Agent Guard Installation Instructions for WordPress

Installing an Agent Guard on your WordPress website is one of the best ways to protect your site from AI crawlers, scrapers, bad bots, risky requests, trap visitors, and automated abuse.

Xobytes built AgentShield as a WordPress Agent Guard plugin for website owners who want more control over suspicious automated traffic. It helps detect, log, block, and temporarily ban risky visitors before they can abuse your website.

You can get AgentShield here:
<a href=”https://xobytes.com/shop/product/agent-shield-protect-against-agentic-software/”>AgentShield — Protect Against Agentic Software</a>

This guide will walk you through the full Agent Guard installation process.

What Is Agent Guard?

Agent Guard is a website protection layer designed for the new internet.

Older security tools mostly focus on spam, login attacks, and known malware patterns. However, modern websites now face AI crawlers, agentic software, automated browsers, scrapers, and bots that can scan pages, test forms, hit API routes, and probe for sensitive files.

AgentShield works like an Agent Guard for WordPress. It helps defend your site against:

AI crawlers, AI agents, content scrapers, bad bots, headless browsers, honeypot visitors, bad file probes, suspicious user agents, risky POST requests, repeated blocked activity, and automated abuse.

Before You Install AgentShield

Before installing AgentShield, make sure you have:

A WordPress website, administrator access, a copy of the AgentShield plugin ZIP file, and a valid license key from Xobytes.

If you have not purchased the plugin yet, visit the AgentShield product page here:
Get AgentShield for WordPress

Step 1: Download AgentShield

After purchasing AgentShield, log into your Xobytes account and download the plugin ZIP file.

Do not unzip the file unless you are manually installing it through FTP or your hosting file manager.

The file should look similar to:

agent-shield.zip

Step 2: Upload the Plugin to WordPress

Log into your WordPress admin dashboard.

Then go to:

Plugins > Add New > Upload Plugin

Click Choose File, select the AgentShield ZIP file, and click Install Now.

After WordPress uploads the file, click:

Activate Plugin

AgentShield should now appear in your WordPress admin menu.

Step 3: Activate Your AgentShield License

After activating the plugin, go to:

AgentShield > License

Paste your license key into the license field.

Then click:

Activate License

AgentShield will connect to the Xobytes license server and validate your license.

Once the license is active, you can use the plugin on your website.

Step 4: Start in Monitor Mode First

The best first step is to run AgentShield in Monitor Mode.

Go to:

AgentShield > Settings

Find the Protection Mode setting.

Choose:

Monitor

Monitor Mode logs suspicious traffic without blocking it. This gives you time to review what AgentShield sees before turning on stronger protection.

This is the safest way to start.

Step 5: Review the AgentShield Dashboard

Next, go to:

AgentShield > Dashboard

The dashboard gives you a quick overview of your website protection.

You can see items like:

Current mode, blocked requests, monitored requests, critical events, temporary bans, total logs, top triggered rules, honeypot trap URLs, and recent events.

This helps you understand what kind of traffic is hitting your website.

Step 6: Check Your Logs

Go to:

AgentShield > Logs

The logs show request details such as:

Date, decision, risk level, score, triggered rule, IP address, path, and user agent.

This section is important because it helps you identify real threats.

For example, if a visitor tries to access:

/.env
/wp-config.php
/preview/phpinfo.php
/adminer.php
/database.sql

That is usually not a normal visitor. It is often a bot, scanner, scraper, or automated probe.

Step 7: Allow Important Search Engines

You do not want to block Google, Bing, Yahoo, DuckDuckGo, or other important discovery bots from safe public pages.

Go to:

AgentShield > Settings > Search Engine & Organic Traffic

Enable:

Allow important search engine bots for organic search traffic

You can also allow social preview bots so links shared on platforms like Facebook, LinkedIn, X, Slack, Discord, Telegram, and WhatsApp can still generate previews.

The recommended setting is:

Allow safe public crawling

This allows trusted crawlers to view public pages, but it does not give them permission to access sensitive paths, trap URLs, private exports, login routes, or attack probes.

Step 8: Enable Main Protection Rules

In the settings page, review the Main Protection Rules section.

Recommended options include:

Block known AI crawlers
Block known scraper tools on risky routes
Block XML-RPC requests
Block public access to /wp-json/wp/v2/users
Protect wp-login.php from automated tools
Protect admin-ajax.php from suspicious automation
Block sensitive file and vulnerability probes
Enable honeypot trap URLs

These settings help AgentShield detect and stop suspicious automated behavior.

Step 9: Use Honeypot Trap URLs

AgentShield includes honeypot trap URLs.

These are URLs normal users should never visit.

Examples may include:

/agent-shield-trap/
/ai-agent-trap/
/private-export/
/download-all-content/

If a bot or scraper visits one of these trap URLs, AgentShield can block and log the request.

Depending on your settings, AgentShield can also temporarily ban that IP from the entire site.

Step 10: Enable Temporary Full-Site IP Bans

Temporary bans help AgentShield respond to serious threats.

Go to:

AgentShield > Settings > Temporary Full-Site IP Bans

Recommended settings:

Enable temporary full-site IP bans
Ban IPs that hit honeypot/trap URLs
Ban IPs that probe sensitive files
Ban IPs that exceed the request rate limit
Ban IPs after repeated blocked requests

A good starting point is:

Honeypot/trap ban length: 168 hours
Bad file probe ban length: 168 hours
Rate-limit ban length: 24 hours
Repeated-block ban length: 24 hours

This means serious offenders can be banned for a week, while rate-limit abuse and repeated blocks can be banned for one day.

Step 11: Turn On Balanced Mode

After reviewing your logs in Monitor Mode, switch to Balanced Mode.

Go to:

AgentShield > Settings > Protection Mode

Choose:

Balanced

Balanced Mode blocks obvious risky traffic while still being safer than Strict Mode.

This is the recommended setting for most websites.

Step 12: Use Strict Mode Carefully

Strict Mode blocks more automation.

It can be useful for websites that are under heavy scraping, scanning, or bot abuse. However, it may require more allowlist tuning.

Use Strict Mode if:

Your site is being heavily scanned, your logs show repeated bad file probes, bots are hitting sensitive paths, scrapers are copying your content, or you want more aggressive protection.

If you are unsure, stay in Balanced Mode.

Step 13: Add Trusted IPs to the Allowlist

If you use trusted services that need access to your site, add them to the allowlist.

This may include:

Your own office IP, your developer’s IP, your uptime monitor, trusted automation tools, or trusted API services.

Be careful with allowlists. Only add IPs and user agents you trust.

Step 14: Use the Manual Blocklist

AgentShield lets you manually block bad IPs.

From the logs dashboard, you can review suspicious requests and add offenders to the blocklist.

This is useful when you see repeated abuse from the same IP address.

Manual blocklist entries are stronger than temporary bans because they are intended to permanently block known offenders.

Step 15: Protect Yourself From Lockouts

Security tools should protect your site, but they should not lock out the website owner.

AgentShield includes admin safety features.

Recommended safety settings:

Never block safe homepage visits
Enable emergency rescue link support
Skip logged-in administrators
Do not block wp-login.php

You can also add an emergency access key to your wp-config.php file.

Example:

define('ASWF_EMERGENCY_ACCESS_KEY', 'change-this-to-a-long-random-secret-key');

Then, if you ever get locked out, you can visit:

https://yourwebsite.com/?aswf_rescue=change-this-to-a-long-random-secret-key

For a full emergency shutoff, you can add:

define('ASWF_DISABLE_FIREWALL', true);

Only use that if you need to disable AgentShield long enough to get back into your site.

Step 16: Check the Blocked Page Product Card

When AgentShield blocks a suspicious visitor, it can display a modern blocked-page message with a product card.

This is useful for websites that want to show where the protection came from.

The product card can include:

Product image, product name, short description, price or CTA text, view product button, and add-to-cart button.

For Xobytes, this card links back to the AgentShield product page:

AgentShield — Protect Against Agentic Software

Recommended AgentShield Setup

For most WordPress websites, start with this setup:

Protection Mode: Monitor for the first day
Then switch to: Balanced
Search engine bots: Allowed for safe public crawling
Social preview bots: Allowed
Honeypot trap URLs: Enabled
Bad file probe blocking: Enabled
Temporary full-site IP bans: Enabled
Rate limiting: Enabled
Admin safety: Enabled
Emergency rescue: Enabled

This gives you strong protection without being too aggressive.

Common Installation Problems

The Plugin Will Not Upload

Make sure you are uploading the ZIP file, not the unzipped plugin folder.

If your server blocks larger uploads, increase your WordPress upload limit or upload the plugin through your hosting file manager.

The License Will Not Activate

Check that your license key was copied correctly.

Also make sure your website can make outbound requests to the Xobytes license server.

Search Engines Are Being Blocked

Go to the Search Engine & Organic Traffic section and enable trusted search engine crawling.

Use the safer setting that allows public crawling but still blocks sensitive routes.

You Got Locked Out

Use the emergency rescue link if you added an emergency key.

If needed, add this to wp-config.php:

define('ASWF_DISABLE_FIREWALL', true);

Then log in, adjust your settings, and remove the line when finished.

Final Thoughts

Agent Guard protection is becoming more important for WordPress websites.

AI crawlers, scrapers, automated browsers, and agentic tools are changing how websites are accessed. Some of that traffic is helpful. However, some of it can be risky, aggressive, or abusive.

AgentShield gives WordPress site owners a direct way to monitor, block, and control that traffic.

If you want to protect your WordPress website from AI agents, scrapers, bad bots, file probes, risky requests, and automated abuse, you can get AgentShield here:

Get AgentShield for WordPress by Xobytes