Skip to content

Install Botfighter

Paste one script tag on your site. That's it.

html
<script
  src="https://botfighter.dev/botfighter.js"
  data-site="YOUR-SITE-ID"
  data-api="https://api.botfighter.dev"
  data-honeypot="true"
  defer>
</script>

Finding your Site ID

Log in at dash.botfighter.dev → your Site ID is shown at the top of the dashboard.

Snippet attributes

AttributeRequiredDefaultDescription
data-siteYesYour unique site ID from the dashboard
data-honeypotNotrueRender an invisible honeypot link to catch naive bots — set false to disable
data-sampleNo1.0Sampling rate (0.0–1.0). Set to 0.1 to report 10% of visits
data-privacyNofalseStrip IP and canvas fingerprint before sending — GDPR-friendly mode

Where to put it

The snippet needs to render before </body> on every page — but on virtually every real platform, that's one edit, not per-page work. You add it once to whatever your site already uses to render every page the same way:

  • CMS or store platform (WordPress, Shopify, Ghost, Webflow, Wix...) → your theme's shared footer/layout template. One save, live on every page instantly. See your platform guide.
  • Static site generator (Hugo, Jekyll, Eleventy, Astro...) → the shared layout partial (e.g. layouts/partials/footer.html), then rebuild.
  • Single-page app (React, Vue, Svelte) → your root index.html, once.
  • Raw static HTML with no shared template (a handful of hand-authored .html files) → this is the one real exception. If you're on Netlify, use Snippet Injection (Site settings → Post processing) to inject it site-wide with zero file edits. Otherwise, a server-side include (<!--#include virtual="/inc/botfighter.html" --> on Apache/nginx) keeps it to one file to maintain. Editing every page by hand is a last resort for a two- or three-page site, not a real plan for a large one.
html
  <!-- your page content -->

  <script
    src="https://botfighter.dev/botfighter.js"
    data-site="YOUR-SITE-ID"
    data-api="https://api.botfighter.dev"
    data-honeypot="true"
    defer>
  </script>
</body>

The defer attribute means it loads after your content — no impact on page rendering.

What the snippet does NOT do

  • Does not set cookies
  • Does not block or redirect any visitor
  • Does not slow down page load (defer + async signal POST)
  • Does not send any data to third parties

Want it to actually stop bots, not just see them? The snippet is JS-only, so non-JS scrapers (curl, Python, headless tools) never trigger it at all. See Real blocking (server-side) for a WordPress plugin, PHP snippet, npm middleware, or edge function that returns a real 403 before content is served.

Verify it's working

  1. Open your site in a browser
  2. Open DevTools → Network tab → filter by signal
  3. You should see a POST to https://api.botfighter.dev/signal returning {"ok":true}
  4. Within a few seconds, the visit appears in your dashboard

Platform guides

Pick your platform for step-by-step instructions:

E-commerce:


Need help? Check the dashboard for your live signal feed.