How SmartKiller Protects Your PHP Site — Step by Step

A lot of security tools feel like a black box. You install them, hope they work, and don't really understand what's going on. SmartKiller is different — this guide walks through exactly what happens to every request that arrives at your site, in plain language, no assumptions.

The big picture

SmartKiller runs a quick, layered series of checks before your application code does anything. Good visitors pass through without noticing a thing. Bad ones — bots, scanners, rate abusers — get stopped quietly, shown a clear message, and given a countdown until they can try again.

Step 1 — Is this a search engine bot?

The very first check is whether the visitor is a legitimate crawler like Googlebot or Bingbot. These are the robots that index your site — you want them. So they're always let through, with no rate limits or further checks.

SmartKiller recognises 30 crawlers: all of Google's bots, Bing, Yandex, DuckDuckBot, and social media previewers from Slack, Discord, Telegram, WhatsApp, and others.

Good to know: Because legitimate crawlers are always whitelisted, SmartKiller will never accidentally harm your SEO — even if your rate limits are very tight.

Step 2 — Is this a known attack tool?

After the good bots, SmartKiller checks for known malicious tools. Scanners like sqlmap (SQL injection), nikto (vulnerability scanning), and masscan (bulk scanning) all identify themselves in their request headers. SmartKiller spots these signatures and blocks them immediately — before they touch anything.

Step 3 — What's the history of this IP?

SmartKiller keeps a record of every IP it has dealt with. A quick database lookup checks the IP's current status:

  Status               | What it means                                        | What happens
  ---------------------+------------------------------------------------------+------------------------------------------------------
  Whitelisted          | A trusted IP you've approved (e.g. your own office)  | Let through immediately, no checks at all
  Tracked              | Was blocked before, now being watched                | Let through, but every action is logged
  Blocked              | Misbehaved recently — temporary restriction          | Shown the 429 block page; auto-released after 1 hour
  Permanently limited  | Repeated offender — 5+ violations                    | Always blocked; only removed manually by you

Step 4 — Is it sending too many requests?

For normal visitors with no history, SmartKiller checks three things independently:

  • General rate limit — is this IP sending an unusually high number of requests in a short window?
  • Download limit — has this IP downloaded more files than normal in the last hour?
  • Refresh limit — is this IP reloading the same page over and over within seconds?

Keeping these three counters separate means a normal visitor browsing pages is never caught by a tight download limit, and someone refreshing a page too often is judged on that behaviour alone, even if their total traffic is perfectly fine.

Step 5 — Does the URL look like an attack?

The URL is checked against a configurable list of suspicious patterns. Things like SQL injection strings, path traversal attempts, and common scanner probes match here. A real visitor would never type these — they're almost always automated attacks.
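As an added illustration (not SmartKiller's own code), here is how Steps 1, 2 and 5 can be expressed as a single screening function that runs before the IP-history and rate-limit checks. The crawler names, scanner signatures and URL patterns are constructed sample lists, and the assumption that crawlers and tools are recognised by their User-Agent header is mine, not a statement of how SmartKiller does it:

```php
<?php
// Added example (not SmartKiller's own code): a minimal version of the
// three header/URL checks described in Steps 1, 2 and 5. The signature
// lists and the order of checks are assumptions; the real lists are larger.

declare(strict_types=1);

// Step 1: self-reported crawler names that are always allowed through.
const TRUSTED_CRAWLERS = ['Googlebot', 'Bingbot', 'YandexBot', 'DuckDuckBot', 'Slackbot'];

// Step 2: default User-Agent fragments of well-known scanning tools.
const SCANNER_SIGNATURES = ['sqlmap', 'nikto', 'masscan'];

// Step 5: URL patterns no ordinary visitor types (constructed sample list).
const SUSPICIOUS_URL_PATTERNS = [
    '~\.\./~',                             // path traversal
    '~%2e%2e(/|%2f)~i',                    // URL-encoded traversal
    '~\bunion\b.+\bselect\b~i',            // classic SQL injection probe
    '~\.(env|git/config|htpasswd)(\?|$)~', // secrets / repo probing
];

/**
 * Returns 'allow' (trusted crawler), 'block' (attack tool or suspicious
 * URL) or 'continue' (hand off to the IP history and rate-limit checks).
 */
function screenRequest(string $userAgent, string $uri): string
{
    foreach (TRUSTED_CRAWLERS as $name) {
        if (stripos($userAgent, $name) !== false) {
            return 'allow';
        }
    }
    foreach (SCANNER_SIGNATURES as $sig) {
        if (stripos($userAgent, $sig) !== false) {
            return 'block';
        }
    }
    // Check both the raw and the decoded URI so encoding does not hide a match.
    $decoded = rawurldecode($uri);
    foreach (SUSPICIOUS_URL_PATTERNS as $pattern) {
        if (preg_match($pattern, $uri) === 1 || preg_match($pattern, $decoded) === 1) {
            return 'block';
        }
    }
    return 'continue';
}

// Constructed sample requests (User-Agent, URI) to exercise the function.
$samples = [
    ['Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)', '/products'],
    ['sqlmap/1.7 (https://sqlmap.org)', '/item.php?id=1'],
    ['Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0', '/download.php?file=../../etc/passwd'],
    ['Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0', '/search?q=union%20select%20password'],
    ['Mozilla/5.0 (Windows NT 10.0) Chrome/120.0', '/about'],
];
foreach ($samples as [$ua, $uri]) {
    printf("%-9s %s\n", screenRequest($ua, $uri), $uri);
}
```

Two points worth keeping in mind with checks like these: the User-Agent is set by the client, so an allow-list matched on it only holds for software that reports its true identity (production deployments typically confirm a claimed Googlebot with a reverse DNS lookup), and a tool that changes its default User-Agent will not match the signature list, which is exactly why the IP-history and rate-limit steps follow this first screen.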

What happens when someone gets blocked?

Blocked visitors see a clean page with a countdown until their block expires. The page sends HTTP 429 — the correct code, which tells search engines this isn't real content and to come back later. If a legitimate visitor thinks they were blocked by mistake, the page shows your Telegram contact so they can reach out.

No manual work needed: Blocks expire automatically every hour. Only permanent limits — given after 5+ violations — require your manual review.

Cloudflare vs. SmartKiller: Do You Need Both?

If you already use Cloudflare, you might wonder why you'd also need SmartKiller. The answer is that they protect different things at different layers — and understanding the difference helps you use both more effectively.

What Cloudflare is really good at

Cloudflare is a global network that sits between the internet and your server. It excels at absorbing large, fast attacks (thousands of requests per second from hundreds of IPs at once), soaking up that traffic before it ever reaches your hosting provider. For volumetric attacks, it's excellent.

What it cannot do easily on the free tier: make nuanced, application-level decisions. It doesn't know that a specific IP downloaded your files 30 times today, or that one IP is slowly hammering your login form under the radar. And it can be bypassed entirely if someone finds your server's real IP and connects directly.

What SmartKiller adds

SmartKiller runs on your server, inside your PHP application. It has access to everything Cloudflare doesn't: your database, your request history, and the full context of what's happening at the application level. It handles abuse that slips through CDN filters — and because it lives in your code, it works even if Cloudflare is bypassed or goes offline.

The practical split: Cloudflare stops the floods. SmartKiller handles the persistent drips. Together they cover both ends of the threat spectrum.

Using both together — one line of code

When your site runs behind Cloudflare, the real visitor's IP is passed in a header called CF-Connecting-IP. By default, SmartKiller reads REMOTE_ADDR, which behind Cloudflare would be Cloudflare's server IP — not the visitor's. That would break rate limiting entirely. Fixing it is one line:

  // In smartkiller.php → getRealIP()
  // Uncomment when running behind Cloudflare:
  if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
      $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
  }
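The following is an added example of a getRealIP() with that header in use; it is not the project's own function. Because CF-Connecting-IP is only meaningful when the request actually arrived through Cloudflare, the example trusts it only when REMOTE_ADDR lies in a Cloudflare address range. The ranges shown are placeholders (the real list is published at https://www.cloudflare.com/ips/), and the ipInCidr() helper is IPv4-only for brevity:

```php
<?php
// Added example, not SmartKiller's own getRealIP(): resolves the visitor IP
// behind Cloudflare, but only trusts CF-Connecting-IP when the TCP peer is
// itself a Cloudflare edge. The range list is a placeholder; fill it from
// Cloudflare's published list (https://www.cloudflare.com/ips/).

declare(strict_types=1);

// PLACEHOLDER ranges (assumption for the example; replace with the real list,
// and add the IPv6 ranges if your server accepts IPv6 connections).
const CLOUDFLARE_RANGES = ['203.0.113.0/24', '198.51.100.0/24'];

/** True if $ip (IPv4) lies inside the CIDR block $cidr. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** Returns the address that the rate-limit counters should be keyed on. */
function getRealIP(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if ($claimed === '' || filter_var($claimed, FILTER_VALIDATE_IP) === false) {
        return $peer;
    }
    foreach (CLOUDFLARE_RANGES as $range) {
        if (ipInCidr($peer, $range)) {
            return $claimed; // header was set by Cloudflare, safe to use
        }
    }
    // Direct connection that did not pass through Cloudflare: ignore the
    // header and key on the peer, so the counters stay tied to the real source.
    return $peer;
}

// Constructed requests: one via Cloudflare, one direct that carries the header anyway.
$viaCloudflare = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CF_CONNECTING_IP' => '192.0.2.50'];
$direct        = ['REMOTE_ADDR' => '192.0.2.99', 'HTTP_CF_CONNECTING_IP' => '192.0.2.50'];
echo getRealIP($viaCloudflare), PHP_EOL; // visitor address taken from the header
echo getRealIP($direct), PHP_EOL;        // peer address; header ignored
```

The range check matters because a connection that bypasses Cloudflare and reaches the server directly (the scenario described in the Cloudflare section) can carry an arbitrary CF-Connecting-IP value; keying the counters on it unconditionally would let a block land on the wrong address.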

What if I don't want Cloudflare?

That's completely fine. SmartKiller works perfectly as a standalone firewall on any PHP + MySQL hosting. For most small to medium websites, SmartKiller alone is more than enough.

Tip: Start without Cloudflare and add it later if needed. SmartKiller will keep working — just uncomment that one line when you do.

Rate Limiting: The Quiet Defence Your Site Probably Doesn't Have

Imagine leaving your front door open with a "take one" sign on a bowl of candy. Most people take one. A few grab a handful. And occasionally, someone takes the whole bowl. That's what happens to a website with no rate limiting — most visitors behave fine, but the ones who don't can cause real damage.

What rate limiting actually does

Rate limiting is simply a rule: "You can make this many requests in this window. After that, you wait." It's one of the most effective and least disruptive defences you can add, because legitimate users almost never hit the limit, while bots — which fire requests as fast as the server accepts them — hit it immediately.

Why track by IP address?

SmartKiller tracks requests by IP address — the most practical approach for public-facing PHP applications. It works for unauthenticated visitors on login pages, download pages, and public APIs where you don't have a user identity yet. The trade-off is that shared IPs (large offices, universities) may have many real people behind them, so set your thresholds generously at first.

Sliding window — more accurate than fixed buckets

SmartKiller uses a sliding window: it counts all requests from an IP in the last N seconds (configurable). This is more accurate than a fixed window, which resets at a clock boundary and can be exploited by timing requests just after a reset. With a sliding window, the limit always reflects the most recent activity.

Three counters instead of one

SmartKiller keeps three separate rate counters per IP. This matters a lot in practice:

  • General requests — total page visits in a time window. Catches scrapers with high overall volume.
  • Downloads — file downloads specifically. Be strict about bandwidth without penalising normal browsing.
  • Page refreshes — rapid repeated hits on the same URI. Catches bots hammering a single endpoint even when their total request count looks normal.

Without separate counters you'd have to choose: a strict global limit that catches abusers but also blocks power users, or a generous limit that's too easy for bots. Three counters let you be firm exactly where it matters.

Offenses and escalation — the key to fairness

Tripping a limit once doesn't mean you're permanently locked out. SmartKiller gives each IP an offense count. Each violation adds one. Temporary 1-hour blocks are issued along the way. After 5 total offenses, the IP is permanently limited and requires your manual review.

  • A real user who accidentally hammers F5 too many times gets a 1-hour block and moves on normally.
  • An automated bot that keeps coming back after each block gets escalated and eventually removed from normal traffic — where it belongs.

Practical tip: Start with generous limits and tighten them after a few days of real traffic. SmartKiller logs every decision so you can review which IPs are hitting limits before adjusting. Better to be too generous at first than to block a real user.
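To make the mechanics concrete, here is an added example (not SmartKiller's code) of a sliding-window limiter with the three counters, the 1-hour temporary block and the five-offense permanent limit described in this section. The thresholds, the in-memory storage used in place of MySQL, and the class and method names are assumptions for the example:

```php
<?php
// Added example, not SmartKiller's own code: a sliding-window limiter with
// three independent counters per IP and offense escalation. Storage is an
// in-memory array so it runs stand-alone; SmartKiller keeps this in MySQL.

declare(strict_types=1);

final class RateLimiter
{
    // Assumed thresholds: [max events, window in seconds] per counter.
    private const LIMITS = [
        'general'  => [60, 60],   // 60 page requests per minute
        'download' => [20, 3600], // 20 file downloads per hour
        'refresh'  => [5, 10],    // 5 hits on the same URI in 10 seconds
    ];
    private const BLOCK_SECONDS = 3600; // temporary block length
    private const MAX_OFFENSES  = 5;    // permanent limit after this many

    /** @var array<string, array<string, float[]>> event timestamps per ip / counter key */
    private array $events = [];
    /** @var array<string, array{offenses:int, blocked_until:float}> per-ip history */
    private array $history = [];

    /** Records one event and returns 'ok', 'blocked' or 'permanent'. */
    public function check(string $ip, string $counter, string $uri, float $now): string
    {
        $h = $this->history[$ip] ?? ['offenses' => 0, 'blocked_until' => 0.0];
        if ($h['offenses'] >= self::MAX_OFFENSES) {
            return 'permanent'; // only a manual review releases this IP
        }
        if ($now < $h['blocked_until']) {
            return 'blocked';   // still inside the 1-hour block
        }

        [$max, $window] = self::LIMITS[$counter];
        // The refresh counter is keyed per URI; the other two per IP only.
        $key = $counter === 'refresh' ? "$counter:$uri" : $counter;
        $stamps = $this->events[$ip][$key] ?? [];

        // Sliding window: drop everything older than the window, then add this hit.
        $stamps = array_values(array_filter($stamps, fn(float $t) => $t > $now - $window));
        $stamps[] = $now;
        $this->events[$ip][$key] = $stamps;

        if (count($stamps) > $max) {
            $h['offenses']++;
            $h['blocked_until'] = $now + self::BLOCK_SECONDS;
            $this->events[$ip] = []; // counters restart after the block
            $this->history[$ip] = $h;
            return $h['offenses'] >= self::MAX_OFFENSES ? 'permanent' : 'blocked';
        }
        $this->history[$ip] = $h;
        return 'ok';
    }

    public function offenses(string $ip): int
    {
        return $this->history[$ip]['offenses'] ?? 0;
    }
}

// Constructed scenario: one IP refreshes /news six times within a second.
$limiter = new RateLimiter();
$t = 1_700_000_000.0;
for ($i = 0; $i < 6; $i++) {
    echo $limiter->check('192.0.2.10', 'refresh', '/news', $t + $i * 0.1), PHP_EOL;
}
// The same IP returns an hour later: the block has expired and it is released,
// but its offense count is kept so repeat behaviour escalates.
$t += 3601;
echo $limiter->check('192.0.2.10', 'general', '/', $t), PHP_EOL;
echo 'offenses so far: ', $limiter->offenses('192.0.2.10'), PHP_EOL;
```

Because the offense count survives the block while the counters are reset, a visitor who trips a limit once returns to normal after an hour, whereas an IP that trips a limit on five separate occasions reaches the permanent state and stays there until it is reviewed by hand, which is the escalation behaviour described above.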