{"id":324306,"date":"2026-06-27T13:01:45","date_gmt":"2026-06-27T13:01:45","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/xzeroprotect\/"},"modified":"2026-06-27T13:01:31","modified_gmt":"2026-06-27T13:01:31","slug":"xzeroprotect","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/xzeroprotect\/","author":23513593,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.1.3","stable_tag":"1.1.3","tested":"7.0","requires":"6.0","requires_php":"8.0","requires_plugins":null,"header_name":"xZeroProtect","header_author":"Webrium","header_description":"Lightweight firewall for WordPress \u2014 blocks bots, scanners, and common attacks with zero external dependencies. Tracks real visitor analytics filtered from bot traffic.","assets_banners_color":"07224c","last_updated":"2026-06-27 13:01:31","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/webrium\/xzeroprotect-wp","header_author_uri":"https:\/\/github.com\/webrium","rating":0,"author_block_rating":0,"active_installs":0,"downloads":30,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.1.3":{"tag":"1.1.3","author":"benkhalifedev","date":"2026-06-27 13:01:31"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3588106,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3588106,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3588106,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.1.3"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[232,166108,1174,600,18199],"plugin_category":[36,54],"plugin_contributors":[269111],"plugin_business_model":[],"class_list":["post-324306","plugin","type-plugin","status-publish","hentry","plugin_tags-analytics","plugin_tags-bot-protection","plugin_tags-firewall","plugin_tags-security","plugin_tags-waf","plugin_category-analytics","plugin_category-security-and-spam-protection","plugin_contributors-benkhalifedev","plugin_committers-benkhalifedev"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/xzeroprotect\/assets\/icon-128x128.png?rev=3588106","icon_2x":"https:\/\/ps.w.org\/xzeroprotect\/assets\/icon-256x256.png?rev=3588106","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>xZeroProtect brings the power of the <a href=\"https:\/\/github.com\/webrium\/xzeroprotect\">xZeroProtect PHP library<\/a> to WordPress with a clean admin dashboard. The plugin source is available at <a href=\"https:\/\/github.com\/webrium\/xzeroprotect-wp\">github.com\/webrium\/xzeroprotect-wp<\/a>.<\/p>\n\n<p><strong>What it does:<\/strong><\/p>\n\n<ul>\n<li>Blocks bots, scanners, and common web attacks (SQLi, XSS, path traversal, command injection)<\/li>\n<li>Rate-limits IPs and automatically bans repeat offenders<\/li>\n<li>Verifies legitimate crawlers (Googlebot, Bingbot) via double-DNS \u2014 they're never blocked<\/li>\n<li>Tracks <strong>real<\/strong> visitor analytics \u2014 bot traffic is already filtered out before anything is recorded<\/li>\n<li>Shows unique visitors, top pages, device breakdown, and block reasons in a dashboard<\/li>\n<li>Zero external dependencies \u2014 no Redis, no external API, everything on disk and in your database<\/li>\n<\/ul>\n\n<p><strong>Dashboard includes:<\/strong><\/p>\n\n<ul>\n<li>Traffic overview chart (visits, unique visitors, blocked)<\/li>\n<li>Top pages by hits and unique visitors<\/li>\n<li>Device breakdown (desktop \/ mobile \/ tablet)<\/li>\n<li>Block reason breakdown<\/li>\n<li>Real visitor log with browser, OS, and device info<\/li>\n<li>Blocked request log with attack type and reason<\/li>\n<\/ul>\n\n<h3>Privacy Policy<\/h3>\n\n<p>xZeroProtect stores visitor data (IP address, browser, OS, device type) and blocked\nrequest data locally in your WordPress database. No data is transmitted to external\nservers. All stored data is automatically deleted after the configured retention period\n(default: 30 days). All data is permanently removed when the plugin is uninstalled.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin via <strong>Plugins \u2192 Add New Plugin \u2192 Upload Plugin<\/strong> and select the plugin zip file, or extract the <code>xzeroprotect<\/code> folder into <code>\/wp-content\/plugins\/<\/code><\/li>\n<li>Activate the plugin in <strong>Plugins \u2192 Installed Plugins<\/strong><\/li>\n<li>Go to <strong>xZeroProtect \u2192 Settings<\/strong> to configure<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"will%20this%20block%20me%20from%20my%20own%20admin%3F\"><h3>Will this block me from my own admin?<\/h3><\/dt>\n<dd><p>No. The plugin automatically whitelists <code>\/wp-admin<\/code>, <code>\/wp-login.php<\/code>, and other WordPress core paths. Logged-in administrators are also exempt.<\/p><\/dd>\n<dt id=\"does%20it%20work%20on%20shared%20hosting%3F\"><h3>Does it work on shared hosting?<\/h3><\/dt>\n<dd><p>Yes \u2014 that's one of its main advantages. No Redis, no system-level access, no external services required.<\/p><\/dd>\n<dt id=\"what%20happens%20to%20my%20data%20if%20i%20deactivate%20the%20plugin%3F\"><h3>What happens to my data if I deactivate the plugin?<\/h3><\/dt>\n<dd><p>Data is kept on deactivation. It is only removed when you <strong>delete<\/strong> the plugin (uninstall).<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.1.3<\/h4>\n\n<ul>\n<li>Renamed plugin slug from xzeroprotect-wp to xzeroprotect (resolves trademarked-term warning for the \"wp\" suffix)<\/li>\n<li>Fixed Text Domain to match the new slug (\"xzeroprotect\") across all strings<\/li>\n<li>Renamed main plugin file to xzeroprotect.php<\/li>\n<li>Removed the unused \"Domain Path\" header (no languages folder bundled)<\/li>\n<li>Moved firewall storage directory from uploads\/xzeroprotect-wp to uploads\/xzeroprotect<\/li>\n<li>Sanitized $_POST['days'] in AJAX handlers before casting<\/li>\n<li>Added phpcs ignore annotations for safe, already-prepared direct DB queries<\/li>\n<li>Renamed internal constants from XZPWP_* to XZP_*<\/li>\n<\/ul>\n\n<h4>1.1.2<\/h4>\n\n<ul>\n<li>Updated bundled Chart.js to v4.5.1<\/li>\n<li>Moved firewall storage to the WordPress uploads directory (wp_upload_dir())<\/li>\n<li>Replaced inline dashboard  with wp_add_inline_script<\/li>\n<li>Removed unnecessary load_plugin_textdomain() call (handled by WordPress.org since 4.6)<\/li>\n<li>Removed directory asset files from the plugin package<\/li>\n<\/ul>\n\n<h4>1.1.1<\/h4>\n\n<ul>\n<li>Added real visitor tracking with device and browser detection<\/li>\n<li>Added unique visitor fingerprinting (daily-resetting SHA-256)<\/li>\n<li>Added analytics dashboard: traffic chart, top pages, device breakdown, block reasons<\/li>\n<li>Added real visitor log and blocked request log<\/li>\n<li>Removed curl, wget, python-requests, go-http-client from default blocked agents<\/li>\n<li>Removed .php extension from default blocked paths to avoid false positives<\/li>\n<li>Raised auto-ban violations threshold from 5 to 10<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<\/ul>","raw_excerpt":"Lightweight firewall for WordPress \u2014 blocks bots and scanners, tracks real visitor analytics with zero external dependencies.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/324306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=324306"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/benkhalifedev"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=324306"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=324306"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=324306"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=324306"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=324306"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=324306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}