Title: xZeroProtect Author: Ben Khalife Published: June 27, 2026 Last modified: June 27, 2026 --- Search plugins ![](https://ps.w.org/xzeroprotect/assets/icon-256x256.png?rev=3588106) # xZeroProtect By [Ben Khalife](https://profiles.wordpress.org/benkhalifedev/) [Download](https://downloads.wordpress.org/plugin/xzeroprotect.1.1.3.zip) * [Details](https://pcd.wordpress.org/plugins/xzeroprotect/#description) * [Reviews](https://pcd.wordpress.org/plugins/xzeroprotect/#reviews) * [Installation](https://pcd.wordpress.org/plugins/xzeroprotect/#installation) * [Development](https://pcd.wordpress.org/plugins/xzeroprotect/#developers) [Support](https://wordpress.org/support/plugin/xzeroprotect/) ## Description xZeroProtect brings the power of the [xZeroProtect PHP library](https://github.com/webrium/xzeroprotect) to WordPress with a clean admin dashboard. The plugin source is available at [github.com/webrium/xzeroprotect-wp](https://github.com/webrium/xzeroprotect-wp). **What it does:** * Blocks bots, scanners, and common web attacks (SQLi, XSS, path traversal, command injection) * Rate-limits IPs and automatically bans repeat offenders * Verifies legitimate crawlers (Googlebot, Bingbot) via double-DNS — they’re never blocked * Tracks **real** visitor analytics — bot traffic is already filtered out before anything is recorded * Shows unique visitors, top pages, device breakdown, and block reasons in a dashboard * Zero external dependencies — no Redis, no external API, everything on disk and in your database **Dashboard includes:** * Traffic overview chart (visits, unique visitors, blocked) * Top pages by hits and unique visitors * Device breakdown (desktop / mobile / tablet) * Block reason breakdown * Real visitor log with browser, OS, and device info * Blocked request log with attack type and reason ### Privacy Policy xZeroProtect stores visitor data (IP address, browser, OS, device type) and blocked request data locally in your WordPress database. No data is transmitted to external servers. All stored data is automatically deleted after the configured retention period (default: 30 days). All data is permanently removed when the plugin is uninstalled. ## Installation 1. Upload the plugin via **Plugins Add New Plugin Upload Plugin** and select the plugin zip file, or extract the `xzeroprotect` folder into `/wp-content/plugins/` 2. Activate the plugin in **Plugins Installed Plugins** 3. Go to **xZeroProtect Settings** to configure ## FAQ ### Will this block me from my own admin? No. The plugin automatically whitelists `/wp-admin`, `/wp-login.php`, and other WordPress core paths. Logged-in administrators are also exempt. ### Does it work on shared hosting? Yes — that’s one of its main advantages. No Redis, no system-level access, no external services required. ### What happens to my data if I deactivate the plugin? Data is kept on deactivation. It is only removed when you **delete** the plugin ( uninstall). ## Reviews There are no reviews for this plugin. ## Contributors & Developers “xZeroProtect” is open source software. The following people have contributed to this plugin. Contributors * [ Ben Khalife ](https://profiles.wordpress.org/benkhalifedev/) [Translate “xZeroProtect” into your language.](https://translate.wordpress.org/projects/wp-plugins/xzeroprotect) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/xzeroprotect/), check out the [SVN repository](https://plugins.svn.wordpress.org/xzeroprotect/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/xzeroprotect/) by [RSS](https://plugins.trac.wordpress.org/log/xzeroprotect/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 1.1.3 * Renamed plugin slug from xzeroprotect-wp to xzeroprotect (resolves trademarked- term warning for the “wp” suffix) * Fixed Text Domain to match the new slug (“xzeroprotect”) across all strings * Renamed main plugin file to xzeroprotect.php * Removed the unused “Domain Path” header (no languages folder bundled) * Moved firewall storage directory from uploads/xzeroprotect-wp to uploads/xzeroprotect * Sanitized $_POST[‘days’] in AJAX handlers before casting * Added phpcs ignore annotations for safe, already-prepared direct DB queries * Renamed internal constants from XZPWP_* to XZP_* #### 1.1.2 * Updated bundled Chart.js to v4.5.1 * Moved firewall storage to the WordPress uploads directory (wp_upload_dir()) * Replaced inline dashboard with wp_add_inline_script * Removed unnecessary load_plugin_textdomain() call (handled by WordPress.org since 4.6) * Removed directory asset files from the plugin package #### 1.1.1 * Added real visitor tracking with device and browser detection * Added unique visitor fingerprinting (daily-resetting SHA-256) * Added analytics dashboard: traffic chart, top pages, device breakdown, block reasons * Added real visitor log and blocked request log * Removed curl, wget, python-requests, go-http-client from default blocked agents * Removed .php extension from default blocked paths to avoid false positives * Raised auto-ban violations threshold from 5 to 10 #### 1.0.0 * Initial release ## Meta * Version **1.1.3** * Last updated **1 day ago** * Active installations **Fewer than 10** * WordPress version ** 6.0 or higher ** * Tested up to **7.0** * PHP version ** 8.0 or higher ** * Language * [English (US)](https://wordpress.org/plugins/xzeroprotect/) * Tags * [analytics](https://pcd.wordpress.org/plugins/tags/analytics/)[bot protection](https://pcd.wordpress.org/plugins/tags/bot-protection/) [firewall](https://pcd.wordpress.org/plugins/tags/firewall/)[security](https://pcd.wordpress.org/plugins/tags/security/) [WAF](https://pcd.wordpress.org/plugins/tags/waf/) * [Advanced View](https://pcd.wordpress.org/plugins/xzeroprotect/advanced/) ## Ratings No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/xzeroprotect/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/xzeroprotect/reviews/) ## Contributors * [ Ben Khalife ](https://profiles.wordpress.org/benkhalifedev/) ## Support Got something to say? Need help? [View support forum](https://wordpress.org/support/plugin/xzeroprotect/)