Integraciones → WordPress
ZeroBot Security — plugin de WordPress
Antibot, firewall, captcha e inteligencia de amenazas en tu wp-admin. Seis capas de protección, un panel, cero código.
Instalación
- En tu wp-admin: abre Plugins → Añadir nuevo, busca "ZeroBot Security" y haz clic en Instalar → Activar. Todas las descargas son de WordPress.org — nada de zips externos.
- Ve a ZeroBot → Licencia y pega tu clave (del panel de ZeroBot).
- Tu dominio actual se registra automáticamente al activar la licencia. No hay pasos manuales.
- Abre ZeroBot → Configuración de protección, activa el interruptor maestro y las capas que quieras.
Seis capas de protección
Cada capa está desactivada por defecto. Actívalas desde ZeroBot → Configuración de protección, además del interruptor maestro.
| Layer | What it does |
|---|---|
| Firewall | Site-wide screening of every public request. Blocks bots on page load before PHP does any work. |
| Page Protection | Per-URL antibot with captcha fallback for borderline traffic (Cloudflare Turnstile or ZeroBot native slider). |
| Login Guard | Rate-limits failed logins per IP, auto-blacklists offenders, screens login IPs against the ZeroBot blacklist. |
| Comment Guard | Rejects spam comments before they're saved to the DB. |
| REST API Guard | Screens public REST calls. Auto-exempts WooCommerce Store API and ZeroBot's own routes. |
| XML-RPC Guard | Disables XML-RPC (or screens it per-request). A top brute-force attack vector. |
Referencia de configuración
| Setting | Default | Notes |
|---|---|---|
| Master switch | Off | Turns every protection layer on/off globally. Leave it off while you configure, flip on to go live. |
| Allowed countries | all | ISO 2-letter codes, comma-separated. Non-matching visitors are blocked with reason Country Denied. Enforced server-side. |
| Firewall exempt paths | (empty) | One path per line. Any URL matching any line skips the firewall (useful for webhooks, health checks). |
| Fail mode | Fail-open | When the API is unreachable: open lets traffic through, closed returns 503. Switch to closed only if you'd rather block than risk a bot getting through. |
| Login max attempts / block minutes | 5 / 15 | Threshold and cooldown for the Login Guard. |
| Browser fingerprint | Off | Injects the fingerprint collector on every front-end page. Detects headless browsers & automation. Off by default because it's the only layer that loads external JS. |
Panel y registros
- Dashboard — license status, 24h / 7d stats, recent-threat table scoped to this site only.
- Threat Logs — filterable viewer of every
/v3/openapidecision for this site. CSV export, one-click whitelist/blacklist action per row. - Whitelist / Blacklist — IPs, CIDR ranges, ASNs. Scoped to
service=all— covers antibot, hosting, shortener, redirection at once.
Solución de problemas
- "The plugin doesn't seem to block anyone."
- Check the master switch AND the specific protection toggle are both on. Open an incognito window — if you're logged in as admin, the Firewall skips you by design. Bots coming from datacenters or known-bad IPs will be blocked; residential visitors are correctly allowed through.
- "My IP shows up once then never again."
- The 24-hour per-IP decision cache. Click Clear Cache in Protection Settings to force a re-check on your next visit.
- "Domain not authorized" banner at the top of wp-admin.
- Your domain was removed from the ZeroBot Authorized Domains list (or the license was deactivated). Click Authorize this domain in the banner — it re-registers this site instantly.
- "I want to see every visit logged for debugging."
- The plugin de-duplicates per IP for 24h by design. For full verbose logging, contact support to enable per-request logging temporarily on your account.
¿Prefieres la API directa?
Si usas un tema personalizado o la API fuera de WordPress, consulta las guías PHP, Node.js, Python o cURL/REST. El plugin de WordPress es solo un wrapper sobre /v3/openapi, /v3/antibot y /v3/account/*.