If you run a WordPress site, your access logs are probably full of noise: scanners poking at wp-login.php, bots requesting .env files that don't exist, and crawlers with fake user-agents pretending to be Googlebot. Most security plugins block some of this, but very few use that same detection layer to give you cleaner analytics.
That's the idea behind xZeroProtect, a free, open-source WordPress plugin I just released.
🔗 Plugin: https://wordpress.org/plugins/xzeroprotect/
🔗 Firewall library: https://github.com/webrium/xzeroprotect
🔗 Plugin source: https://github.com/webrium/xzeroprotect-wp
The idea
I started by building a standalone, dependency-free PHP firewall library (xzeroprotect) — no Redis, no external services, everything file-based. Once it could reliably tell a real visitor from a bot, it made sense to go one step further: use that same signal to power visitor analytics that are already clean, instead of bolting a stats plugin on top of unfiltered traffic.
So the WordPress plugin does two jobs with one pass:
- Firewall — blocks the request if it looks malicious.
- Analytics — if the request passes every check, it gets recorded as a real visit.
Nothing that looks like a bot ever makes it into your stats.
What it actually blocks
- SQL injection, XSS, path traversal, LFI/RFI, and command injection patterns in GET/POST/cookies
- Known scanner and exploit-tool user-agents (
sqlmap,nikto,nmap,masscan, and more) - Requests to sensitive paths (
.env,.git,phpmyadmin,wp-config, common webshell names, etc.) - Repeat offenders, via a sliding-window rate limiter with automatic (and escalating) IP bans
One detail I'm fairly happy with is crawler verification: instead of trusting the User-Agent header (which anyone can fake), Googlebot/Bingbot/etc. are verified with double-DNS lookup — reverse-resolve the visitor's IP, check the hostname matches the expected suffix (e.g. .googlebot.com), then forward-resolve that hostname again and confirm it matches the original IP. This is the method Google and Bing themselves recommend, and it means legitimate crawlers are never accidentally rate-limited or banned.
There's also an optional Apache integration: permanently banned IPs get synced into .htaccess, so Apache rejects them before PHP even starts.
The dashboard
Once it's running, the plugin gives you:
- A traffic chart (visits / unique visitors / blocked requests) over 7, 14, or 30 days
- Top pages by hits and unique visitors
- Device breakdown (desktop / mobile / tablet)
- A breakdown of why things got blocked
- A real-visitor log with browser, OS, and device detail
- A blocked-request log with attack type and reason
Visitor uniqueness is tracked with a daily-resetting SHA-256 fingerprint (IP + user-agent + date), so raw IPs aren't stored in the fingerprint itself.
Getting started
Plugins → Add New → search "xZeroProtect" → Install → Activate
By default it runs in Production mode (block + log), but there's also a Learning mode that only logs what would be blocked — useful for a few days of tuning before you flip it live. WordPress core paths (/wp-admin, /wp-login.php, /wp-json) are always whitelisted, so there's no risk of locking yourself out.
Requirements: WordPress 6.0+, PHP 8.0+, MySQL 5.7+ / MariaDB 10.3+. No Redis, no external API calls, no cloud dependency — everything runs on your own server and database.
Why I'm sharing it
It's brand new, completely free, and MIT-licensed — both the plugin and the underlying PHP library are open source, so you can read exactly what it's doing or reuse the firewall library in any PHP 8 project, WordPress or not.
If you try it, I'd genuinely appreciate feedback, bug reports, or feature ideas — either on the WordPress.org support forum or as a GitHub issue.
Built by Webrium. MIT licensed.
Top comments (0)