BitFire Server Settings Enable (Settings Documentation)
Recommended settings for most sites are labeled .
Please read notes before enabling settings marked .
BitFire Enable
Enable / Disable all functionality.

Always On Protection
Run BitFire before WordPress with auto_prepend_file. This prevents firewall bypass and saves server resources by blocking bad traffic before WordPress loads. Enable this last, after you are sure that all other settings are compatible with your website, because a prepended script runs on every PHP request under that ini scope, not only on WordPress pages.

Log Everything
Log all traffic. The default is to log only blocked traffic; logging everything adds roughly 1-3 ms after each request.

BitFire Security Headers Enable (HTTP server configuration)
HTTP security headers are like safety instructions for your WordPress site. They're small pieces of code that your site sends to browsers, telling them how to behave securely. Enabling these headers adds an extra layer of protection, helping prevent attacks and ensuring a safer experience for your visitors.
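The header set that the settings in this section control, as an added example in PHP (not BitFire's own code). It also shows the auto_prepend_file line that Always On Protection relies on, because a script run that way can send these headers before WordPress loads. The file path, the trusted proxy address, the configured site host and the cdn.example domain are assumptions; PHP 8 is assumed.

```php
<?php
// Added example, not BitFire's code: sends the response headers the settings in
// this section correspond to. It uses only header(), so it works both from a
// plugin hook and from a file named in auto_prepend_file, where WordPress has
// not loaded yet. The file path below is an assumption.
//
//   .user.ini (PHP-FPM / FastCGI) or php.ini:
//     auto_prepend_file = /var/www/html/wp-content/plugins/bitfire/startup.php
//   Apache mod_php, in .htaccess:
//     php_value auto_prepend_file /var/www/html/wp-content/plugins/bitfire/startup.php
declare(strict_types=1);

/** Build the header set for the enabled options; returned rather than sent so it can be inspected. */
function example_security_headers(array $opt): array
{
    $h = [];
    if (!empty($opt['security_headers'])) {
        $h['X-Frame-Options']        = 'DENY';                            // deny iframes
        $h['X-Content-Type-Options'] = 'nosniff';                         // disable content sniffing
        $h['Referrer-Policy']        = 'strict-origin-when-cross-origin'; // other sites get the origin only
    }
    if (!empty($opt['require_ssl'])) {
        // HSTS: a browser that has seen this header refuses plain HTTP and offers no
        // click-through on an expired certificate. Keep max-age short (e.g. 300) while
        // testing and raise it once certificate renewal is automated.
        $h['Strict-Transport-Security'] = 'max-age=' . (int)($opt['hsts_max_age'] ?? 31536000) . '; includeSubDomains';
    }
    if (!empty($opt['permission_policy'])) {
        // Empty allowlists: no origin, not even this page, may use these APIs.
        $h['Permissions-Policy'] = 'microphone=(), camera=(), geolocation=(), payment=()';
    }
    if (!empty($opt['deny_cross_origin'])) {
        // Cross-Origin-Resource-Policy stops other origins embedding this response, and no
        // Access-Control-Allow-Origin is sent, so cross-origin fetch/XHR cannot read it.
        // Neither header affects curl or server-side requests.
        $h['Cross-Origin-Resource-Policy'] = 'same-origin';
    }
    if (!empty($opt['csp'])) {
        $policy = [
            "default-src 'self'",
            "script-src 'self' https://cdn.example", // cdn.example is a placeholder domain
            "style-src 'self' 'unsafe-inline'",      // WordPress themes rely on inline styles
            "img-src 'self' data:",
            "font-src 'self'",
            "object-src 'none'",
            "frame-ancestors 'none'",                // modern equivalent of X-Frame-Options: DENY
            "base-uri 'self'",
        ];
        // Ship as Report-Only first and watch the browser console for blocked loads
        // before switching to the enforcing header name.
        $name = !empty($opt['csp_report_only']) ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
        $h[$name] = implode('; ', $policy);
    }
    return $h;
}

/** X-Forwarded-Proto is only trusted when the request came from the TLS-terminating proxy (assumed address). */
function example_is_https(array $server, string $trusted_proxy = '10.0.0.1'): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return ($server['REMOTE_ADDR'] ?? '') === $trusted_proxy
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

function example_send_security_headers(array $opt): bool
{
    if (headers_sent()) {
        return false; // output already started; nothing can be added now
    }
    if (!empty($opt['require_ssl']) && !example_is_https($_SERVER)) {
        // Redirect to the configured host, never to HTTP_HOST, which the client controls.
        $host = $opt['site_host'] ?? 'example.com';
        header('Location: https://' . $host . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
    foreach (example_security_headers($opt) as $name => $value) {
        header($name . ': ' . $value, true); // replace any value a plugin set earlier
    }
    return true;
}

// Settings as they would appear on this page; a CLI run only prints the result.
$opt = ['security_headers' => true, 'require_ssl' => true, 'permission_policy' => true,
        'deny_cross_origin' => true, 'csp' => true, 'csp_report_only' => true, 'site_host' => 'example.com'];
if (PHP_SAPI === 'cli') {
    print_r(example_security_headers($opt));
} else {
    example_send_security_headers($opt);
}
```

After enabling any of these, check what actually reaches the browser with `curl -sI https://your-site/` and look for each header once; a duplicate with a different value usually means another plugin or the web server sets it too, and the browser will apply the stricter combination.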
Send HTTP Security Headers
Deny iframes, disable content sniffing, and remove detailed referrer data.

Require SSL
Force SSL and stop browsers connecting without it. This will break your site if your SSL certificate expires, so make sure certificate renewal is automated before enabling it.

Send Permission Policy (Feature Policy)
Send a Permissions-Policy header (formerly Feature-Policy; this is a separate header from CSP) that denies JavaScript access to the microphone, camera, geolocation and browser payment APIs. This stops plugins, themes AND malware using these device features.
Deny Cross Origin Resource
Set cross-origin headers so that browsers on other origins cannot read responses from your site. This prevents other sites making AJAX requests to your site from a visitor's browser; it does not affect direct requests from tools such as curl or server-side scripts, which never honour these headers.

Send Content Security Policy (CSP)
A CSP policy defines which domains your site can connect to and load JavaScript, fonts, etc. from. A policy that is too strict blocks legitimate plugin and theme assets, so watch the browser console for blocked loads after enabling it. CSP Documentation

BitFire Bot Blocking Enable (BitFire Bot Blocking Documentation)
Bot blocking is like setting up a virtual bouncer for your WordPress site. Bots are automated programs that can do bad things like hacking, spamming, or stealing data. By blocking them, you protect your site from attacks like brute force login attempts, content scraping, and DDoS attacks, making your site safer and more reliable for your visitors.
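The access decision for a client that has not passed the browser challenge, as an added PHP example (not BitFire's code). It models the "Restrict bot access" behaviour with allowlists shaped like the Anonymous settings below, plus a learning mode that records instead of blocking. The allowlist contents and the sample requests are constructed; the wp-json and admin-ajax.php paths are WordPress's real ones; PHP 8 is assumed.

```php
<?php
// Added example, not BitFire's code: decides what an unverified client may request,
// using allowlists like the "Anonymous ..." settings on this page. Allowlist contents
// and the learning-mode log are assumptions made for the example.
declare(strict_types=1);

final class ExampleAnonymousPolicy
{
    /** @var string[] reasons recorded in learning mode instead of blocking */
    public array $learned = [];

    public function __construct(
        private array $get_params,     // e.g. ['s', 'p', 'paged', 'cat', 'tag', 'page_id']
        private array $php_scripts,    // direct-access scripts, e.g. ['wp-login.php', 'wp-cron.php']
        private array $ajax_actions,   // admin-ajax.php actions, e.g. ['heartbeat']
        private array $rest_endpoints, // wp-json routes, e.g. ['/wp/v2/posts']
        private bool $learning = false,
    ) {}

    /** Returns null when allowed, otherwise the reason the request would be blocked. */
    public function deny_reason(string $method, string $path, array $query, array $post = []): ?string
    {
        $path = '/' . ltrim((string)(parse_url($path, PHP_URL_PATH) ?: '/'), '/');

        // 1. REST API: only listed routes; a listed route also covers its sub-paths (/wp/v2/posts/12).
        if (str_starts_with($path, '/wp-json/')) {
            $route = substr($path, strlen('/wp-json'));
            foreach ($this->rest_endpoints as $allowed) {
                $p = rtrim($allowed, '/');
                if ($route === $p || str_starts_with($route, $p . '/')) {
                    return null;
                }
            }
            return "rest endpoint $route not allowed for anonymous clients";
        }

        // 2. admin-ajax.php: the action name decides, whether it arrives by GET or POST.
        if (str_ends_with($path, '/admin-ajax.php')) {
            $action = $post['action'] ?? $query['action'] ?? '';
            return in_array($action, $this->ajax_actions, true) ? null : "ajax action '$action' not allowed";
        }

        // 3. Direct PHP scripts other than the front controller.
        if (str_ends_with($path, '.php') && basename($path) !== 'index.php') {
            return in_array(basename($path), $this->php_scripts, true) ? null : basename($path) . ' not allowed';
        }

        // 4. Ordinary page views: GET/HEAD only, and every query parameter must be listed.
        if ($method !== 'GET' && $method !== 'HEAD') {
            return "$method to $path not allowed for anonymous clients";
        }
        foreach (array_keys($query) as $name) {
            if (!in_array((string)$name, $this->get_params, true)) {
                return "parameter '$name' not allowed";
            }
        }
        return null;
    }

    /** Learning mode records what would have been blocked and lets it through. */
    public function allow(string $method, string $path, array $query, array $post = []): bool
    {
        $reason = $this->deny_reason($method, $path, $query, $post);
        if ($reason === null) {
            return true;
        }
        if ($this->learning) {
            $this->learned[] = $reason;
            return true;
        }
        return false;
    }
}

// Constructed sample requests against a small allowlist.
$policy = new ExampleAnonymousPolicy(
    get_params: ['s', 'p', 'paged', 'cat'],
    php_scripts: ['wp-login.php'],
    ajax_actions: ['heartbeat'],
    rest_endpoints: ['/wp/v2/posts'],
);
$samples = [
    ['GET',  '/category/news/?paged=2',           ['paged' => '2']],
    ['GET',  '/?author=1',                        ['author' => '1']],               // user enumeration
    ['GET',  '/wp-json/wp/v2/users',              []],                              // user enumeration
    ['POST', '/wp-admin/admin-ajax.php',          [], ['action' => 'heartbeat']],
    ['POST', '/wp-admin/admin-ajax.php',          [], ['action' => 'some_plugin_upload']],
    ['GET',  '/wp-content/plugins/foo/readme.php', []],
    ['GET',  '/xmlrpc.php',                       []],
];
foreach ($samples as $s) {
    $reason = $policy->deny_reason($s[0], $s[1], $s[2], $s[3] ?? []);
    printf("%-5s %-40s %s\n", $s[0], $s[1], $reason ?? 'allow');
}
```

The point of the four rules is that an unverified client is a read-only visitor: it can render pages and use a short list of parameters, actions and endpoints, and anything else (user enumeration through `?author=` or `/wp-json/wp/v2/users`, plugin AJAX handlers, stray PHP files under wp-content) is refused until the client proves it is a browser or is granted access on the Bot Control page.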
Require Full Browser
Verify that browsers are not bots: clients get only restricted, anonymous access until they pass a hidden JavaScript challenge embedded in your site. Clients that never run JavaScript (feed readers, API integrations) stay restricted unless you grant them access from the Bot Control page.

Restrict bot access
Restrict bots to viewing web pages and accessing only the scripts, actions and parameters listed under Anonymous Restrictions below. You can grant any bot unrestricted access from the Bot Control page.

Block Hacking Tools
Block bots using malware, scanning or hacking tools with their default settings (nmap, wpscan, nikto, etc). An attacker can change a tool's defaults, so treat this as a filter for noise rather than a guarantee.

Block Plugin and Theme Scanners
Report fake data to prevent scanners from crawling your site to detect your plugins and themes (WPScan, etc).

Anonymous GET Parameters
Additional GET parameters that unverified users and bots may access, comma separated.

Anonymous PHP Scripts
Additional PHP scripts that unverified users and bots may access directly, comma separated.

Anonymous Ajax Actions
Additional admin-ajax.php "actions" that unverified users and bots may access, comma separated.

Anonymous Rest API Endpoints
Additional wp-json endpoints that unverified users and bots may access, comma separated.

Web Application Firewall Features Enable (Traditional WAF configuration)
Block exploits common to all websites: XSS, SQLi, malicious file uploads, etc. This runs after bot/browser verification and blocks common web attacks and exploits, including those carried out through logged-in users' sessions.
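What "inspect all file uploads for malicious code" has to cover, as an added PHP example (not BitFire's code): extension checks that see every extension in the name, a magic-byte check so the content matches the claimed type, and a scan for script code appended to an otherwise valid image. The allowed types and the sample files are constructed for the example; PHP 8 is assumed.

```php
<?php
// Added example, not BitFire's code: the checks a "Block Malicious Files" setting
// needs to run on an upload before it is written under wp-content/uploads.
// The allowed extension list and the sample files are constructed for this example.
declare(strict_types=1);

const EXAMPLE_ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
                         'gif' => 'image/gif', 'pdf' => 'application/pdf'];

/** Returns null when the file looks safe, otherwise the reason to block it. */
function example_inspect_upload(string $filename, string $bytes): ?string
{
    $name  = basename(str_replace('\\', '/', $filename)); // strip any path the client sent
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return 'no extension';
    }
    // Every extension after the first dot counts, so shell.php.jpg and .htaccess are caught.
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
                   'inc', 'cgi', 'sh', 'htaccess'];
    foreach (array_slice($parts, 1) as $ext) {
        if (in_array($ext, $executable, true)) {
            return "executable extension .$ext";
        }
    }
    $ext = end($parts);
    if (!isset(EXAMPLE_ALLOWED[$ext])) {
        return "extension .$ext not allowed";
    }

    // The content must match the extension, not merely be named for it.
    $magic = ['image/jpeg' => "\xFF\xD8\xFF", 'image/png' => "\x89PNG\r\n\x1a\n",
              'image/gif' => 'GIF8', 'application/pdf' => '%PDF-'];
    $expected = EXAMPLE_ALLOWED[$ext];
    if (!str_starts_with($bytes, $magic[$expected])) {
        return "content does not match $expected";
    }

    // Polyglots: a valid image header with PHP appended is still an image to the browser
    // but a script to the server if anything ever includes or executes it.
    if (preg_match('/<\?(php|=)|<\?\s|<script\b/i', $bytes)) {
        return 'embedded script code';
    }
    return null;
}

// Constructed samples: a 1x1 GIF, the same GIF with PHP appended, and renamed scripts.
$gif = "GIF89a\x01\x00\x01\x00\x00\x00\x00\x3b";
$samples = [
    ['photo.gif',           $gif],
    ['polyglot.gif',        $gif . "<?php system(\$_GET['c']); ?>"],
    ['shell.php.jpg',       $gif],
    ['../../wp-config.php', 'x'],
    ['image.jpg',           "<?php echo 'not a jpeg'; ?>"],
    ['.htaccess',           'AddType application/x-httpd-php .jpg'],
];
foreach ($samples as [$name, $bytes]) {
    printf("%-22s %s\n", $name, example_inspect_upload($name, $bytes) ?? 'ok');
}
```

WordPress already checks extension against detected type for uploads; the extra value here is the scan for appended code and the rejection of `.htaccess`, which an attacker uploads to make the web server execute images as PHP. Whatever the inspection decides, also configure the web server not to run PHP from the uploads directory, so a file that slips through is served as data rather than executed.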
Generic Web Blocking
Block generic attacks: XXE, SSI, SSRF, CSRF, etc.

Block XSS
Block Cross Site Scripting attacks.

Block SQLi
Block SQL injection attacks.

Block Malicious Files
Inspect all file uploads for malicious code.

BitFire PRO RASP Settings Enable (Runtime Application Self-Protection)
Runtime Application Self-Protection integrates directly with PHP and WordPress, intercepting all file writes, network calls and account creations. When any of these events happens, BitFire checks that the action is being performed by an authorized user. If not, the action is blocked and logged. This prevents hackers from uploading any PHP script or creating a backdoor account.
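The decision RASP Database Protection makes, as an added PHP example that is not BitFire's code. BitFire hooks PHP itself; this stand-in uses WordPress's `query` filter, through which `wpdb` passes every statement and which runs nothing when the filter returns an empty string. That is weaker than real RASP (code that opens its own mysqli connection bypasses it), and the table prefix, rule list and sample queries are constructed for the example; PHP 8 is assumed.

```php
<?php
// Added example, not BitFire's code. Same decision as an account-creation / privilege
// guard, made at the WordPress level through the 'query' filter instead of inside PHP.
// Table prefix and sample queries are constructed for this example.
declare(strict_types=1);

/** Returns null when the query may run, otherwise the reason to block it. */
function example_rasp_db_decision(string $sql, bool $is_admin, string $prefix = 'wp_'): ?string
{
    if ($is_admin) {
        return null; // administrators may do anything; the point is everyone else
    }
    $sql = ltrim($sql);
    if (!preg_match('/^(insert|replace|update|delete|alter|drop|truncate)\b/i', $sql, $m)) {
        return null; // reads are never blocked
    }
    $verb = strtolower($m[1]);
    $q    = preg_quote($prefix, '/');

    // Schema changes are never a runtime action of an ordinary visitor.
    if (in_array($verb, ['alter', 'drop', 'truncate'], true)) {
        return "$verb statement without an administrator session";
    }
    // New accounts, or changes to a password, e-mail or login, outside an admin session.
    if (preg_match("/\\b{$q}users\\b/i", $sql)) {
        if ($verb === 'insert' || $verb === 'replace') {
            return 'account creation without an administrator session';
        }
        if (preg_match('/\buser_(pass|email|login)\b/i', $sql)) {
            return 'credential change without an administrator session';
        }
    }
    // Privilege escalation: writing wp_capabilities / wp_user_level in usermeta.
    if (preg_match("/\\b{$q}usermeta\\b/i", $sql) && preg_match("/{$q}(capabilities|user_level)/i", $sql)) {
        return 'capability change without an administrator session';
    }
    // Site takeover through options: admin e-mail, URLs, default role, registration, plugins.
    if (preg_match("/\\b{$q}options\\b/i", $sql)
        && preg_match('/\b(admin_email|siteurl|home|default_role|users_can_register|active_plugins)\b/i', $sql)) {
        return 'sensitive option change without an administrator session';
    }
    return null;
}

// Inside WordPress: hook the filter. The static guard stops recursion, because
// current_user_can() may itself query usermeta while the current user is resolved.
if (function_exists('add_filter')) {
    add_filter('query', function (string $sql): string {
        static $busy = false;
        if ($busy || !function_exists('current_user_can')) {
            return $sql;
        }
        $busy   = true;
        $reason = example_rasp_db_decision($sql, current_user_can('manage_options'), $GLOBALS['wpdb']->prefix);
        $busy   = false;
        if ($reason !== null) {
            error_log('RASP blocked query: ' . $reason . ' :: ' . substr($sql, 0, 200));
            return ''; // wpdb::query() returns false for an empty query and runs nothing
        }
        return $sql;
    }, 0);
}

// Stand-alone run: constructed queries as a vulnerable plugin might issue them for a visitor.
if (PHP_SAPI === 'cli') {
    $samples = [
        "SELECT * FROM wp_posts WHERE ID = 5",
        "UPDATE wp_usermeta SET meta_value = 'a:1:{s:13:\"administrator\";b:1;}' WHERE meta_key = 'wp_capabilities' AND user_id = 7",
        "INSERT INTO wp_users (user_login, user_pass, user_email) VALUES ('backdoor', 'x', 'a@b')",
        "UPDATE wp_users SET user_pass = 'x' WHERE ID = 1",
        "UPDATE wp_usermeta SET meta_value = 'x' WHERE meta_key = 'session_tokens' AND user_id = 7", // login; must pass
        "UPDATE wp_options SET option_value = 'evil@example.com' WHERE option_name = 'admin_email'",
        "DROP TABLE wp_posts",
    ];
    foreach ($samples as $sql) {
        printf("%-60s %s\n", substr($sql, 0, 60), example_rasp_db_decision($sql, false) ?? 'allow');
    }
}
```

Note what the rules deliberately leave alone: the `session_tokens` write that every login performs is allowed, because blocking all usermeta writes for non-administrators would lock everyone out. The credential rule, on the other hand, would also trip on core flows that legitimately run without an administrator (open self-registration, the lost-password reset), which is the same class of breakage the settings below warn about; a real deployment exempts those flows explicitly rather than loosening the rule.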
RASP FileSystem Protection
Force RASP access control on all PHP files. Prevents PHP files from being modified or deleted unless the request comes from a logged-in Administrator. Check that your plugin, theme and core update workflow still works after enabling it.

RASP Database Protection
Force RASP checks on all database queries. Prevents altering sensitive DB tables unless logged in as Administrator.

RASP Network Protection
Prevent connections to bot command-and-control networks and stop man-in-the-middle attacks.

RASP Authentication Protection
Verify that users have correctly authenticated and prevent privilege escalation vulnerabilities. This stops plugins from bypassing WordPress authentication, but may break some plugins that provide alternative authentication (single sign-on, social login and similar); test those logins after enabling it.
Server Configuration
These settings are auto-configured for your server. Only change them if necessary.
BitFire PRO / PREMIUM Licensing
Uninstall BitFire: this will remove BitFire from the startup script and remove all files.
BitFire Uninstalled: BitFire has been removed from the startup script.
Within 5 minutes the PHP ini cache expires (for .user.ini files this is user_ini.cache_ttl, 300 seconds by default) and the new settings take effect. After that you can remove the script files from your server.