feat: initial InformatiQ Toolkit plugin

Merges informatiq-wp-secure + informatiq-utils + HoneypotFields into
a single unified plugin with the following improvements:

- Fixed deactivation bug: all protection methods now guard themselves
  with their own option check so toggling off via AJAX takes effect
  immediately without any hook re-registration.
- Added rate-limiting for good/legitimate bots (Googlebot, Bingbot,
  DuckDuckBot, Yandex, etc.) via transient sliding-window counters;
  configurable per-bot limits in goodbots.conf (BotName|req/min);
  returns HTTP 429 with Retry-After: 60 when over limit.
- Unified MySQL-backed logging (itk_bot_log + itk_honeypot_log tables)
  replaces the old wp_options-based 100-entry cap.
- New Dashboard tab with terminal-style bot activity monitor: total
  blocked, today's count, rate-limited hits, top threat sources
  (bar chart), top IPs, top honeypot form types, active-module
  status panel.
- All optimizations from utils.php merged into Optimization tab as
  toggleable settings (was always-on before).
- Single admin page (Settings → InformatiQ Toolkit) with 8 tabs:
  Dashboard | Bot Blocker | Protection | Optimization | Honeypot |
  Bot Logs | Honeypot Logs | Config Files.
- Config file editor for badbots.conf, goodbots.conf, referrers.conf,
  networks.conf, allowed-ips.conf with AJAX save and transient flush.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

config/allowed-ips.conf

@@ -0,0 +1,6 @@
+194.56.239.153
+109.69.48.0
+195.154.47.0
+127.0.0.1
+192.168.0.0/24
+192.168.1.1/24

config/badbots.conf

@@ -0,0 +1,406 @@
+# OpenAI bots are handled separately in the plugin code
+
+# Common malicious bots and user agents from .htaccess
+jorgee
+morfeus
+firefox/40.1
+firefox/34.0
+firefox/32.1
+firefox/19.0
+firefox/38.0
+firefox/18.0
+wget
+curl
+libwww-perl
+WinHttp
+okhttp
+python
+java
+WebReaper
+WebSauger
+Website eXtractor
+Website Quester
+Webster
+WebStripper
+WebWhacker
+WebZIP
+Whacker
+BatchFTP
+HTTrack
+Harvest
+Collector
+Copier
+Extractor
+lftp
+libWeb/clsHTTP
+Mirror
+Net Vampire
+Offline Explorer
+Offline Navigator
+PageGrabber
+Sucker
+SuperHTTP
+Teleport
+Vacuum
+Web Sucker
+WebAuto
+WebBandit
+Webclipping.com
+WebCopier
+WebEnhancer
+WebFetch
+WebLeacher
+WWWOFFLE
+WWW-Collector-E
+Go-Ahead-Got-It
+gotit
+GrabNet
+lwp-trivial
+LWP::Simple
+Magnet
+Mag-Net
+moget
+MIDown tool
+NetSpider
+NetZIP
+Reaper
+Recorder
+ReGet
+RepoMonkey
+Siphon
+SiteSnagger
+AppsViewer
+Lynx
+Acunetix
+FHscan
+Baidu
+Yandex
+Download Demon
+Download Devil
+Download Wonder
+EirGrabber
+EasyDL
+Mass Downloader
+RealDownload
+SmartDownload
+EmailCollector
+EmailSiphon
+EmailWolf
+WebEMailExtrac
+EmailSiphon
+Mail
+slurp
+MJ12
+FastProbe
+spbot
+dotbot
+semrush
+Daum
+duckduckgo
+teoma
+Aboundex
+80legs
+360Spider
+Cogentbot
+Alexibot
+asterias
+attach
+BackDoorBot
+BackWeb
+Bandit
+Bigfoot
+Black.Hole
+BlackWidow
+BlowFish
+BotALot
+Buddy
+BuiltBotTough
+Bullseye
+BunnySlippers
+Cegbfeieh
+CheeseBot
+CherryPicker
+ChinaClaw
+CopyRightCheck
+cosmos
+Crescent
+Custo
+AIBOT
+DISCo
+DIIbot
+DittoSpyder
+dragonfly
+Drip
+eCatch
+ebingbong
+EroCrawler
+EyeNetIE
+Foobot
+flunky
+FrontPage
+Grafula
+hloader
+HMView
+humanlinks
+IlseBot
+Indy Library
+InfoNaviRobot
+InfoTekies
+Intelliseek
+InterGET
+Internet Ninja
+Iria
+Jakarta
+JennyBot
+JetCar
+JOC
+JustView
+Jyxobot
+Kenjin.Spider
+Keyword.Density
+larbin
+LexiBot
+likse
+MarkWatch
+Mata.Hari
+Memo
+Microsoft.URL
+Microsoft URL Control
+MIIxpc
+Missigua Locator
+Mister PiX
+NAMEPROTECT
+Navroad
+NearSite
+NetAnts
+Netcraft
+NetMechanic
+NextGenSearchBot
+NICErsPRO
+niki-bot
+NimbleCrawler
+Ninja
+NPbot
+Octopus
+Openfind
+OutfoxBot
+Papa Foto
+pavuk
+pcBrowser
+PHP version tracker
+Pockey
+ProPowerBot/2.14
+ProWebWalker
+psbot
+Pump
+QueryN.Metasearch
+SlySearch
+Snake
+Snapbot
+Snoopy
+sogou
+SpaceBison
+SpankBot
+spanner
+Sqworm
+Stripper
+SuperBot
+Surfbot
+suzuran
+Szukacz/1.4
+tAkeOut
+Telesoft
+TurnitinBot/1.5
+The.Intraformant
+TheNomad
+TightTwatBot
+Titan
+True_Robot
+turingos
+TurnitinBot
+URLy.Warning
+VCI
+VoidEYE
+WebmasterWorldForumBot
+WebGo IS
+Widow
+WISENutbot
+Xaldon
+Zeus
+ZmEu
+Zyborg
+crawle
+igdeSpyder
+Robot
+Aport
+spider
+Parser
+ahref
+zoom
+Powermarks
+SafeDNS
+BLEXBot
+aria2
+wikido
+Qwantify
+DotBot
+FatBot
+grapeshot
+Nutch
+linkdexbot
+Twitterbot
+Google-HTTP-Java-Client
+MetaCommentBot
+Veoozbot
+ScoutJet
+DomainAppender
+Windows 2005
+Go-http-client
+Drupal
+OrangeBot
+CCBot
+WBSearchBot
+SEOkicks
+WHR
+sqlmap
+ltx71
+aiHitBot
+InfoPath
+Superfeedr
+rogerbot
+Alltop
+heritrix
+indiensolidaritet
+Experibot
+magpie
+RSSInclude
+wp-android
+XML-RPC.NET
+Synapse
+GimmeUSAbot
+istellabot
+interfax
+vebidoobot
+oBot
+Jetty
+mozilla16.2.exe
+dataaccessd
+(compatible;)
+Dalvik
+eCairn
+istellabot
+InetURL
+BazQux
+Wotbox
+null
+scrapy-redis
+weborama-fetcher
+TrapitAgent
+UNKNOWN
+SeznamBot
+Dataprovider
+msnbot-Products
+masscan
+istellabot
+BUbiNG
+.NET
+cliqzbot
+Deepnet
+Ziba
+SMTBot
+MojeekBot
+linqia
+portscout
+Dataprovider
+ia_archiver
+Dalvik
+MEGAsync
+GroupHigh
+Moreover
+YisouSpider
+YahooCacheSystem
+Clickagy
+Go-http-client
+SMUrlExpander
+XoviBot
+MSIE3.00
+MSIE2.00
+MSIE4.00
+MSIECrawler
+Windows 2005
+Windows 2008
+Windows 2004
+Windows 2003
+Windows 2002
+XoviBot
+Qwantify
+BOT for JCE
+Jorgee
+YaK
+iTunes
+Mechanize
+Mail.RU_Bot
+zgrab
+Owler
+Barkrowler
+SearchmetricsBot
+extlinks
+archive-it
+BDCbot
+SuperPagesUrlVerifyBot
+Siteimprove
+Freshbot
+WebDAV
+ips-agent
+PiplBot
+coccocbot-web
+Alexa Toolbar
+scrapinghub
+Twingly
+sysscan
+trendictionbot0
+DnyzBot
+rogerbot
+GridBot
+DnyzBot
+PiplBot
+BoardReader
+SafeDNSBot
+Insideview
+coccocbot
+PolycomVVX
+^Mozilla/5.0$
+^The Knowledge AI
+SputnikBot
+od-database-crawler
+Hype%20Machine
+The Hype Machine Engine
+Apache-HttpClient
+Goodzer
+Knowledge
+Linguee
+serpstatbot
+PHP/5
+PHP/4
+PHP/3
+Thumbtack-Thunderdome
+Googlebot-Image
+Googlebot-Video
+bingpreview
+msnbot-media
+Exabot
+Image Stripper
+Image Sucker
+Express WebPictures
+Web Image Collector
+Web.Image.Collector
+YandexImages
+Firefox mutant
+Ukraine Local
+Mozilla/3.Mozilla/2.01
+Mozilla.*NEWT
+LinkextractorPro
+LinkScan/8.1a.Unix
+LNSpiderguy
+LinkWalker
+Xenu

config/goodbots.conf

@@ -0,0 +1,23 @@
+# Good/Legitimate bots - these are rate-limited but NOT blocked
+# Format: BotName|rate_per_minute
+# Lines starting with # are comments
+
+Googlebot|60
+Bingbot|60
+DuckDuckBot|60
+Baiduspider|30
+YandexBot|30
+Sogou|20
+Applebot|30
+facebot|30
+ia_archiver|20
+Twitterbot|30
+LinkedInBot|30
+Slurp|30
+MJ12bot|20
+AhrefsBot|10
+SemrushBot|10
+DotBot|20
+PetalBot|20
+Bytespider|20
+GPTBot|0

config/networks.conf

@@ -0,0 +1,254 @@
+# IP addresses and networks to block extracted from .htaccess
+
+# Aliyun
+121.40.0.0/14
+121.40.0.0/15
+
+# Cyveillance subnets
+38.100.19.8/29
+38.100.21.0/24
+38.100.41.64/26
+38.105.71.0/25
+38.105.83.0/27
+38.112.21.140/30
+38.118.42.32/29
+65.213.208.128/27
+65.222.176.96/27
+65.222.185.72/29
+
+# Poneytelecom subnets
+62.4.0.0/19
+62.210.0.0/16
+195.154.0.0/16
+212.47.224.0/19
+212.83.128.0/19
+212.83.160.0/19
+212.129.0.0/18
+
+# Ecatel & Leaseweb subnets
+80.82.64.0/24
+80.82.65.0/24
+80.82.66.0/24
+80.82.67.0/24
+80.82.68.0/24
+80.82.69.0/24
+80.82.70.0/24
+80.82.76.0/24
+80.82.77.0/24
+80.82.78.0/24
+80.82.79.0/24
+89.248.160.0/21
+89.248.168.0/24
+89.248.169.0/24
+89.248.170.0/23
+89.248.172.0/23
+89.248.174.0/24
+93.174.88.0/21
+94.102.48.0/20
+188.72.106.0/24
+188.72.117.0/24
+185.56.80.125
+
+# Aboundex 
+173.192.34.95
+
+# Bluecoat
+8.21.4.254
+65.46.48.192/30
+65.160.238.176/28
+85.92.222.0/24
+206.51.36.0/22
+216.52.23.0/24
+
+# Cyberpatrol
+38.103.17.160/27
+
+# Internet Identity - Anti-Phishing
+66.113.96.0/20
+70.35.113.192/27
+
+# Ironport
+204.15.80.0/22
+
+# Lightspeed Systems Security
+66.17.15.128/26
+69.84.207.32/27
+69.84.207.128/25
+
+# Layered Technologies
+72.36.128.0/17
+72.232.0.0/16
+72.233.0.0/17
+216.32.0.0/14
+
+# M86
+67.192.231.224/29
+208.90.236.0/22
+
+# Phish-Inspector.com
+209.147.127.208/28
+
+# Prescient Software, Inc. Phishmongers
+198.186.190.0/23
+198.186.192.0/23
+198.186.194.0/24
+
+# urlfilterdb
+207.210.99.32/29
+
+# websense-in.car1.sandiego1.level3.net
+4.53.120.22
+
+# Websense
+66.194.6.0/24
+67.117.201.128/28
+69.67.32.0/20
+131.191.87.0/24
+204.15.64.0/21
+208.80.192.0/21
+212.62.26.64/27
+213.168.226.0/24
+213.168.241.0/30
+213.168.242.0/30
+213.236.150.16/28
+
+# IP Strada & co.
+162.211.104.0/22
+162.218.56.0/21
+198.89.232.0/21
+199.15.232.0/21
+199.15.232.0/24
+199.15.233.0/24
+199.15.234.0/24
+199.15.235.0/24
+199.15.237.0/24
+199.15.238.0/24
+199.15.239.0/24
+
+# DigitalOcean
+45.55.100.0/22
+45.55.116.0/22
+67.207.66.0/24
+104.131.192.0/19
+104.131.224.0/19
+107.170.0.0/17
+107.170.128.0/19
+107.170.160.0/19
+138.197.240.0/22
+138.197.252.0/22
+159.203.152.0/22
+162.243.0.0/17
+162.243.191.0/24
+162.243.192.0/18
+192.241.160.0/19
+192.241.240.0/20
+
+# vHoster Ukraine doing WP bruteforce
+91.200.12.0/22
+
+# Drake Holdings
+192.92.196.0/24
+204.79.180.0/24
+
+# Hetzner Denies
+193.47.99.0/24
+188.40.0.0/16
+185.12.64.0/22 
+178.63.0.0/16
+176.9.0.0/16
+213.239.192.0/18
+213.133.96.0/19
+88.198.0.0/16
+85.10.192.0/18
+78.46.0.0/15
+5.9.0.0/17
+5.9.0.0/16
+46.4.0.0/16
+88.99.0.0/16
+91.220.49.0/24
+91.233.8.0/22
+94.130.0.0/16
+95.216.0.0/16
+95.217.0.0/16
+136.243.0.0/16
+138.201.0.0/16
+144.76.0.0/16
+148.251.0.0/16
+176.102.168.0/21
+185.50.120.0/23
+185.107.52.0/22
+185.126.28.0/22
+185.136.140.0/23
+185.141.200.0/24
+185.141.202.0/24
+185.171.224.0/22
+185.185.26.0/23
+185.189.228.0/24
+185.189.230.0/24
+185.189.231.0/24
+185.209.124.0/22
+185.216.237.0/24
+185.228.8.0/22
+193.25.170.0/23
+193.110.6.0/23
+193.223.77.0/24
+194.42.180.0/22
+194.42.184.0/22
+194.145.226.0/24
+195.60.226.0/24
+195.248.224.0/24
+197.242.84.0/22
+
+# Seznam bot
+77.75.72.0/23
+77.75.74.0/24
+77.75.75.0/24
+77.75.76.0/23
+77.75.78.0/23
+185.66.188.0/22
+
+# Quasi Networks - Spammers
+145.249.104.0/22
+185.216.140.0/23
+188.72.103.0/24
+188.72.106.0/24
+188.72.117.0/24
+196.16.0.0/14
+213.184.105.0/24
+213.184.113.0/24
+213.184.115.0/24
+213.184.117.0/24
+
+# DataShack / Wholesale Internet / VPN Consumer Network / My Server Planet / VoIP DediNet & co.
+63.141.224.0/19
+69.30.192.0/24
+69.30.204.0/24
+69.30.220.0/24
+69.30.228.0/24
+69.30.235.0/24
+69.30.237.0/24
+69.197.148.0/24
+69.197.152.0/24
+69.197.170.0/24
+69.197.171.0/24
+69.197.173.0/24
+69.197.178.0/24
+74.91.16.0/20
+104.37.30.0/24
+107.150.32.0/19
+142.54.160.0/19
+173.46.91.0/24
+173.46.93.0/24
+192.151.144.0/20
+192.187.96.0/19
+198.204.224.0/19
+199.168.96.0/21
+204.12.199.0/24
+204.12.200.0/24
+204.12.203.0/24
+204.12.205.0/24
+204.12.245.0/24
+208.67.0.0/24
+208.67.1.0/24
+208.110.85.0/24
+208.110.87.0/24

config/payloads.conf

@@ -0,0 +1,66 @@
+# Known attack payload regex patterns
+# One pattern per line, these are checked against request parameters and user input
+# Lines starting with # are comments
+
+# XSS attack patterns
+# Pattern for alert/prompt/confirm execution
+/(?:<|%3C|&lt;)(?:script|iframe|svg|img|a).*?(?:alert|prompt|confirm|eval)\s*\(.*?\)/i
+# Pattern for script injection
+/(?:<|%3C|&lt;)script.*?(?:>|%3E|&gt;)/i
+# Pattern for event handlers like onerror, onload, etc.
+/\bon(?:error|load|click|mouseover|focus|blur)\s*=\s*["']?(?:alert|prompt|confirm|eval)/i
+# Pattern for javascript: protocol
+/javascript\s*:\s*(?:alert|prompt|confirm|eval)/i
+# Pattern for data URI scheme with script
+/data\s*:\s*(?:text|application)\/(?:javascript|html).*?base64/i
+
+# SQL Injection patterns
+# Pattern for basic SQL injection attempts
+/(?:'\s*OR\s*'[\w\d]+'?\s*=\s*'[\w\d]+)|(?:"\s*OR\s*"[\w\d]+"?\s*=\s*"[\w\d]+")/i
+# Pattern for SQL comments
+/(?:--|#|\/\*)[^\w\d]*(?:union|select|insert|update|delete|drop|alter)/i
+# Pattern for UNION SELECT attempts
+/union\s+(?:all\s+)?select/i
+# Pattern for SQL batch commands
+/;\s*(?:drop|alter|create|truncate|rename|insert|update|delete)/i
+
+# Remote file inclusion patterns
+# Pattern for external URL inclusion
+/(?:https?|ftp|php|data|file):\/\/[^\s\n"')>]+/i
+# Pattern for directory traversal
+/(?:\.\.\/|\.\.\\|\.\.\%2f|\.\.\%5c)[^\s\n"')>]+/i
+# Pattern for PHP wrapper usage
+/php:\/\/(?:filter|input|memory|output|temp)/i
+
+# Command injection patterns
+# Pattern for shell command execution
+/[;&|`]\s*(?:ls|cat|cd|pwd|echo|rm|cp|mv|sudo|chmod|chown|wget|curl)/i
+# Pattern for command substitution
+/\$\([^\)]*\)|`[^`]*`/i
+# Pattern for direct system command injection
+/system\s*\(|exec\s*\(|shell_exec\s*\(|passthru\s*\(|eval\s*\(/i
+
+# Local file inclusion patterns
+# Pattern for path traversal
+/(?:\/|\\|\.\.|%2f|%5c)(?:etc|bin|usr|home|var|root|windows|system32)/i
+# Pattern for sensitive file access
+/(?:\/|\\|\.\.|%2f|%5c)(?:passwd|shadow|hosts|config|wp-config|web\.config)/i
+
+# XML/XXE injection patterns
+/<!(?:DOCTYPE|ENTITY)[\s\S]*?(?:SYSTEM|PUBLIC)[\s\S]*?["']/i
+
+# CSRF token extraction
+/(?:csrf|xsrf|token|auth)["']?\s*[:=]\s*["']?[a-zA-Z0-9_-]+/i
+
+# Serialization attacks
+/[ORCo]:[0-9]+:/i
+
+# General suspicious patterns
+# Pattern for base64 encoded payloads
+/(?:[A-Za-z0-9+\/]{20,}={0,2})/
+# Pattern for hex encoded payloads
+/(?:0x[A-Fa-f0-9]{10,})/
+# Pattern for URL encoded characters sequence
+/(?:%[0-9A-Fa-f]{2}){8,}/
+# Pattern for large number of special characters
+/[!@#$%^&*()_+\-=\[\]{}|;':",./<>?]{10,}/

config/referrers.conf

@@ -0,0 +1,35 @@
+# Known spam or malicious referrers from .htaccess
+free-social-buttions.com
+best-seo-offer.com
+buttons-for-your-website.com
+www1.free-social-buttons.com
+www2.free-social-buttons.com
+www3.free-social-buttons.com
+100dollars-seo.com.com
+anonymizeme.pro
+site.ru
+www4.free-social-buttons.com
+free-social-buttons.com
+buttons-for-website.com
+social-buttons.com
+anticrawler.org
+blackhatworth.com
+best-seo-offer.com
+buttons-for-your-website.com
+best-seo-solution.com
+adcash.com
+darodar.com
+priceg.com
+hulfingtonpost.com
+gobongo.info
+slftsdybbg.ru
+ilovevitaly.com
+ilovevitaly.co
+ilovevitaly.ru
+webmonetizer.net
+make-money-online.com
+cenoval.ru
+o-o-6-o-o.com
+7makemoneyonline.com
+semalt.com
+keywords-monitoring-success.com