Complications of AI training. Any solution?

Don’t forget to block access to your uploads and RSS feed. Here’s some code you can place in your .htaccess file (anywhere above the ClassicPress block):

# Protect media files and RSS Feed
<IfModule mod_rewrite.c>
	RewriteRule ^feed/$ - [R=400,L]
	RewriteCond %{REQUEST_FILENAME} -s
	RewriteRule ^wp-content/uploads/(.*)$ dl-file.php?file=$1 [QSA,L]
</IfModule>

Then upload this file to your root folder (the one that also contains the .htaccess file): Wordpress login to download uploaded files · GitHub

In fact, it’s like picking up the sea with a teaspoon. You’re on the internet, and there’s no way to protect your content 100%. There are ways to limit their visibility with restricted areas, passwords etc. But crawlers and spiders arrive always and everywhere, because robot.txt directives are respected according to convenience. Furthermore, scraping bots are violent and pay no attention to anyone, especially those who should be at the limit of legality.

There is no way to have your cake and eat it too. In other words: music authors have been fighting against the digital smuggling of their music for thirty years now. But it’s a losing fight from the start, and many of them eventually put their oars back in the boat and adapted. Not to mention the authors of fonts or software.

So, as frustrating as it is, this is the situation.

Rather, rather than worrying so much about something that you can’t actually fight (at least with current technologies), images are still a source of income. So, to say: if you have good, marketable artwork, you might as well put these images up for sale on your website, so that a potential person interested in using the image for a t-shirt or ebook cover , rather than stealing it and using it illegally, he is induced to buy the license to use it. By using some precautions, conditions of use and a competitive price, you can greatly limit illegal use. It doesn’t eliminate it, but you can compensate with an additional area of ​​​​business: downloading digital products.

Yeah. This is VERY sound advice.
If you can’t beat 'em, join 'em.

Hm…I see. Ok … Thank you all for your suggestions.

AI doesn’t harm only visual artists… Good move btw…

We’re telling you: it’s a losing battle with current technologies. Instead, really think about digitizing your products, to expand your business. Many honest people, rather than stealing your image for a t-shirt or CD cover, prefer to purchase the rights, downloading the image legally. You can use many digital product sales platforms (excluding Deviant Art) for this purpose, or you can set up an e-commerce site (e.g. Classic Commerce) and sell everything directly on your site.

Just putting my two cents in here…
I will not go into the copyright infringements by AI (as we all seem to agree on that), but I would like to comment on the technical (server) part.

Adding “Disallow” to the robots.txt only works for legit bots and crawlers (Bingbot, Googlebot, DuckDuckGoBot, Ahrefs, DotBot, etc), because these actually call the robots.txt file first to check your permission before crawling the rest of the site. Malicious bots do not call/visit/read the robots.txt file, so you will need to block those in your .htaccess root file.

This what I am currently using is:

RewriteEngine On
RewriteBase /
ServerSignature Off
Options +FollowSymLinks

# Always block Bad Bots
RewriteCond %{HTTP_USER_AGENT} (wpthemedetector|builtwith|isitwp|wapalyzer|mShots|WhatCMS|gochyu|wpdetector|scanwp) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (axios|ccbot|claudebot|colly|dataprovider|dataproviderbot|example|fasthttp|fidget-spinner-bot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (fuzz|go-http-client|gptbot|guzzlehttp|kocmohabt|kstandbot|LabyrinthBot||lua-resty|lua-resty-http) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (ngx_lua|node|node-fetch|oupwis|owler|pycurl|python|python-|quic-go|ruby|spawning-ai|spider|symfony) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (telegrambot|test-bot|wp_is_mobile|wpbot|YisouSpider) [NC]
RewriteRule ^.* - [F]

# Block Bots, but allow /robots.txt
RewriteCond %{HTTP_USER_AGENT} (adstxtcrawlertp|AwarioBot|BacklinksExtendedBot|blexbotBytespider|DataForSeoBot|domainstatsbot|ev-crawler) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (ImagesiftBot|ioncrawl|MojeekBot|mj12bot|Netcraft|netEstate|paloaltonetworks|petalbot|SeekportBot|webtech|yandexbot|zoominfobot) [NC]
RewriteCond %{REQUEST_URI} !^/robots\.txt$
RewriteRule ^.* - [F]

# Block outdated Browsers, used by malicious bots.
RewriteCond %{HTTP_USER_AGENT} (msie|headlesschrome|opera|presto) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (?<=Mozilla/)([0-3]\.\d) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (?<=Windows\sNT\s)(\d\.\d) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (?<=Firefox/)(\d\.|\d\d\.|\d[0-1]\d\.) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (?<=OPR/)(\d\d\.|[1][0]\d\.) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (?<=Edg/)(\d\d\.|[1][0-1]\d\.) [NC]
RewriteRule ^.* - [F]

# Block outdated Chrome, if not Bingbot (uses Chrome/116)
RewriteCond %{HTTP_USER_AGENT} (?<=Chrome/)(\d\.|\d\d\.|[1][0-1]\d\.) [NC]
RewriteCond %{HTTP_USER_AGENT} !bingbot
RewriteRule ^.* - [F]

Since I switched to a LiteSpeed server BrowserMatchNoCase did not work anymore.

To remove feed links and other exposures from the front end <head>, you can use this:

function clean_wp_head() {
	add_filter( 'the_generator', '__return_false' );					 // Removes the generator name from the RSS feeds.
	remove_action( 'wp_head', 'wp_generator' );							 // Removes the WP version.
	remove_action( 'wp_head', 'feed_links', 2 ); 						 // Removes Post and Comment Feeds.
	remove_action( 'wp_head', 'feed_links_extra', 3 ); 					 // Removes application/rss+xml => /feed/
	remove_action( 'wp_head', 'rsd_link' ); 							 // Removes the EditURI link.
	remove_action( 'wp_head', 'wp_shortlink_wp_head' ); 				 // Removes example.com/?p=ID
	remove_action( 'wp_head', 'wp_oembed_add_discovery_links' ); 		 // Removes the oEmbed discovery links.
	remove_action( 'wp_head', 'rest_output_link_wp_head', 10 ); 		 // Removes the REST-API wp-json link. 
	remove_action( 'wp_head', 'wlwmanifest_link' ); 					 // Windows Live Writer => Deprecated in WordPress 6.3.0.
	remove_action( 'template_redirect', 'rest_output_link_header', 11 ); // Source: Disable REST-API plugin.
	remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' ); 				 // Source: Disable REST-API plugin.
}
add_action( 'init', 'clean_wp_head', 30, 1 );

Unfortunately the .htaccess rules block the entire website (403 forbidden). Just tested.

You are correct, @iljester. My apologies.
There was a mistake in the Edge condition. It ended with [NC,OR] instead of [NC].

I have edited the post and copy/paste should work now.

Sorry, but it still doesn’t work. It takes me to the Apache test page.

screenshot-2024.07.06-22_41_011920×574 43.4 KB

This does not work. The rest seems to work. Unfortunately I can’t find the error.

Aha, found it! There is a double semi-colon (|) behind LabyrinthBot.

Also, the WordPress scraper BuiltWith bot states on their website that they use BuiltWith as User Agent, but my log files show that is incorrect. They use BW/1.2 and an URL ending with oupwis. So I added that.

What I did not take into account when posting my first reply, was that my hosting provider has ModSecurity installed on the LiteSpeed server which runs several security checks, but often too rigorously…

Here is an updated and tested version:

RewriteEngine On
RewriteBase /
ServerSignature Off
Options +FollowSymLinks

# Always block Bad Bots and empty User Agents.
RewriteCond %{HTTP_USER_AGENT} ^-?$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Spawning-AI$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (msie|headlesschrome|opera|presto|symfony|trindent|hbrowser|kbrowser|lbrowser|yabrowser|yowser) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (wpthemedetector|builtwith|isitwp|wapalyzer|mShots|WhatCMS|gochyu|wpdetector|scanwp|oupwis) [NC]
RewriteRule ^.* - [F]

# Block Bots, but allow /robots.txt
RewriteCond %{HTTP_USER_AGENT} (adstxtcrawlertp|aiohttp|anonymousfox|awariobot|axios|backlinksextendedbot|bandit|baiduspider|blexbot|businessbot|bytespider) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (ccbot|censysinspect|claudebot|colly|dalvik|dataforseobot|dataprovider|dataproviderbot|domainstatsbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (ev-crawler|example|exabot|facebookexternalhit|facebot|fasthttp|fidget-spinner-bot|fontradar|fuzz|go-http-client|gptbot|guzzlehttp) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (imagesiftbot|ioncrawl|kocmohabt|kstandbot|labyrinthbot|lua-resty|lua-resty-http|mail\.ru|mj12bot|mojeekbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (neteestate|ngx_lua|node|node-fetch|owler|paloaltonetworks|petalbot|pingbot|pycurl|python|python-|quic-go|ruby) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (scrapy|seekportbot|semrushbot|seznam|spawning-ai|spider|telegrambot|test-bot|webtech|wp_is_mobile|wpbot|yandex|yisouspider|zoominfobot) [NC]
RewriteCond %{REQUEST_URI} !^/robots\.txt$
RewriteRule ^.* - [F]

# Block outdated Browsers, used by malicious bots.
RewriteCond %{HTTP_USER_AGENT} (?<=Mozilla/)([0-3]\.\d) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (?<=Windows\sNT\s)(\d\.\d) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (?<=Firefox/)(\d\.|\d\d\.|\d[0-1]\d\.) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (?<=OPR/)(\d\.|\d\d\.|[1][0]\d\.) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (?<=Edg/)(\d\.|\d\d\.|[1][0-1]\d\.) [NC]
RewriteRule ^.* - [F]

# Block outdated Chrome, if not Bingbot (uses Chrome/116).
RewriteCond %{HTTP_USER_AGENT} (?<=Chrome/)(\d\.|\d\d\.|[1][0-1]\d\.) [NC]
RewriteCond %{HTTP_USER_AGENT} !bingbot
RewriteRule ^.* - [F]

In addition I also shortened my robots.txt drastically, by specifying only the allowed bots and blocking everything else. Edit to your own needs.

User-agent: *
Disallow: /feed/
Disallow: /trackback/
Disallow: /comments/
Disallow: /xmlrpc.php
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/cache/
Disallow: /wp-content/languages/
Disallow: /wp-content/mu-plugins/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Allow: /wp-content/uploads/

User-agent: Applebot
User-agent: bingbot
User-agent: BingPreview
User-agent: DotBot
User-agent: DuckDuckBot
User-agent: Googlebot
User-agent: GoogleOther
User-agent: LinkedInBot
User-agent: MSNBot
User-agent: NetcraftSurveyAgent
User-agent: rogerbot
User-agent: Yahoo
Allow:/

User-agent: AdsBot-Google
User-agent: Googlebot-News
User-agent: Mediapartners-Google
User-agent: *
Disallow: /

You can test your robots.txt with this easy tool:

Ok. As soon as I can I will test!

Yes, it works. Now let’s see if it will produce results. However, I would like to point out that I have a fairly powerful firewall that rejects any attempt at illegal access. Thank you for sharing it. I have several, but this one looks very good.
As for the robot.txt. I have blocked a number of legal bots, but it is also interesting to do the opposite. Establish who can enter and who cannot.

As long as they call the robots.txt, of course.

Glad to help out…
And it goes without saying that this snippet is just part of my .htaccess and other security measures.

Am I a big fan of Jeff Starr’s plugins and snippets.

I took a look at the plugins. Interesting. But I wouldn’t know to what extent they are compatible with my firewall and my other htaccess rules. I’m trying to use snippets suggested by Jeff Star now. Now I see what happens. For the moment, I’m noticing that my firewall no longer logs me any attempted XSS attack. This is probably due to the fact that attempts are blocked at the htaccess level, and are no longer intercepted by the firewall.

@iljester Do you mind if I ask which firewall you use?
I use WordFence, but obviously some settings related to core files are not active when using CP.

I wrote to you privately (I only give you some information in private). I’m just telling you that my site is constantly under attack. While this is almost normal for a WP-based website, it’s my fault for attracting rubbish because of the links to my site in the credits in the themes I published on WP.
Now I’m trying to fix it with theme updates.
Tip: if you publish a theme, don’t link directly to your websites!

Thanks for the info.
Any of my sites that have been public for awhile are subjected to attacks on a daily basis as well, I am not sure there is even a realistic way to stop them.