SmartKiller
Web Security Blog · v2.1
Blog Features Contact Get SmartKiller
Protection active — 24 / 7

Your website deserves
to feel safe again.

SmartKiller is a lightweight PHP firewall that quietly handles the bad stuff — bots, scrapers, brute-force attempts — so you never have to think about it. Works with or without Cloudflare.

Get SmartKiller free → Read the blog
No monthly fees
One-time setup
PHP + MySQL only
SEO-safe by design
smartkiller.log — live
# SmartKiller v2.1 — request monitor

ALLOWGooglebot/2.1 — whitelisted crawler
ALLOW203.0.113.12 — normal visitor
BLOCKsqlmap/1.7 — malicious scanner
LIMIT198.51.100.4 — rate limit reached
BLOCK192.0.2.55 — known bad IP
ALLOWbingbot/2.0 — whitelisted crawler
LIMIT172.16.0.9 — download cap exceeded
WATCHMonitoring incoming requests
uptime: 99.9%● protection active0 errors

Featured

Latest guide
Guide · January 2026

How SmartKiller Protects Your PHP Site — Step by Step

A plain-English walkthrough of every check SmartKiller runs on each visitor. Understand what happens at each stage and why it matters.

Read full guide
🛡
// request pipeline

All Articles

3 posts
Comparison · February 2026

Cloudflare vs. SmartKiller: Do You Need Both?

They protect different layers. Here's how to decide which one you need — or why using both makes sense for most sites.

Feb 2026
Deep Dive · February 2026

Rate Limiting: The Quiet Defence Your Site Probably Doesn't Have

Most sites have no limit on how many times one IP can hammer them. Here's why that's a problem — and exactly how SmartKiller fixes it.

Feb 2026

Why it matters

Real concerns, real answers
🤖

"Bots are hammering my site"

Automated scanners probe every site on the web, looking for vulnerabilities — non-stop, day and night.

SmartKiller blocks 30+ scanner signatures before they load a single page.
💀

"Someone is brute-forcing my login"

Bots try thousands of passwords automatically. Without rate limiting, there's nothing to stop them.

Rate limiting kicks in and the IP is blocked automatically after too many attempts.
📥

"People abuse my download links"

Scrapers can exhaust your bandwidth in minutes by looping file downloads silently in the background.

Download limits per IP cut off abusers without touching normal users.
😟

"I don't want to break my SEO"

Accidentally blocking Google is a real fear. The wrong HTTP response can get pages deindexed.

Googlebot and 29 crawlers are always whitelisted. Block page sends HTTP 429, not 200.

How It Works

6 steps
01

Is this a search bot?

Google, Bing, Yandex and 27 others pass through immediately — no rate limits, no friction.

02

Is this a known attacker?

Scanners like sqlmap and nikto announce themselves. SmartKiller spots and blocks them instantly.

03

What's this IP's history?

A quick DB check: trusted, watched, temporarily blocked, or permanently limited.

04

Is it requesting too much?

Three independent counters track traffic, downloads, and rapid page refreshes separately.

05

Does the URL look suspicious?

URIs are matched against patterns that flag attack probes no real visitor would ever send.

06

All clear — visitor gets through.

Legitimate visitors experience nothing. No CAPTCHAs, no delays, no friction whatsoever.

Deployment

2 options
Option A

🔒 Standalone

  • Any shared hosting with PHP + MySQL
  • Two lines added to your pages
  • All settings in config.php
  • No cloud dashboard needed
Option B — Recommended

🛡 Alongside Cloudflare

  • Cloudflare absorbs volumetric floods
  • SmartKiller handles app-level abuse
  • One line enables real-IP detection
  • Works even if Cloudflare goes offline