[ Web Application Firewall] ; comments begin with ';' ; for details see the BitFire wiki: https://github.com/bitslip6/bitfire/wiki ; enable or disable all firewall features bitfire_enabled = true ; allow the firewall to blacklist misbevaving IPs for 10, 60 or 1440 minutes allow_ip_block = false ; the email address to send notifiations to notification_email = "" ; send HTTP security headers ; https://securityheaders.com/ security_headers_enabled = true ; restrict external sites from loading resources cor_policy = "same-site" ; log all requests, not just blocked requests log_everything = true ; set an HSTS header for 1 year, will only allow browsers to connect via SSL. ; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security enforce_ssl_1year = false ; 2 factor authentication - PRO version only pro_mfa = false ; see https://bitfire.co/pricing for license pro_key = "unlicensed" # content security policy - PRO version only csp_policy_enabled = false csp_policy[default-src] = "'self' 'unsafe-inline' data: blob: www.google-analytics.com *.wp.com *.cloudflare.com *.googleapis.com *.gstatic.com *.cdnjs.com *.youtube.com *.doubleclick.net unpkg.com" csp_policy[img-src] = "" csp_policy[style-src-attr] = "'self' 'unsafe-inline'" csp_policy[style-src-elem] = "'self' 'unsafe-inline'" csp_policy[script-src] = "" csp_policy[object-src] = "'none'" csp_policy[connect-src] = "'self' *.google-analytics.com bitfire.co" ; time to flip from report only to block csp_enable_time = 0 ; a simple permission policy to disable mic, camera and geolocation permission_policy = true ; 2 factor authentication - PRO version only ; mfa_user_auth is a list of usernames to phone number or email address ; mfa_user_auth[wheel] = "1234567890" ; mfa_login_paths[/foobar] = true ; pro feature, prevent server side request forgery rasp_network = true ; pro feature, prevent changing any php files for non-admins rasp_filesystem = true ; pro feature, prevent unauthorized DB changes rasp_db = true ; pro feature, prevent unauthorized User changes via JavaScript rasp_js = true ; pro feature, prevent unauthorized privledge escalation rasp_auth = true ; disable WordPress xmlrpc block_xmlrpc = false; bot_urls[] = ""; ; BitFire public key for remote tech support tech_public_key="b39a09eb3095c54fd346a2f3c8a13a8f143a1b3fe26b49c286389c55cec73c3e" ; Allow BitFire authenticated Tech Support to access the firewall config (NOT WORDPRESS) remote_tech_allow = true [Input Filtering] ; enable filtering for malicious input (server side includes, etc) web_filter_enabled = true ; block cross site scripting attempts xss_block = true ; block sql injection sql_block = true ; inspect uploaded $_FILES for php content file_block = true ; set to true will replace profanity with !@#$! block_profanity = true ; filter logging for all these names (don't log passwords or credit card numbers) filtered_logging[_wpnonce] = true filtered_logging[nonce] = true filtered_logging[cc] = true filtered_logging[card] = true filtered_logging[cardnumber] = true filtered_logging[exp] = true filtered_logging[expiration] = true filtered_logging[cvv] = true filtered_logging[cvv1] = true filtered_logging[cvv2] = true filtered_logging[pass] = true filtered_logging[pass1] = true filtered_logging[pass2] = true filtered_logging[pwd] = true filtered_logging[pwd1] = true filtered_logging[pwd2] = true filtered_logging[passwd] = true filtered_logging[passwd1] = true filtered_logging[passwd2] = true filtered_logging[password] = true filtered_logging[password1] = true filtered_logging[password2] = true ; list of urls to ignore 404 for urls_not_found[] = "/favicon.ico" urls_not_found[] = "/apple-touch-icon.png" urls_not_found[] = "/browserconfig.xml" ; nuber of ip lookups ip_lookups = 0 ; block all unknown bots whitelist_enable = true ; block only bots on the block list (set this to true will force whitelist_bots = false) blacklist_enable = true ; if true, only browsers that accept cookies and run javascript will be allowed to connect require_full_browser = true ; high sensitivity blocking will default block unknown bots high_sensitivity = false ; never browser challenge ajax requests safe_ajax = true; ; list of urls that are ignored by BitFire, useful for low risk urls that are hit frequently ignore_bot_urls[] = "" [System Configuration] ; the cache system to use. preference order: (shmop, apcu, opcache, nop) cache_type = "nop" ; the shmop memory id (randomly generated on configuration) cache_token = 4455661 ; the shared memory segment size cache_size = 2470000 ; if true, the path to the bitfire directory to remove (used for uninstall standalone) rm_bitfire = "" ; cookies have higher fidelity than server side state. only disable cookies if your hosting provider disables them cookies_enabled = true ; runs the auto loader by linking wordfence-waf.php to bitfire/startup.php wordfence_emulation = false ; updated to true when the auto_start function runs auto_start = false ;report_file = "data/alerts.json" ; a name of a file to write web block to, relative to BitFire dir or absolute ;block_file = "data/blocks.json" ; a name of a file to write support debug information to, relative to BitFire dir or absolute ;debug_file = "data/debug.log" debug_file = false ; include support debug info in http headers - support use only debug_header = false ; show why request was blocked on block page debug = false ; enable or disable sending error reports to the BitFire developers to fix in upcoming releases send_errors = true ; track dashboard usage and usability dashboard_usage = true ; name of the cookie used to verify real browser interactions browser_cookie = "_bitf" ; unique server name server_id = "default" ; dashboard url dashboard_path = "/bitfire-admin" ; a system wide encryption key custom to this domain - randomly set on first page request encryption_key = "default" ; custom site secret - randomly set on first page request secret = "default" ; dashboard password password = "disabled" ; wordpress root dir cms_root = "" cms_content_dir = "" cms_content_url = "" wp_version = "" ; if set to true, will block attempts at scanning for vulnerable plugins and themes wp_block_scanners = true ; skip local requests (wordpress wp-cron, etc) skip_local_bots = true ; block http response code response_code = 403 ; the http response code to use when verifying browsers verify_http_code = 428 ; the HTTP header to read for the remote address. supported: ; default REMOTE_ADDR is the actual IP address. ; FORWARDED (suport for by=();for=();etc), X-FORWARDED-FOR, REMOTE_ADDR, CUSTOM (like x-forwarded-for) ip_header = "remote_addr" ; dns_service can be cloudflair dns over https at 1.1.1.1 or localhost for local dns dns_service = "localhost" lock_type = "flock" ; short block time is 10 minutes short_block_time = 600 ; medium block time is 60 minutes medium_block_time = 3600 ; long block time is 24 hours long_block_time = 86400 ; if true, update ini files with php arrays that can be cached in the opcache cache_ini_files = true ; auto-set to true after initial system auto-configuration configured = false ; unix timestamp to turn off dynamic exceptions dynamic_exceptions = true ; ignore nag messages nag_ignore = true ; set to true after the setup wizard runs wizard = false ; set to true to true if website is hacked hacked = false ; false will not challenge simple page views block_scrapers = false ; the verificataion page format verify_css = 'blank' ; page title for browser verification title_tag = 'Verifying Browser' malware_config[] = "quick_scan:0" malware_config[] = "standard_scan:1" malware_config[] = "unknown_core:1" malware_config[] = "unknown_plugin:1" malware_config[] = "non_php:1" malware_config[] = "line_limit:8192" malware_config[] = "freq_limit:256" malware_config[] = "random_name_per:50" malware_config[] = "extra_regex:0" malware_config[] = "fn_random_name_per:40" malware_config[] = "fn_line_limit:2048" malware_config[] = "fn_freq_limit:128" ; list of anonymous allowed scripts ok_scripts = "" ; list of anonymous allowed ajax actions ok_actions = "" ; list of anonymous allowed get parameters ok_params = "" ; allowed files that can write php files ok_files = "autoptimize_404_handler.php" ; reserved mem_refactor = true