Title: ZeroBot Security
Author: ZeroBot
Published: 17. 5. 2026
Last modified: 18. 5. 2026

---


![](https://ps.w.org/zerobot-security/assets/banner-772x250.png?rev=3534940)

![](https://ps.w.org/zerobot-security/assets/icon-256x256.png?rev=3534888)

# ZeroBot Security

Author: [ZeroBot](https://profiles.wordpress.org/zerobot/)

[Download](https://downloads.wordpress.org/plugin/zerobot-security.1.0.17.zip)


## Description

ZeroBot Security brings the full ZeroBot antibot platform to WordPress, adding six
layered defenses managed from a single dashboard. Every event is screened against
a 1.5M+ IP intelligence database, fingerprint-based scoring, and real-time threat
sharing across the ZeroBot network.

#### Six Protection Layers

 * **Page Protection** — Per-page antibot screening. Renders Cloudflare Turnstile
   or the ZeroBot native slider captcha for borderline visitors before letting
   them through.
 * **Firewall** — Site-wide screening of every public request against the ZeroBot
   threat database.
 * **Login Brute-Force Guard** — Tracks failed logins per IP, auto-blocks after
   N attempts, optionally pushes IPs to your ZeroBot blacklist.
 * **Comment Guard** — Blocks bot comments before they’re saved.
 * **REST API Guard** — Screens public REST calls (with configurable exempt routes).
 * **XML-RPC Guard** — Disables XML-RPC entirely (a major attack vector).

#### Full Platform Management

 * **Domain Rules** — Create, edit, and delete antibot rules from inside wp-admin.
 * **Whitelist** — IPs, CIDR ranges, and ASNs scoped per service. Bulk import supported.
 * **Blacklist** — Same scoping and bulk import as the whitelist.
 * **Threat Logs** — Filterable, paginated viewer of every traffic event with CSV
   export.
 * **Dashboard** — Live stats, 7-day traffic chart, recent threats, account info.

#### Other Features

 * Cloudflare / proxy IP detection (CF-Connecting-IP, X-Real-IP, X-Forwarded-For)
 * Decision cache via WordPress object cache (Redis/Memcached) with transient fallback
 * Fail-open by default — never breaks your site if the API is unreachable
 * Daily license verification via wp-cron
 * WP-admin dashboard widget showing bots/humans (24h)
 * Pure PHP + vanilla JS — no jQuery, no React, no external CDN

### External Services

This plugin connects to the following third-party services to provide its core
bot-detection and threat-intelligence features. Nothing is contacted until the
administrator enters a license key and activates a protection layer.

**1. ZeroBot API (https://zerobot.info)**

 * What it does: Classifies visitors as human or bot, synchronizes domain rules /
   whitelists / blacklists, and returns threat log data for the dashboard.
 * When it’s called: On every public request that one of the enabled protection
   layers handles (Firewall, Page Protection, Login Guard, Comment Guard, REST
   API Guard). Also called from the admin dashboard for stats, rules, lists, and
   traffic logs. Also called once per day by wp-cron for license verification.
 * Data transmitted: Visitor IP address, user agent, current URL host, site domain,
   and the plugin’s license key. No post content, no customer personal data, no
   form submissions.
 * What it returns: A JSON decision object (`is_bot`, `reason`, `risk_score`, optional
   `captcha_html`), plan metadata, and aggregate stats for the dashboard.
 * Terms & Privacy: https://zerobot.info/terms — https://zerobot.info/policy

**2. ZeroBot Fingerprint Collector (https://zerobot.info/fingerprint/index.js)**

 * What it does: Collects client-side browser signals (canvas, WebGL, fonts, behavior)
   to detect headless browsers, VMs, and automation frameworks.
 * When it’s loaded: Injected on public pages and the login screen ONLY when the
   administrator enables "Browser Fingerprint" in Protection Settings. It is disabled
   by default; the plugin does not load any external JavaScript out of the box.
 * Data transmitted: Browser fingerprint signals and the visitor’s IP address. No
   WordPress user data, no cookies, no form data.
 * What it returns: A risk score used to decide whether a visitor should face a
   soft challenge.
 * Terms & Privacy: https://zerobot.info/terms — https://zerobot.info/policy

**3. FlagCDN (https://flagcdn.com)**

 * What it does: Serves tiny country-flag PNG images for the admin-only traffic
   log.
 * When it’s loaded: Only inside wp-admin, only when the administrator opens the
   Dashboard or Threat Logs page. It is never loaded on the public site. Only
   2-letter ISO country codes are transmitted as part of the image URL.
 * Data transmitted: The 2-letter country code and standard image-request metadata.
   No visitor data, no WordPress data, no cookies.
 * Service homepage: https://flagcdn.com

If you do not wish to transmit any data to ZeroBot, simply do not activate a
license — the plugin stays dormant.

### Privacy

This plugin does not store visitor personal data in your WordPress database beyond
IP addresses in the local threat-log table (`wp_zb_threats`, dropped on uninstall).
It does not set any cookies on visitors. Data sent to the ZeroBot service is described
in the External Services section above.

## Installation

 1. Upload the plugin zip via Plugins → Add New → Upload
 2. Activate the plugin
 3. Go to **ZeroBot → License** and enter your license key
 4. Configure protection layers in **ZeroBot → Protection**

A ZeroBot license is required. Get one at https://zerobot.info

## Frequently Asked Questions

### Will this plugin break my site if the ZeroBot API is down?

No. The default Fail Mode is "Fail Open" — visitors are allowed through silently
and the incident is logged to the PHP error log. You can switch to Fail Closed
in Protection Settings if you prefer strict security.

### How much does it call the ZeroBot API?

Every visitor decision is cached per-IP for 24 hours by default, so repeat visitors
do not trigger additional API calls. A page that gets 1,000 hits/hour from returning
visitors typically results in only a handful of API calls.

### Does the fingerprint collector always run?

No. The fingerprint collector is disabled by default and only injects on the public
site when the administrator turns on "Browser Fingerprint" under Protection Settings.

### Does it work with WooCommerce?

Yes — the REST API Guard auto-exempts `/wc/store/` routes. Add other custom routes
to the exempt list as needed.

### Does it support multisite?

Single-site only in v1.0. Multisite support is planned for v1.1.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

ZeroBot Security is open source software. The following people have contributed to
this plugin.

Contributors

 * [ZeroBot](https://profiles.wordpress.org/zerobot/)

[Translate “ZeroBot Security” into your language.](https://translate.wordpress.org/projects/wp-plugins/zerobot-security)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/zerobot-security/),
check out the [SVN repository](https://plugins.svn.wordpress.org/zerobot-security/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/zerobot-security/)
by [RSS](https://plugins.trac.wordpress.org/log/zerobot-security/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.17

 * New: searchable multi-country picker on the Protection Settings page. Replaces
   the plain-text "Allowed Countries" input with a chip-based UI that lists all
   249 ISO countries with flag emoji, alphabetical search, and a clear "Allow all /
   Only specific" mode toggle.
 * Fix: visitors blocked by country policy now correctly show a yellow "Denied"
   badge on the Dashboard’s Recent Activity widget. They were previously stacked
   into the red "Bot" bucket even though the block reason was "Country Denied (XX)".
 * Fix: country flags now render in both the Dashboard widget and the Threat Logs
   table. The flag helper expects a 2-letter ISO code, but the API ships the country
   as a name — so flags silently failed for every row. A new `Helpers::countryNameToCode()`
   lookup resolves names to codes, and the flag image renders before the country
   name on every log row.
 * Change: removed the Score column from the Dashboard Recent Activity widget and
   the Threat Logs table. The Reason already explains why a request was flagged,
   and the numeric score added visual noise without decision-relevant information.
 * Security: tightened the firewall verdict cache to bot-only. Clean verdicts are
   no longer cached, so an IP that turns malicious mid-cache doesn’t keep passing
   through for up to 24 hours. Bot verdicts continue to be cached for instant
   re-blocking.
 * Compliance: `$_SERVER['REQUEST_URI']` in `XmlRpcGuard::register()` is now run
   through `wp_unslash()` and `sanitize_text_field()` before the regex match, clearing
   the two PHPCS warnings about that variable.
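
The bot-only verdict cache from the Security entry above, combined with the Fail Open / Fail Closed modes from the FAQ, sketched as an added example; this is not the plugin's own code. The `example_*` names, the cache key prefix and the `$classify` callable (a stand-in for the API call) are assumptions, and the transient functions are stubbed in memory so the sketch runs outside WordPress.

```php
<?php
// Added example, not ZeroBot's code; every example_* name is hypothetical.
// In-memory stand-ins for WordPress's transient API so this runs under plain PHP CLI.
if (!function_exists('get_transient')) {
    $GLOBALS['example_store'] = [];
    function get_transient($key) {
        $hit = $GLOBALS['example_store'][$key] ?? null;
        return ($hit !== null && $hit['exp'] > time()) ? $hit['val'] : false;
    }
    function set_transient($key, $val, $ttl) {
        $GLOBALS['example_store'][$key] = ['val' => $val, 'exp' => time() + $ttl];
        return true;
    }
}

/**
 * Returns true when the request should be blocked.
 * $classify stands in for the remote API call: it returns an array with an
 * 'is_bot' key and throws when the service is unreachable.
 */
function example_should_block(string $ip, callable $classify, bool $failOpen = true): bool {
    $key = 'example_verdict_' . hash('sha256', $ip);
    if (get_transient($key) === 'bot') {
        return true; // cached bot verdict: re-block without an API call
    }
    try {
        $decision = $classify($ip);
    } catch (Throwable $e) {
        error_log('classifier unreachable: ' . $e->getMessage());
        return !$failOpen; // fail open allows, fail closed blocks; never cached
    }
    if (!empty($decision['is_bot'])) {
        set_transient($key, 'bot', 86400); // only bot verdicts are stored (24 h)
        return true;
    }
    return false; // clean verdict is not cached, so the next request is re-checked
}

// Constructed scenario: a documentation-range IP is clean at first, then flagged.
$flagged = false;
$classify = function (string $ip) use (&$flagged): array {
    return ['is_bot' => $flagged];
};
var_dump(example_should_block('203.0.113.7', $classify)); // first visit while clean
$flagged = true;
var_dump(example_should_block('203.0.113.7', $classify)); // same IP after it is flagged
$down = function (string $ip): array { throw new RuntimeException('API down'); };
var_dump(example_should_block('198.51.100.9', $down));        // API down, fail-open mode
var_dump(example_should_block('198.51.100.9', $down, false)); // API down, fail-closed mode
```

Because the failure path returns without writing to the cache, an outage in fail-closed mode does not leave 24-hour blocks behind once the API recovers.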

#### 1.0.16

 * Fix: critical error on every wp-admin page caused by a missing `License::isDomainAuthorized()`
   method that the `admin_notices` hook called. The method now exists on the License
   class, fails open when no authorization state has been recorded yet, and gets
   set true/false by `activate()` based on whether the auto domain-registration call
   to the ZeroBot platform succeeded (HTTP 200) or reported the domain as already
   registered (HTTP 409).

#### 1.0.15

 * WordPress.org review compliance: removed the broken `flagpedia.net/privacy`
   URL from the External Services section of readme.txt.
 * The chart-data bootstrap on the admin dashboard now ships via `wp_add_inline_script()`
   attached to the existing `zerobot-security-admin` handle, instead of an inline
   `<script>` tag. No behavioural change — the same JS payload is delivered through
   the official WordPress enqueue API.

#### 1.0.14

 * WordPress.org review compliance: replaced the short "zb_" prefix everywhere
   it appeared in PHP and JS (AJAX action names, option keys, transient keys, nonce
   names, cron hooks, JS globals, custom DB table names, WP_Error codes, and the
   admin script handle) with the full "zerobot_security_" prefix so every
   plugin-defined identifier is at least the WP.org-required 4 characters and is
   uniquely namespaced.
 * No functional or UI changes — the rename is purely cosmetic (CSS class names
   beginning with "zb-" are stylesheet-internal and were left unchanged, since they
   don’t conflict with WordPress core or other plugins).

#### 1.0.12

 * Second Plugin Check compliance pass: final 3 errors resolved (wrap `countryFlagImg()`
   output in `wp_kses()`; add translators comment for "Cleared %d cached decisions";
   etc.). Input-sanitization warnings addressed across Helpers, Firewall, ProtectionSettings,
   LicensePage.
 * Fingerprint script now passes the plugin version to `wp_enqueue_script()` for
   reliable cache-busting.
 * Uninstall variables renamed to zerobot_security_* prefix.

#### 1.0.11

 * Full Plugin Check compliance pass: wrap every `Helpers::icon()` SVG output through
   `wp_kses()` with a tight SVG tag allowlist; add `wp_unslash()` + sanitize calls on
   every `$_SERVER` / `$_POST` / `$_GET` read; gate `error_log()` behind `WP_DEBUG`; replace
   `date()` with `gmdate()`; rename plugin constants to `ZEROBOT_SECURITY*` prefix; drop
   `load_plugin_textdomain` (WP 4.6+ auto-loads translations); add translators comments
   for all placeholders; LoginGuard queries use `esc_sql()` for the table identifier;
   uninstall uses prefixed variables and prepared statements.
 * Fingerprint script now enqueued via `wp_enqueue_script()` with a `script_loader_tag`
   filter for the data attributes, replacing the raw echo. Respects standard WordPress
   script filters.
 * `DecisionCache::flush()` no longer issues a raw LIKE query — iterates the matching
   transient option names and calls `delete_transient()` for each, so the object
   cache and transient DB stay in sync.
 * Threat Logs are now always scoped to the current WordPress site’s host (the
   "Domain" filter is removed — it’s redundant and could leak cross-domain data).
 * Firewall self-heals domain-deauthorization in real time: the plugin flags the
   site immediately on the first failed API call instead of waiting for the daily
   verify cron, so the warning banner shows up right after the admin removes the
   domain from `authorized_domains`.
 * Admin warning banner is now shown on every wp-admin page, not only the plugin’s
   own screens.
 * Country flags in the Dashboard and Threat Logs render as reliable PNG images
   (via flagcdn.com) instead of Unicode emoji, which some platforms don’t render.

#### 1.0.9

 * Per-IP decision cache extended to 24 hours to reduce API load
 * Allowed-countries enforcement moved server-side so denied requests are logged
   correctly
 * Login verification (device 2FA) toggle added per user

#### 1.0.8

 * Browser Fingerprint layer now also injects on wp-login.php and via wp_footer 
   fallback
 * Fingerprint collector no longer skipped for logged-in users (configurable)

#### 1.0.7

 * "Country Denied" badge styled distinctly from generic bot block
 * Threat Logs show the visitor path alongside IP / ISP / country

#### 1.0.6

 * `/v3/openapi` now receives `allowed_countries` from the plugin so geo-blocks are
   enforced server-side and logged with the correct reason

#### 1.0.5

 * Decision caching logic refactored so every request logs correctly
 * Fingerprint injection improvements

#### 1.0.3 – 1.0.4

 * "Clear Threats for this Domain" action in Threat Logs
 * "Path" column in Threat Logs showing the URL the visitor accessed

#### 1.0.0

 * Initial release
 * Full Dashboard, License, Rules, Whitelist, Blacklist, Protection Settings, Threat
   Logs
 * Six protection layers: Page, Firewall, Login, Comment, REST API, XML-RPC
 * Decision caching with object cache + transient fallback
 * CSV export for threat logs
 * WP-admin dashboard widget
 * Cloudflare / proxy IP detection

## Meta

 * Version **1.0.17**
 * Last updated **1 week ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.8 or higher**
 * Tested up to WordPress **6.9.4**
 * PHP version **7.4 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/zerobot-security/)
 * Tags: [antibot](https://cs.wordpress.org/plugins/tags/antibot/), [captcha](https://cs.wordpress.org/plugins/tags/captcha/),
   [firewall](https://cs.wordpress.org/plugins/tags/firewall/), [security](https://cs.wordpress.org/plugins/tags/security/)
 * [Details](https://cs.wordpress.org/plugins/zerobot-security/advanced/)


## Support

Need help?

[Support forum](https://wordpress.org/support/plugin/zerobot-security/)