PHP-Integration
Jede PHP-Seite — Laravel, CodeIgniter, eigene WordPress-Themes, einfache index.php. Ein include, Screening in 20 Zeilen.
Schnellstart — 20 Zeilen
Erstelle zerobot.php neben dem Einstiegspunkt deiner Seite und binde es mit require am Anfang jeder zu schützenden Seite ein (oder am Anfang deines Front-Controllers).
<?php // zerobot.php — drop-in bot screening const ZEROBOT_LICENSE = 'YOUR_LICENSE_KEY'; const ZEROBOT_DOMAIN = 'yoursite.com'; $ip = $_SERVER['HTTP_CF_CONNECTING_IP'] ?? $_SERVER['REMOTE_ADDR'] ?? ''; $ua = $_SERVER['HTTP_USER_AGENT'] ?? ''; $url = 'https://api.zerobot.info/v3/openapi?' . http_build_query([ 'license' => ZEROBOT_LICENSE, 'ip' => $ip, 'domain' => ZEROBOT_DOMAIN, 'useragent' => $ua, ]); $ch = curl_init($url); curl_setopt_array($ch, [ CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 5, ]); $res = curl_exec($ch); curl_close($ch); $data = json_decode($res, true); if (is_array($data) && !empty($data['is_bot'])) { http_response_code(403); exit('Blocked: ' . ($data['reason'] ?? 'bot')); } // Fall through = visitor is human. Render your page normally.
Fail-Open-Verhalten: Wenn die API timeoutet oder nichts zurückgibt, ist $data['is_bot'] null und die Anfrage geht durch. Deine Seite bricht nicht wegen Netzwerkproblemen.
Include Mode — hosted script, no API code
The simplest integration: no API calls to write. Download ZeroBot.php from your dashboard (Download Antibot), upload it next to the page you want to protect, then include it at the very top of that PHP file. Bots are blocked before anything renders; verified humans fall straight through into your page.
<?php // Top of your page — before ANY HTML output include 'ZeroBot.php'; ?> <!-- Your real page below. Bots never reach this line. --> <!DOCTYPE html> <html> <body> <h1>Welcome — you passed ZeroBot's checks.</h1> </body> </html>
Three requirements: (1) leave the rule's Redirect Link EMPTY — that is what switches the script into passthrough/include mode instead of redirecting; (2) put the include before any HTML output, so the bot block runs first; (3) set the rule's Antibot Link to the public URL of this file. Prefer the classic gateway behavior? Set a Redirect Link on the rule and the script will send verified humans there instead of passing through.
Laravel-Middleware
Erstelle app/Http/Middleware/ZeroBot.php:
<?php namespace App\Http\Middleware; use Closure; use Illuminate\Http\Request; use Illuminate\Support\Facades\Http; class ZeroBot { public function handle(Request $request, Closure $next) { $res = Http::timeout(5)->get('https://api.zerobot.info/v3/openapi', [ 'license' => config('services.zerobot.key'), 'ip' => $request->ip(), 'domain' => $request->getHost(), 'useragent' => $request->userAgent() ?? '', ]); if ($res->ok() && $res->json('is_bot')) { abort(403, $res->json('reason', 'bot')); } return $next($request); } }
Registriere ihn in app/Http/Kernel.php unter $middleware für alle Routen oder $middlewareGroups['web'] nur für Web.
Response-Format
Jeder Aufruf von /v3/openapi liefert dieselbe JSON-Struktur zurück:
{
"username": "encrypted",
"is_bot": true,
"reason": "DATACENTER",
"risk_score": 60,
"country_code": "us",
"country_name": "United States",
"asn": "AS15169",
"isp": "Google LLC",
"hostname": "dns.google",
"tor": false,
"vpn": false,
"datacenter": true,
"left": 471, // license days remaining
"plan": "ISP"
}
Best Practices
- Cache per-IP. Store the verdict in APCu / Redis for 5-60 minutes to avoid hitting the API on every pageview by the same visitor.
- Skip admin paths. Don't screen wp-admin, /admin, /api/webhooks, etc. — check
$_SERVER['REQUEST_URI']before the API call. - Honor Cloudflare IPs. If your site is behind CF, read
HTTP_CF_CONNECTING_IP—REMOTE_ADDRis the CF edge, not the visitor. - Fail open on timeout. Never let a ZeroBot outage take your site down. Wrap the API call in try/catch and default to
is_bot=false.