ZeroBot Security
| 开发者 | zerobot |
|---|---|
| 更新时间 | 2026年5月18日 22:58 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 6.9 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
ZeroBot Security brings the full ZeroBot antibot platform to WordPress, adding six layered defenses
managed from a single dashboard. Every event is screened against a 1.5M+ IP intelligence database,
fingerprint-based scoring, and real-time threat sharing across the ZeroBot network.
Six Protection Layers
- Page Protection — Per-page antibot screening. Renders Cloudflare Turnstile or the ZeroBot native slider captcha for borderline visitors before letting them through.
- Firewall — Site-wide screening of every public request against the ZeroBot threat database.
- Login Brute-Force Guard — Tracks failed logins per IP, auto-blocks after N attempts, optionally pushes IPs to your ZeroBot blacklist.
- Comment Guard — Blocks bot comments before they're saved.
- REST API Guard — Screens public REST calls (with configurable exempt routes).
- XML-RPC Guard — Disables XML-RPC entirely (a major attack vector).
- Domain Rules — Create, edit, and delete antibot rules from inside wp-admin.
- Whitelist — IPs, CIDR ranges, and ASNs scoped per service. Bulk import supported.
- Blacklist — Same scoping and bulk import as the whitelist.
- Threat Logs — Filterable, paginated viewer of every traffic event with CSV export.
- Dashboard — Live stats, 7-day traffic chart, recent threats, account info.
- Cloudflare / proxy IP detection (CF-Connecting-IP, X-Real-IP, X-Forwarded-For)
- Decision cache via WordPress object cache (Redis/Memcached) with transient fallback
- Fail-open by default — never breaks your site if the API is unreachable
- Daily license verification via wp-cron
- WP-admin dashboard widget showing bots/humans (24h)
- Pure PHP + vanilla JS — no jQuery, no React, no external CDN
安装:
- Upload the plugin zip via Plugins → Add New → Upload
- Activate the plugin
- Go to ZeroBot → License and enter your license key
- Configure protection layers in ZeroBot → Protection
常见问题:
Will this plugin break my site if the ZeroBot API is down?
No. The default Fail Mode is "Fail Open" — visitors are allowed through silently and the incident is logged to the PHP error log. You can switch to Fail Closed in Protection Settings if you prefer strict security.
How much does it call the ZeroBot API?
Every visitor decision is cached per-IP for 24 hours by default, so repeat visitors do not trigger additional API calls. A page that gets 1,000 hits/hour from returning visitors typically results in only a handful of API calls.
Does the fingerprint collector always run?
No. The fingerprint collector is disabled by default and only injects on the public site when the administrator turns on "Browser Fingerprint" under Protection Settings.
Does it work with WooCommerce?
Yes — the REST API Guard auto-exempts /wc/store/ routes. Add other custom routes to the
exempt list as needed.
Does it support multisite?
Single-site only in v1.0. Multisite support is planned for v1.1.
更新日志:
1.0.17
- New: searchable multi-country picker on the Protection Settings page. Replaces the plain-text "Allowed Countries" input with a chip-based UI that lists all 249 ISO countries with flag emoji, alphabetical search, and a clear "Allow all / Only specific" mode toggle.
- Fix: visitors blocked by country policy now correctly show a yellow "Denied" badge on the Dashboard's Recent Activity widget. They were previously stacked into the red "Bot" bucket even though the block reason was "Country Denied (XX)".
- Fix: country flags now render in both the Dashboard widget and the
Threat Logs table. The flag helper expects a 2-letter ISO code, but the
API ships the country as a name -- so flags silently failed for every
row. A new
Helpers::countryNameToCode()lookup resolves names to codes, and the flag image renders before the country name on every log row. - Change: removed the Score column from the Dashboard Recent Activity widget and the Threat Logs table. The Reason already explains why a request was flagged, and the numeric score added visual noise without decision-relevant information.
- Security: tightened the firewall verdict cache to bot-only. Clean verdicts are no longer cached, so an IP that turns malicious mid-cache doesn't keep passing through for up to 24 hours. Bot verdicts continue to be cached for instant re-blocking.
- Compliance:
$_SERVER['REQUEST_URI']inXmlRpcGuard::register()is now run throughwp_unslash()andsanitize_text_field()before the regex match, clearing the two PHPCS warnings about that variable.
- Fix: critical error on every wp-admin page caused by a missing
License::isDomainAuthorized()method that theadmin_noticeshook called. The method now exists on the License class, fails open when no authorization state has been recorded yet, and gets set true/false byactivate()based on whether the auto domain-registration call to the ZeroBot platform succeeded (HTTP 200) or reported the domain as already registered (HTTP 409).
- WordPress.org review compliance: removed the broken
flagpedia.net/privacyURL from the External Services section of readme.txt. - The chart-data bootstrap on the admin dashboard now ships via
wp_add_inline_script()attached to the existingzerobot-security-adminhandle, instead of an inline<script>tag. No behavioural change — the same JS payload is delivered through the official WordPress enqueue API.
- WordPress.org review compliance: replaced the short "zb_" prefix everywhere it appeared in PHP and JS (AJAX action names, option keys, transient keys, nonce names, cron hooks, JS globals, custom DB table names, WP_Error codes, and the admin script handle) with the full "zerobot_security_" prefix so every plugin-defined identifier is at least the WP.org-required 4 characters and is uniquely namespaced.
- No functional or UI changes — the rename is purely cosmetic (CSS class names beginning with "zb-" are stylesheet-internal and were left unchanged, since they don't conflict with WordPress core or other plugins).
- Second Plugin Check compliance pass: final 3 errors resolved (wrap countryFlagImg() output in wp_kses(); add translators comment for "Cleared %d cached decisions"; etc.). Input-sanitization warnings addressed across Helpers, Firewall, ProtectionSettings, LicensePage.
- Fingerprint script now passes the plugin version to wp_enqueue_script() for reliable cache-busting.
- Uninstall variables renamed to zerobot_security_* prefix.
- Full Plugin Check compliance pass: wrap every Helpers::icon() SVG output through wp_kses() with a tight SVG tag allowlist; add wp_unslash() + sanitize calls on every $_SERVER / $_POST / $GET read; gate error_log() behind WP_DEBUG; replace date() with gmdate(); rename plugin constants to ZEROBOT_SECURITY* prefix; drop load_plugin_textdomain (WP 4.6+ auto-loads translations); add translators comments for all placeholders; LoginGuard queries use esc_sql() for the table identifier; uninstall uses prefixed variables and prepared statements.
- Fingerprint script now enqueued via
wp_enqueue_script()with ascript_loader_tagfilter for the data attributes, replacing the rawecho '<script>'. Respects standard WordPress script filters. - DecisionCache::flush() no longer issues a raw LIKE query — iterates the
matching transient option names and calls
delete_transient()for each, so the object cache and transient DB stay in sync. - Threat Logs are now always scoped to the current WordPress site's host (the "Domain" filter is removed — it's redundant and could leak cross-domain data).
- Firewall self-heals domain-deauthorization in real time: the plugin flags the site immediately on the first failed API call instead of waiting for the daily verify cron, so the warning banner shows up right after the admin removes the domain from authorized_domains.
- Admin warning banner is now shown on every wp-admin page, not only the plugin's own screens.
- Country flags in the Dashboard and Threat Logs render as reliable PNG images (via flagcdn.com) instead of Unicode emoji, which some platforms don't render.
- Per-IP decision cache extended to 24 hours to reduce API load
- Allowed-countries enforcement moved server-side so denied requests are logged correctly
- Login verification (device 2FA) toggle added per user
- Browser Fingerprint layer now also injects on wp-login.php and via wp_footer fallback
- Fingerprint collector no longer skipped for logged-in users (configurable)
- "Country Denied" badge styled distinctly from generic bot block
- Threat Logs show the visitor path alongside IP / ISP / country
- /v3/openapi now receives allowed_countries from the plugin so geo-blocks are enforced server-side and logged with the correct reason
- Decision caching logic refactored so every request logs correctly
- Fingerprint injection improvements
- "Clear Threats for this Domain" action in Threat Logs
- "Path" column in Threat Logs showing the URL the visitor accessed
- Initial release
- Full Dashboard, License, Rules, Whitelist, Blacklist, Protection Settings, Threat Logs
- Six protection layers: Page, Firewall, Login, Comment, REST API, XML-RPC
- Decision caching with object cache + transient fallback
- CSV export for threat logs
- WP-admin dashboard widget
- Cloudflare / proxy IP detection