How it works

From a single script tag to automatic IP exclusion in 5 minutes

ClickClickBlock installs in one line, detects fraud in real time against seven behavioural rules plus three external threat feeds, and automatically syncs blocked IPs to your ad platforms — all without you lifting a finger after setup.

1. Install the snippet

After signup, your dashboard gives you a one-line snippet. Paste it into your website's <head> or before </body> — it works with any site builder (WordPress, Shopify, Wix, Squarespace, plain HTML, and any framework).

<script>window._cfp={api:'https://ccblo.com/api',key:'YOUR_KEY'};</script>
<script src="https://ccblo.com/t.js" async></script>

The tracker is roughly 2.9KB minified, loads asynchronously, and never blocks page rendering.

Snippet served from ccblo.com — a neutral domain we use so ad-blockers and tracking-prevention browsers don't filter it out.

2. Every visit is checked for fraudulent behaviour

As soon as someone lands on your site, the snippet watches for the tell-tale signs of click fraud — unnaturally fast repeated clicks on the same ad, clicks with no mouse movement (a classic bot pattern), visits coming from hosting providers or datacentres where real customers don't live, and IP addresses that have already been reported for abuse across the wider internet.

Every signal is streamed to our API over HTTPS, where it passes through seven behavioural detection rules plus three external threat-intelligence sources (Spamhaus DROP, Tor exit-node list, and AbuseIPDB). Anything that matches a rule is flagged in your dashboard the moment it happens.

We look at behaviour, not identity — no names, no emails, nothing that identifies the visitor as a person. Full data-handling details are at /privacy.

3. Fraudulent visitors are blocked on-site instantly

The moment a visitor is flagged, the tracker hides your ad units from them on subsequent page views — using CSS display:none plus a MutationObserver so dynamically-inserted ads are caught too. This on-site block is platform-agnostic: it works for Google Ads, Microsoft Ads, Meta Ads, or any ad network, with no integration required.

The blocked visitor's IP is logged in your dashboard with the full audit trail: which rule fired, the velocity of their clicks, the exact timing, their mouse-movement pattern. Full transparency.

4. Connect your ad platform (one-click OAuth)

In your dashboard, click Connect Google Ads or Connect Microsoft Ads. You're redirected to Google's or Microsoft's standard OAuth consent screen, where you grant ClickClickBlock permission to manage only your IP exclusion lists — never campaigns, bids, or budgets.

We store an encrypted refresh token in your tenant record (AES-256-GCM). You can disconnect at any time from the dashboard; we immediately revoke the token upstream and delete it from our database.
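
One way to store a refresh token under AES-256-GCM, shown as an added example that is not ClickClickBlock's code. The function names, the `tenantId` binding and the record layout (nonce, tag, ciphertext) are assumptions.

```javascript
// Added example, not ClickClickBlock's code. sealToken, openToken, tenantId
// and the nonce|tag|ciphertext layout are assumptions made for illustration.
const crypto = require('node:crypto');

// Encrypt a refresh token with AES-256-GCM. The tenant id is passed as
// additional authenticated data (AAD), so a ciphertext copied into another
// tenant's record fails authentication instead of decrypting.
function sealToken(key, tenantId, refreshToken) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(tenantId, 'utf8'));
  const ct = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function openToken(key, tenantId, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 28) throw new Error('sealed token too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(tenantId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, tenant id, nonce, tag or ciphertext do not match.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Returns true when fn throws, i.e. when decryption is rejected.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample values; a real key would come from a KMS or secret store.
const key = crypto.randomBytes(32);
const sealed = sealToken(key, 'tenant-a', 'constructed-refresh-token');
console.log(openToken(key, 'tenant-a', sealed));
console.log(rejects(() => openToken(key, 'tenant-b', sealed)));
```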

Want the full technical details?

The Google Ads integration page lists every API method we call, the full OAuth flow with CSRF-signed state, exactly what we store and don't store, the do/don't checklist, and our compliance commitments.

Read the Google Ads integration page →

5. Blocked IPs auto-sync every 2 minutes

A background job pushes every newly-blocked IP to your connected ad platforms. For Google Ads, IPs are added as negative IP criteria at the campaign or account (customer) level — the ad still runs, Google just stops showing it to those specific IPs. For Microsoft Ads, we use the equivalent IP exclusion endpoint.

We respect platform limits (Google's 500-IPs-per-campaign cap, oldest rotated out), and every sync operation is logged in your dashboard with a timestamp and sync status.
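
The cap handling described above, worked through as an added example that is not ClickClickBlock's code. `planSync`, the `{ ip, blockedAt }` record shape and the rule that a re-block refreshes an IP's age are assumptions; the result shows which IPs stop being excluded on the ad platform when newer ones arrive.

```javascript
// Added example, not ClickClickBlock's code; planSync and the record shape are assumed.
const CAP = 500; // per-campaign cap quoted on this page

// excluded: IPs currently on the campaign's exclusion list.
// fresh:    IPs blocked since the last sync.
// Both are arrays of { ip, blockedAt } with blockedAt in epoch milliseconds.
function planSync(excluded, fresh, cap = CAP) {
  const byIp = new Map();
  for (const entry of [...excluded, ...fresh]) {
    const prev = byIp.get(entry.ip);
    // Assumption: blocking an IP again refreshes its age.
    if (!prev || entry.blockedAt > prev.blockedAt) byIp.set(entry.ip, entry);
  }
  // Keep the newest `cap` entries; everything older is rotated out.
  const keep = [...byIp.values()]
    .sort((a, b) => b.blockedAt - a.blockedAt)
    .slice(0, cap);
  const keepSet = new Set(keep.map((e) => e.ip));
  const had = new Set(excluded.map((e) => e.ip));
  return {
    add: keep.filter((e) => !had.has(e.ip)).map((e) => e.ip),
    remove: excluded.filter((e) => !keepSet.has(e.ip)).map((e) => e.ip),
  };
}

// Constructed sample (documentation IP ranges) with a cap of 3 for readability.
const onCampaign = [
  { ip: '203.0.113.1', blockedAt: 1 },
  { ip: '203.0.113.2', blockedAt: 2 },
  { ip: '203.0.113.3', blockedAt: 3 },
];
const newlyBlocked = [
  { ip: '203.0.113.4', blockedAt: 4 },
  { ip: '203.0.113.1', blockedAt: 5 }, // seen again, so no longer the oldest
];
const plan = planSync(onCampaign, newlyBlocked, 3);
console.log(plan);
```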

Don't want to connect your ad platform? Every dashboard has a Copy blocked IPs button — you can paste them into Google Ads or Microsoft Ads UI manually.

6. Review, tune, and report

Your dashboard shows the live stream of blocked visitors with device, browser, location, velocity, and the exact rule that caught them. You can:

  • Unblock any visitor with one click (removes from ad platforms too)
  • Tune detection thresholds per rule (max clicks per session, min interval, and more)
  • Set per-rule block durations — permanent for bot user-agents, 24h for borderline behavioural rules
  • Check your Protection Health Score (0-100 with ranked next actions)
  • Receive Smart Alerts in-dashboard and by email when fraud rates spike
  • Compare our catches to your Google Analytics coverage (proves the tracker is working correctly)

The full detection stack

Every visitor passes through ten evaluation layers in priority order. The first rule to trigger at a high enough severity results in a block.

0a Public threat feeds

Spamhaus DROP list (bulletproof hosting IP ranges) plus the Tor exit-node list. Refreshed hourly. Permanent block on match.

0 Threat intelligence

Every unique IP checked against AbuseIPDB's community reputation database. Confidence 75+ triggers a block; 90+ is permanent.

0b Fraud-score feed

Optional IPQualityScore integration for commercial-grade ad-fraud detection (VPNs, residential proxies, bot networks).

0.5 Community blocklist

A cross-customer shared list — every block contributes (with opt-out). IPs flagged by 5+ independent customers get permanent bans.

1 Bot user-agent

Detects bots that identify themselves as known crawlers, scrapers, or automation tools in their User-Agent header. Permanent block.

2 Datacenter IP

Identifies AWS, Google Cloud, Azure, DigitalOcean, Linode, and other hosting provider ranges. Servers aren't real customers.

3 Session click limit

Too many ad clicks in one session — default max 3. Benefit-of-the-doubt 24h block (adjustable).

4 Daily click limit

Repeat visitor clicking ads across multiple sessions. Default 5/day threshold; 7-day block default.

5 Rapid-fire click velocity

Clicks faster than a human can physically click. High-confidence bot signal, 72h block default.

6 Zero mouse movement

Clicked an ad without moving the mouse. Automated browser behaviour.

7 Instant first click

First click within 2s of landing — too fast for a real person to read and react. Bot-like.

8 Behavioural score gate

Catches "death by a thousand paper cuts" — visitors who don't cross any single rule's threshold but accumulate enough weak signals (default 60/100).
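
The priority-ordered evaluation described in this section, as an added example that is not ClickClickBlock's code. It covers a subset of the layers with the defaults quoted above and treats any match as a block; the visitor field names, the user-agent pattern and the 100 ms rapid-fire interval are assumptions.

```javascript
// Added example, not ClickClickBlock's code. Thresholds are the defaults quoted
// on this page unless marked "assumed"; all visitor field names are assumed.
const minGapMs = (t) =>
  t.slice(1).reduce((m, x, i) => Math.min(m, x - t[i]), Infinity);

// Ordered as in the list above. block() returning null = duration not stated on the page.
const RULES = [
  { id: '0a threat-feed', hit: (v) => v.onSpamhausDrop || v.isTorExit, block: () => 'permanent' },
  { id: '0 abuseipdb', hit: (v) => v.abuseConfidence >= 75,
    block: (v) => (v.abuseConfidence >= 90 ? 'permanent' : null) },
  { id: '1 bot-user-agent', block: () => 'permanent',
    hit: (v) => /bot|crawler|spider|headless/i.test(v.userAgent) }, // pattern assumed
  { id: '3 session-clicks', hit: (v) => v.clickTimesMs.length > 3, block: () => '24h' },
  { id: '4 daily-clicks', hit: (v) => v.dailyClicks > 5, block: () => '7d' },
  { id: '5 rapid-fire', block: () => '72h',
    hit: (v) => minGapMs(v.clickTimesMs) < 100 }, // 100 ms assumed
  { id: '6 zero-mouse', block: () => null,
    hit: (v) => v.clickTimesMs.length > 0 && v.mouseMoves === 0 },
  { id: '7 instant-first-click', block: () => null,
    hit: (v) => v.clickTimesMs.length > 0 && v.clickTimesMs[0] - v.landedAtMs < 2000 },
  { id: '8 score-gate', hit: (v) => v.behaviouralScore >= 60, block: () => null },
];

// First matching rule wins: lower-priority rules are not evaluated.
function evaluate(visitor) {
  for (const rule of RULES) {
    if (rule.hit(visitor)) {
      return { blocked: true, rule: rule.id, duration: rule.block(visitor) };
    }
  }
  return { blocked: false, rule: null, duration: null };
}

// Constructed sample visitors (documentation IP ranges, invented behaviour).
const base = { onSpamhausDrop: false, isTorExit: false, abuseConfidence: 0,
  userAgent: 'Mozilla/5.0', dailyClicks: 1, mouseMoves: 40, landedAtMs: 0,
  clickTimesMs: [9000], behaviouralScore: 10 };
const human = { ...base, ip: '203.0.113.7' };
const reported = { ...base, ip: '198.51.100.9', abuseConfidence: 80, clickTimesMs: [500, 540] };
const scripted = { ...base, ip: '192.0.2.44', mouseMoves: 0, clickTimesMs: [400, 450, 500] };
const slowDrip = { ...base, ip: '203.0.113.80', behaviouralScore: 64 };

console.log([human, reported, scripted, slowDrip].map(evaluate));
```

The `reported` and `scripted` visitors each match several rules, but only the highest-priority match is returned, so the rule recorded for a block is not the full list of signals the visitor tripped.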

Data flow at a glance

From your visitor's browser to their IP being excluded on Google Ads — every step.

  • Visitor hits your site: Tracker snippet loads from ccblo.com
  • Event streamed to our API: Click timing, mouse activity, IP, device signals
  • Rule engine evaluates: 10 rules run in priority order
  • Threshold crossed? If yes → block + log
  • On-site ad hidden: Instant, all ad platforms
  • Auto-sync to ad platform: Google / Microsoft API every 2 min

Total latency from visitor event to on-site block: typically <200ms. Ad-platform sync adds a 2-minute window but only for future clicks — same-session clicks are already blocked on-site.
