Integrationen → WordPress
ZeroBot Security — WordPress-Plugin
Antibot, Firewall, Captcha und Threat Intelligence direkt im wp-admin. Sechs Schutz-Layer, ein Dashboard, kein Code.
Installation
- Im wp-admin: Plugins → Installieren öffnen, nach "ZeroBot Security" suchen, Jetzt installieren → Aktivieren. Alle Downloads laufen über WordPress.org — keine Drittanbieter-ZIPs.
- Gehe zu ZeroBot → Lizenz und füge deinen Lizenzschlüssel ein (aus dem ZeroBot-Dashboard).
- Deine aktuelle Domain wird beim Aktivieren der Lizenz automatisch registriert. Kein manueller Schritt.
- Öffne ZeroBot → Schutz-Einstellungen, aktiviere den Haupt-Schalter und die gewünschten Layer.
Sechs Schutz-Layer
Jeder Layer ist standardmäßig aus. Aktiviere sie unter ZeroBot → Schutz-Einstellungen plus den Haupt-Schalter oben.
| Layer | What it does |
|---|---|
| Firewall | Site-wide screening of every public request. Blocks bots on page load before PHP does any work. |
| Page Protection | Per-URL antibot with captcha fallback for borderline traffic (Cloudflare Turnstile or ZeroBot native slider). |
| Login Guard | Rate-limits failed logins per IP, auto-blacklists offenders, screens login IPs against the ZeroBot blacklist. |
| Comment Guard | Rejects spam comments before they're saved to the DB. |
| REST API Guard | Screens public REST calls. Auto-exempts WooCommerce Store API and ZeroBot's own routes. |
| XML-RPC Guard | Disables XML-RPC (or screens it per-request). A top brute-force attack vector. |
Einstellungs-Referenz
| Setting | Default | Notes |
|---|---|---|
| Master switch | Off | Turns every protection layer on/off globally. Leave it off while you configure, flip on to go live. |
| Allowed countries | all | ISO 2-letter codes, comma-separated. Non-matching visitors are blocked with reason Country Denied. Enforced server-side. |
| Firewall exempt paths | (empty) | One path per line. Any URL matching any line skips the firewall (useful for webhooks, health checks). |
| Fail mode | Fail-open | When the API is unreachable: open lets traffic through, closed returns 503. Switch to closed only if you'd rather block than risk a bot getting through. |
| Login max attempts / block minutes | 5 / 15 | Threshold and cooldown for the Login Guard. |
| Browser fingerprint | Off | Injects the fingerprint collector on every front-end page. Detects headless browsers & automation. Off by default because it's the only layer that loads external JS. |
Dashboard & Logs
- Dashboard — license status, 24h / 7d stats, recent-threat table scoped to this site only.
- Threat Logs — filterable viewer of every
/v3/openapidecision for this site. CSV export, one-click whitelist/blacklist action per row. - Whitelist / Blacklist — IPs, CIDR ranges, ASNs. Scoped to
service=all— covers antibot, hosting, shortener, redirection at once.
Fehlerbehebung
- "The plugin doesn't seem to block anyone."
- Check the master switch AND the specific protection toggle are both on. Open an incognito window — if you're logged in as admin, the Firewall skips you by design. Bots coming from datacenters or known-bad IPs will be blocked; residential visitors are correctly allowed through.
- "My IP shows up once then never again."
- The 24-hour per-IP decision cache. Click Clear Cache in Protection Settings to force a re-check on your next visit.
- "Domain not authorized" banner at the top of wp-admin.
- Your domain was removed from the ZeroBot Authorized Domains list (or the license was deactivated). Click Authorize this domain in the banner — it re-registers this site instantly.
- "I want to see every visit logged for debugging."
- The plugin de-duplicates per IP for 24h by design. For full verbose logging, contact support to enable per-request logging temporarily on your account.
Lieber die rohe API?
Wenn du ein eigenes Theme fährst oder die API ohne WordPress nutzen willst, siehe die Guides PHP, Node.js, Python oder cURL/REST. Das WordPress-Plugin ist nur ein Wrapper um /v3/openapi, /v3/antibot und /v3/account/*.