How to Protect Your PHP Site in 5 Minutes with Guardian Web

Web security is often seen as something complex, reserved for experts. The truth is that the most common attacks — brute force, vulnerability scans, malicious bots — can be blocked with very little effort if you have the right tools.

In this guide we show you how to protect any PHP site, including WordPress, with Guardian Web in under 5 minutes.

What do you need?

• A Guardian Web account (free)
• FTP access or your hosting file manager
• 5 minutes of your time

Step 1 — Create your account and add your site

Register at app.guardianweb.es. Once inside, go to My Sites → Add site and enter the domain you want to protect. The system will generate a unique API key for that domain.

Step 2 — Download the shield

From your site dashboard, download the gw-shield.php file. It is a single PHP file containing all the protection logic. No external dependencies, no installation required.

Step 3 — Upload the file to your server

Connect via FTP (or use your hosting file manager) and upload gw-shield.php to the root of your project, next to your index.php.

Step 4 — Add one line of code

Open your index.php (or wp-config.php for WordPress) and add this line at the very top, before any other instruction:

<?php
// Add this line at the top of index.php
require_once __DIR__ . '/gw-shield.php';

// The rest of your code continues here...

For WordPress, the line goes in wp-config.php:

<?php
// In wp-config.php, as the very first line
require_once ABSPATH . 'gw-shield.php';

// define('DB_NAME', ...

Step 5 — Verify it works

Go back to the Guardian Web panel and open the Logs section for your site. If the shield is active, you will see the first requests appearing in real time. The site status indicator will turn green.

What does the shield protect from the start?

• Cached block list: the shield downloads and stores banned IPs locally, working autonomously even if the panel is temporarily unavailable.
• Malicious bot detection: known user-agents from scrapers, hacking tools and spam bots are blocked automatically.
• WordPress-specific attacks: brute-force attempts on xmlrpc.php and wp-login.php, and user enumeration.
• Activity log: every visit is recorded with IP, country, user-agent and result (allowed / blocked).

Next steps

With the shield installed, you can explore the advanced features of the panel:

• GeoIP blocking — restrict access by country with a single click.
• Telegram alerts — receive an instant notification on your phone when an attack is detected.
• AbuseIPDB integration — cross-check each IP against the world's largest public database of malicious IPs.
• Maintenance mode — activate a maintenance page on your site without modifying any server files.

If you have any questions during installation, open a ticket from the panel and we will help you.