Visitor Filters
Active Visitor Security Gateway

Visitor intelligence and threat prevention

Collect visitor signals, evaluate rules in real time, and enforce decisions automatically. Block bots, throttle scrapers, and challenge suspicious traffic before it reaches your application.

Use the Free plan without a card, or start a 14-day Pro trial.

Live gateway
html
<script src="https://cdn.visitorfilters.com/vf.min.js" data-key="your-key" defer></script>

Integrates in minutes

Install paths for every stack

Use the official WordPress plugin for no-code setup, or install the TypeScript SDK for React, Vue, Next.js and custom JavaScript apps.

WordPress npm React Vue Next.js
No code

WordPress plugin

Install the plugin, paste your public site key, choose script delivery mode, and optionally enable WooCommerce purchase events.

  1. 1.Install VisitorFilters
  2. 2.Paste site key
  3. 3.Save configuration
SDK

npm package

Ship visitor intelligence inside modern frontend apps with typed helpers and framework integrations.

npm install @visitorfilters/tracker bash
Core JS React Vue Next.js

How it works

Three stages from request to decision. All automated, all in real time.

01

Collect

A lightweight script collects visitor signals — IP, user agent, behavior patterns, device fingerprint — and sends them to your VisitorFilters endpoint via signed payloads.

02

Evaluate

The rule engine checks each request against your policies: IP reputation, ASN lists, rate limits, geo-restrictions, and anomaly detection thresholds. Decisions are made in milliseconds.

03

Enforce

Based on the verdict: allow, block, challenge, throttle, or redirect. Legitimate visitors pass unnoticed. Threats are stopped before they touch your infrastructure.

Capabilities

Built for security teams

Everything you need to monitor, detect, and respond to malicious traffic.

Rule Engine

Multi-condition rules with AND/OR logic. Target by IP, ASN, country, user agent, path, rate, or risk score.

Anomaly Detection

Automatic detection of traffic spikes, rate anomalies, and behavioral deviations with configurable thresholds.

Honeytokens

Deploy invisible traps. When a bot scans hidden endpoints, it triggers immediate alerts and automatic enforcement.

Real-Time Dashboard

Live session monitoring, traffic analytics, geographic visualization, and device breakdowns — updated via WebSocket.

REST API & Webhooks

Full API with scoped keys for programmatic rule management. Outbound webhooks with HMAC signing and retry logic.

Scheduled Reports

Automated PDF reports delivered daily, weekly, or monthly. Threat summaries, blocked traffic analysis, and trend data.

AI Security Assistant

A weekly plain-language digest, vetted rule suggestions, and a copilot chat grounded in your own traffic data.

First-Party CAPTCHA

Privacy-friendly proof-of-work challenges with risk-adaptive difficulty — no third parties, embeddable on your own forms.

IP Threat Intelligence

A managed feed of known-malicious IP ranges scores every visitor and can trigger managed rules automatically.

Flexible plans for every scale

Start protecting your websites with our Free tier, or upgrade to Pro or Business to unlock advanced capabilities like Proxy/VPN Shield, Anomaly Detection, custom CAPTCHA/JS challenge screens, and REST API access.

Free

Get Started Free
  • 1 site
  • 10,000 events/month
  • 2 team members
  • 7-day data retention
  • Real-time dashboard
  • Anomaly detection Analyzes traffic patterns in real-time to automatically identify and flag suspicious behavior spikes and scraping attempts.
  • Honeytokens Deploys invisible trap URLs on your site. When automated scanners or bots request them, they are instantly identified and blocked.
  • Heatmaps Visualizes user click concentrations across desktop, tablet, and mobile devices to understand user interaction and optimize layouts.
  • REST API & Webhooks

Starter

Get Started
  • 2 sites
  • 50,000 events/month
  • 5 team members
  • 30-day data retention
  • Real-time dashboard
  • Anomaly detection Analyzes traffic patterns in real-time to automatically identify and flag suspicious behavior spikes and scraping attempts.
  • Honeytokens Deploys invisible trap URLs on your site. When automated scanners or bots request them, they are instantly identified and blocked.
  • Heatmaps Visualizes user click concentrations across desktop, tablet, and mobile devices to understand user interaction and optimize layouts.
  • REST API & Webhooks
Recommended

Pro

Start Trial
  • 5 sites
  • 200,000 events/month
  • 10 team members
  • 90-day data retention
  • Real-time dashboard
  • Anomaly detection Analyzes traffic patterns in real-time to automatically identify and flag suspicious behavior spikes and scraping attempts.
  • Honeytokens Deploys invisible trap URLs on your site. When automated scanners or bots request them, they are instantly identified and blocked.
  • Heatmaps Visualizes user click concentrations across desktop, tablet, and mobile devices to understand user interaction and optimize layouts.
  • REST API & Webhooks

Business

Get Started
  • 15 sites
  • 750,000 events/month
  • 25 team members
  • 180-day data retention
  • Real-time dashboard
  • Anomaly detection Analyzes traffic patterns in real-time to automatically identify and flag suspicious behavior spikes and scraping attempts.
  • Honeytokens Deploys invisible trap URLs on your site. When automated scanners or bots request them, they are instantly identified and blocked.
  • Heatmaps Visualizes user click concentrations across desktop, tablet, and mobile devices to understand user interaction and optimize layouts.
  • REST API & Webhooks
0
Events processed daily
0
Countries supported
0
Rule evaluation latency
0
Uptime SLA

Inside the product

Your security operations console

Every request your sites receive, scored and decided in one place — live traffic, verdicts, and the rules behind them.

console / overview LIVE
Events today
0
Blocked
0
CAPTCHA
0
Active sessions
0
Traffic 24h
203.0.113.24 ALLOW
198.51.100.7 CHALLENGE
203.0.113.88 BLOCK
198.51.100.61 ALLOW
203.0.113.140 BLOCK

Developer-first API

Manage rules, query analytics, and receive webhook events programmatically. Full REST API with scoped API keys, JSON responses, and HMAC-signed webhooks.

  • RESTful JSON API with versioning
  • Scoped API keys per site or tenant
  • Outbound webhooks with retry logic
  • HMAC-SHA256 webhook signatures
vf-api POST /v1/rules
# Block an IP address via API
curl -X POST \
  "https://visitorfilters.com/api/v1/rules" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"ip_block","ip":"1.2.3.4"}'
// Block an IP address via API
$response = Http::withToken('YOUR_API_KEY')
  ->post('https://visitorfilters.com/api/v1/rules', [
    'type' => 'ip_block',
    'ip' => '1.2.3.4',
  ]);
// Block an IP address via API
const res = await fetch('https://visitorfilters.com/api/v1/rules', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer YOUR_API_KEY`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ type: 'ip_block', ip: '1.2.3.4' })
});
# Block an IP address via API
import requests

response = requests.post(
  "https://visitorfilters.com/api/v1/rules",
  headers={
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json"
  },
  json={
    "type": "ip_block",
    "ip": "1.2.3.4"
  }
)
// Block an IP address via API
package main

import (
  "bytes"
  "net/http"
)

func main() {
  payload := []byte(`{"type":"ip_block","ip":"1.2.3.4"}`)
  req, _ := http.NewRequest("POST", "https://visitorfilters.com/api/v1/rules", bytes.NewBuffer(payload))
  req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
  req.Header.Set("Content-Type", "application/json")

  client := &http.Client{}
  client.Do(req)
}

See it in action

Watch how VisitorFilters evaluates a real visitor request in real time — from signal collection to enforcement decision.

visitorfilters — rule engine

Frequently asked questions

Add a single script tag to your website's head section with your unique site key. The collector is under 5 KB, loads asynchronously, and has zero impact on your page performance.

No. The collector script loads asynchronously and deferred — it never blocks page rendering. Typical latency overhead is under 1ms per request.

Blocked visitors receive a configurable response: a 403 page, a redirect, or a challenge page. You can customize the message and appearance to match your brand.

Yes. Add your IP or CIDR range to the whitelist under Rules → Whitelist. Whitelisted IPs bypass all rules and are never blocked, even by geo-block rules.

Yes, visitor event data is stored on VisitorFilters infrastructure for analytics purposes, within the retention period of your plan (7–365 days). You can export or delete visitor data at any time from Dashboard → Privacy.

Yes. Each plan allows multiple sites. The Free plan includes 1 site, Pro includes 5, Business includes 20, and Enterprise is unlimited. Each site has independent rules and analytics.

In Monitor mode, rules are evaluated and logged but no enforcement actions are taken — ideal for testing. In Protect mode, rules actively block, challenge, or redirect visitors.

Yes. You can cancel at any time from Dashboard → Billing. Your plan remains active until the end of the current billing period. No cancellation fees.

Start protecting your sites today

Deploy in under 5 minutes. One script tag, full visibility.

Get Started Free