Appearance
Install Botfighter
Paste one script tag on your site. That's it.
html
<script
src="https://botfighter.dev/botfighter.js"
data-site="YOUR-SITE-ID"
data-api="https://api.botfighter.dev"
data-honeypot="true"
defer>
</script>Finding your Site ID
Log in at dash.botfighter.dev → your Site ID is shown at the top of the dashboard.
Snippet attributes
| Attribute | Required | Default | Description |
|---|---|---|---|
data-site | Yes | — | Your unique site ID from the dashboard |
data-honeypot | No | true | Render an invisible honeypot link to catch naive bots — set false to disable |
data-sample | No | 1.0 | Sampling rate (0.0–1.0). Set to 0.1 to report 10% of visits |
data-privacy | No | false | Strip IP and canvas fingerprint before sending — GDPR-friendly mode |
Where to put it
The snippet needs to render before </body> on every page — but on virtually every real platform, that's one edit, not per-page work. You add it once to whatever your site already uses to render every page the same way:
- CMS or store platform (WordPress, Shopify, Ghost, Webflow, Wix...) → your theme's shared footer/layout template. One save, live on every page instantly. See your platform guide.
- Static site generator (Hugo, Jekyll, Eleventy, Astro...) → the shared layout partial (e.g.
layouts/partials/footer.html), then rebuild. - Single-page app (React, Vue, Svelte) → your root
index.html, once. - Raw static HTML with no shared template (a handful of hand-authored
.htmlfiles) → this is the one real exception. If you're on Netlify, use Snippet Injection (Site settings → Post processing) to inject it site-wide with zero file edits. Otherwise, a server-side include (<!--#include virtual="/inc/botfighter.html" -->on Apache/nginx) keeps it to one file to maintain. Editing every page by hand is a last resort for a two- or three-page site, not a real plan for a large one.
html
<!-- your page content -->
<script
src="https://botfighter.dev/botfighter.js"
data-site="YOUR-SITE-ID"
data-api="https://api.botfighter.dev"
data-honeypot="true"
defer>
</script>
</body>The defer attribute means it loads after your content — no impact on page rendering.
What the snippet does NOT do
- Does not set cookies
- Does not block or redirect any visitor
- Does not slow down page load (
defer+ async signal POST) - Does not send any data to third parties
Want it to actually stop bots, not just see them? The snippet is JS-only, so non-JS scrapers (curl, Python, headless tools) never trigger it at all. See Real blocking (server-side) for a WordPress plugin, PHP snippet, npm middleware, or edge function that returns a real 403 before content is served.
Verify it's working
- Open your site in a browser
- Open DevTools → Network tab → filter by
signal - You should see a
POSTtohttps://api.botfighter.dev/signalreturning{"ok":true} - Within a few seconds, the visit appears in your dashboard
Platform guides
Pick your platform for step-by-step instructions:
- WordPress
- Shopify
- Ghost
- Webflow
- Wix
- Hugo
- Squarespace
- Vercel / Netlify
- Other website builders (GoDaddy, Namecheap, Weebly, IONOS MyWebsite, Hostinger Website Builder, Strikingly, Jimdo, Site123, Web.com, one.com)
- HTML / Other
E-commerce:
Need help? Check the dashboard for your live signal feed.