[ Web Application Firewall] ; comments begin with ';' ; for details see the BitFire wiki: https://github.com/bitslip6/bitfire/wiki ; enable or disable all firewall features bitfire_enabled = true ; allow the firewall to blacklist misbevaving IPs for 10, 60 or 1440 minutes allow_ip_block = false ; send HTTP security headers ; https://securityheaders.com/ security_headers_enabled = true ; set an HSTS header for 1 year, will only allow browsers to connect via SSL. ; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security enforce_ssl_1year = false # csp - PRO version only csp_policy_enabled = false csp_policy[default-src] = "'self' *.googleapis.com *.gstatic.com *.wp.com *.w.org data:" csp_policy[img-src] = "'self' data: *.wp.com *.gravatar.com *.w.org" ;csp_policy[style-src-attr] = "'self' 'unsafe-inline'" ;csp_policy[style-src-elem] = "'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.gstatic.com" csp_policy[script-src] = "'self' www.google-analytics.com *.wp.com" csp_policy[object-src] = "'none'" csp_policy[connect-src] = "'self' *.google-analytics.com" csp_uri = "/?bitfire_csp_report=log" ; internal debug audit_sql = false ; 2 factor authentication - PRO version only pro_mfa = false; ; see https://bitfire.co/pricing for license pro_key = "unlicensed" ; pro feature, prevent server side request forgery rasp_network = false ; site locking - PRO version only rasp_filesystem = false ; db locking - PRO version only rasp_db = false ; js locking - PRO version only rasp_js = false ; disable WordPress xmlrpc block_xmlrpc = false; bot_urls[] = ""; ; experimental ; cache your homepage and serve it instantly, cache is refreshed after every request ; maximum age (seconds) to serve a cached page, 0 - disables caching max_cache_age = 0 ; BitFire public key for remote tech support tech_public_key="b39a09eb3095c54fd346a2f3c8a13a8f143a1b3fe26b49c286389c55cec73c3e" ; Allow BitFire authenticated Tech Support to access the firewall config (NOT WORDPRESS) remote_tech_allow = false [Input Filtering] ; enable filtering for malicious input (server side includes, etc) web_filter_enabled = true ; block any request with spammy content like "100% free" "free gift", etc spam_filter_enabled = "report" ; block cross site scripting attempts xss_block = block ; block sql injection sql_block = true ; inspect uploaded $_FILES for php content file_block = block ; set to true will replace profanity with !@#$! block_profanity = false ; filter logging for all these names (don't log passwords or credit card numbers) filtered_logging[_wpnonce] = true filtered_logging[nonce] = true filtered_logging[cc] = true filtered_logging[card] = true filtered_logging[cardnumber] = true filtered_logging[exp] = true filtered_logging[expiration] = true filtered_logging[cvv] = true filtered_logging[cvv1] = true filtered_logging[cvv2] = true filtered_logging[pass] = true filtered_logging[pass1] = true filtered_logging[pass2] = true filtered_logging[pwd] = true filtered_logging[pwd1] = true filtered_logging[pwd2] = true filtered_logging[passwd] = true filtered_logging[passwd1] = true filtered_logging[passwd2] = true filtered_logging[password] = true filtered_logging[password1] = true filtered_logging[password2] = true ; list of urls to ignore 404 for urls_not_found[] = "/favicon.ico" urls_not_found[] = "/apple-touch-icon.png" urls_not_found[] = "/browserconfig.xml" ; all allowed http verbs allowed_methods[] = "GET" allowed_methods[] = "OPTIONS" allowed_methods[] = "POST" allowed_methods[] = "PUT" allowed_methods[] = "HEAD" ; block all unknown bots whitelist_enable = false ; block only bots on the block list (set this to true will force whitelist_bots = false) blacklist_enable = true ; if true, only browsers that accept cookies and run javascript will be allowed to connect require_full_browser = false ; any requests to the honeypot will be IP blocked for 1 hours honeypot_url = "/supreme/contact" ; require a valid host header check_domain = false valid_domains[] = "127.0.0.1" valid_domains[] = "localhost" valid_domains[] = "default" ; domain_fix_line ; list of urls that are ignored by BitFire, useful for low risk urls that are hit frequently ignore_bot_urls[] = "" ; enforce rate limit rate_limit = false ; verified request rate 5 minute : suggest 50 rr_5m = 50 [System Configuration] ; the cache system to use. preference order: (shmop, apcu, opcache, nop) cache_type = "nop" ; the shmop memory id (randomly generated on configuration) cache_token = 4455661 ; if true, the path to the bitfire directory to remove (used for uninstall standalone) rm_bitfire = "" ; cookies have higher fidelity than server side state. only disable cookies if your hosting provider disables them cookies_enabled = true ; runs the auto loader by linking wordfence-waf.php to bitfire/startup.php wordfence_emulation = false ; updated to true when the auto_start function runs auto_start = false ; a name of a file to write web alerts to, relative to BitFire dir or absolute report_file = "cache/alerts.json" ; a name of a file to write web block to, relative to BitFire dir or absolute block_file = "cache/blocks.json" ; a name of a file to write support debug information to, relative to BitFire dir or absolute debug_file = false ; include support debug info in http headers - support use only debug_header = false ; show why request was blocked on block page debug = false ; enable or disable sending error reports to the BitFire developers to fix in upcoming releases send_errors = true ; track dashboard usage and usability dashboard_usage = true ; name of the cookie used to verify real browser interactions browser_cookie = "_bitf" ; dashboard url dashboard_path = "/bitfire-admin" ; a system wide encryption key custom to this domain - randomly set on first page request encryption_key = "default" ; custom site secret - randomly set on first page request secret = "default" ; dashboard password. Supports plaintext and sha3-256 hashes: hash('sha3-256', "password") password = "configure" ; wordpress root dir cms_root = "" cms_content_url = "" cms_content_dir = "" wp_version = "" ; if set to true, will block attempts at scanning for vulnerable plugins and themes wp_block_scanners = false ; skip local requests (wordpress wp-cron, etc) skip_local_bots = true ; block http response code response_code = 403 ; the HTTP header to read for the remote address. supported: ; default REMOTE_ADDR is the actual IP address. ; FORWARDED (suport for by=();for=();etc), X-FORWARDED-FOR, REMOTE_ADDR, CUSTOM (like x-forwarded-for) ip_header = "remote_addr" ; dns_service can be cloudflair dns over https at 1.1.1.1 or localhost for local dns dns_service = "localhost" ; short block time is 10 minutes short_block_time = 600 ; medium block time is 60 minutes medium_block_time = 3600 ; long block time is 24 hours long_block_time = 86400 ; if true, update ini files with php arrays that can be cached in the opcache cache_ini_files = true ; set to true to prevent file access outside of web root directory. ; sets open_basedir and fixes realpath.cache root_restrict = false; ; auto-set to true after initial system auto-configuration configured = false ; unix timestamp to turn off dynamic exceptions dynamic_exceptions = true ; ignore nag messages nag_ignore = false ; set to true after the setup wizard runs wizard = false