=== BitFire Security - Firewall, WAF, Bot/Spam Blocker, Login Security ===
Contributors: BitSlip6
Donate link: http://bitfire.co/pricing
Tags: security, firewall, malware scanner, waf, activity log
Requires at least: 6.1
Tested up to: 6.8.2
Stable tag: 4.7.4
Requires PHP: 7.4
License: AGPLv3 or later
License URI: https://www.gnu.org/licenses/agpl-3.0.en.html

Real-time firewall that stops bots, malware, and hackers with real AI, file protection, and traffic analytics, without slowing down your site.

== Description ==

### Real-Time Security for WordPress

BitFire protects your website from bots, hackers, malware, and critical vulnerabilities before they can cause damage. It brings the security technology used by large enterprises to your WordPress site, now available in a free version. Whether you manage a business website, a blog, or a WooCommerce store, BitFire gives you strong protection and visibility into your traffic.

### Smarter Protection with AI

Most security plugins wait for signature updates to detect new threats. BitFire takes a different approach: it uses artificial intelligence and real-time request analysis to **stop zero-day attacks**, bots, and malicious users **before** they get access to your site. Our AI learns what normal traffic looks like for your site and blocks anything suspicious, without you needing to configure endless rules.

> "Unlike traditional firewalls that allow everything by default and react to known threats, BitFire only allows verified traffic - stopping new and unknown attacks instantly."

== Key Features ==

#### 🔐 Security Highlights (Free & Pro)

- **Stop Bots Automatically** – Block fake users, spam bots, and scanners (no captchas needed).
- **Malware Scanner** – Scan your site for infected or unknown files using a fast hash-based scanner.
- **Real-Time Traffic Monitor** – See who is visiting your site, including IP, city, browser, request rate, and referrer.
- **Login Protection** – Block bots from abusing your login page, detect phishing attacks, and stop brute-force attempts.
- **Human / Bot Detection** – BitFire can tell the difference between real users and fake browsers with 99.7% accuracy.
- **IP Reputation** – Block over 300,000 known malicious IPs with real-time threat intelligence.

#### 🚀 Built for Speed

- BitFire logs traffic in **under 2ms per request**, thanks to a high-performance binary logging engine.
- Unlike bulky WAFs that rely on large rule sets, BitFire looks at the **intent** behind every request, giving you **faster speeds** and fewer false positives.

#### 🔍 Live Traffic Monitoring

- Track every visitor request in real time
- Remove blind spots and gain confidence in your site security
- Filter traffic by IP, URL, response code, or user-agent
- View bot fingerprints from over 3,000 known bots and 180 real browsers
- See what was blocked and why

#### 🛑 Runtime Protection (PRO)

BitFire includes WordPress's first Runtime Application Self-Protection (RASP) firewall. BitFire watches what your plugins and code are doing in real time and blocks anything suspicious, including:

- Unauthorized file modifications (File RASP)
- Suspicious database queries (Database RASP)
- Unauthorized account creation or privilege escalation (Authentication RASP)
- Dangerous outbound network requests (Network RASP)

> "It's like a bodyguard inside your WordPress server - watching every move and stopping threats before they execute."

---

### What's Included in the Free Version?

- Traffic logger (current day only)
- Real-time bot and malware detection
- File scanner with fast hash matching
- Block plugin and theme enumeration tools
- Live IP and user-agent request viewer
- Block hacking tools like WPScan, Nmap, Nikto, etc.

---

### What's in BitFire Pro?
- Web Firewall rated A+ by Cloudbric, with real-time updates
- Full Runtime Self-Protection engine (File, Database, Account, and Network protection)
- Advanced login protection and phishing detection
- Malware scanner with 14 million+ clean file hashes
- Automatic browser fingerprinting and allowlists
- Auto-configured CSP and security headers (A+ rating)
- Traffic logging and historical view extended to 30 days

**Independent WAF testing by Cloudbric: https://labs.cloudbric.com/wafer**

* BitFire [PRO] - A (94%)
* MalCare [PRO] - F (34%)
* WordFence [PRO] - D (41%)
* iThemes Security - F (2%)
* SiteGround Security - F (2%)
* Ninja Firewall [PRO] - D (67%)
* Shield Security [PRO] - F (2%)

---

### Trusted by Enterprises, Now Available to You

BitFire is used by major organizations on our managed enterprise platform and was developed by a veteran security architect with over 20 years of experience defending Fortune 500 companies and critical infrastructure.

> This free release brings our best bot detection and traffic logging features to the WordPress community - at no cost.

---

### Learn More

Visit [https://bitfire.co](https://bitfire.co) for:

- Full product comparison
- Malware removal services
- Pro pricing
- Support

== Installation ==

After installing, configure the plugin from the "BitFire" -> "Settings" menu item in the WordPress admin dashboard.

*Note: BitFire is not compatible with Windows operating systems.*

### Hosting Requirements

* BitFire works best on modern PHP hosting environments. Some advanced features (such as file locking and shared-memory logging) may not be supported on low-end shared hosting plans (under $8/month). If you are unsure, test the plugin in free mode first.
* BitFire can consume significant disk space for its cache if shared memory is not available. Check this on the settings page under "Cache Type": if the cache type is "opcache", assume about 100MB of storage for cache files.
* BitFire downloads its IP database from the BitFire servers. This file is about 30MB.
* BitFire keeps server logs that consume disk space: 5-20MB per day depending on your traffic.

[Visit our website to access the official documentation, which includes in-depth descriptions of security features, common solutions, and comprehensive help.](https://bitfire.co/support-center)

== Screenshots ==

1. BitFire shows the source location, time and response for every web request to your site. See good and bad actors in real time.
2. The Bot Control page allows instant authentication of over 3,000 known bots and 300,000 malicious IPs.
3. The malware scanner contains over 20 million data points and scans 10,000 PHP files per minute.
4. Search for any web traffic by time, user-agent, URL, IP or response. Verify correct web blocking and website functionality.
5. The database malware scanner, with backup and restore points, can identify malware comments and posts from over 2.5 million domains.
6. Plugin monitoring alerts you within the hour when new plugin vulnerabilities affecting your site are released, so you can stay on top of important security updates.
7. Simple on/off configuration with granular rules that can be set to alert-only, to test new rules before actually blocking.

### WHY HAVEN'T I HEARD OF YOU BEFORE? ###

The BitFire firewall was started in 2018 as a custom security solution for a small group of WordPress sites by founder Cory Marsh, who brought 20 years of enterprise security knowledge and software architecture experience to creating the first RASP for WordPress. We had a vision of bringing real enterprise-grade security to the millions of websites running WordPress. After almost four years of development and countless late nights, we are finally ready to offer the highest-quality security product available to the WordPress community at large. We received initial funding in late 2022 and have been going strong since.
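A preflight script for the Hosting Requirements listed above. This is an added example, not code from the BitFire plugin: it probes the host for the facilities those requirements mention (Windows, minimum PHP version, the shmop extension for shared-memory logging, OPcache, advisory file locking, and free disk space). The function name, the 150MB free-space threshold (roughly the 100MB cache, the 30MB IP database and a day of logs), and the probe directory are this example's own assumptions.

```php
<?php
// Added example, not BitFire's own code: a hosting preflight check.
// Usage: php preflight.php /var/www/html/wp-content/uploads
// With no argument it probes the system temp directory instead.

declare(strict_types=1);

/**
 * Return rows of [check, ok, detail] describing whether this host offers the
 * facilities the plugin relies on. $needed is an assumed free-space budget:
 * ~100 MB cache + ~30 MB IP database + one day of logs, per the requirements.
 */
function bitfire_preflight(string $dir, int $needed = 150 * 1024 * 1024): array
{
    $rows = [];

    // Windows is explicitly unsupported.
    $rows[] = ['operating system', PHP_OS_FAMILY !== 'Windows', PHP_OS_FAMILY];

    // Minimum PHP version from the readme header.
    $rows[] = ['php >= 7.4', version_compare(PHP_VERSION, '7.4.0', '>='), PHP_VERSION];

    // Shared-memory logging needs shmop; without it a file cache is used,
    // which costs disk space instead of memory.
    $shmop = extension_loaded('shmop');
    $rows[] = ['shmop (shared memory)', $shmop, $shmop ? 'available' : 'missing: expect a file cache'];

    // The "opcache" cache type is only possible when OPcache is loaded and on.
    // Note: from the CLI this reflects opcache.enable_cli, not the web SAPI.
    $opcache = function_exists('opcache_get_status') && (bool) ini_get('opcache.enable');
    $rows[] = ['opcache', $opcache, $opcache ? 'enabled' : 'disabled or absent'];

    // Advisory locking guards against write races on busy servers; probe it
    // with a real flock() on a temp file inside the target directory.
    $lock = false;
    if (is_writable($dir) && ($probe = @tempnam($dir, 'bf_lock_')) !== false) {
        $fh = fopen($probe, 'w');
        if ($fh !== false) {
            $lock = flock($fh, LOCK_EX | LOCK_NB);
            flock($fh, LOCK_UN);
            fclose($fh);
        }
        unlink($probe);
    }
    $rows[] = ['file locking in ' . $dir, $lock, $lock ? 'flock works' : 'flock failed or directory not writable'];

    // Disk quota: the IP database alone is ~30 MB and logs run 5-20 MB/day.
    $free = @disk_free_space($dir);
    $rows[] = [
        'free disk space',
        $free !== false && $free >= $needed,
        $free === false ? 'unknown' : sprintf('%.0f MB free', $free / 1048576),
    ];

    return $rows;
}

$target = $argv[1] ?? sys_get_temp_dir();
foreach (bitfire_preflight($target) as [$check, $ok, $detail]) {
    printf("%-34s %s  %s\n", $check, $ok ? 'OK  ' : 'FAIL', $detail);
}
```

Point it at the real wp-content/uploads directory, since that is where the plugin writes its logs and cache; a FAIL on the locking or disk rows is the signal that a low-end shared plan is in use and free mode should be tried first.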
== Frequently Asked Questions ==

= Will this slow down my site? =

No. BitFire is built for speed. It adds less than 2ms of overhead per request and uses optimized binary logging.

= Do I need to configure anything? =

BitFire works out of the box with default settings. Advanced users can fine-tune rules and view detailed request logs.

= Can I use this with a CDN or other firewall? =

Yes. BitFire is designed to run alongside CDNs such as Cloudflare. Running multiple firewall products at the same time is not recommended, although they should be compatible. Do not use always-on mode when running with another firewall, as this can create conflicts.

= Is there a free version? =

Yes. The plugin on WordPress.org includes bot protection features and traffic analysis.

= How do I upgrade to Pro? =

Visit [bitfire.co/pricing](https://bitfire.co/pricing) to compare features and purchase a license. Pro unlocks RASP, the WAF, and advanced traffic logging.

= What is the difference between the FREE and PRO versions? =

BitFire Free includes the real-time event log, A+ rated security headers, the malware scanner, and complete bot blocking, which blocks 99% of all Internet threats. PRO adds the Runtime Application Self-Protection (RASP) firewall, which prevents vulnerable plugins and themes from being exploited on your site, along with the A+ rated WAF.

= Can BitFire RASP protect my website against zero-day vulnerabilities? =

BitFire has a 100% track record of protecting against every critical 0-day WordPress security vulnerability since 2022, with no new signatures required.

= Why do other plugins focus so much on malware scanning and cleaning? =

Notice how much extra other plugins charge you to clean up malware, and how much of their product is focused on finding malware already on your system. They do not do a great job of keeping malware off your site, and then charge you extra when their security fails.

= How much is the PRO version? =

[Complete WAF & RASP protection](https://bitfire.co/pricing) is $99.00 / year.
= If other security plugins live up to their hype, why do they scan my site for malware daily? =

The majority of popular security plugins create custom signatures for each WordPress plugin vulnerability as it is publicly disclosed. With over 10,000 known WordPress security vulnerabilities and fewer than 200 signatures, they miss a lot of attacks. They are also unable to block the most common class of security flaw (access control errors) for anything they do not have a pre-built signature for. To make matters worse, they delay these rules by up to a month for non-paying customers.

= How does Redirection Protection work? =

BitFire keeps track of every third-party domain your web pages use (Facebook, Google, JavaScript APIs, themes, etc.). After several weeks of learning, Content Security Policy headers are sent to visitors instructing their browsers to only load resources from, or redirect to, your approved domain list.

= Does BitFire prevent Cross-Site Scripting (XSS)? =

BitFire includes XSS protection through HTTP security headers and content filtering for persistent, reflected, and DOM-based XSS attacks.

= Does BitFire block SQL Injection attacks (SQLi)? =

Yes. BitFire parses request data with a SQL parser modelled on MySQL syntax and can recognize SQL regardless of encoding, injected comments, and other evasion techniques.

= What are some examples of RASP blocks? =

* **Adding a new administrator account?** BitFire checks that the current user has the administrator privilege before allowing the account to be created.
* **Making a network connection?** BitFire checks the remote host against a list of over 2.5 million malware domains before allowing the connection.
* **Adding or editing a file?** BitFire inspects the filename and content to ensure the operation does not edit a PHP file or inject backdoor code.
* **Redirecting the visitor to another website?** BitFire checks the malware domain list before sending the redirect.
* **Is a plugin passing dynamic PHP code to eval()?** BitFire inspects the code being passed to eval() and blocks malicious code before it executes.

= Why shouldn't I use WordFence? =

If you use WordFence, use only the paid version. WordFence has a team monitoring emerging WordPress vulnerabilities and writing custom rules to block specific exploits. They are very good at it and run a great blog on their work. Paying customers receive these virtual patches as soon as they are available; free customers receive them 30 days later. If your website is vulnerable, it is almost guaranteed to be hacked before the patch reaches free customers. Do not leave your site at risk.

= Is BitFire RASP easy to install? =

Yes. BitFire RASP installs like any other WordPress plugin. The setup is user-friendly, and our support team is available to assist.

= How is BitFire RASP different from other security plugins? =

BitFire RASP is the only RASP firewall available for WordPress. It provides real-time protection by deeply inspecting your site's activity, giving comprehensive security without compromising performance.

= Can BitFire block bots and automated attacks? =

Bot blocking is BitFire's primary feature and is fully functional in the free version. 99% of WordPress attacks come from automated tools scanning every domain and IP address for known vulnerabilities. BitFire verifies human web browsers with a JavaScript challenge similar to Cloudflare's but over 50 times faster (about 1/10 of a second versus 6 seconds). BitFire also includes a list of over 80 search engines and SEO tools that are network-verified to ensure only genuine bot traffic reaches your site.

= How do I get support if I encounter issues with BitFire RASP? =
You can use [the WordPress support forum](https://wordpress.org/support/plugin/bitfire/) or visit our website for the official documentation, which includes in-depth descriptions of security features, common solutions, and comprehensive help. Our support team is also available through our support channels and will promptly address any questions or concerns.

= Why is BitFire better than WordFence? =

[Read the detailed comparison with WordFence](https://bitfire.co/en/wordfence-vs-bitfire)

== Privacy / Monitoring / Data Collection ==

1. Privacy. We take privacy very seriously. BitFire inspects all traffic going to the web server and filters out potentially sensitive information by replacing it with ***redacted***. The config.ini file includes a list of common sensitive field names under the "filtered_logging" section. To filter additional fields, add a line of the form "filtered_logging[field_name] = true" to the config file, replacing "field_name" with the name of the request parameter to filter.
2. Error monitoring. BitFire includes an error handler which monitors its own operation. If an error is detected in the BitFire software, including during install, an alert can be sent to BitFire's developer team, which monitors these errors in real time and includes fixes for detected errors in each new release.
3. Malware scanner. BitFire sends small 64-bit hashes (signatures, or fingerprints) of every scanned file to our hash database; for instance, index.php might hash to the number 812612388126487. The database is many gigabytes in size and is hosted on our servers. BitFire uses it to determine whether a file is a known good file or has been modified, and sends the results back to your site. Client hashes are never stored off your server.
4. Log data and configuration data are stored locally on the filesystem in the wp-content/uploads/bitfire_RANDOM directory.
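An added example, not BitFire's own code, illustrating items 1 and 3 above: parsing "filtered_logging[...]" lines with PHP's parse_ini_string() and redacting matching request parameters before they are logged, and classifying files by a 64-bit hash against a known-good table so that only (path, hash) pairs would ever need to leave the server. The INI text, request, file contents and known-good table are constructed for the demo, and FNV-1a is an assumed stand-in for whatever hash the real scanner uses.

```php
<?php
// Added example, not BitFire's own code. Demonstrates items 1 and 3 above:
// redaction of sensitive request parameters driven by filtered_logging[...]
// lines, and hash-based file classification that never transmits contents.
// All input below (INI text, request, files, known-good table) is constructed.

declare(strict_types=1);

const REDACTED = '***redacted***';

/** Parse the filtered_logging[...] entries of a config.ini string into a lookup set. */
function filtered_fields(string $ini): array
{
    // parse_ini_string() understands the "key[sub] = true" array syntax; with
    // INI_SCANNER_TYPED the literal true/false arrives as a PHP bool.
    $cfg = parse_ini_string($ini, true, INI_SCANNER_TYPED);
    $set = [];
    foreach (($cfg['filtered_logging'] ?? []) as $name => $enabled) {
        if ($enabled) {
            $set[strtolower((string) $name)] = true;
        }
    }
    return $set;
}

/** Replace the values of filtered parameters, case-insensitively and recursively. */
function redact(array $params, array $filtered): array
{
    foreach ($params as $name => $value) {
        if (is_array($value)) {
            $params[$name] = redact($value, $filtered);   // e.g. billing[cc_number]
        } elseif (isset($filtered[strtolower((string) $name)])) {
            $params[$name] = REDACTED;
        }
    }
    return $params;
}

/**
 * Classify files as known-good, modified or unknown by comparing a 64-bit
 * hash of the content with a table keyed by relative path. FNV-1a is an
 * assumption standing in for the scanner's own hash; the point is that only
 * (path, hash) pairs are needed for the lookup, never the file bytes.
 */
function classify(array $files, array $known): array
{
    $result = [];
    foreach ($files as $path => $content) {
        $hash = hash('fnv1a64', $content);
        if (!isset($known[$path])) {
            $result[$path] = 'unknown';
        } else {
            $result[$path] = ($known[$path] === $hash) ? 'known-good' : 'modified';
        }
    }
    return $result;
}

// --- constructed demo input -------------------------------------------------
$ini = "filtered_logging[pwd] = true\n"
     . "filtered_logging[cc_number] = true\n"
     . "filtered_logging[log] = false\n";

$request = [
    'log'     => 'admin',
    'pwd'     => 'hunter2',
    'billing' => ['cc_number' => '4111111111111111', 'zip' => '90210'],
];

$pristineIndex = "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n";
$pristineLogin = "<?php\n// pristine core file\n";
$files = [
    'index.php'                => $pristineIndex,                                // untouched
    'wp-login.php'             => "<?php /* tampered */ eval(\$_GET['c']);\n",  // modified
    'wp-content/uploads/x.php' => "<?php echo 1;\n",                             // not in table
];
$known = [
    'index.php'    => hash('fnv1a64', $pristineIndex),
    'wp-login.php' => hash('fnv1a64', $pristineLogin),
];

print_r(redact($request, filtered_fields($ini)));   // pwd and billing[cc_number] redacted
print_r(classify($files, $known));                   // known-good / modified / unknown
```

Redaction is keyed on the parameter name and recurses into nested arrays, so a card number posted as billing[cc_number] is caught as well as a top-level pwd; a field set to false in the INI stays visible, which is how the demo shows the toggle working in both directions.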
The directory name is 12 random characters generated at install time, so the path cannot be guessed from the Internet, and the directory is additionally protected by a .htaccess file. Note that .htaccess rules are only honored by Apache-compatible servers with overrides enabled; on nginx the random name is the protection. Web servers that are configured to allow directory listings should make sure the file wp-content/uploads/index.php is present, so that a listing of wp-content/uploads cannot reveal the directory name.

== Changelog ==

= 4.7.4 =

* Blocking and unblocking IPs and user agents from the dashboard page now presents a user message
* Fixed an issue that could cause users to cycle through the block / unblock toggle on the exception page
* Fixed 2 deprecation warnings
* Fixed an issue that could prevent uploading new plugins when bot blocking was enabled
* Uninstall now removes all old log and configuration data
* Fixed a type conversion notice on the bot list display page for certain bots

= 4.7.3 =

* Initial WP-CLI implementation: review logs, get server metrics, check IP and user agent blocks.
* Fixed an error on some systems that misreported a failure when updating the configuration file when no error had occurred.
* Fixed a deprecation warning on PHP 8.3

= 4.7.2 =

* Improved traffic monitor logging.
* Added a "Fake Browser" badge to identify fake / impersonated browsers.
* Identify more not-found file types as malicious scans.
* Improved request rate determination; the request rate window moved to 1 minute.
* Request rate modeling now rolls over accurately on the 1 minute boundary
* Added DoS protection when IPs exceed a rate-limit threshold
* Added new filter keywords BLOCKED, RESTRICTED, EVIL, ADMIN, LOGINS, SCAN, DIRECT, UNCOMMON
* Improved CPU performance monitoring to get real CPU% for Linux systems running cgroups (/sys/fs/)
* Several bug fixes for odd user interface uses
* Prevent adding the same filter twice; prevent adding the same exclusion twice
* Added email support! Please add notice@bitfire.co to your contact list to receive email notifications about your server health!
* Fixed adding and removing IP / user agent corner cases
* Added support for logging all site warnings and errors to a file for 24 hours
* Added list of IP blocks to the Rule Tune / IP Block page
* Standardized many names across the UI
* Improved UI names and descriptions across the plugin
* Performance improvements for PRO users for file protection
* Special thanks to Tarlan Mustafazda

= 4.7.0 =

* Implemented AI false positive / false negative confirmation. The AI can check its block decisions for false positives and false negatives thousands of times faster than humans; this change adds the framework for AI verification of block performance.
* Improved handling of odd $_FILES structures.
* Removed dead code.
* Simplified some utility functions.
* Reduced the timeout for communication with BitFire servers from 1.5 seconds to 500 milliseconds.
* Reduced tech support access time to 1 hour when enabled
* Additional blocking "class" types for exclusions (not just specific block IDs)
* Cleaned up code for hosts lacking shmop support and with low disk quotas
* Added additional log filtering on HTTP referrers
* Added caching to the bot list to prevent file system scans and improve performance on bot configuration
* Updated the list of Google, Bing and Cloudflare IPs (minor changes)
* Fixed deprecated syntax for PHP 8.4
* Fixed an issue that could reset configuration when removing always-on protection
* Updated support emails

= 4.6.1 =

* Improved log searching on the dashboard. Use the start time selection box to search forward from that point in time.
* Fixed an edge case where a failure to write log data could result in memory exhaustion as the server retried the write. Very rare.

= 4.6 =

* Addressed a potential information disclosure issue on misconfigured web servers where WordPress core files had been changed. In early July, WordFence issued CVE-2025-6722 for BitFire.
The WordFence team's concern was that web servers with directory listings enabled (a misconfiguration present on <1% of servers globally) that had ALSO deleted the WordPress core file wp-content/plugins/index.php could expose the hidden directory containing BitFire's filtered web log data and firewall configuration settings. Although this setup requires multiple security misconfigurations to be present on the affected system, WordPress requested that the plugin be removed from the official WordPress plugin repository. After several weeks of discussion about possible resolutions, the following changes were accepted as mitigation. The upgrade applies these changes automatically:

1. The configuration and log data were moved from /wp-content/plugins/bitfire_RANDOM to /wp-content/uploads/bitfire_RANDOM, per the WordPress team.
2. The length of the random directory name was increased from 10 characters to 12 characters.
3. A third method of protection was added: a .htaccess file restricting access, for web servers that support .htaccess files.
4. A new check was added to ensure that the file wp-content/uploads/index.php is always present, to prevent directory listings that could expose the path to the hidden directory.

* Resolved several minor PHP warnings.
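The mitigations listed under 4.6 above, as an added example that is not the plugin's own code: create a randomly named data directory under uploads, write a .htaccess that denies web access (Apache 2.4 and 2.2 syntax), place index.php listing guards in the parent and in the directory itself, and audit later that the guards are still present. The function names and the default temp-directory target are this example's assumptions. One caveat worth stating: .htaccess is only honored by Apache-style servers with AllowOverride enabled; nginx ignores it, so there the random name and the listing guard are the only layers.

```php
<?php
// Added example, not BitFire's own code: the three layers listed under 4.6.
// Usage: php protect_dir.php /var/www/html/wp-content/uploads
// With no argument it works in a throw-away directory under the system temp dir.

declare(strict_types=1);

/**
 * Create a hidden data directory under $uploads and harden it.
 * Returns the full path of the new directory.
 */
function protect_data_dir(string $uploads, string $prefix = 'bitfire_', int $len = 12): string
{
    // 1. Unguessable name: $len characters from a 62-symbol alphabet gives
    //    62^12 (about 2^71) possibilities, so the path cannot be enumerated.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $name = '';
    for ($i = 0; $i < $len; $i++) {
        $name .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $dir = rtrim($uploads, '/\\') . DIRECTORY_SEPARATOR . $prefix . $name;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException("cannot create $dir");
    }

    // 2. .htaccess that denies every web request to the directory, in both
    //    Apache 2.4 (mod_authz_core) and 2.2 syntax. Caveat: nginx, and Apache
    //    with AllowOverride None, ignore this file entirely.
    $htaccess = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
              . "<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n</IfModule>\n";
    file_put_contents($dir . '/.htaccess', $htaccess, LOCK_EX);

    // 3. Listing guards: an index.php in the parent stops "Options +Indexes"
    //    from listing the parent and revealing the random name (the scenario
    //    behind CVE-2025-6722); one inside the directory is belt-and-braces.
    foreach ([$uploads, $dir] as $d) {
        $idx = rtrim($d, '/\\') . '/index.php';
        if (!file_exists($idx)) {
            file_put_contents($idx, "<?php\n// Silence is golden.\n", LOCK_EX);
        }
    }
    return $dir;
}

/** Re-check the guards later (e.g. from a daily cron); returns a list of problems. */
function audit_data_dir(string $uploads, string $dir, string $prefix = 'bitfire_', int $len = 12): array
{
    $problems = [];
    if (!file_exists(rtrim($uploads, '/\\') . '/index.php')) {
        $problems[] = 'parent index.php missing: a directory listing could reveal the path';
    }
    $ht = @file_get_contents($dir . '/.htaccess');
    if ($ht === false || (strpos($ht, 'Require all denied') === false && strpos($ht, 'Deny from all') === false)) {
        $problems[] = '.htaccess missing or does not deny access';
    }
    if (strlen(basename($dir)) < strlen($prefix) + $len) {
        $problems[] = "directory name has fewer than $len random characters";
    }
    return $problems;
}

$uploads = $argv[1] ?? sys_get_temp_dir() . '/uploads_demo';
if (!is_dir($uploads) && !mkdir($uploads, 0750, true)) {
    fwrite(STDERR, "cannot create $uploads\n");
    exit(1);
}
$dir = protect_data_dir($uploads);
$problems = audit_data_dir($uploads, $dir);
echo "data dir: $dir\n";
echo $problems ? implode("\n", $problems) . "\n" : "all guards present\n";
```

The audit function is the part worth keeping around: deleting wp-content/uploads/index.php is exactly the misconfiguration described above, and a periodic check that reports it is cheaper than discovering it from a vulnerability report.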
= 4.5 =

* Fixed an issue with filtering on blocked requests
* Fixed an issue that could lead to fatal errors on malformed file uploads
* Added additional browser support

= 4.4.19 =

* Fixed a setup issue
* Browser icon efficiency
* Fixed the Free/PRO setup enable buttons on the settings page
* Improved case sensitivity for traffic filtering

= 4.4.18 =

* Improved handling for systems missing the shmop cache
* Removed a feature that could automatically disable some functionality if a fatal error was encountered
* Improved daily system counters
* Improved handling for systems which fail to download the IP location database
* Added quark, rrdocuments, ccleaner, norton, x-middleton to the client-side collection of supported browsers/bots
* Changed log message from error to debug level if the IP location database is not downloaded
* Fixed a rare bug which prevented some systems from connecting to the local cache
* Improved handling for malformed $_FILES posts. In some rare conditions malware bots could trigger a FATAL error by uploading a malformed $_FILES structure
* Fixed a bug which would cause an error when client JavaScript validation failed
* Additional checks to ensure writeability of Threat Intel data before fetching

= 4.4.17 =

* Fixed a bug that showed some free versions as PRO versions in the settings page
* Added additional bots to the block list

= 4.4.16 =

* Fixed minor warnings on PHP 8.3.x
* Fixed an error that could cause repeated download of blocking rules
* Check for free disk space before making cacheable network calls for bot and IP data
* Write config file changes to a temp file, verify the contents were written correctly, then swap it with the actual config.
This corrects errors on hosts where the disk or disk quota is full.
* Performance improvements

= 4.4.14 =

* Fixed const name resolution for bots generating a 500 error on some PHP installs

= 4.4.12 =

* Fixed some warnings produced in corner cases
* Fixed some warnings produced on lower-end servers

= 4.4.11 =

* Small bug fixes for some lower-end hosting services
* Fixed an error on hosts missing the mbstring extension
* Added additional browser identification
* Improved support for the default CSP policy

= 4.4.10 =

* Bugfix for upgrading the cache

= 4.4.9 =

* Major improvements in quality and performance
* Daily report emails
* Complete rewrite of caching and statistics
* Offline log analysis mode only
* Existing clients receive an 80% early adopter discount code via email
* Bug fixes
* Improved browser and bot detection
* FULL SUPPORT FOR CACHED WEBSITES - vastly improved support for websites with front-end caching (Cloudflare, etc.)
* Log analysis search improvements
* Log up to 30 days of data, up to 2 million requests / month!

= 4.1.15 =

* Resolved an issue with saving bot control data

= 4.1.14 =

* Resolved an issue with the malware scanner

= 4.1.13 =

* Improved trash bot detection
* Improved and de-cluttered the bot control interface

= 4.1.12 =

* Improved support for older iPhones, iPads and Macs
* Removed dead code
* Added feature toggle code for server uptime metrics
* Added server metric logging (blocks, etc.)
* Fixed Cloudflare compatibility with a change in how Cloudflare forwards SSL status (infinite redirect loop)
* Improved support for downloading the large IP database on limited hosting accounts
* Don't report unknown empty index.php files in the malware report
* Added new browser support: iOS text messaging, ztunnel, nettype, browserng
* Save fewer junk bots in the bot control page

= 4.1.11 =

* Improved verification of AJAX requests from cached pages.
* Added support for editing the CSP policy from the settings page!
* Verbiage changes
* Fixed a PHP warning for double-submitted headers
* Additional fingerprints
* BitFire encrypted cookies are now accessible from JS to support page-caching JS verification
* Added support for client-side ray verification under a feature toggle
* Renamed the cache directory to fix WP-Optimize deleting rogue /cache/ directories
* Several small fixes for rare corner cases
* Fixed an infinite redirect when SSL is unwrapped and HTTP headers are set incorrectly by an upstream proxy or web server
* Fixed a rare case in detecting PHPSploit with null or empty header values

= 4.1.9 =

* Fix for AJAX authentication of cached pages

= 4.1.8 =

* Improved malware scanner server communication
* Improved support for auto-healing syntax errors in the config.ini file
* Improved WAF inspection for some special admin cases, which reduces false positives
* Removed always-on from the startup wizard; added security headers to the wizard
* Improved labeling of request types on the traffic view
* Added a new mode to never check AJAX requests for bots. This mode is useful for sites with page caching enabled.
* Reordered the settings page and added new settings for some old features
* Nicer error page for Windows users (Windows is not supported)
* Removed dead code
* Added additional file locks to remove some race conditions on busy servers
* Auto-healing of config.ini files with syntax errors
* Content Security headers are now in FREE!
* Block plugin enumeration is now in FREE!
* Fixed link to the purchase page
* Fixed adding some malware files to the allow list

= 4.1.7 =

* Added Content Security Policy and Feature Policy to the free version of BitFire
* Additional file locking to remove a possible write conflict
* Fixes for websites with page caching. New mode to skip browser checking on AJAX requests: if the initial page is served from cache, the browser will not have been verified when it makes its first AJAX requests, so this mode allows those AJAX requests to skip browser verification.
* Improved browser fingerprints

= 4.1.5 =

* Fixed WP-CLI lockfile permissions between the web and CLI users
* Added 2 new bot control options to settings
* Fixed a case where some requests were flagged as "View Only:428"; they now correctly show as "Browser Check:428"
* Added a check so that WordPress /jetpack requests are not blocked from the home network
* Added a new forced block to prevent bots from logging in via the human login page

= 4.1.4 =

* Fixed removing some manual exceptions
* Added hard exceptions for Google, Bing and WordPress
* Added additional results for cases where bot and/or browser checking is off
* Added malware exclusions for old Updraft backups
* Fixed dashboard image icons
* Fixed settings page scraper blocking
* Added a new setting to change the HTTP response code for the verification page

= 4.1.3 =

* Bugfix for some rare cases that skipped the last few files during malware scanning
* Fixed a case where BitFire could not identify some WordPress content URLs for icons
* Reclassified unknown files in /wp-content as plugins, not core files

= 4.1.2 =

* Bugfix for broken config.ini files
* Added blocking of xmlrpc calls
* Fixed some malware false positives

= 4.1.0 =

* Added new fingerprints for Facebook web browsers
* Added new styles of browser verification pages
* Added an option to not require browser verification for page views, to reduce friction
* Added a configurable title tag on the browser verification page
* Re-enabled the malware scanner!
= 4.0.10 =

* Fixed an issue with adding exceptions on the new dashboard
* Added a space-bar shortcut to update dashboard data
* Fixed a small double-activate bug that would create new cookie names on double activation

= 4.0.9 =

* Moved the IP location database to an alternate location to prevent re-download on upgrade
* Improved proxy cache support for browser verification
* UI fixes
* Improved Bing detection; added some additional browser icons
* Added code to detect a cached browser verification page and redirect out of it
* Changed the default browser verification HTTP code to 428 to prevent some proxies from caching it
* Added code to prevent infinite looping when the browser verification page is incorrectly cached
* Bug fix for some cases where the firewall did not correctly identify logged-in administrators

= 4.0.8 =

* Hotfix for the admin check when headers were previously sent

= 4.0.7 =

* Improved upgrade process
* Added IP reputation check from abuseipdb.com to the dashboard and bot pages
* Added support for WP-CLI
* Added cache prevention headers for browser verification for Cloudflare Enterprise
* Fixed dashboard icon CSS
* Fixed adding user-agent exceptions on the dashboard page
* Improved Bingbot detection
* Purge the binary log if corrupted data is detected
* Reduced false positives for SQL injection
* Improved BitFire dashboard rendering
* Added backup learning for browser fingerprints
* Added self-healing for damaged binary web logs

= 4.0.6 =

* Bug fixes
* Performance improvements

= 4.0.1 =

* GREATLY improved browser and bot detection
* Added over 180 browsers and over 300 unique browser icons
* Hard-coded Google detection for flawless Google verification
* Switched from JSON logs to binary log files to save space and improve performance
* Ability to log all web requests
* Search for any web request by user-agent, IP, URL, response code and time
* Added a commercial IP reputation DB with over 300K abusive IPs
* Free support for 128 unknown bot IP checks
* Simplified user interface
* Auto bot blocking
for unknown bots with the IP reputation DB
* Added device fingerprints for over 3,000 device and browser combinations
* Ability to detect valid browser requests with device fingerprints using no JavaScript
* Reduced the server and browser load for unknown browser verification with JavaScript
* Added IP address and User-Agent whitelisting
* Improved IP geolocation performance and accuracy to city level
* Removed the WordPress dashboard widget until the 4.1 transition
* Removed malware detection while the 4.0 database updates; it will return in 4.1

= 3.9.12 =

* Reduced batch size of malware checks based on available memory
* Fixed a malware false negative for some uses of 'passthru'
* Added support for auto-decoding base64-encoded data
* Improved support for XMLRPC checks
* Fixed some false positives for unknown core files (backup files, etc.)
* Added a new icon for the "unknown" file type, distinct from the "malware" type
* Fixed a warning on PHP versions > 8.1
* Improved directory traversal for some directory symlinks
* Fixed a bug on standalone installs not resolving CSS files correctly
* Reduced complexity of the malware scan dashboard page

= 3.9.10 =

* Fixed a mixed type issue for older PHP versions (<= 7.4)
* Began internationalization work
* Removed dependency on debug

= 3.9.9 =

* Improved malware detection and removed most false positives
* Improved performance of quick scan mode
* Reduced filesystem impact of both standard and quick scans
* Improved bot auto-learning and dynamic domain resolution

= 3.9.6 =

* DIVI builder theme support (support self-included iframes)
* Deactivation effect
* Bug fix for some older versions of curl

= 3.9.5 =

* Improved logging for download errors
* Fixed missing blog-header.php hash codes
* Added support for command line malware scans
* Improved support for WPEngine
* Improved order of operations to increase performance
* Support for XML and text data in POST data
* Bypass some DNS lookups on the dashboard page
* Improved include-file malware scanning
* Fixed
stand-alone password install problem
* Added command line malware scanner

= 3.9.4 =

* Fixed a compatibility problem with WPEngine
* Improved bot blocking compatibility

= 3.9.3 =

* Improved bot detection and handling
* Removed old bot exceptions from the exception list
* Fixed a bug on tagging and allowing unknown bots on the bot control screen
* Removed inline SVG images from malware frequency scanning

= 3.9.2 =

* Revamped malware scanning; reduces false positives for PRO and 3rd-party plugins
* New advanced malware scanning mode with configurable scan settings
* Async HTTP requests for malware scanning

= 3.7.1 =

* Reduced malware false positives
* Added detection for image-include malware
* Improved machine learning dataset
* Added __wakeup() handlers to all classes with magic methods to prevent their use in a POP chain (PHP object injection)
* Improved bot listing formatting to support longer data formats
* Better handling of some temporary server failures (filesystem, network, etc.)

= 3.6.4 =

* Improved malware detection
* Improved support for some smaller hosting providers
* Improved bot authentication during learning

= 3.6.3 =

* Various PHP warning fixes

= 3.6.2 =

* Improved support for WordPress installs in a path subdirectory
* Performance improvement for the user capability check
* Small warning fixes for PHP 8.1

= 3.6.1 =

* New bot control management page
* Improved settings and RASP configuration
* Improved upgrade process to keep all config data between upgrades and re-installs
* New hidden (secret) file support for nginx without modifying file permissions (configuration data is now stored in a randomly named directory)
* Small bug fixes on malware scanning for files in the root directory
* Improved support for PHP 7.2

= 3.5.3 =

* Added over 600 known bots with network identification
* Improved malware scanning support for unknown files
* Added additional scan locations
* Added JavaScript malware scanning

= 3.0.8 =

* Database malware scanner support
* Offsite database backups
* Fixes for some Apache
server installs * Support for malware scanning plugins off the WordPress repository * Added support and small fixes for PHP 8.1 * Improved malicious file upload scanning * Improved basic settings and advanced settings page = 3.0.6 = * Added a pretty error page for browsers that do not support JavaScript when JavaScript verification is enabled. = 3.0.4 = * Minor bug fixes for corner cases = 3.0.1 = * Added database malware scanning support for over 2.5 million domains = 2.3.5 = * improved configuration wizard and css styles = 2.3.4 = * Malware Scanner Support * Fixed a bug in browser verification on mobile safari. = 2.3.3 = * Added CSS styles to the blocking page = 2.1.2 = * Added plugin vulnerability notifications. These will check over 3500 active CVE advisories for any known security issues in your plugins or themes * Improved upgrade process which could forget some settings on upgrade * Fixed a possible rare false positive on base64 encoded data * Improved learning mode to find more false positives * Fixed a warning on PHP 8.x with undefined variable for alerts from IPs with no associated country (localhost) * Fixed a bug which incorrectly reported the currently viewed alert page number range on the dashboard screen = 2.1.0 = * Several bug fixes * Improvements to malware scanning, added additional files to scan list * Fixed bug adding additional allowed domains on settings page = 2.0.1 = * Implemented setup wizards and online help functions. * Added auto-learning exceptions for new installs to prevent possibility of false-positives.. * Workflow and usability improvements = 1.9.7 = * fixed an issue that could cause false positive when non administrators were editing posts. This check has been expanded to authors as well. 
* fixed an issue that was causing extra padding in config.ini files * added support for auto-discovering bots to whitelist * reduced the maximum size of saved blocked data = 1.9.6 = * fix for WordPress source code path resolution * use CMS default script inclusion system for admin pages = 1.9.5 = * added initial support templates for custom CMS * refactored escaping on MFA page = 1.9.4 = * fixed an issue which could allow admin requests to be rate limited * refactored malware scanner to support custom CMS = 1.9.3 = * added support for redirect url on MFA login page * fixed issue with MFA login submission * added support for Content Security Policy WordPress integration * Wordpress MFA login support complete * PHP file write blocks are now logged in the dashboard = 1.9.2 = * improved support for alternate content management systems * removed direct $_SERVER, $_GET, $_POST access and replace with filter_input * fixed issue that could cause malware download to fail with expired access token = 1.9.1 = * improved install logging * additional tests for installation procedure = 1.9.0 = * added SQL auditing feature. Currently this is an advanced toggle only available by editing the config.ini. Planned features: SQL Injection Detection, CC data access, replay log for DB restores * namespaced all defines to prevent any possible name collisions * added WordPress plugin and theme enumeration blocking * refactored several echo lines to remove dead code and xss encode on the same line * added fix for a bug in php >=8.0 <= 8.1 where splat operator on variables containing : would be incorrectly interpreted by PHP 8.0 as a named operator. 
* added support for cloudflare real connecting IP * plugins not registered at wordpress.org are now rolled into a single malware line = 1.8.9 = * upgraded bootstrap and chart.js to latest stable releases * refactored all API methods to be pure and testable * refactored malware detection to allow detecting malware on non-WordPress installs * updated all WordPress path resolutions * added code to ensure config.ini is not web readable even when .htaccess is disabled * INI settings: reset realpath.cache_size to system size when used with openbase_dir * special handling of DOCUMENT_ROOT for WordPress * improvements to installing always on protection on Nginx systems * make config.ini unreadable even on systems that do not support .htaccess = 1.8.6 = * added additional WordPress abstractions as requested by WordPress team * upgraded bootstrap css files * abstracted wordpress plugin with pure implementations and additional unit tests = 1.8.5 = * refactored several functions with pure implementations and added unit tests * refactored views to use new template system * refactored wordpress integration to use standard plugin architecture * moved all dashboard javascript, image, css files into the distribution * removed dead code * removed a warning for php 8.1 = 1.8.3 = * Added support to enable always-on from settings page * Added support for WordPress Engine * Fixed bug where rotating encryption keys would prevent new signatures from downloading for up to a day = 1.8.0 = * Improved support for PHP 8.0 * improved settings page * improved malware scanner * additional whitelist SEO bots * improved auto-detection of server support = 1.7.3 = * First public release of BitFire WordPress security plugin == Upgrade Notice == = 4.4.9 = Tested on over a dozen sites from new installs to upgrades. All issues resolved in testing prior to release. Release 4.4.9 is the end of our Free firewall. 
All releases after 4.4.9 will allow site administrators to view OFFLINE what the pro firewall would block REALTIME. All existing Free clients will receive an 80% discount for early adoption. If you did not receive a discount email, contact BitFire directly on our website https://bitfire.co to receive discount codes. = 3.0.8 = No incompatibilities