plugin-icon

ZeroBot Security

Oleh ZeroBot·
Full-stack antibot, firewall, captcha, and threat intelligence for WordPress — powered by the ZeroBot platform.
antibot
captcha
firewall
Penilaian
Tambahkan ulasan
Versi
1.0.17
Terakhir diperbarui
May 18, 2026
ZeroBot Security

ZeroBot Security brings the full ZeroBot antibot platform to WordPress, adding six layered defenses managed from a single dashboard. Every event is screened against a 1.5M+ IP intelligence database, fingerprint-based scoring, and real-time threat sharing across the ZeroBot network.

Six Protection Layers

  • Page Protection — Per-page antibot screening. Renders Cloudflare Turnstile or the ZeroBot native slider captcha for borderline visitors before letting them through.
  • Firewall — Site-wide screening of every public request against the ZeroBot threat database.
  • Login Brute-Force Guard — Tracks failed logins per IP, auto-blocks after N attempts, optionally pushes IPs to your ZeroBot blacklist.
  • Comment Guard — Blocks bot comments before they’re saved.
  • REST API Guard — Screens public REST calls (with configurable exempt routes).
  • XML-RPC Guard — Disables XML-RPC entirely (a major attack vector).

Full Platform Management

  • Domain Rules — Create, edit, and delete antibot rules from inside wp-admin.
  • Whitelist — IPs, CIDR ranges, and ASNs scoped per service. Bulk import supported.
  • Blacklist — Same scoping and bulk import as the whitelist.
  • Threat Logs — Filterable, paginated viewer of every traffic event with CSV export.
  • Dashboard — Live stats, 7-day traffic chart, recent threats, account info.

Other Features

  • Cloudflare / proxy IP detection (CF-Connecting-IP, X-Real-IP, X-Forwarded-For)
  • Decision cache via WordPress object cache (Redis/Memcached) with transient fallback
  • Fail-open by default — never breaks your site if the API is unreachable
  • Daily license verification via wp-cron
  • WP-admin dashboard widget showing bots/humans (24h)
  • Pure PHP + vanilla JS — no jQuery, no React, no external CDN

External Services

This plugin connects to the following third-party service to provide its core bot-detection and threat-intelligence features. Nothing is contacted until the administrator enters a license key and activates a protection layer.

1. ZeroBot API (https://zerobot.info)

  • What it does: Classifies visitors as human or bot, synchronizes domain rules / whitelists / blacklists, and returns threat log data for the dashboard.
  • When it’s called: On every public request that one of the enabled protection layers handles (Firewall, Page Protection, Login Guard, Comment Guard, REST API Guard). Also called from the admin dashboard for stats, rules, lists, and traffic logs. Also called once per day by wp-cron for license verification.
  • Data transmitted: Visitor IP address, user agent, current URL host, site domain, and the plugin’s license key. No post content, no customer personal data, no form submissions.
  • What it returns: A JSON decision object (is_bot, reason, risk_score, optional captcha_html), plan metadata, and aggregate stats for the dashboard.
  • Terms & Privacy: https://zerobot.info/terms — https://zerobot.info/policy

2. ZeroBot Fingerprint Collector (https://zerobot.info/fingerprint/index.js)

  • What it does: Collects client-side browser signals (canvas, WebGL, fonts, behavior) to detect headless browsers, VMs, and automation frameworks.
  • When it’s loaded: Injected on public pages and the login screen ONLY when the administrator enables “Browser Fingerprint” in Protection Settings. It is disabled by default; the plugin does not load any external JavaScript out of the box.
  • Data transmitted: Browser fingerprint signals and the visitor’s IP address. No WordPress user data, no cookies, no form data.
  • What it returns: A risk score used to decide whether a visitor should face a soft challenge.
  • Terms & Privacy: https://zerobot.info/terms — https://zerobot.info/policy

3. FlagCDN (https://flagcdn.com)

  • What it does: Serves tiny country-flag PNG images for the admin-only traffic log.
  • When it’s loaded: Only inside wp-admin, only when the administrator opens the Dashboard or Threat Logs page. It is never loaded on the public site. Only 2-letter ISO country codes are transmitted as part of the image URL.
  • Data transmitted: The 2-letter country code and standard image-request metadata. No visitor data, no WordPress data, no cookies.
  • Service homepage: https://flagcdn.com

If you do not wish to transmit any data to ZeroBot, simply do not activate a license — the plugin stays dormant.

Privacy

This plugin does not store visitor personal data in your WordPress database beyond IP addresses in the local threat-log table (wp_zb_threats, dropped on uninstall). It does not set any cookies on visitors. Data sent to the ZeroBot service is described in the External Services section above.

Gratisdi paket berbayar
Mulai
Dengan menginstal, Anda menyetujui Ketentuan Layanan WordPress.com dan Persyaratan plugin Pihak Ketiga.
Diuji hingga
WordPress 6.9.4
Plugin ini tersedia untuk diunduh untuk diinstal di situs .
Unduh