Add-on Bad Behavior bot protection


Well-known member
One of the most important addons I have on my vbulletin big board is Bad Behavior. Its important because it does the following:
  1. Blocks spam bots
  2. Blocks downloaders and scrapers, which saves a ton of money
  3. Blocks vulnerability scanners, which saves headaches. :)
  4. Blocks users with malicious addons and virus infections
  5. It does all of this in the background (checks browser fingerprint and useragent) and does not bother legitimate users.
The great thing is that it uses Project Honeypot and you are also able to blacklist or whitelist any bot.

I would love to have this software integrated as an addon for xenforo.

Daniel Hood

Well-known member
There are a few spam protection solutions available. A couple of which use Honeypot, is there a reason why any of them won't work for you?


Well-known member
No. That's a totally different approach. This completely blocks all blacklisted users from using your site. Not just from registration. It also uses different detection methods than the other Honeypot tools.
I have been using this for years. It blocks about 1.6 million malicious attempts per month on my site. This saves a massive amount of bandwidth(a 40% decrease!), decreases attacks and as it complements other spam measures it also decreases spam.


Well-known member

By default Bad Behavior can provide protection to any PHP script out of the box, but it cannot provide logging. If you are willing to live without Bad Behavior’s detailed logs, simply install the Bad Behavior folder somewhere on your server, and then call require_once("/path/to/Bad-Behavior/bad-behavior-generic.php"); from your PHP script. I recommend placing this function call in a common piece of PHP code which is loaded from all parts of your PHP-based software, so that it can provide protection to all parts of your software.

Have you tried to include it yourself?

Tracy Perry

Well-known member
Its slightly more complex than that. It needs to be coded as an addon, to allow inclusion of the BB files.
There needs to be a log with a few simple tools to find any issues.
Here is the vb product:
Another good one (although it does not directly integrate with xenForo - but you can find view the logs it creates through a panel or via ssh) is ZB Block. I used it for a while and integration into xenForo's index.php was VERY easy.


Well-known member
I was asked to do this, but sorry, it's not something I would recommend including, so I wont add it to TAC.

A recent update of FBHP stops bots that attempt to register, using a 0 query method (once a bot is known as attempting to register, they are sent a low byte usage, 0 query forbidden 401 message,
see here :

Bots that have been detected as bots (attempting to register and fill hidden fields, no js, very quick), will then see the 401 site wide, the IP will be cached for X Hours (defined by you the admin)

It's fairly impossible to trigger this, unless you are a bot, so no humans will see this with FBHP (unless they happen to be sharing the same network IP address as a botter, in which case, use a low cache value). There is also the option to turn this off (for forums that are likely to be accessed by users on the same network as automated spammers... it happens!)

However, I have seen BadBehaviour pick up too many false positives (I myself have been detected on one forum, and I was not on a shared network!).

Since I avoid false positives like the plague, I wont include BadBehaviour in TAC (it's also fairly redundant with the FBHP implementation)
Last edited:


Well-known member
Thanks for your explanation, but you seem to have a misconception about my request: it does not primarily relate to registrations. The solutions in your addon are great for blocking bots from registration. But it does not block bots from using a website or from submitting spam on already registered accounts. The purpose of bad behavior is much broader.

I am requesting this addon because it has worked wonders for my vb big board in many ways, without many complaints. What Bad Behavior does is:
  • block scrapers from stealing content and bandwidth. This saves me a lot of costs each month.
  • block various automated hack & simple ddos attempts.
  • block spam bots from submitting automated spam through registered accounts.
  • block blacklisted spiders from indexing and scraping.
  • ban users by browser fingerprint.
  • block automated registrations
  • submit blacklisted users to project honeypot
It does not primarily detect on IP basis, but a combination of user agent, browser fingerprint, IP, protocol, registered, headers, type of request.

The webmaster can opt to block certain types of behavior, which means that if I want to block the use of alexa toolbar on my site, then I can block this. If you have that toolbar installed, then you will be blocked.
So the fact that you got blocked from using a website can easily be a matter of the webmasters preference conflicting with your browser addons.

DragonByte Tech

Well-known member
Unfortunately I don't want to add all those features just to get Bad Behavior. Also, have had bad experience in past with DragonByte.
Would you be willing to send us a Private Message with details regarding your bad experiences? I'd hate for anyone to have a bad experience and I'd like a chance to rectify this for you :)


Brent W

Well-known member
Would you be willing to send us a Private Message with details regarding your bad experiences? I'd hate for anyone to have a bad experience and I'd like a chance to rectify this for you :)

I'll reach out to you later today. Either way, unfortunately, the add-on has too much extras we don't need and would rather just have someone target the Bad Behavior add on on its own.