Integrations → WordPress
ZeroBot Security — WordPress plugin
Full-stack antibot, firewall, captcha, and threat intelligence in your wp-admin. Six protection layers, one dashboard, zero code.
Install
- In your wp-admin: open Plugins → Add New, search for "ZeroBot Security", and click Install Now → Activate. All downloads happen through WordPress.org — no third-party zips.
- Go to ZeroBot → License and paste your license key (grab it from the ZeroBot dashboard).
- Your current domain is auto-registered when you activate the license. No manual authorization step needed.
- Open ZeroBot → Protection Settings, flip the master switch, and turn on the layers you want.
Six protection layers
Every layer is disabled by default. Turn them on from ZeroBot → Protection Settings, plus the master switch at the top.
| Layer | What it does |
|---|---|
| Firewall | Site-wide screening of every public request. Blocks bots on page load before PHP does any work. |
| Page Protection | Per-URL antibot with captcha fallback for borderline traffic (Cloudflare Turnstile or ZeroBot native slider). |
| Login Guard | Rate-limits failed logins per IP, auto-blacklists offenders, screens login IPs against the ZeroBot blacklist. |
| Comment Guard | Rejects spam comments before they're saved to the DB. |
| REST API Guard | Screens public REST calls. Auto-exempts WooCommerce Store API and ZeroBot's own routes. |
| XML-RPC Guard | Disables XML-RPC (or screens it per-request). A top brute-force attack vector. |
Settings reference
| Setting | Default | Notes |
|---|---|---|
| Master switch | Off | Turns every protection layer on/off globally. Leave it off while you configure, flip on to go live. |
| Allowed countries | all | ISO 2-letter codes, comma-separated. Non-matching visitors are blocked with reason Country Denied. Enforced server-side. |
| Firewall exempt paths | (empty) | One path per line. Any URL matching any line skips the firewall (useful for webhooks, health checks). |
| Fail mode | Fail-open | When the API is unreachable: open lets traffic through, closed returns 503. Switch to closed only if you'd rather block than risk a bot getting through. |
| Login max attempts / block minutes | 5 / 15 | Threshold and cooldown for the Login Guard. |
| Browser fingerprint | Off | Injects the fingerprint collector on every front-end page. Detects headless browsers & automation. Off by default because it's the only layer that loads external JS. |
Dashboard & logs
- Dashboard — license status, 24h / 7d stats, recent-threat table scoped to this site only.
- Threat Logs — filterable viewer of every
/v3/openapidecision for this site. CSV export, one-click whitelist/blacklist action per row. - Whitelist / Blacklist — IPs, CIDR ranges, ASNs. Scoped to
service=all— covers antibot, hosting, shortener, redirection at once.
Troubleshooting
- "The plugin doesn't seem to block anyone."
- Check the master switch AND the specific protection toggle are both on. Open an incognito window — if you're logged in as admin, the Firewall skips you by design. Bots coming from datacenters or known-bad IPs will be blocked; residential visitors are correctly allowed through.
- "My IP shows up once then never again."
- The 24-hour per-IP decision cache. Click Clear Cache in Protection Settings to force a re-check on your next visit.
- "Domain not authorized" banner at the top of wp-admin.
- Your domain was removed from the ZeroBot Authorized Domains list (or the license was deactivated). Click Authorize this domain in the banner — it re-registers this site instantly.
- "I want to see every visit logged for debugging."
- The plugin de-duplicates per IP for 24h by design. For full verbose logging, contact support to enable per-request logging temporarily on your account.
Want the raw API instead?
If you're running a custom theme or want the API in non-WordPress code, see the PHP drop-in, Node.js, Python, or cURL/REST guides. The WordPress plugin is just a wrapper around /v3/openapi, /v3/antibot, and /v3/account/*.