Website firewall · installs in one line

Stand a watchtower
over your PHP site.

PHProtect blocks SQL injection, XSS, scrapers, and brute-force attacks before they reach your code — and streams every block to a live dashboard you actually want to watch.

◇ No framework ◇ No Composer ◇ Fail-open safe
SQLI 41.79.x.x /product?id=1 UNION SELECT BLOCKED BAD_BOT 185.220.x.x HTTrack/3.49 BLOCKED XSS 103.51.x.x /search?q=<script> BLOCKED RATE_LIMIT 91.238.x.x 412 req/min BLOCKED TRAVERSAL 45.146.x.x /../../etc/passwd BLOCKED BRUTE_FORCE 23.106.x.x /login ×6 BLOCKED SQLI 41.79.x.x /product?id=1 UNION SELECT BLOCKED BAD_BOT 185.220.x.x HTTrack/3.49 BLOCKED XSS 103.51.x.x /search?q=<script> BLOCKED RATE_LIMIT 91.238.x.x 412 req/min BLOCKED TRAVERSAL 45.146.x.x /../../etc/passwd BLOCKED BRUTE_FORCE 23.106.x.x /login ×6 BLOCKED
Coverage

What it stops at the gate

6 threat classes · always on
sqli HIGH

SQL injection

Parameterized-query bypass attempts, UNION probes, blind timing

xss HIGH

Cross-site scripting

Injected <script>, event-handler and javascript: payloads

bad_bot MEDIUM

Scrapers & mirrors

HTTrack, wget, Scrapy, headless clients cloning your site

rate_limit MEDIUM

Floods & abuse

Per-IP request ceilings that throttle hammering clients

brute_force MEDIUM

Credential stuffing

Login lockouts after repeated failed attempts

traversal HIGH

Path traversal / LFI

../ climbs, /etc/passwd reads, php:// wrapper abuse

Setup · about 2 minutes

Three steps to a guarded site

01

Create your site

Sign up and add your domain. We hand you a unique site key and secret.

02

Drop in the agent

Upload one PHP file and add a single line — or one .htaccess directive for the whole site.

03

Watch it work

Blocked attacks stream to your dashboard live, with IPs, payloads, and severity.

One line. Whole site.

.htaccess
# Protect every PHP request automatically
php_value auto_prepend_file "/home/you/phprotect-agent.php"

Prefer per-page? Add require '/path/phprotect-agent.php'; to the top of your files. The agent fails open — if PHProtect is ever unreachable, your site keeps serving.

Your site is being probed right now.

Every public site gets scanned within hours of going live. Put a watchtower up before the next sweep.

Start protecting — free