End-to-end development skill for the PayPerCrawl (CrawlGuard WP) plugin system — a WordPress plugin + Cloudflare Workers backend that detects, manages, and monetizes AI bot traffic. Use when working on any component of the PayPerCrawl ecosystem including: (1) WordPress plugin PHP development (bot detection, JS challenges, rate limiting, content scraping, WooCommerce sync), (2) Cloudflare Workers backend (API endpoints, Stripe integration, database queries), (3) Admin panel UI (dashboard, settings, analytics charts), (4) Database schema changes (Neon PostgreSQL or WordPress tables), (5) Payment/monetization logic (Stripe Connect, pricing, payouts), (6) Live Sync and content ingestion features, (7) Frontend assets (React analytics, admin JS/CSS), or (8) API specification and documentation updates.
Three-component system:
| Component | Stack | Location |
|---|---|---|
| WordPress Plugin | PHP 8+, WP 6.x | crawlguard-wp-main/ |
| Edge Backend | Cloudflare Workers, JS | crawlguard-wp-main/backend/ |
| Cloud Database | Neon PostgreSQL | crawlguard-wp-main/database/ |
crawlguard-wp-main/
├── crawlguard-wp.php # Main plugin entry (activation, hooks, init)
├── config.php # Environment-driven constants
├── includes/
│ ├── class-admin.php # WP admin pages + AJAX (1283 lines)
│ ├── class-bot-detector.php # Bot detection engine (570 lines)
│ ├── class-api-client.php # Backend API client (347 lines)
│ ├── class-analytics.php # Analytics queries (284 lines)
│ ├── class-js-challenge.php # JS proof-of-work (377 lines)
│ ├── class-live-sync-client.php # Live Sync API (212 lines)
│ ├── class-woocommerce-connector.php # WC hooks (259 lines)
│ ├── class-toon-encoder.php # TOON serialization (119 lines)
│ ├── class-config.php # Config helper (104 lines)
│ ├── class-rate-limiter.php # Rate limiting (89 lines)
│ ├── class-scraper.php # Content scraper (74 lines)
│ ├── class-frontend.php # Meta tags + beacon (56 lines)
│ ├── class-http-signatures.php # RFC 9421 sigs (40 lines)
│ └── class-ip-intel.php # IP intelligence (28 lines)
├── backend/
│ ├── production-worker.js # CF Worker API (468 lines)
│ ├── worker.js # Dev worker (382 lines)
│ ├── database.js # DB manager (314 lines)
│ └── stripe-integration.js # Stripe manager (300 lines)
├── database/
│ └── schema.sql # PostgreSQL schema (226 lines)
├── assets/
│ ├── css/ (admin.css, analytics.css)
│ └── js/ (admin.js, analytics.bundle.js, src/)
└── docs/ (API_REFERENCE.md, SECURITY.md)
includes/class-bot-detector.php$known_bots array: 'BotName' => ['company' => 'Company', 'type' => 'ai_crawler']get_bot_multiplier() in backend/production-worker.jsEdit includes/class-bot-detector.php → analyze_heuristically(). Scoring:
sites.pricing_per_request in PostgreSQL (default $0.001)analyzeBotRequest() in backend/production-worker.jsadd_submenu_page() call in class-admin.php → add_admin_menu()live_sync_page())__construct() and handler methodenqueue_admin_scripts() for the new page slugclass-woocommerce-connector.php → register_hooks()on_product_updated() patternbuild_product_event() structure$this->api_client->send_live_event()backend/production-worker.js using router.get/post()validateApiKey() middlewaredocs/API_REFERENCE.mdincludes/class-api-client.phpdatabase/schema.sql for PostgreSQL changesactivate() in crawlguard-wp.php (uses dbDelta())crawlguard_logs, crawlguard_rate_limits, crawlguard_signing_keys, crawlguard_fingerprintsinit hook → process_request()
→ Skip admin/REST/AJAX/cron
→ Rate Limiter (if enabled)
→ HTTP Signatures (if enabled)
→ Bot Detector → $bot_info
→ IP Intelligence (if enabled)
→ JS Challenge (if bot + no cookie)
→ API Client → monetization decision
→ Log to crawlguard_logs
→ Serve content or paywall
All optional features are gated behind crawlguard_options['feature_flags']:
enable_rate_limiting → Rate Limiterenable_http_signatures → HTTP Signaturesenable_ip_intel → IP Intelligencecrawlguard_verifiedsha256(IP + SECURE_AUTH_SALT + date('Ymd'))Required: DATABASE_URL, STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, JWT_SECRET, CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ZONE_ID
All settings stored in wp_options as serialized array under key crawlguard_options.
docs/API_REFERENCE.md in the plugin directory for endpoint documentationdocs/SECURITY.md in the plugin directory for security considerations| Issue | Impact |
|---|---|
database.js uses mock DB connection | Backend queries return empty in dev |
verifyWebhook() lacks HMAC verification | Security risk if deployed |
No @neondatabase/serverless import in worker | Worker cannot reach production DB |
| No automated test suite | Manual testing only |
npm run build # Webpack production build
npm run dev # Webpack watch mode
npm run lint # ESLint check
npm run package # Create distribution ZIP