Every visitor gets a trust score between 0 and 100. The score starts at 100 and decreases each time a risk rule fires. Yaplet ships with 23 built-in rules — you can't add new rule logic, but you can change how much each rule contributes to lowering the score. A rule at weight zero is effectively disabled.
Open the rules page
Go to Security → Rules. All 23 rules are listed, grouped into five categories, with their current weights shown.
The five rule categories
Account Takeover
Detects mid-session changes that suggest a stolen session or credential stuffing:
- Country changed mid-session (within 30 minutes)
- Device changed mid-session (within 30 minutes)
- IP address changed mid-session (within 30 minutes)
Behavior
Patterns in visitor activity across multiple sessions:
- Multiple countries (3+), numerous IP addresses (10+), multiple devices (3+)
- High rage clicks (5+), high console errors (10+), high network errors (10+)
- Night-time activity (midnight–5 AM UTC), very short sessions, dormant visitor returning
- Brand new visitor — a positive rule that increases trust by 20 points
Bot Detection
High-confidence signals for automated access:
- Suspicious user agent (bot/crawler signature) — default weight: Extreme (+70)
- Suspicious URL pattern (visits to /wp-admin, .env, phpinfo, etc.)
IP Analysis
Rules based on IP reputation data:
- Known bad IP range — Extreme (+70)
- TOR exit node — Extreme (+70)
- VPN or proxy network — High (+20)
- Hosting / datacenter ASN — Medium (+10)
Blacklist
One rule that fires when you manually blacklist a visitor. Always Extreme.
Weight levels
| Level | Score change | When to use |
|---|---|---|
| Disabled | 0 | Rule never fires — ignore this signal entirely |
| Positive | -20 (trust increase) | A good signal that should boost trust |
| Medium | +10 | Mild risk indicator |
| High | +20 | Significant risk |
| Extreme | +70 | A single trigger pushes the visitor into the danger zone |
Change a rule weight
- Find the rule in the list.
- Click the weight dropdown and select a new level.
- A save bar appears at the top of the page showing unsaved changes.
- Click Save changes to apply, or Reset to discard.
Important: Weight changes apply going forward. Existing visitor trust scores are not retroactively recalculated when you save.
Common tuning examples
- Global audience? Set "Night-time activity" to Disabled — midnight UTC is daytime for users in Asia-Pacific.
- VPN-heavy team? Reduce "VPN or proxy network" to Medium or Disabled so remote employees don't fill the review queue.
- B2B SaaS with office users? Increase "Hosting/datacenter ASN" weight — traffic from datacenters is unusual for end-users but normal for bots.
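Because saved weight changes are not applied retroactively, it helps to replay a few representative visitors against the old and new weights before saving. The sketch below is an added example, not Yaplet code: the rule keys and sample visitors are constructed, and it assumes each rule counts once per visitor and that the score is clamped to 0–100.

```python
# Added illustration of the scoring model described on this page; not Yaplet code.
# Rule keys are hypothetical labels; points come from the "Weight levels" table.
LEVELS = {"Disabled": 0, "Positive": -20, "Medium": 10, "High": 20, "Extreme": 70}

# Only rules whose weight the page states are listed here.
DEFAULT_WEIGHTS = {
    "suspicious_user_agent": "Extreme",
    "known_bad_ip_range": "Extreme",
    "tor_exit_node": "Extreme",
    "vpn_or_proxy": "High",
    "hosting_asn": "Medium",
    "brand_new_visitor": "Positive",
    "blacklist": "Extreme",
}

def trust_score(fired, weights):
    """Start at 100, subtract each fired rule's points, clamp to 0..100.

    Assumption: a rule contributes once per visitor, however often it fires.
    """
    risk = sum(LEVELS[weights[rule]] for rule in set(fired))
    return max(0, min(100, 100 - risk))

def what_if(visitors, before, after):
    """Return {visitor: (score_before, score_after)} for two weight tables."""
    return {name: (trust_score(fired, before), trust_score(fired, after))
            for name, fired in visitors.items()}

# Constructed sample visitors: the set of rules that fired for each one.
VISITORS = {
    "remote_employee": ["vpn_or_proxy"],
    "new_vpn_signup": ["vpn_or_proxy", "brand_new_visitor"],
    "scraper": ["suspicious_user_agent", "hosting_asn", "vpn_or_proxy"],
    "tor_user": ["tor_exit_node"],
}

# Tuning from the "VPN-heavy team?" example: VPN or proxy network set to Disabled.
TUNED = {**DEFAULT_WEIGHTS, "vpn_or_proxy": "Disabled"}

if __name__ == "__main__":
    for name, (old, new) in what_if(VISITORS, DEFAULT_WEIGHTS, TUNED).items():
        print(f"{name:16} {old:3} -> {new:3}")
```

Disabling the VPN rule restores the remote employee to 100 but also lifts the constructed scraper from 0 to 20, which shows how loosening one signal shifts every visitor who triggers it.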