DEV Community

Benyamin Khalife


xZeroProtect 1.1.1 — Smarter Defaults, Cleaner Rules, Real Visitor Tracking

After using xZeroProtect across several projects, I kept running into the same friction points — default rules that blocked legitimate API clients, a .php extension rule that silently broke non-routed apps, and an auto-ban threshold that was a little too eager. Version 1.1.1 fixes all of that, and adds something new.


What is xZeroProtect?

A lightweight, file-based PHP 8 firewall library. No database, no Redis, no external service. Drop it into any PHP project, call run(), and it handles the rest — rate limiting, IP banning, payload scanning, bot detection, and crawler verification.

composer require webrium/xzeroprotect

use Webrium\XZeroProtect\XZeroProtect;

$firewall = XZeroProtect::init();
$firewall->run();

That's the whole setup for most projects.


What changed in 1.1.1

Smarter default blocked agents

The previous release blocked curl/, wget/, python-requests, and go-http-client out of the box. That made sense for public-facing websites, but caused real problems for anyone exposing an API — every legitimate client using those libraries got blocked on install.

These four are no longer in the default list. If your site doesn't serve an API and you want to block them, it's one line:

$firewall->patterns->addAgent('curl/');
$firewall->patterns->addAgent('wget/');
$firewall->patterns->addAgent('python-requests');
$firewall->patterns->addAgent('go-http-client');

libwww-perl and lwp-trivial are still blocked by default — there's no modern legitimate use case for those.


.php extension no longer blocked by default

The old default blocked any URL containing .php. The intention was good — modern routed applications (Laravel, Symfony, Slim) have no public .php files, so blocking the extension stops a lot of scanner noise.

The problem: anyone running a traditional PHP app, or a CMS like WordPress, would have all their pages blocked immediately after installation.

.php is now opt-in:

// Only add this if your app uses modern routing
// and no public .php files exist
$firewall->patterns->addPath('.php');

Auto-ban threshold raised from 5 to 10

The previous threshold of 5 violations before a ban was aggressive. A real user hitting a few 404s, a misconfigured uptime monitor, or a developer testing locally could end up banned for 24 hours.

The new default is 10 — still firm enough to catch actual scanners and brute-force attempts, but with enough room to avoid false positives on legitimate traffic.


New: VisitInfo and real visitor tracking

This release introduces opt-in visitor tracking. After all firewall checks pass, you can record the visit — and since the firewall has already filtered out bots and scanners, what gets recorded is real human traffic.

use Webrium\XZeroProtect\VisitInfo;

// $db must be captured with use(): a closure cannot see outer variables otherwise
$firewall->enableTracking(function (VisitInfo $visit) use ($db) {
    // Store however you like — the library doesn't care
    $db->insert('visits', $visit->toArray());
});

$firewall->run();

The VisitInfo object gives you everything you need:

$visit->ip
$visit->path
$visit->method
$visit->fingerprint      // daily SHA-256 hash — for unique visitor counting
$visit->device->browser  // 'Chrome', 'Firefox', 'Safari' ...
$visit->device->os       // 'Windows', 'macOS', 'Android', 'iOS' ...
$visit->device->type     // 'desktop' | 'mobile' | 'tablet'
$visit->date()           // formatted timestamp
$visit->toArray()        // flat array ready for DB insert

Tracking is disabled by default — you enable it explicitly. The library stays zero-dependency; how and where you store data is entirely up to you.
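One way to wire up the tracking callback, as an added example that is not the library's own code: it stores the VisitInfo properties listed above through PDO prepared statements and counts unique visitors per day by fingerprint. It assumes a Composer install and the property names shown on this page; the table layout and the stored date format are this example's own choices.

```php
<?php
// Added example (not xZeroProtect's own code): persist the VisitInfo
// fields listed above with PDO prepared statements and count unique
// visitors per day by fingerprint. Table layout is this example's choice.
require __DIR__ . '/vendor/autoload.php';

use Webrium\XZeroProtect\XZeroProtect;
use Webrium\XZeroProtect\VisitInfo;

// SQLite in memory keeps this self-contained; swap in your real DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS visits (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    ip TEXT NOT NULL, method TEXT NOT NULL, path TEXT NOT NULL,
    fingerprint TEXT NOT NULL, browser TEXT, os TEXT, device_type TEXT,
    visited_at TEXT NOT NULL)');

// Bound parameters keep request-derived values (path, User-Agent-derived
// device fields) out of the SQL text: the firewall let them through,
// but they are still untrusted input.
$insert = $db->prepare('INSERT INTO visits
    (ip, method, path, fingerprint, browser, os, device_type, visited_at)
    VALUES (:ip, :method, :path, :fp, :browser, :os, :type, :at)');

$firewall = XZeroProtect::init();
$firewall->enableTracking(function (VisitInfo $visit) use ($insert): void {
    $insert->execute([
        ':ip'      => $visit->ip,
        ':method'  => $visit->method,
        ':path'    => substr($visit->path, 0, 2048), // cap oversized URLs
        ':fp'      => $visit->fingerprint,
        ':browser' => $visit->device->browser,
        ':os'      => $visit->device->os,
        ':type'    => $visit->device->type,
        // stored in a known format so the daily query below is reliable
        ':at'      => date('Y-m-d H:i:s'),
    ]);
});
$firewall->run();

// The fingerprint rotates daily, so distinct fingerprints since local
// midnight approximate distinct human visitors today.
function uniqueVisitorsToday(PDO $db): int
{
    $stmt = $db->prepare('SELECT COUNT(DISTINCT fingerprint) FROM visits WHERE visited_at >= :start');
    $stmt->execute([':start' => date('Y-m-d 00:00:00')]);
    return (int) $stmt->fetchColumn();
}
```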

I'll be writing a dedicated post covering the full tracking API, unique visitor fingerprinting, and some practical analytics patterns. This is just the introduction.


What didn't change

The core API is identical. No breaking changes. If you were on 1.0.x, updating is safe:

composer update webrium/xzeroprotect

All existing configuration, custom rules, IP bans, and rate limit data carry over.


Links

Feedback and issues welcome on GitHub.
