WordPress integration for Cloak4U

The WordPress integration adds Cloak4U’s invalid-traffic check to a WordPress site with a small plugin or a few lines of code. On each visit it collects minimal signals, asks Cloak4U for a decision, and blocks only on an explicit block — otherwise it fails open to your normal page. This guide covers installation, the code, caching, and the security practices that keep it safe.

How the WordPress integration works

WordPress renders pages with PHP, so the integration hooks in early in the request — before the page HTML is sent — and calls the Cloak4U decision endpoint. Valid visitors continue to the same approved landing page as everyone else; only visits classified as invalid are blocked or challenged. Because the check defaults to allow, a slow or unreachable service never locks out your real audience.

Before you start

  • A WordPress site you can install plugins on (or edit a child theme).
  • A Cloak4U campaign and its token from the dashboard.
  • Knowledge of which page or template you want to protect.
  • Access to your caching plugin’s settings, if you run one.

Throughout, use demo_tok_XXXXXXXX as a placeholder token and YOUR_APP_DOMAIN for your app domain. Store the real token using a WordPress option or an environment variable, never hard-coded in a public template.

Step 1: Install the plugin

  1. In your dashboard, go to Plugins → Add New.
  2. Upload the Cloak4U plugin package (or a site-specific snippets plugin if you prefer to paste code).
  3. Click Activate.
  4. Open the plugin settings and paste your campaign token. The plugin stores it as a WordPress option rather than in a template file.

Using a plugin keeps the integration separate from your theme, so a theme update will not wipe it out. If you must edit theme files, use a child theme so your changes survive updates.

Step 2: Add the integration code

If you are adding code manually rather than using the plugin UI, hook the check into an early WordPress action and read the token from a stored option. Keep the request behind a short timeout and default to allowing traffic. The pattern mirrors the PHP integration: collect minimal signals, call the endpoint, and block only on an explicit block decision. Always store the token with an option like get_option() or an environment variable — never as a literal string in a public file.

Skip the check for logged-in users if you do not want to evaluate your own editors, and allowlist legitimate crawlers in your Cloak4U settings so indexing is unaffected.

The integration sends every valid visitor to the same approved page. It does not show one version to reviewers and another to users — that would be deceptive cloaking and is out of scope. Blocking means stopping invalid traffic, not redirecting it to a decoy.

Step 3: Handle caching plugins

Full-page caching serves a stored copy of your page without running PHP, which means the live Cloak4U check never fires. The right fix is to exclude the protected page from the cache — not to disable caching for your whole site. Here is where to look in the popular plugins:

  • WP Super Cache: Settings → WP Super Cache → Advanced → “Rejected URLs”, and add your page path.
  • LiteSpeed Cache: Cache → Excludes → “Do Not Cache URIs”, and add the page.
  • W3 Total Cache: Performance → Page Cache → “Never cache the following pages”.
  • WP Rocket: Settings → Advanced Rules → “Never Cache URL(s)”.

Also exclude the page from any CDN or host-level full-page cache. Leave the rest of your site cached for speed — only the protected landing page needs to bypass the page cache so each visit is evaluated live.

Security best practices

Follow WordPress security standards so the integration cannot be abused:

  • Verify nonces on any settings form or admin action with wp_verify_nonce() to prevent cross-site request forgery.
  • Escape all output with esc_html(), esc_attr(), or esc_url() so nothing you print can inject markup.
  • Sanitize all input with functions like sanitize_text_field() before storing or using it.
  • Check capabilities with current_user_can() before exposing settings, so only authorized roles can change the configuration.
  • Keep the token private in a WordPress option or environment variable, and use file permissions of 644 for files and 755 for folders — never 777.
  • Collect only minimal signals. The integration never stores cookies, sessions, passwords, or uploaded files.

Testing your integration

  • Normal visit: load the protected page in a private window and confirm it renders normally.
  • Cache check: confirm the page is excluded from your cache by looking for a cache-status header or a “not cached” note in the plugin.
  • Block path: use a test decision URL or preview token from the dashboard to simulate a block and confirm the blocked response appears.
  • Fail-open check: confirm the page still loads if the service is temporarily unreachable.
  • Logs: verify visits appear in your Cloak4U click log with a decision, reason code, and risk score.

Limitations and risks

Detection is probabilistic. Aggressive settings can block real users on shared or mobile networks; loose settings let more invalid traffic through. Caching misconfiguration is the most common issue — if decisions seem stale, re-check your exclusions. Cloak4U does not guarantee that every bot is caught or that no legitimate visitor is ever challenged. Review your logs regularly and use the allowlist for sources and crawlers you trust.

Conclusion

With a small plugin, correct cache exclusions, and standard WordPress security practices, Cloak4U filters invalid traffic on WordPress without slowing the rest of your site or interfering with SEO. Install it, exclude the protected page from caching, test the block and fail-open paths, then tune sensitivity from your reports. Prefer a code-first approach? See the PHP integration, or for a no-server option try the JavaScript integration.

Frequently asked questions

Do I need a plugin to use Cloak4U on WordPress?
A small plugin is the cleanest way — it keeps the integration separate from your theme so updates do not overwrite it. You can also add the code to a child theme or a site-specific snippet plugin. Either way, the code asks Cloak4U for a decision and fails open.
Why does caching break the integration?
Full-page caching plugins serve a saved copy of the page without running PHP, so your live traffic check never executes. The fix is to exclude the protected page from the cache, not to disable caching for the whole site.
Which caching plugins do I need to configure?
The common ones are WP Super Cache, LiteSpeed Cache, W3 Total Cache, and WP Rocket. Each has a setting to exclude specific URLs or pages from the page cache. Add your protected landing page there.
Is the WordPress integration secure?
It is when you follow WordPress standards: verify nonces on any form actions, escape all output, sanitize all input, and check user capabilities before privileged actions. The integration collects only minimal signals and never stores cookies, sessions, or passwords.
Will Cloak4U block my logged-in editors or Googlebot?
Only if you configure it to. You can skip the check for logged-in users and allowlist legitimate crawlers such as Googlebot in your Cloak4U settings, so editing and SEO are unaffected.

Protect your WordPress landing page

Install the plugin, exclude the page from caching, and start filtering invalid traffic with transparent, auditable decisions.