{"id":305505,"date":"2026-05-17T21:18:45","date_gmt":"2026-05-17T21:18:45","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/zerobot-security\/"},"modified":"2026-05-17T21:16:53","modified_gmt":"2026-05-17T21:16:53","slug":"zerobot-security","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/zerobot-security\/","author":23485054,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.15","stable_tag":"1.0.15","tested":"6.9.4","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"ZeroBot Security","header_author":"ZeroBot","header_description":"Full-stack antibot, firewall, captcha, and threat intelligence for WordPress \u2014 powered by the ZeroBot platform.","assets_banners_color":"0d1325","last_updated":"2026-05-17 21:16:53","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"https:\/\/zerobot.info","rating":0,"author_block_rating":0,"active_installs":0,"downloads":33,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.15":{"tag":"1.0.15","author":"zerobot","date":"2026-05-17 21:16:53"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3534888,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3534888,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3534940,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3534940,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.15"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[262246],"plugin_tags":[7665,362,1174,600,263288],"plugin_category":[44,54],"plugin_contributors":[263289],"plugin_business_model":[],"class_list":["post-305505","plugin","type-plugin","status-publish","hentry","plugin_section-dashboard-widgets","plugin_tags-antibot","plugin_tags-captcha","plugin_tags-firewall","plugin_tags-security","plugin_tags-threat-intelligence","plugin_category-discussion-and-community","plugin_category-security-and-spam-protection","plugin_contributors-zerobot","plugin_committers-zerobot"],"banners":{"banner":"https:\/\/ps.w.org\/zerobot-security\/assets\/banner-772x250.png?rev=3534940","banner_2x":"https:\/\/ps.w.org\/zerobot-security\/assets\/banner-1544x500.png?rev=3534940","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/zerobot-security\/assets\/icon-128x128.png?rev=3534888","icon_2x":"https:\/\/ps.w.org\/zerobot-security\/assets\/icon-256x256.png?rev=3534888","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>ZeroBot Security brings the full ZeroBot antibot platform to WordPress, adding six layered defenses\nmanaged from a single dashboard. Every event is screened against a 1.5M+ IP intelligence database,\nfingerprint-based scoring, and real-time threat sharing across the ZeroBot network.<\/p>\n\n<h4>Six Protection Layers<\/h4>\n\n<ul>\n<li><strong>Page Protection<\/strong> \u2014 Per-page antibot screening. Renders Cloudflare Turnstile or the ZeroBot\nnative slider captcha for borderline visitors before letting them through.<\/li>\n<li><strong>Firewall<\/strong> \u2014 Site-wide screening of every public request against the ZeroBot threat database.<\/li>\n<li><strong>Login Brute-Force Guard<\/strong> \u2014 Tracks failed logins per IP, auto-blocks after N attempts,\noptionally pushes IPs to your ZeroBot blacklist.<\/li>\n<li><strong>Comment Guard<\/strong> \u2014 Blocks bot comments before they're saved.<\/li>\n<li><strong>REST API Guard<\/strong> \u2014 Screens public REST calls (with configurable exempt routes).<\/li>\n<li><strong>XML-RPC Guard<\/strong> \u2014 Disables XML-RPC entirely (a major attack vector).<\/li>\n<\/ul>\n\n<h4>Full Platform Management<\/h4>\n\n<ul>\n<li><strong>Domain Rules<\/strong> \u2014 Create, edit, and delete antibot rules from inside wp-admin.<\/li>\n<li><strong>Whitelist<\/strong> \u2014 IPs, CIDR ranges, and ASNs scoped per service. Bulk import supported.<\/li>\n<li><strong>Blacklist<\/strong> \u2014 Same scoping and bulk import as the whitelist.<\/li>\n<li><strong>Threat Logs<\/strong> \u2014 Filterable, paginated viewer of every traffic event with CSV export.<\/li>\n<li><strong>Dashboard<\/strong> \u2014 Live stats, 7-day traffic chart, recent threats, account info.<\/li>\n<\/ul>\n\n<h4>Other Features<\/h4>\n\n<ul>\n<li>Cloudflare \/ proxy IP detection (CF-Connecting-IP, X-Real-IP, X-Forwarded-For)<\/li>\n<li>Decision cache via WordPress object cache (Redis\/Memcached) with transient fallback<\/li>\n<li>Fail-open by default \u2014 never breaks your site if the API is unreachable<\/li>\n<li>Daily license verification via wp-cron<\/li>\n<li>WP-admin dashboard widget showing bots\/humans (24h)<\/li>\n<li>Pure PHP + vanilla JS \u2014 no jQuery, no React, no external CDN<\/li>\n<\/ul>\n\n<h3>External Services<\/h3>\n\n<p>This plugin connects to the following third-party service to provide its core bot-detection\nand threat-intelligence features. Nothing is contacted until the administrator enters a\nlicense key and activates a protection layer.<\/p>\n\n<p><strong>1. ZeroBot API (https:\/\/zerobot.info)<\/strong><\/p>\n\n<ul>\n<li>What it does: Classifies visitors as human or bot, synchronizes domain rules \/ whitelists \/\nblacklists, and returns threat log data for the dashboard.<\/li>\n<li>When it's called: On every public request that one of the enabled protection layers handles\n(Firewall, Page Protection, Login Guard, Comment Guard, REST API Guard). Also called from the\nadmin dashboard for stats, rules, lists, and traffic logs. Also called once per day by\nwp-cron for license verification.<\/li>\n<li>Data transmitted: Visitor IP address, user agent, current URL host, site domain, and the\nplugin's license key. No post content, no customer personal data, no form submissions.<\/li>\n<li>What it returns: A JSON decision object (<code>is_bot<\/code>, <code>reason<\/code>, <code>risk_score<\/code>, optional\n  captcha_html), plan metadata, and aggregate stats for the dashboard.<\/li>\n<li>Terms &amp; Privacy: https:\/\/zerobot.info\/terms \u2014 https:\/\/zerobot.info\/policy<\/li>\n<\/ul>\n\n<p><strong>2. ZeroBot Fingerprint Collector (https:\/\/zerobot.info\/fingerprint\/index.js)<\/strong><\/p>\n\n<ul>\n<li>What it does: Collects client-side browser signals (canvas, WebGL, fonts, behavior) to detect\nheadless browsers, VMs, and automation frameworks.<\/li>\n<li>When it's loaded: Injected on public pages and the login screen ONLY when the administrator\nenables \"Browser Fingerprint\" in Protection Settings. It is disabled by default; the plugin\ndoes not load any external JavaScript out of the box.<\/li>\n<li>Data transmitted: Browser fingerprint signals and the visitor's IP address. No WordPress\nuser data, no cookies, no form data.<\/li>\n<li>What it returns: A risk score used to decide whether a visitor should face a soft challenge.<\/li>\n<li>Terms &amp; Privacy: https:\/\/zerobot.info\/terms \u2014 https:\/\/zerobot.info\/policy<\/li>\n<\/ul>\n\n<p><strong>3. FlagCDN (https:\/\/flagcdn.com)<\/strong><\/p>\n\n<ul>\n<li>What it does: Serves tiny country-flag PNG images for the admin-only traffic log.<\/li>\n<li>When it's loaded: Only inside wp-admin, only when the administrator opens the Dashboard or\nThreat Logs page. It is never loaded on the public site. Only 2-letter ISO country codes are\ntransmitted as part of the image URL.<\/li>\n<li>Data transmitted: The 2-letter country code and standard image-request metadata. No visitor\ndata, no WordPress data, no cookies.<\/li>\n<li>Service homepage: https:\/\/flagcdn.com<\/li>\n<\/ul>\n\n<p>If you do not wish to transmit any data to ZeroBot, simply do not activate a license \u2014 the\nplugin stays dormant.<\/p>\n\n<h3>Privacy<\/h3>\n\n<p>This plugin does not store visitor personal data in your WordPress database beyond IP\naddresses in the local threat-log table (<code>wp_zb_threats<\/code>, dropped on uninstall). It does\nnot set any cookies on visitors. Data sent to the ZeroBot service is described in the\nExternal Services section above.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin zip via Plugins \u2192 Add New \u2192 Upload<\/li>\n<li>Activate the plugin<\/li>\n<li>Go to <strong>ZeroBot \u2192 License<\/strong> and enter your license key<\/li>\n<li>Configure protection layers in <strong>ZeroBot \u2192 Protection<\/strong><\/li>\n<\/ol>\n\n<p>A ZeroBot license is required. Get one at https:\/\/zerobot.info<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"will%20this%20plugin%20break%20my%20site%20if%20the%20zerobot%20api%20is%20down%3F\"><h3>Will this plugin break my site if the ZeroBot API is down?<\/h3><\/dt>\n<dd><p>No. The default Fail Mode is \"Fail Open\" \u2014 visitors are allowed through silently and the\nincident is logged to the PHP error log. You can switch to Fail Closed in Protection\nSettings if you prefer strict security.<\/p><\/dd>\n<dt id=\"how%20much%20does%20it%20call%20the%20zerobot%20api%3F\"><h3>How much does it call the ZeroBot API?<\/h3><\/dt>\n<dd><p>Every visitor decision is cached per-IP for 24 hours by default, so repeat visitors do not\ntrigger additional API calls. A page that gets 1,000 hits\/hour from returning visitors\ntypically results in only a handful of API calls.<\/p><\/dd>\n<dt id=\"does%20the%20fingerprint%20collector%20always%20run%3F\"><h3>Does the fingerprint collector always run?<\/h3><\/dt>\n<dd><p>No. The fingerprint collector is disabled by default and only injects on the public site\nwhen the administrator turns on \"Browser Fingerprint\" under Protection Settings.<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20woocommerce%3F\"><h3>Does it work with WooCommerce?<\/h3><\/dt>\n<dd><p>Yes \u2014 the REST API Guard auto-exempts <code>\/wc\/store\/<\/code> routes. Add other custom routes to the\nexempt list as needed.<\/p><\/dd>\n<dt id=\"does%20it%20support%20multisite%3F\"><h3>Does it support multisite?<\/h3><\/dt>\n<dd><p>Single-site only in v1.0. Multisite support is planned for v1.1.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.15<\/h4>\n\n<ul>\n<li>WordPress.org review compliance: removed the broken <code>flagpedia.net\/privacy<\/code>\nURL from the External Services section of readme.txt.<\/li>\n<li>The chart-data bootstrap on the admin dashboard now ships via\n  wp_add_inline_script() attached to the existing <code>zerobot-security-admin<\/code>\nhandle, instead of an inline <code>&lt;script&gt;<\/code> tag. No behavioural change \u2014 the\nsame JS payload is delivered through the official WordPress enqueue API.<\/li>\n<\/ul>\n\n<h4>1.0.14<\/h4>\n\n<ul>\n<li>WordPress.org review compliance: replaced the short \"zb_\" prefix everywhere\nit appeared in PHP and JS (AJAX action names, option keys, transient keys,\nnonce names, cron hooks, JS globals, custom DB table names, WP_Error codes,\nand the admin script handle) with the full \"zerobot_security_\" prefix so\nevery plugin-defined identifier is at least the WP.org-required 4 characters\nand is uniquely namespaced.<\/li>\n<li>No functional or UI changes \u2014 the rename is purely cosmetic (CSS class\nnames beginning with \"zb-\" are stylesheet-internal and were left\nunchanged, since they don't conflict with WordPress core or other plugins).<\/li>\n<\/ul>\n\n<h4>1.0.12<\/h4>\n\n<ul>\n<li>Second Plugin Check compliance pass: final 3 errors resolved (wrap\ncountryFlagImg() output in wp_kses(); add translators comment for\n\"Cleared %d cached decisions\"; etc.). Input-sanitization warnings\naddressed across Helpers, Firewall, ProtectionSettings, LicensePage.<\/li>\n<li>Fingerprint script now passes the plugin version to wp_enqueue_script()\nfor reliable cache-busting.<\/li>\n<li>Uninstall variables renamed to zerobot_security_* prefix.<\/li>\n<\/ul>\n\n<h4>1.0.11<\/h4>\n\n<ul>\n<li>Full Plugin Check compliance pass: wrap every Helpers::icon() SVG output\nthrough wp_kses() with a tight SVG tag allowlist; add wp_unslash() +\nsanitize calls on every $<em>SERVER \/ $_POST \/ $_GET read; gate error_log()\nbehind WP_DEBUG; replace date() with gmdate(); rename plugin constants to\nZEROBOT_SECURITY<\/em>* prefix; drop load_plugin_textdomain (WP 4.6+ auto-loads\ntranslations); add translators comments for all placeholders; LoginGuard\nqueries use esc_sql() for the table identifier; uninstall uses prefixed\nvariables and prepared statements.<\/li>\n<li>Fingerprint script now enqueued via <code>wp_enqueue_script()<\/code> with a\n  script_loader_tag filter for the data attributes, replacing the raw\n  echo ''. Respects standard WordPress script filters.<\/li>\n<li>DecisionCache::flush() no longer issues a raw LIKE query \u2014 iterates the\nmatching transient option names and calls <code>delete_transient()<\/code> for each,\nso the object cache and transient DB stay in sync.<\/li>\n<li>Threat Logs are now always scoped to the current WordPress site's host (the\n\"Domain\" filter is removed \u2014 it's redundant and could leak cross-domain data).<\/li>\n<li>Firewall self-heals domain-deauthorization in real time: the plugin flags the\nsite immediately on the first failed API call instead of waiting for the\ndaily verify cron, so the warning banner shows up right after the admin\nremoves the domain from authorized_domains.<\/li>\n<li>Admin warning banner is now shown on every wp-admin page, not only the\nplugin's own screens.<\/li>\n<li>Country flags in the Dashboard and Threat Logs render as reliable PNG\nimages (via flagcdn.com) instead of Unicode emoji, which some platforms\ndon't render.<\/li>\n<\/ul>\n\n<h4>1.0.9<\/h4>\n\n<ul>\n<li>Per-IP decision cache extended to 24 hours to reduce API load<\/li>\n<li>Allowed-countries enforcement moved server-side so denied requests are logged correctly<\/li>\n<li>Login verification (device 2FA) toggle added per user<\/li>\n<\/ul>\n\n<h4>1.0.8<\/h4>\n\n<ul>\n<li>Browser Fingerprint layer now also injects on wp-login.php and via wp_footer fallback<\/li>\n<li>Fingerprint collector no longer skipped for logged-in users (configurable)<\/li>\n<\/ul>\n\n<h4>1.0.7<\/h4>\n\n<ul>\n<li>\"Country Denied\" badge styled distinctly from generic bot block<\/li>\n<li>Threat Logs show the visitor path alongside IP \/ ISP \/ country<\/li>\n<\/ul>\n\n<h4>1.0.6<\/h4>\n\n<ul>\n<li>\/v3\/openapi now receives allowed_countries from the plugin so geo-blocks are enforced\nserver-side and logged with the correct reason<\/li>\n<\/ul>\n\n<h4>1.0.5<\/h4>\n\n<ul>\n<li>Decision caching logic refactored so every request logs correctly<\/li>\n<li>Fingerprint injection improvements<\/li>\n<\/ul>\n\n<h4>1.0.3 - 1.0.4<\/h4>\n\n<ul>\n<li>\"Clear Threats for this Domain\" action in Threat Logs<\/li>\n<li>\"Path\" column in Threat Logs showing the URL the visitor accessed<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>Full Dashboard, License, Rules, Whitelist, Blacklist, Protection Settings, Threat Logs<\/li>\n<li>Six protection layers: Page, Firewall, Login, Comment, REST API, XML-RPC<\/li>\n<li>Decision caching with object cache + transient fallback<\/li>\n<li>CSV export for threat logs<\/li>\n<li>WP-admin dashboard widget<\/li>\n<li>Cloudflare \/ proxy IP detection<\/li>\n<\/ul>","raw_excerpt":"Full-stack antibot, firewall, captcha, and threat intelligence for WordPress \u2014 powered by the ZeroBot platform.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/305505","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=305505"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/zerobot"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=305505"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=305505"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=305505"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=305505"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=305505"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=305505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}