BitFire Server Settings Enable ( Settings Documentation )
Recommended settings for most sites are labeled .
Please read notes before enabling settings marked .
TLDR; Enable all settings marked - verify in the BitFire dashboard.
BitFire Enable
Enable / Disable all functionality.

Always On Protection
Run BitFire before WordPress with auto_prepend_file. Prevent firewall bypass and save server resources by blocking bad traffic before WordPress loads. This may not be compatible with all server hosting configurations. * See the display_errors setting in the server configuration below.

Log Everything
Log all traffic. The default is to log only blocked traffic (adds ~1-3 ms after each request).

Disable XMLRPC
Disable WordPress XMLRPC functions. This disables the remote API used by the WordPress mobile app, remote scraping, and the remote login API.

BitFire Security Headers Enable (HTTP server configuration)
HTTP security headers are like safety instructions for your WordPress site. They're small pieces of code that your site sends to browsers, telling them how to behave securely. Enabling these headers adds an extra layer of protection, helping prevent attacks and ensuring a safer experience for your visitors.
Send HTTP Security Headers
Deny iframes, disable content sniffing, and remove detailed referer data.

Require SSL
Force SSL and refuse browser connections without SSL. This will break your site if your SSL certificate expires.

Send Content Security Policy (CSP)
A CSP policy defines which domains your site may connect to and load JavaScript, fonts, etc. from. (CSP Documentation)

Send Permission Policy (Feature Policy)
Send a simple CSP header to stop any JavaScript from accessing the microphone, camera, geolocation, or browser payment APIs. This will stop plugins, themes AND malware from using these mobile-specific features.

Deny Cross Origin Resource
Set CORS headers to prevent cross-origin requests. Prevents other sites from making AJAX requests to your site.
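As an added example (not BitFire's own code), the following PHP shows what the Security Headers settings above amount to on the wire: one function assembles the header set for the options that are switched on, and a second sends it before any output. The policy values (the CSP source list, the HSTS max-age, the placeholder origin https://example.com and the font host) are assumptions chosen for illustration; a real site tunes them to the hosts it actually loads from, and verifies the result in the dashboard or with a browser's network inspector.

```php
<?php
// Added example, not BitFire's implementation: build and send the HTTP
// security headers described by the settings above. Policy values are
// illustrative assumptions and must be adapted per site.
declare(strict_types=1);

/**
 * Return the headers (name => value) for the enabled options so they can be
 * inspected before being sent.
 */
function example_security_headers(array $opts): array
{
    $headers = [];

    // "Send HTTP Security Headers": deny iframes, disable MIME sniffing,
    // and send only the origin (not the full URL) as referer to other sites.
    if (!empty($opts['security_headers'])) {
        $headers['X-Frame-Options']        = 'DENY';
        $headers['X-Content-Type-Options'] = 'nosniff';
        $headers['Referrer-Policy']        = 'strict-origin-when-cross-origin';
    }

    // "Require SSL": HSTS makes browsers refuse plain HTTP for max-age seconds.
    // It is only sent over HTTPS; this is why an expired certificate locks
    // visitors out rather than letting them fall back to HTTP.
    if (!empty($opts['require_ssl']) && !empty($opts['is_https'])) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }

    // "Send Content Security Policy": restrict where scripts, fonts and
    // connections may come from: 'self' plus the listed (assumed) hosts.
    if (!empty($opts['csp'])) {
        $src = trim("'self' " . implode(' ', $opts['csp_hosts'] ?? []));
        $headers['Content-Security-Policy'] =
            "default-src 'self'; script-src {$src}; font-src {$src}; " .
            "connect-src {$src}; frame-ancestors 'none'; object-src 'none'; base-uri 'self'";
    }

    // "Send Permission Policy": no origin (including this one) may use
    // microphone, camera, geolocation or the Payment Request API.
    if (!empty($opts['permissions_policy'])) {
        $headers['Permissions-Policy'] = 'microphone=(), camera=(), geolocation=(), payment=()';
    }

    // "Deny Cross Origin Resource": browsers only let scripts from the site's
    // own origin read responses, and other origins may not embed resources.
    if (!empty($opts['deny_cors'])) {
        $headers['Access-Control-Allow-Origin']  = $opts['site_origin'];
        $headers['Cross-Origin-Resource-Policy'] = 'same-origin';
        $headers['Vary']                          = 'Origin';
    }

    return $headers;
}

/** Send the headers; a no-op once output has started (headers cannot be changed then). */
function example_send_headers(array $headers): void
{
    if (headers_sent()) {
        return;
    }
    foreach ($headers as $name => $value) {
        header($name . ': ' . $value, true); // true = replace any earlier header of that name
    }
}

// Usage: in an auto_prepend_file or a WordPress 'send_headers' hook.
$headers = example_security_headers([
    'security_headers'   => true,
    'require_ssl'        => true,
    'is_https'           => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'csp'                => true,
    'csp_hosts'          => ['https://fonts.gstatic.com'], // assumed example host
    'permissions_policy' => true,
    'deny_cors'          => true,
    'site_origin'        => 'https://example.com',         // placeholder origin
]);
example_send_headers($headers);
```

Two design points worth noting: HSTS is gated on the request already being HTTPS, because sending it over HTTP is ignored by browsers and sending it from a site whose certificate later expires is exactly the failure mode the Require SSL note warns about; and CSP is built from an explicit allow-list, so a new external script host shows up as a blocked request in the browser console rather than silently loading.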
BitFire Bot Blocking Enable (BitFire Bot Blocking Documentation)
Bot blocking is like setting up a virtual bouncer for your WordPress site. Bots are automated programs that can do bad things like hacking, spamming, or stealing data. By blocking them, you protect your site from attacks like brute force login attempts, content scraping, and DDoS attacks, making your site safer and more reliable for your visitors.

Require Full Browser
Verify that browsers are not actually bots, by fingerprint or by passing a JavaScript challenge. Blocks brute-force attacks and automated complex web hacks.

Allow only approved bots
Over 3,000 search engines and SEO tools are included. All bots are allowed when this is off. Configurable in Bot Control settings.

Block Hacking Tools
Block bots using default malware, scanning or hacking tools (nmap, wpscan, nikto, etc.).

Block Plugin and Theme Scans
Prevent scanners from crawling your site to detect your plugins and themes (WPScan, etc.).

Do Not Bot Check Ajax Requests
When this option is enabled, your website skips browser verification for AJAX (dynamic) requests, which improves compatibility with certain plugins and themes. When it is off, browser verification also applies to AJAX requests, which increases your website's security.

Challenge Style
The page to display for the browser challenge. This page verifies the browser and instantly redirects to the real page.

Block Web Scrapers
Send a JS challenge to any unknown browser fingerprint, even when just viewing. This does not improve security; it only stops automated scraping of content.

High Sensitivity Block Mode
Block unknown bots by default. You can unblock any bot in Bot Control settings.

Web Application Firewall Features Enable (Traditional WAF configuration)
Block exploits common to all websites: XSS, SQLi, malicious file uploads, etc. This runs after bot/browser verification and can block common web attacks and exploits that run against logged-in users.

Generic Web Blocking
Block generic attacks: XXE, SSI, SSRF, CSRF, etc.

Block XSS
Block Cross Site Scripting attacks.

Block SQLi
Block SQL injection attacks.

Block Malicious Files
Inspect all file uploads for malicious code.

BitFire PRO RASP Settings Enable (Runtime Application Self-Protection)
Runtime Application Self-Protection integrates directly with PHP and WordPress, intercepting all file writes, network calls, and account creations. When any of these events happens, BitFire checks that the action is being performed by an authorized user. If not, the action is blocked and logged. This prevents hackers from uploading any PHP script or creating a backdoor account.

RASP FileSystem Protection
Force RASP access control on all PHP files. Prevent PHP files from being modified or deleted unless logged in as Administrator.

RASP Database Protection
Force RASP checks on all database queries. Prevent altering sensitive DB tables unless logged in as Administrator.

RASP Network Protection
Prevent connections to bot command-and-control networks and stop man-in-the-middle attacks.

RASP Authentication Protection
Verify that users have correctly authenticated and prevent privilege escalation vulnerabilities. This will stop plugins from bypassing WordPress authentication, but may break some plugins that provide authentication alternatives.
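The RASP FileSystem Protection rule above ("PHP files may only be changed by an Administrator") reduces to one access-control decision made at the moment of the write. The PHP below is an added illustration of that decision, not BitFire's implementation (BitFire hooks the runtime; this is a plain guard a plugin author could call before writing a file). It assumes the WordPress function current_user_can() is available; the function names rasp_example_* are hypothetical.

```php
<?php
// Added example, not BitFire's code: the admin-only check behind
// "RASP FileSystem Protection", as an explicit guard around a file write.
declare(strict_types=1);

/**
 * Decide whether writing $path is allowed. Anything PHP could execute is
 * admin-only; other files pass. $is_admin is injected so the rule can be
 * exercised outside WordPress.
 */
function rasp_example_write_allowed(string $path, callable $is_admin): bool
{
    // Extensions PHP (or a permissive Apache AddHandler) may execute.
    $php_exts = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'php8', 'phar', 'inc'];

    // Look at every dotted segment of the file name, not just the last one,
    // so "shell.php.jpg" is treated as PHP as well as "shell.php".
    $segments = array_slice(explode('.', strtolower(basename($path))), 1);
    $executable = array_intersect($segments, $php_exts) !== [];

    if (!$executable) {
        return true;          // not executable: outside this rule's scope
    }
    return (bool) $is_admin(); // PHP file: only an Administrator may write it
}

/**
 * Write $data to $path under the rule above. A blocked write is logged and
 * reported as false rather than silently succeeding.
 */
function rasp_example_write(string $path, string $data): bool
{
    $is_admin = static function (): bool {
        // 'manage_options' is the capability WordPress grants Administrators.
        return function_exists('current_user_can') && current_user_can('manage_options');
    };

    if (!rasp_example_write_allowed($path, $is_admin)) {
        error_log('RASP example: blocked PHP file write to ' . $path);
        return false;
    }
    return file_put_contents($path, $data) !== false;
}

// Usage (placeholder path): a plugin that writes an uploaded file through
// this function cannot drop a .php file unless an Administrator is logged in.
rasp_example_write('/path/to/wp-content/uploads/example.jpg', "\xFF\xD8\xFF");
```

The same shape, "is the current actor allowed to do this, decided at the point of effect and logged when refused", is what the Database, Network and Authentication settings apply to queries, outbound connections and login state respectively; the file case is simply the easiest one to show in isolation.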
Server Configuration
These settings are auto-configured for your server. Only change them if required.

BitFire PRO / PREMIUM Licensing

Uninstall BitFire
This will uninstall BitFire from the startup script and remove all files.

BitFire Uninstalled
BitFire has been removed from the startup script. In 5 minutes the PHP ini cache will expire and the new settings will take effect. After that you can remove the script files from your server.