Integración PHP
Cualquier sitio PHP — Laravel, CodeIgniter, temas personalizados de WordPress, simple index.php. Un include, filtrado en 20 líneas.
Inicio rápido — 20 líneas
Crea zerobot.php junto al punto de entrada del sitio y haz require en cada página que quieras proteger (o en el controlador frontal).
<?php // zerobot.php — drop-in bot screening const ZEROBOT_LICENSE = 'YOUR_LICENSE_KEY'; const ZEROBOT_DOMAIN = 'yoursite.com'; $ip = $_SERVER['HTTP_CF_CONNECTING_IP'] ?? $_SERVER['REMOTE_ADDR'] ?? ''; $ua = $_SERVER['HTTP_USER_AGENT'] ?? ''; $url = 'https://api.zerobot.info/v3/openapi?' . http_build_query([ 'license' => ZEROBOT_LICENSE, 'ip' => $ip, 'domain' => ZEROBOT_DOMAIN, 'useragent' => $ua, ]); $ch = curl_init($url); curl_setopt_array($ch, [ CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 5, ]); $res = curl_exec($ch); curl_close($ch); $data = json_decode($res, true); if (is_array($data) && !empty($data['is_bot'])) { http_response_code(403); exit('Blocked: ' . ($data['reason'] ?? 'bot')); } // Fall through = visitor is human. Render your page normally.
Comportamiento fail-open: si la API expira o no devuelve nada, $data['is_bot'] es null y la petición pasa. Tu sitio nunca se rompe por un problema de red.
Include Mode — hosted script, no API code
The simplest integration: no API calls to write. Download ZeroBot.php from your dashboard (Download Antibot), upload it next to the page you want to protect, then include it at the very top of that PHP file. Bots are blocked before anything renders; verified humans fall straight through into your page.
<?php // Top of your page — before ANY HTML output include 'ZeroBot.php'; ?> <!-- Your real page below. Bots never reach this line. --> <!DOCTYPE html> <html> <body> <h1>Welcome — you passed ZeroBot's checks.</h1> </body> </html>
Three requirements: (1) leave the rule's Redirect Link EMPTY — that is what switches the script into passthrough/include mode instead of redirecting; (2) put the include before any HTML output, so the bot block runs first; (3) set the rule's Antibot Link to the public URL of this file. Prefer the classic gateway behavior? Set a Redirect Link on the rule and the script will send verified humans there instead of passing through.
Middleware Laravel
Crea app/Http/Middleware/ZeroBot.php:
<?php namespace App\Http\Middleware; use Closure; use Illuminate\Http\Request; use Illuminate\Support\Facades\Http; class ZeroBot { public function handle(Request $request, Closure $next) { $res = Http::timeout(5)->get('https://api.zerobot.info/v3/openapi', [ 'license' => config('services.zerobot.key'), 'ip' => $request->ip(), 'domain' => $request->getHost(), 'useragent' => $request->userAgent() ?? '', ]); if ($res->ok() && $res->json('is_bot')) { abort(403, $res->json('reason', 'bot')); } return $next($request); } }
Regístralo en app/Http/Kernel.php bajo $middleware para todas las rutas, o $middlewareGroups['web'] solo para web.
Formato de la respuesta
Cada llamada a /v3/openapi devuelve la misma estructura JSON:
{
"username": "encrypted",
"is_bot": true,
"reason": "DATACENTER",
"risk_score": 60,
"country_code": "us",
"country_name": "United States",
"asn": "AS15169",
"isp": "Google LLC",
"hostname": "dns.google",
"tor": false,
"vpn": false,
"datacenter": true,
"left": 471, // license days remaining
"plan": "ISP"
}
Buenas prácticas
- Cache per-IP. Store the verdict in APCu / Redis for 5-60 minutes to avoid hitting the API on every pageview by the same visitor.
- Skip admin paths. Don't screen wp-admin, /admin, /api/webhooks, etc. — check
$_SERVER['REQUEST_URI']before the API call. - Honor Cloudflare IPs. If your site is behind CF, read
HTTP_CF_CONNECTING_IP—REMOTE_ADDRis the CF edge, not the visitor. - Fail open on timeout. Never let a ZeroBot outage take your site down. Wrap the API call in try/catch and default to
is_bot=false.