DEV Community

Cover image for xZeroProtect: A Free WordPress Firewall That Also Tells You Who Your Real Visitors Are
Benyamin Khalife
Benyamin Khalife

Posted on

xZeroProtect: A Free WordPress Firewall That Also Tells You Who Your Real Visitors Are

If you run a WordPress site, your access logs are probably full of noise: scanners poking at wp-login.php, bots requesting .env files that don't exist, and crawlers with fake user-agents pretending to be Googlebot. Most security plugins block some of this, but very few use that same detection layer to give you cleaner analytics.

That's the idea behind xZeroProtect, a free, open-source WordPress plugin I just released.

🔗 Plugin: https://wordpress.org/plugins/xzeroprotect/
🔗 Firewall library: https://github.com/webrium/xzeroprotect
🔗 Plugin source: https://github.com/webrium/xzeroprotect-wp

The idea

I started by building a standalone, dependency-free PHP firewall library (xzeroprotect) — no Redis, no external services, everything file-based. Once it could reliably tell a real visitor from a bot, it made sense to go one step further: use that same signal to power visitor analytics that are already clean, instead of bolting a stats plugin on top of unfiltered traffic.

So the WordPress plugin does two jobs with one pass:

  1. Firewall — blocks the request if it looks malicious.
  2. Analytics — if the request passes every check, it gets recorded as a real visit.

Nothing that looks like a bot ever makes it into your stats.

What it actually blocks

  • SQL injection, XSS, path traversal, LFI/RFI, and command injection patterns in GET/POST/cookies
  • Known scanner and exploit-tool user-agents (sqlmap, nikto, nmap, masscan, and more)
  • Requests to sensitive paths (.env, .git, phpmyadmin, wp-config, common webshell names, etc.)
  • Repeat offenders, via a sliding-window rate limiter with automatic (and escalating) IP bans

One detail I'm fairly happy with is crawler verification: instead of trusting the User-Agent header (which anyone can fake), Googlebot/Bingbot/etc. are verified with double-DNS lookup — reverse-resolve the visitor's IP, check the hostname matches the expected suffix (e.g. .googlebot.com), then forward-resolve that hostname again and confirm it matches the original IP. This is the method Google and Bing themselves recommend, and it means legitimate crawlers are never accidentally rate-limited or banned.

There's also an optional Apache integration: permanently banned IPs get synced into .htaccess, so Apache rejects them before PHP even starts.

The dashboard

Once it's running, the plugin gives you:

  • A traffic chart (visits / unique visitors / blocked requests) over 7, 14, or 30 days
  • Top pages by hits and unique visitors
  • Device breakdown (desktop / mobile / tablet)
  • A breakdown of why things got blocked
  • A real-visitor log with browser, OS, and device detail
  • A blocked-request log with attack type and reason

Visitor uniqueness is tracked with a daily-resetting SHA-256 fingerprint (IP + user-agent + date), so raw IPs aren't stored in the fingerprint itself.

Getting started

Plugins → Add New → search "xZeroProtect" → Install → Activate
Enter fullscreen mode Exit fullscreen mode

By default it runs in Production mode (block + log), but there's also a Learning mode that only logs what would be blocked — useful for a few days of tuning before you flip it live. WordPress core paths (/wp-admin, /wp-login.php, /wp-json) are always whitelisted, so there's no risk of locking yourself out.

Requirements: WordPress 6.0+, PHP 8.0+, MySQL 5.7+ / MariaDB 10.3+. No Redis, no external API calls, no cloud dependency — everything runs on your own server and database.

Why I'm sharing it

It's brand new, completely free, and MIT-licensed — both the plugin and the underlying PHP library are open source, so you can read exactly what it's doing or reuse the firewall library in any PHP 8 project, WordPress or not.

If you try it, I'd genuinely appreciate feedback, bug reports, or feature ideas — either on the WordPress.org support forum or as a GitHub issue.


Built by Webrium. MIT licensed.

Top comments (0)