Folder Guard — Protected By ZeroBot

What is Folder Guard?

Folder Guard is a small PHP package you drop onto your own server.
Once a folder is protected, every request to it is checked against your ZeroBot account before the page loads — so bots are stopped while real visitors pass through untouched.

It connects to your existing ZeroBot account with your license key, so your whitelist, blacklist, traffic logs and settings stay in sync with your main dashboard.
Nothing is stored with a third party.

How protection works

When a visitor opens a protected folder, the guard runs before your page and asks ZeroBot whether the request is a bot or a human, then applies your chosen rule:

• It loads automatically on every request inside a protected folder (via .user.ini or .htaccess).
• Each request is decided live against your ZeroBot account — no stale caching.
• It is fail-open by design: if ZeroBot is ever unreachable, your site keeps working normally.
• Every visit is logged to your account, so it appears in both the package and your main ZeroBot dashboard.

Requirements

• PHP 8.1 or newer.
• Apache (mod_php), or PHP-FPM / FastCGI / LiteSpeed — the package configures both automatically.
• An active ZeroBot license key (found in your dashboard under Profile).
• A free domain slot on your plan.
  Folder Guard authorizes your domain automatically, and that uses one of your plan's domain slots.

Domain authorization

When you log in, Folder Guard authorizes your domain automatically.
It adds the domain to your ZeroBot account so the protection running on your folders is recognized and every visit is logged to both dashboards.

Authorizing a domain uses one of your plan's domain slots.
If no slot is free, the domain can't be authorized — and until it is, Folder Guard can't protect your folders and visitors are simply let through.
Free a slot by removing an unused domain in your dashboard, or upgrade your plan to add more.

Install in 4 steps

No code or command line required — just upload and open it in your browser.

Protecting a folder

Open the Protected Folders tab, enter the absolute path of the folder you want to guard (the field is pre-filled with your web root), and click Protect folder.
The guard activates immediately on Apache, and within about five minutes on PHP-FPM.

Protection rules

In Settings you decide, separately, what happens to bots and to real humans:

When a bot is detected

• Block — show a clean "access denied" page.
• Challenge — present the ZeroBot slider captcha; solving it lets the visitor through.
• Redirect — send the visitor to a URL of your choice.
• Log only — record the visit but do not block (great for testing).

When a real human visits

• Do nothing — let them straight through (the default).
• Challenge — ask even humans to pass the captcha.
• Block — deny everyone (useful to fully close a folder).
• Redirect — send humans to another URL.

The ZeroBot captcha

When the challenge rule is active, suspected bots see the genuine ZeroBot slider captcha.
Once a visitor solves it, they get a short-lived pass and are not challenged again — exactly the same captcha used across the ZeroBot platform.

Device fingerprint (optional)

You can enable the ZeroBot device-fingerprint script from Settings.
It collects 40+ browser signals (canvas, WebGL, audio, timezone and more) on protected pages to sharpen bot detection over time.

Whitelist & Blacklist

Allow or block specific IPs straight from the package.
Because it is synced with your ZeroBot account, every change applies everywhere your account protects — and shows up in your main dashboard too.

Traffic & Logs

The Traffic tab shows live verdicts for every request, exactly like your main dashboard:

• IP, status (bot or human), the page that was visited, browser, OS and country.
• Filter by page, paginate through the history, and clear the log when you want.
• An Activity Log records every whitelist and blacklist change you make.

Turning protection on & off

A single switch in Settings pauses or resumes protection across every folder at once, without removing your configuration.
When off, every visitor is simply let through — handy for maintenance.

Troubleshooting

If a protected folder still lets visitors through, check these four points.
They cover the handful of setups where activation needs a small nudge.

It only protects PHP requests

Folder Guard runs through PHP's auto_prepend_file, so it activates only on requests that PHP handles.
Static .html pages, images, or a folder served without PHP are not protected.
Point it at the folder that runs your PHP app, or add it to that app's entry point.

cPanel / LiteSpeed activation

On LiteSpeed the setting lives in .user.ini and is cached for about 5 minutes, so it is not instant.
Changing your PHP version in Select PHP Version forces a fresh read.
If it still does not activate, your host may not honor .user.ini or .htaccess php_value at all.
Enable the htscanner PHP extension under Select PHP Version and Extensions to make it work.
Keep the curl extension enabled too, because Folder Guard uses it to reach the API.

Bots get through but appear in the logs

That means the bot action is set to Log, which records bots without stopping them.
Open Settings and set the bot action to Block, or Challenge, to actually stop them.

Connected in the dashboard, but nothing is logged

Protection reads your license from a file named .env.php inside the install folder, not from .env.example, which is only a sample and should never be edited.
The dashboard can still look connected from your browser session even when this file is missing.
If you moved or renamed the install folder, just open Settings once and Folder Guard re-saves the license automatically.

Thank You

Need a hand?
Reach us on our Telegram channel or at support@zerobot.info — we're happy to help you get set up.