SmartKiller
Web Security Blog · v2.1
Blog Features Contact Get SmartKiller
Home / Blog

Security in plain English

No jargon. No doom and gloom. Clear, honest articles about keeping your website safe — whether you're a developer or a site owner who just wants things to work.

Guide · By ©FreddyDeveloper

How SmartKiller Protects Your PHP Site — Step by Step

A lot of security tools feel like a black box. You install them, hope they work, and don't really understand what's going on. This guide walks through exactly what SmartKiller does to every request that arrives at your site — in plain language, no assumptions.

The big picture

SmartKiller runs a quick, layered series of checks before your application code does anything. Good visitors pass through without noticing a thing. Bad ones — bots, scanners, rate abusers — get stopped quietly and shown a clear message with a countdown until they can try again.

Step 1 — Is this a search engine bot?

The very first check is whether the visitor is a legitimate crawler like Googlebot or Bingbot. These are the robots that index your site — you want them. So they're always let through unconditionally, with no rate limits or further checks. SmartKiller recognises 30 crawlers: all of Google's bots, Bing, Yandex, DuckDuckBot, and social media previewers from Slack, Discord, Telegram, WhatsApp, and others.

Good to know: Because legitimate crawlers are always whitelisted, SmartKiller will never accidentally harm your SEO — even if your rate limits are very tight.

Step 2 — Is this a known attack tool?

After the good bots, SmartKiller checks for known malicious tools. Scanners like sqlmap (SQL injection), nikto (vulnerability scanning), and masscan (bulk scanning) all identify themselves in their request headers. SmartKiller spots these signatures and blocks them immediately — before they touch anything at all.

Step 3 — What's the history of this IP?

SmartKiller keeps a record of every IP it has dealt with. A quick database lookup reveals the IP's current status:

StatusWhat it meansWhat happens
WhitelistedA trusted IP you've approved (e.g. your office)Let through immediately, no checks at all
TrackedWas blocked before, now being watchedLet through, but every action is logged
BlockedMisbehaved recently — temporary restrictionShown 429 block page; auto-released after 1 hour
Permanently limitedRepeated offender — 5+ violationsAlways blocked; only removed manually by you

Step 4 — Is it sending too many requests?

For normal visitors with no history, SmartKiller checks three things independently:

  • General rate limit — is this IP sending an unusually high number of requests in a short window?
  • Download limit — has this IP downloaded more files than normal in the last hour?
  • Refresh limit — is this IP reloading the same page over and over within seconds?

Keeping these three counters separate means normal visitors are never caught by a tight download limit, and someone refreshing a page too often doesn't get penalised if their total traffic is perfectly fine.

Step 5 — Does the URL look like an attack?

The URL is checked against a configurable list of suspicious patterns — SQL injection strings, path traversal attempts, common scanner probes. A real visitor would never type these. They're almost always automated.

What happens when someone gets blocked?

Blocked visitors see a clean page with a countdown until their block expires. The page sends HTTP 429 — the correct code, which tells search engines this isn't real content. If a legitimate visitor thinks they were blocked by mistake, the page shows your contact info so they can reach out.

No manual work needed: Blocks expire automatically every hour. Only permanent limits — given after 5+ violations — require your manual review.
SmartKiller v2.1 · ©FreddyDeveloper Next: Cloudflare vs. SmartKiller →
Comparison · By ©FreddyDeveloper

Cloudflare vs. SmartKiller: Do You Need Both?

If you already use Cloudflare, you might wonder why you'd also need SmartKiller. The answer is that they protect different things at different layers — and understanding the difference helps you use both more effectively.

What Cloudflare is really good at

Cloudflare is a global network that sits between the internet and your server. Its strength is absorbing large, fast attacks — thousands of requests per second from hundreds of IPs simultaneously. It handles that traffic before it ever reaches your hosting provider. For volumetric attacks, it's excellent.

What it cannot do easily on the free tier: make nuanced, application-level decisions. It doesn't know that a specific IP downloaded your files 30 times today, or that your login form is being slowly hammered under the radar. And it can be bypassed entirely if someone finds your server's real IP and connects directly.

What SmartKiller adds

SmartKiller runs on your server, inside your PHP application. It has access to everything Cloudflare doesn't: your database, your request history, and the full context of what's happening at the application level. And because it lives in your code, it works even if Cloudflare is bypassed or goes offline.

The practical split: Cloudflare stops the floods. SmartKiller handles the persistent drips. Together they cover both ends of the threat spectrum — and you only need one small config change to make them work in tandem.

Using both together — one line of code

When your site runs behind Cloudflare, the real visitor's IP is passed in a header called CF-Connecting-IP. By default, SmartKiller reads REMOTE_ADDR, which behind Cloudflare would be Cloudflare's server IP — not the visitor's. That would break rate limiting. Fixing it takes one line in smartkiller.php:

// In getRealIP() — uncomment when behind Cloudflare: if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];

What if I don't want Cloudflare?

That's completely fine. SmartKiller works perfectly as a standalone firewall on any PHP + MySQL hosting. For most small to medium websites, SmartKiller alone is more than enough.

Tip: Start without Cloudflare and add it later if needed. SmartKiller will keep working — just uncomment that one line when you do.
SmartKiller v2.1 · ©FreddyDeveloper Next: Rate Limiting →
Deep Dive · By ©FreddyDeveloper

Rate Limiting: The Quiet Defence Your Site Probably Doesn't Have

Imagine leaving your front door open with a "take one" sign on a bowl of candy. Most people take one. A few grab a handful. And occasionally, someone takes the whole bowl. That's what happens to a website with no rate limiting.

What rate limiting actually does

Rate limiting is simply a rule: "You can make this many requests in this window. After that, you wait." It's one of the most effective and least disruptive defences you can add, because legitimate users almost never hit the limit, while bots — which fire requests as fast as the server accepts them — hit it almost immediately.

Why track by IP address?

SmartKiller tracks requests by IP address — the most practical approach for public-facing PHP applications. It works for unauthenticated visitors on login pages, download pages, and public APIs. The trade-off is that shared IPs (large offices, universities) may have many real people behind them, so set your thresholds generously at first and tune from there.

Sliding window — more accurate than fixed buckets

SmartKiller uses a sliding window: it counts all requests from an IP in the last N seconds (configurable by you). This is more accurate than a fixed window, which resets at a clock boundary and can be exploited by timing requests right after a reset. With a sliding window, the limit always reflects the most recent activity.

Three counters instead of one

SmartKiller keeps three separate rate counters per IP, and this matters a lot in practice:

  • General requests — total page visits in a time window. Catches scrapers with high overall volume.
  • Downloads — file downloads specifically. Be strict about bandwidth without penalising normal browsing.
  • Page refreshes — rapid repeated hits on the same URI. Catches bots hammering a single endpoint even when their total count looks normal.

Without separate counters you'd be forced to pick: a strict global limit that catches abusers but also blocks power users, or a generous limit that's too easy for bots to stay under. Three counters lets you be firm exactly where it matters.

Offenses and escalation — the key to fairness

Tripping a limit once doesn't mean you're permanently locked out. SmartKiller gives each IP an offense count. Each violation adds one. Temporary 1-hour blocks are issued along the way. After 5 total offenses, the IP is permanently limited and requires your manual review. This escalation is intentional and fair:

  • A real user who accidentally hammers F5 too many times gets a 1-hour block and moves on normally.
  • An automated bot that keeps returning after each block gets escalated and eventually removed from normal traffic entirely.
Practical tip: Start with generous limits and tighten them after a few days of real traffic. SmartKiller logs every decision so you can review which IPs are hitting limits before adjusting thresholds.
SmartKiller v2.1 · ©FreddyDeveloper Get SmartKiller free →