intuitive as possible, and provides complete documentation via the Help tab on any Banhammer screen. There are three plugin screens:

Settings – configure options
Armory – monitor site traffic
Tower – manage banned visitors

So after configuring options, visit the Armory to monitor site traffic. If you see a visitor that should be banned, click the hammer button to ban them immediately. Or, if you just want to keep an eye on someone, click the horn button to issue a warning. After banning or warning your target, you can visit the Tower to manage as desired. There you can ban, warn, restore, or delete any target with a click.

For complete documentation, visit the Help tab of any Banhammer screen. If anything is unclear or if you find a bug, you can drop a line via my contact form.

+ Check out Banhammer Pro »

With great power..

Please be careful not to ban any important IP addresses. Before banning some target, verify the IP and host name. Verifying the IP address is important because you do not want to accidentally ban major search engines and services. A good way to verify any IP address is to do a reverse lookup. The result should match the host name. For an example of how to verify a bot, check out this article at Perishable Press.

Pro Tip: In the Armory, you can click on the IP Address or Host Name to do a quick whois lookup.

Important! Don’t ban yourself!

Please be careful not to ban yourself when using Banhammer. The Basic Settings are powerful; use them wisely. Here are some things that can help mitigate any accidents:

Be mindful when monitoring traffic; always know your own IP address and WP username.
Disable the setting “Login Page”, so you always have access to the Login Page.
Enable the setting “Ignore Users”, so you always can access the Tower, and your own visits will not be logged in the Armory.

Whoops! How do I get back in?

It’s almost inevitable. Worst-case scenario say you accidentally ban yourself. As site admin, it is easy to restore access. Follow these steps:

Download the Banhammer Unlock plugin
Upload the Unlock plugin to your server at: /wp-content/mu-plugins/
If the mu-plugins directory does not exist, go ahead and create it
After uploading the plugin, Banhammer will be disabled, so you can log in and restore access via the Tower
Once you have restored access, delete the Banhammer Unlock plugin from the server
After deleting the Unlock plugin, Banhammer once again will be enabled

Alternately, if you banned yourself by IP address, you can bypass the ban by using a trustworthy proxy service to log in to your site.

Testing

How do you know if the plugin is working? Like if you want to customize the banned response? Well, there are several ways to go about it.

Method One (easiest): Configure the following Banhammer settings:

Enable Plugin – enable
Ignore Users – disable
Login Page – disable
Admin Area – disable

After saving the changes, you will be able to ban your own visits to the front-end (non-admin) pages on your site, without actually banning yourself from the Admin Area or Login Page. Just remember to restore access via the Tower when you are finished testing.

Method Two (moderate): Create a new WordPress user and log in using a second browser. Then as you surf around the site, you can monitor and ban the user via the first browser.

Method Three (advanced): Open two browser tabs. Tab 1 is the Armory. Tab 2 is a good proxy service. With Banhammer enabled, visit your site’s homepage via proxy. Then jump over to the Armory and ban the proxy IP address. Then retry the proxy visit to the homepage; it should be denied access. Remember to restore access or delete the banned IP via the Tower when finished testing.

Manually Add IP Address

If you want to ban some IP that has not yet visited your site, you can do so by entering the following URL in your browser’s address bar:

https://example.com/wp-admin/?banhammer-key=[KEY]&banhammer-ip=[IP]

Replace the following:

Replace [KEY] with your “Target Key”
Replace [IP] with the IP you want to block
Replace example.com with your own domain

Note: You can find your Target Key in Banhammer Advanced settings.

For more info about adding targets, visit the Help tab on the Settings page.

Important! Never share your Target Key, always keep it secret.

Auto-Clear Data

To prevent collected data from filling up the database, Banhammer automatically clears all Armory data at regular intervals. By default, the interval is 24 hours. So every 24 hours, the Armory data will be flushed, and fresh data will be collected. Of course, any banned targets will remain banned and available in the Tower. To change the auto-clear interval, check out the “Reset Armory” setting. Visit the Armory Help tab for more details.

Performance Tip!

The first time a logged entry is displayed in the Armory, additional data are fetched behind the scenes. So as you navigate pages, you may notice that pages containing new entries take a bit more time to load. Subsequent views should be nice and speedy via Ajax. So with that in mind, it is optimal for performance to keep the number of items per page to a minimum. Try to keep it anywhere under 10 or so and you should be good. To change the number of entries displayed per page, click “Tools” and go to “Display [x] rows”.

Basic View vs. Advanced View

Under the Tools menu you can toggle between “Basic view” and “Advanced view”. Basic view gives you a streamlined summary. Advanced view gives you complete data for each entry. Note that you can toggle each entry individually between Basic and Advanced. So for example, you can monitor traffic in Basic view, and then toggle open (double-click) any entry that may need banning. The default is Advanced view.

Sound Effects!

Banhammer sound effects can be enabled by clicking “Tools” and then “Enable sound fx”. When enabled, the sounds will be played whenever an action button is clicked. This includes the Ban, Warn, Restore, and Delete buttons. The Armory provides Ban and Warn buttons. The Tower provides all four. Note that enabling sound fx in the Armory applies to the Tower as well.

Note that the sound effects are a work in progress. Finding quality open source audio is challenging. If you are able to contribute better effects, please let me know. And of course, the sound effects can be disabled entirely by clicking “Disable sound fx”.

License for Sound Effects

Audio used in plugin

Audio used in promos

Uninstalling

This plugin cleans up after itself. All plugin options and collected data will be removed from your database when the plugin is uninstalled via the Plugins screen.

Like the plugin?

If you like Banhammer, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

FAQ

How is this different than the other “Ban Hammer” plugin?

The plugin Ban Hammer by Mika Epstein (Ipstenu) is the original “ban-hammer” plugin. It is a great plugin that prevents unwanted users from registering with your site. My plugin Banhammer monitors traffic and enables you to ban any unwanted WP users or IP addresses. They are similar in effect, but focus on different aspects of site access. Btw, huge Thank You to Mika for being so awesome with sharing the “ban hammer” space 🙂

Will this plugin slow down my site?

No, Banhammer is developed with a focus on performance, so your site will be as fast as possible. For example, Banhammer does all of its “heavy lifting” of data only when the admin is viewing the Armory, so normal site traffic remains as fast as possible. This is why the first pass thru the Armory data can take a second or two longer than subsequent passes; Banhammer is looking up Geo/IP information, hostname information, and also performing other important tasks only when the admin is viewing the Armory.

I can’t change the Row Limit setting?

To change the Row Limit, enter a number and then press the Enter key on your keyboard. For more information about Row Limits, click the Help tab on the plugin settings page.

What are Protect Login Page and Admin Area options?

In the Banhammer settings, there are two options:

Login Page – Protect WP Login Page
Admin Area – Protect WP Admin Area

When enabled these options tell Banhammer to include the Login Page and Admin Area, respectively. It means that Banhammer will monitor requests made to the Login Page and Admin Area, and block anything that you’ve told it to block. Otherwise only the frontend pages are protected. Conversely, when these options are disabled, Banhammer will ignore the Login Page and/or Admin Area.

Further explanation: with WordPress, there is the frontend (like homepage, posts and pages, etc.). Then there also are all the admin-related pages, commonly referred to as the Admin Area. This is what is covered by the “Admin Area” option. Likewise with the Login Page, located at /wp-login.php, that is what the “Login Page” option refers to.

Got a question?

Send any questions or feedback via my contact form

Reviews

garybuffalo July 29, 2021

I bought the multi-site pro version because I wanted to keep spammers from registering on my websites. But it simply wasn't usable by me because of its configuration. To the programmer's credit, he issued a prompt refund.

nevrsmer July 10, 2020

I've purchased several of Jeff's plugins and have left the same review as the one below for the other plugins. What I have to say about each plugin and Jeff is the same. In moving away from an all-encompassing WP security plugin, I did quite a bit of research into the available options regarding site security and came across BBQ Pro and the other premium and freemium plugins by Jeff Star. Aside from it being an excellent plugin that does exactly what is sets out to do, and well, Jeff Star is star (pun not intended) in his field and provides first-rate customer service. To clear up some issues I was having with his security plugins - they were related to my lack of understanding, not to the plugins themselves - Jeff called me and clarified all my doubts (this was an international call!). Moreover, the security-related articles on his site, as well as on other, have helped further secure our site and gain a greater understanding of WP security as a whole and on the "atomic" level. Thank you Jeff for the great plugins, articles, and support! Cheers!

ddewett January 23, 2020

This is one of my go-to security extensions. All of the developer's products (BBQ and Blackhole) that I have used are 1) easy to set-up, 2) very powerful, 3) perform as advertised, and 4) have an ounce of humor. I can see how a novice user could be overwhelmed with his products at first. This particular plug-in gives you all the information on any site visitor. I can easily identify unscrupulous users and bots. If you find any of the reported info overwhelming, please spend some time to understand it, your admin life will become much easier. I use the Pro version of all the above plug-ins.

AlfredG October 6, 2020

Some IS providers do some checking also and the IP adress of the provider fills the list. It should be possible to suspress the recording of some IP adresses. I can't see what's really happening, too much data.

shirtguy72 March 3, 2019

Perfecto!

flamerz December 13, 2018

Jeff is really helpful and the support of his plugins is excellent. He always replied my emails quite fast and took a lot of time to elaborate detailed answers. Now I use the pro version of this plugin but I wanted to leave an honest rating for the free version too. I discused with him about the flush trigger, asked about the login/admin protection areas and cleared some issues on the target key. Its a YES for me.

Read all 11 reviews

Contributors & Developers

“Banhammer” is open source software. The following people have contributed to this plugin.

Jeff Starr

Translate “Banhammer” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

If you like Banhammer, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

2.7 (2021/07/17)

Fixes bug with banhammer-process requests in Armory
Improves functionality of banhammer_get_response()
Tests on WordPress 5.8

2.6 (2021/02/10)

Changes GeoIP lookup service
Improves performance of IP functionality (Thanks @danielrufde)
Tests on WordPress 5.7

2.5 (2020/11/15)

Appends version number query string to scripts and styles
Updates plugin script to account for changes in jQuery UI
Fixes bug w/ removable_query_args (Thanks John Blackbourn and @holisticmissions)
Tests on PHP 7.4 and 8.0
Tests on WordPress 5.6

2.4 (2020/08/09)

Tweaks the plugin settings page
Refines readme/documentation
Tests on WordPress 5.5

2.3 (2020/03/19)

Fixes bug: PHP Warning: count() must be an array
Adds French translation (thanks to Hervé Bouzin)
Tests on WordPress 5.4

2.2 (2019/11/08)

Updates styles for plugin settings page
Tests on WordPress 5.3

2.1 (2019/09/02)

Changes default number of rows
Increases maximum row display to 10
Improves UX for max-row setting
Improves error logging functionality
Updates some Help tab infos
Updates some links to https
Generates new default translation template
Tests on WordPress 5.3 (alpha)

2.0 (2019/05/01)

Bumps minimum PHP version to 5.6.20
Updates default translation template
Tests on WordPress 5.2

1.9 (2019/04/08)

Limits Armory rows to 5 (see Notes in Armory Help tab for details)
Works on improving GeoIP lookup timeouts and issues
Fixes bug with updating plugins using CLI
Generates new default translation template

1.8 (2019/04/02)

Fixes bug with GeoIP lookups timing out (503/504 errors)
Removes a conflicting CSS rule in the plugin settings
Tests on WordPress 5.1 and 5.2 (alpha)

1.7 (2019/03/11)

Replaces ipapi.co with ip-api.com for GeoIP lookups
Improves function action_links()
Refines plugin settings screen UI
Generates new default translation template
Tests on WordPress 5.1 and 5.2 (alpha)

1.6 (2019/02/20)

Just a version bump for compat with WP 5.1
Full update coming soon 🙂

1.5.1 (2018/11/18)

Fixes bug with banhammer-process_ query args
Replaces geoip.tools lookup service with ipapi.co
Tests on WordPress 5.0 (beta)

1.5 (2018/11/16)

Adds homepage link to Plugins screen
Updates default translation template
Tests on WordPress 5.0 (beta)

1.4 (2018/08/20)

Replaces freegeoip.net with geoip.tools for Geo Lookups
Adds rel="noopener noreferrer" to all blank-target links
Updates banhammer_add_target to check !is_int on $tower_key
Updates WPSimpleNonce to support older versions of PHP
Updates contextual Help tab with better infos
Updates GDPR blurb and donate link
Regenerates default translation template
Further tests on WP versions 4.9 and 5.0 (alpha)

1.3 (2018/05/08)

Adds feature to manually add targets (see Installation notes)
Renames Banhammer class and variable to BanhammerWP
Strengthens security protocols in Banhammer core
Improves support for caching plugins
Adds sound effects for delete all and bulk delete in Armory
Adds function to check for pro version of Banhammer
Adds pro link to plugin on WP Plugins page
Updates information provided in the Help tabs
Replaces ip-api.com with whatismyipaddress.com
Changes some else if to elseif in PHP code
Changes default number of Armory rows to 3
Changes “Previous” to “Prev” on nav button
Generates new translation template
Tweaks some styles in various places
Tweaks some text in various places
Updates plugin image files
Tests on WordPress 5.0 (alpha)

1.2 (2018/01/19)

Adds filter hook banhammer_armory_mask
Tweaks some CSS in the Armory
Tests on WP 5.0 (alpha)

1.1 (2018/01/18)

Preps plugin for WP Plugin Directory
Changes banhammer_options to banhammer_settings
Removes unused file, fontawesome-webfont.otf
Updates some Help tab information
Tests on WP 5.0 (alpha)

1.0 (2018/01/11)

Initial release

WordPress.org

Banhammer