The GhostGuard PHP client file is your server-side enforcement layer. Upload it once, protect any page in three lines.
Download your pre-keyed PHP client from the Install guide tab in your dashboard. The file has your API key already embedded — no manual configuration required.
Upload the PHP client file to your website root, for example:
The file makes outbound HTTPS calls to ghostguard.privacyhash.com. Ensure your server can make outbound cURL requests on port 443. PHP curl extension must be enabled (standard on all shared hosts).
Add these three lines to the very top of any PHP page you want to protect, before any output:
That's it. The protect() method checks the visitor's session score and silently exits with HTTP 403 if they are classified as a bot. Real users never notice anything.
To score inbound email or contact form submissions, use the MailSensor integration. This requires a Pro or Enterprise plan.
If GhostGuard is unreachable (network issue, timeout), protect() allows the request through automatically. The client has a 2-second timeout. Your site never goes offline because of GhostGuard.
Protect a login page:
Protect a contact form POST: