{{header}}

Server Settings Enable (Settings Documentation)

Recommended settings for most sites are green. Please read the notes before enabling settings marked with a warning. Join us on Discord! https://discord.gg/BitFire

BitFire Enable

Enable / Disable all functionality

Record All Traffic

A highly detailed traffic recorder; you can search for any traffic to your website in the dashboard.

Detailed Metrics

Count pages served, errors, blocked requests, blocks by country, PHP errors and more - included on the summary Emails.{{metrics_notice}}

Always On Protection

Run BitFire BEFORE WordPress with auto_prepend_file, so malicious traffic is stopped before WordPress even starts. Adds bitfire-waf.php to your .user.ini file. PHP re-reads this setting only every 5 minutes. Contact support@bitfire.co for help.

Log Site Warnings and Errors

Log errors from any plugin or theme on the website. This lets you collect errors and warnings from your entire site to help debug other issues. Log file (last 24 hours only): {{error_log_file}}

Email Reporting

Server health emails, uptime monitor, security statistics, and notifications about active plugin vulnerabilities.

Security Headers Enable (HTTP server configuration)

HTTP security headers are like safety instructions for your WordPress site. They are short instructions that your site sends to browsers with each response, telling them how to behave securely. Enabling these headers adds an extra layer of protection, helping prevent attacks and ensuring a safer experience for your visitors.

Send HTTP Security Headers

Deny iframes, disable content sniffing, and remove detailed referrer data.

Send Permission Policy (Feature Policy)

Include the Permissions-Policy (formerly Feature-Policy) header to prevent any JavaScript from accessing the microphone, camera, geolocation, and browser payment APIs. This stops plugins, themes AND malware from using these mobile-specific features.

Deny Cross Origin Resource

Prevent other sites from loading your site in an iframe, and prevent external sites from making AJAX requests to your site.

Require SSL

Force SSL and refuse browser connections made without SSL. This will break your site if your SSL certificate expires.

Send Content Security Policy (CSP)

Advanced XSS protection that restricts external JavaScript from running. Enabling this feature prevents JavaScript from running from remote sites and can break some plugins if not configured correctly using the Edit button below. We recommend leaving this setting off for most sites. (CSP Documentation)
Edit
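To make the five header settings above concrete, here is an added example (not BitFire's code) that audits the headers of an HTTP response and reports which of those protections are present. The mapping from each setting name to specific headers is this example's assumption; the header names and values themselves are standard, browser-enforced headers. The two sample responses are constructed, not captured from a real site.

```python
"""Audit an HTTP response's headers against the protections described by the
"Security Headers" settings. Added example, not BitFire code; the mapping from
setting name to concrete headers is an assumption of this example."""
from typing import Dict, List, Optional

# Referrer-Policy values that never send the full URL to another origin
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
# Features the "Send Permission Policy" setting says it disables
SENSITIVE_FEATURES = ("microphone", "camera", "geolocation", "payment")


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def feature_disabled(headers: Dict[str, str], feature: str) -> bool:
    """True if Permissions-Policy (current name) or the older Feature-Policy
    header denies `feature` to every origin, including the page itself."""
    pp = get_header(headers, "Permissions-Policy") or ""
    for directive in pp.split(","):          # e.g. "camera=()"
        name, _, allowlist = directive.strip().partition("=")
        if name.strip() == feature and allowlist.strip() == "()":
            return True
    fp = get_header(headers, "Feature-Policy") or ""
    for directive in fp.split(";"):          # e.g. "camera 'none'"
        parts = directive.split()
        if parts[:1] == [feature] and parts[1:] == ["'none'"]:
            return True
    return False


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def audit_security_headers(headers: Dict[str, str]) -> Dict[str, bool]:
    """Map each setting name from the page to whether the response satisfies it."""
    xfo = (get_header(headers, "X-Frame-Options") or "").upper()
    csp = get_header(headers, "Content-Security-Policy") or ""
    csp_directives = [d.strip() for d in csp.split(";") if d.strip()]
    # "Deny iframes": either the legacy header or a CSP frame-ancestors directive
    frames_denied = xfo in {"DENY", "SAMEORIGIN"} or any(
        d.startswith("frame-ancestors") for d in csp_directives)
    nosniff = (get_header(headers, "X-Content-Type-Options") or "").lower() == "nosniff"
    referrer_ok = (get_header(headers, "Referrer-Policy") or "").lower() in SAFE_REFERRER
    corp = (get_header(headers, "Cross-Origin-Resource-Policy") or "").lower()
    # A wildcard CORS header would let any site read responses via AJAX
    acao = get_header(headers, "Access-Control-Allow-Origin")
    hsts_ok = hsts_max_age(get_header(headers, "Strict-Transport-Security") or "") > 0
    # Only checks that a script-restricting policy exists; whether it breaks a
    # plugin can only be found by testing the site with the policy enabled
    csp_ok = any(d.startswith(("default-src", "script-src")) for d in csp_directives)
    return {
        "Send HTTP Security Headers": frames_denied and nosniff and referrer_ok,
        "Send Permission Policy": all(feature_disabled(headers, f)
                                      for f in SENSITIVE_FEATURES),
        "Deny Cross Origin Resource": corp in {"same-origin", "same-site"} and acao != "*",
        "Require SSL": hsts_ok,
        "Send Content Security Policy": csp_ok,
    }


def missing_protections(headers: Dict[str, str]) -> List[str]:
    """Names of the settings whose headers are absent or too weak."""
    return [name for name, ok in audit_security_headers(headers).items() if not ok]


# Constructed sample responses (not captured from a real site)
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'self'",
}
STOCK_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Powered-By": "PHP/8.2",   # constructed; a stock install sends no protections
}

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED_RESPONSE), ("stock", STOCK_RESPONSE)):
        print(label, "missing:", missing_protections(resp) or "nothing")
```

Run it against a dictionary built from a real response (for example from `requests.get(url).headers`) to see which of the toggles above are already covered by your hosting provider or another plugin before enabling them twice.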

Bot Blocking Enable (BitFire Fire Bot Blocking Documentation)

Bot blocking is like setting up a virtual bouncer for your WordPress site. Bots are automated programs that can do bad things like hacking, spamming, or stealing data. By blocking them, you protect your site from attacks like brute force login attempts, content scraping, and DDoS attacks, making your site safer and more reliable for your visitors.

Require Full Browser

New/anonymous visitors must pass a lightweight, hidden JavaScript test before full access is granted. Until then, they remain in a restricted state. Direct access to protected areas (e.g., /wp-admin/) may briefly display a verification page while the test completes.

Restrict bot access

Restrict bots to only viewing web pages and accessing the scripts, actions, and parameters listed under Anonymous Restrictions below. You can grant any bot more access from the Bot Control page.

Block Hacking Tools

Block bots using default malware, scanning, or hacking tools (nmap, wpscan, nikto, etc.).

Block Plugin and Theme Scanners

Return fake data to corrupt the results of plugin and theme scanners (WPScan, etc.).

Denial of Service Protection

Fast blocking of IP addresses that exceed the request rate per minute. Does not affect Google or browsers running JavaScript. Also automatically creates IP blocks for high-confidence abuse to conserve server resources.

Edit Allowed Anonymous Restrictions

BitFire automatically learns and adds safe parameters, scripts, and endpoints for your site. Sometimes, when new plugins are installed or updated, additional items may need to be added here. You can update this list yourself by “unblocking” requests in the Dashboard, or by turning on “Learning Mode” again from the Rule Exceptions page.

Anonymous GET Parameters

Tracking or other harmless URL parameters that visitors and bots can use without verification, comma-separated. ({{learning}})

Anonymous PHP Scripts

Specific PHP files that can be accessed directly without browser or bot validation, comma-separated. ({{learning}})

Anonymous Ajax Actions

Extra admin-ajax.php actions that anyone can run without browser or bot validation, comma-separated. ({{learning}})

Anonymous Rest API Endpoints

Extra wp-json API endpoints that anyone can access without browser or bot validation, comma-separated. ({{learning}})
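The four allowlists above decide what a visitor who has not yet passed browser or bot validation may do. The following added example (not BitFire's implementation) models that decision: it parses the comma-separated settings and answers, for one request, whether an unverified visitor may proceed and why. The matching rules (GET-only page views, basename matching for scripts, prefix matching for REST routes) and the setting key names are this example's assumptions; the settings values are constructed.

```python
"""Model of the 'Anonymous Restrictions' allowlists: decide whether a request
from a not-yet-verified visitor (no JS check passed, not a known-good bot) may
proceed. Added example; the matching rules and setting keys are assumptions of
this example, not BitFire's actual implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

AJAX_SCRIPT = "/wp-admin/admin-ajax.php"
REST_PREFIX = "/wp-json/"


def parse_list(value: str) -> Set[str]:
    """Turn a comma-separated settings value into a set of non-empty entries."""
    return {item.strip() for item in value.split(",") if item.strip()}


@dataclass(frozen=True)
class AnonymousRestrictions:
    get_params: Set[str]      # "Anonymous GET Parameters"
    php_scripts: Set[str]     # "Anonymous PHP Scripts" (file basenames)
    ajax_actions: Set[str]    # "Anonymous Ajax Actions"
    rest_endpoints: Set[str]  # "Anonymous Rest API Endpoints" (route prefixes)

    @classmethod
    def from_settings(cls, settings: Dict[str, str]) -> "AnonymousRestrictions":
        # Setting key names are hypothetical, chosen for this example
        return cls(
            get_params=parse_list(settings.get("anon_get_params", "")),
            php_scripts=parse_list(settings.get("anon_php_scripts", "")),
            ajax_actions=parse_list(settings.get("anon_ajax_actions", "")),
            rest_endpoints=parse_list(settings.get("anon_rest_endpoints", "")),
        )


def check_unverified_request(method: str, url: str, rules: AnonymousRestrictions,
                             form: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for an unverified visitor's request.

    Rules modelled from the settings descriptions (assumption):
      * admin-ajax.php: only the listed actions, via GET or POST body
      * any other PHP script: only the listed basenames
      * wp-json: only routes equal to, or under, a listed endpoint
      * plain pages: GET only, and every query parameter must be listed
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    query = parse_qs(parts.query, keep_blank_values=True)
    form = form or {}
    method = method.upper()

    if path == AJAX_SCRIPT:
        action = (query.get("action") or [form.get("action", "")])[0]
        if action in rules.ajax_actions:
            return True, f"ajax action '{action}' is allowed anonymously"
        return False, f"ajax action '{action}' requires verification"

    if path.endswith(".php"):
        script = path.rsplit("/", 1)[-1]
        if script in rules.php_scripts:
            return True, f"script {script} is allowed anonymously"
        return False, f"direct access to {script} requires verification"

    if path.startswith(REST_PREFIX):
        if any(path == ep or path.startswith(ep.rstrip("/") + "/")
               for ep in rules.rest_endpoints):
            return True, f"REST route {path} is allowed anonymously"
        return False, f"REST route {path} requires verification"

    if method != "GET":
        return False, f"{method} to a page requires verification"
    unknown = sorted(set(query) - rules.get_params)
    if unknown:
        return False, f"unlisted parameter(s) {unknown} require verification"
    return True, "plain page view"


# Constructed settings values, not defaults shipped by the plugin
SAMPLE_SETTINGS = {
    "anon_get_params": "utm_source, utm_medium, fbclid",
    "anon_php_scripts": "wp-login.php, wp-cron.php",
    "anon_ajax_actions": "newsletter_signup",
    "anon_rest_endpoints": "/wp-json/wp/v2/posts",
}
RULES = AnonymousRestrictions.from_settings(SAMPLE_SETTINGS)

if __name__ == "__main__":
    for method, url, form in (
        ("GET", "/?utm_source=news", None),
        ("GET", "/?s=search", None),
        ("GET", "/xmlrpc.php", None),
        ("POST", AJAX_SCRIPT, {"action": "newsletter_signup"}),
        ("GET", "/wp-json/wp/v2/users", None),
    ):
        allowed, reason = check_unverified_request(method, url, RULES, form)
        print("ALLOW" if allowed else "VERIFY", method, url, "-", reason)
```

The deny paths return a reason string rather than a bare boolean so that, as with the Dashboard's "unblocking" flow described above, an operator can see exactly which list an entry would have to be added to.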

Web Application Firewall Features Enable (Traditional WAF configuration)

Block exploits common to all websites: XSS, SQLi, malicious file uploads, etc. This runs after bot/browser verification and can block common web attacks and exploits aimed at logged-in users.

Generic Web Blocking

Block generic attacks: XXE, SSI, SSRF, CSRF, etc.

Block XSS

Block Cross-Site Scripting attacks.

Block SQLi

Block SQL injection attacks.

Block Malicious Files

Inspect all file uploads for malicious code.

Runtime Application Self-Protection (RASP) Enable (Runtime Application Self-Protection)

RASP is like having a security guard inside your WordPress site. Instead of just watching traffic at the door, it watches what is actually happening inside the site. Whenever something important happens, like creating a new account, saving a file, or making a connection to another server, RASP double-checks that it is being done by a real, authorized user. If it is not, the action is stopped immediately and recorded. This means hackers cannot secretly upload harmful files or slip in a hidden backdoor account.

File Protection

Prevent exploits from adding, changing, or deleting PHP files unless the request comes from a user logged in as an Administrator.

Database Protection

Monitors all database queries and changes to prevent unauthorized access or privilege escalation.

Network Protection

Prevent your server from connecting to bot command-and-control networks and stop man-in-the-middle attacks (EVILGINX, etc.).

Login & Account Protection

Adds an additional check to ensure any actions performed as Administrator have authenticated with a password. Prevents authentication bypass attacks and exploits. (Note: may affect plugins that use alternative login methods.)

Server Configuration

These settings are auto-configured for your server. Only change them if you are certain of the settings.

Server Side Cache ({{shmop_notice}})
Cloudflare (1.1.1.1) or localhost
HTTP response code for block page (recommend 401 or 403)
IP Address, X-Forwarded, Forward
HTTP code for the JS verification page (recommend 303 or 428)
Log BitFire PHP errors and send to developers
Allow BitFire support team to review and fix server errors
Delete all BitFire caches, server counters, and saved IP state. Developer use.

BitFire PRO / PREMIUM Licensing

Check your email for license code after purchase

Uninstall BitFire

This will uninstall BitFire from the startup script and remove all files.

The script files can be removed after the PHP cache expires (5 minutes).