PHP integration
Any PHP site — Laravel, CodeIgniter, WordPress custom themes, plain index.php. Single include, screening in 20 lines.
Quickstart — 20-line drop-in
Create zerobot.php next to your site entry point, then require it at the top of every page you want protected (or at the top of your front controller).
<?php // zerobot.php — drop-in bot screening const ZEROBOT_LICENSE = 'YOUR_LICENSE_KEY'; const ZEROBOT_DOMAIN = 'yoursite.com'; $ip = $_SERVER['HTTP_CF_CONNECTING_IP'] ?? $_SERVER['REMOTE_ADDR'] ?? ''; $ua = $_SERVER['HTTP_USER_AGENT'] ?? ''; $url = 'https://api.zerobot.info/v3/openapi?' . http_build_query([ 'license' => ZEROBOT_LICENSE, 'ip' => $ip, 'domain' => ZEROBOT_DOMAIN, 'useragent' => $ua, ]); $ch = curl_init($url); curl_setopt_array($ch, [ CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 5, ]); $res = curl_exec($ch); curl_close($ch); $data = json_decode($res, true); if (is_array($data) && !empty($data['is_bot'])) { http_response_code(403); exit('Blocked: ' . ($data['reason'] ?? 'bot')); } // Fall through = visitor is human. Render your page normally.
Fail-open behavior: if the API times out or returns nothing, $data['is_bot'] is null and the request passes through. Your site never breaks because of a network blip.
Include Mode — hosted script, no API code
The simplest integration: no API calls to write. Download ZeroBot.php from your dashboard (Download Antibot), upload it next to the page you want to protect, then include it at the very top of that PHP file. Bots are blocked before anything renders; verified humans fall straight through into your page.
<?php // Top of your page — before ANY HTML output include 'ZeroBot.php'; ?> <!-- Your real page below. Bots never reach this line. --> <!DOCTYPE html> <html> <body> <h1>Welcome — you passed ZeroBot's checks.</h1> </body> </html>
Three requirements: (1) leave the rule's Redirect Link EMPTY — that is what switches the script into passthrough/include mode instead of redirecting; (2) put the include before any HTML output, so the bot block runs first; (3) set the rule's Antibot Link to the public URL of this file. Prefer the classic gateway behavior? Set a Redirect Link on the rule and the script will send verified humans there instead of passing through.
Laravel middleware
Create app/Http/Middleware/ZeroBot.php:
<?php namespace App\Http\Middleware; use Closure; use Illuminate\Http\Request; use Illuminate\Support\Facades\Http; class ZeroBot { public function handle(Request $request, Closure $next) { $res = Http::timeout(5)->get('https://api.zerobot.info/v3/openapi', [ 'license' => config('services.zerobot.key'), 'ip' => $request->ip(), 'domain' => $request->getHost(), 'useragent' => $request->userAgent() ?? '', ]); if ($res->ok() && $res->json('is_bot')) { abort(403, $res->json('reason', 'bot')); } return $next($request); } }
Register in app/Http/Kernel.php under $middleware for all routes, or $middlewareGroups['web'] for web only.
Response shape
Every /v3/openapi call returns the same JSON structure:
{
"username": "encrypted",
"is_bot": true,
"reason": "DATACENTER",
"risk_score": 60,
"country_code": "us",
"country_name": "United States",
"asn": "AS15169",
"isp": "Google LLC",
"hostname": "dns.google",
"tor": false,
"vpn": false,
"datacenter": true,
"left": 471, // license days remaining
"plan": "ISP"
}
Best practices
- Cache per-IP. Store the verdict in APCu / Redis for 5-60 minutes to avoid hitting the API on every pageview by the same visitor.
- Skip admin paths. Don't screen wp-admin, /admin, /api/webhooks, etc. — check
$_SERVER['REQUEST_URI']before the API call. - Honor Cloudflare IPs. If your site is behind CF, read
HTTP_CF_CONNECTING_IP—REMOTE_ADDRis the CF edge, not the visitor. - Fail open on timeout. Never let a ZeroBot outage take your site down. Wrap the API call in try/catch and default to
is_bot=false.