Master switches that govern whether BitFire runs at all, how it boots, and how it tells you about what it's doing. Settings documentation
Master switch: turn off to disable all blocking, headers, RASP, and bot rules at once.
Capture errors and warnings across all plugins and themes for 24 hours, viewable in the BitFire error log.
Server health, uptime monitor, security stats, and notifications about active plugin vulnerabilities.
Run the malware scanner automatically on the selected cadence. Results are included in the daily email report.
BitFire cannot protect direct PHP script access unless it is loaded via the PRO version auto-prepend loader.
Tell browsers how to behave around your site, deny iframes, block content sniffing, control where JavaScript and CSS may load from, and require SSL. These headers add defence-in-depth on top of the WAF without touching your application code.
Deny iframes, disable content sniffing, and trim the referer to its origin.
Block scripts - including malware - from accessing the microphone, camera, geolocation, and browser payment APIs. Most plugins and themes don't require these anyway.
Prevent other sites from embedding your pages in an iframe or making AJAX requests against your origin.
Force HTTPS and disable plain-HTTP connections. This will break your site if your SSL certificate expires.
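As an added illustration (not BitFire's own code), the standard response headers that the four toggles above map to, built as a PHP array so the values can be inspected before they are sent; the option names in the array are assumptions made here:

```php
<?php
// Added example, not BitFire code. Header names and values are standard; which
// BitFire option emits which header is assumed from the option descriptions above.
function security_headers(array $opts): array {
    $h = [];
    if (!empty($opts['frame_nosniff_referer'])) {
        $h['X-Frame-Options']        = 'DENY';    // deny iframes everywhere
        $h['X-Content-Type-Options'] = 'nosniff'; // browsers must honour Content-Type
        // Send only the origin when leaving the site (assumed; 'origin' trims it always).
        $h['Referrer-Policy'] = 'strict-origin-when-cross-origin';
    }
    if (!empty($opts['permissions'])) {
        // An empty allowlist "()" means no origin, including scripts on this page, may use the API.
        $h['Permissions-Policy'] = 'microphone=(), camera=(), geolocation=(), payment=()';
    }
    if (!empty($opts['cross_origin'])) {
        // CORP refuses cross-origin subresource loads; frame-ancestors is the CSP form of
        // the iframe denial. Cross-origin AJAX reads stay blocked simply because no
        // Access-Control-Allow-Origin header is ever sent.
        $h['Cross-Origin-Resource-Policy'] = 'same-origin';
        $h['Content-Security-Policy']      = "frame-ancestors 'none'";
    }
    if (!empty($opts['hsts'])) {
        // HSTS pins browsers to HTTPS for max-age seconds; as the option warns, an
        // expired certificate then makes the site unreachable until it is renewed.
        $h['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $h;
}

// Headers must go out before any response body, e.g. from WordPress's send_headers action.
function send_security_headers(array $opts): void {
    foreach (security_headers($opts) as $name => $value) {
        header("$name: $value");
    }
}

if (function_exists('add_action')) {
    add_action('send_headers', function () {
        // Mirror the defaults a cautious site might choose: HSTS left off until the
        // certificate renewal process is known to be reliable.
        send_security_headers([
            'frame_nosniff_referer' => true,
            'permissions'           => true,
            'cross_origin'          => true,
            'hsts'                  => false,
        ]);
    });
}
```

Check the result with `curl -sI https://example.invalid/` (placeholder host) and confirm each header appears exactly once, since a duplicate from another plugin or the web server can override these values.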
Set the bouncer at the door. Verify real browsers, restrict what bots can touch, block known hacking tools, and rate-limit aggressive clients. Bot control documentation
New visitors must pass a hidden, lightweight JavaScript challenge before they can submit forms or interact with the site.
Direct hits to /wp-admin/ may briefly show a verification page.
Bots may only fetch web pages plus the scripts, actions, parameters, and APIs you whitelist below. Grant individual bots more access from the Bot Control page.
Block bots running default malware, scanning, or hacking tools - nmap, wpscan, nikto, sqlmap, and similar.
Return fake data to corrupt plugin and theme scanner results - WPScan and similar - so attackers can't enumerate vulnerabilities.
Fast-block IPs over a per-minute request rate. Does not affect Google or browsers running JavaScript. High-confidence abuse also auto-converts into IP blocks to conserve server resources.
Manage anonymous GET parameters, PHP scripts, AJAX actions, and REST endpoints on the Rule Exceptions page.
Block exploits common to all websites - XSS, SQLi, malicious file uploads, and generic web attacks. The WAF runs after bot/browser verification and protects logged-in users too.
Block generic web attacks: XXE, SSI, SSRF, CSRF, path traversal, and similar.
Block reflected and stored cross-site-scripting attacks.
Block SQL injection attacks across query strings, POST bodies, and cookies.
Inspect every file upload for embedded malicious code or shell payloads before it lands on disk.
A guard inside WordPress, not just at the door. RASP watches what your code is actually doing - creating accounts, writing files, opening sockets - and stops anything an authorized user did not authorize. Hackers can't quietly drop in a backdoor admin or rewrite a PHP file. RASP overview
Add access-control checks to all file modifications, preventing malware infections.
Monitor database queries and block unauthorized account changes or privilege escalation in real time.
Block outbound connections to bot command-and-control networks. Stops EVILGINX-style man-in-the-middle attacks initiated from the server.
Verifies that any administrator action is actually authenticated by password, blocking authentication-bypass exploits. May affect plugins that use alternative login methods.
Issues from the most recent system check, with counts of critical and warning items. Re-run the check below to refresh.
Auto-configured for your server. Only change these if you know exactly why; most sites run fine on the defaults.
Server-side cache backend. SHMOP is preferred when available; the JSON fallback uses a bounded 2048-bucket file cache for IPData and STAT counters.
How BitFire serializes concurrent writes to bot data, learning buffers, and counters. Auto-detected by system check. Change only if your filesystem or cluster topology requires a specific primitive (e.g. fopen(x) for NFS-shared wp-content).
Recursive DNS used for bot verification. 1.1.1.1 (Cloudflare) or localhost.
HTTP status sent to blocked clients. Recommend 401 or 403.
Where to read the client's real IP. Behind a CDN, choose the matching forwarded header.
HTTP status sent with the JS verification page. 401 or 428 recommended to prevent caching proxies from caching the challenge page.
Log BitFire-internal PHP errors and forward them to BitFire developers. Disable to keep developers in the dark about issues.
Allow BitFire support to review and fix BitFire configuration errors. No WordPress access is granted.
Delete all BitFire caches, server counters, and saved IP state. Rarely necessary.
BitFire has been removed from the startup script. In ~5 minutes the PHP .user.ini cache expires and the new settings take effect. After that, you can safely delete the script files from your server.
When the timer reaches zero, the Remove files button will activate.