Free 5 minute guide to install BitFire website firewall.

BitFire is a best-in-class firewall for PHP websites. It eliminates automated hacking attempts and stops over 140 other security threats.

Cory Marsh
Cory Marsh has over 20 years of Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's YouTube channel.
TL;DR:

This guide walks you through the free install in about 5 minutes. To begin, you will need:

  • Website login username and password (FTP, SSH, sudo, etc.)
  • Edit access for your PHP files
  • Edit permission for php.ini or .htaccess file

Upload BitFire to your webserver

  1. Download the latest BitFire release at https://github.com/bitslip6/bitfire/releases. Select zip if you use Windows, or tar.gz if you use macOS or Linux.
  2. If you have FTP access, extract the files on your desktop and upload the bitfire directory to your FTP server.
  3. If you have SSH access, you can download directly on the webserver to any directory you wish (usually a home directory) with this command (replace 1.8.1 with the latest version available at the time you download):
curl -L https://github.com/bitslip6/bitfire/archive/refs/tags/1.8.1.tar.gz -o bitfire.tar.gz && tar zxf bitfire.tar.gz

Locate - php.ini File

Next, locate your site's php.ini file. On Apache servers this file is traditionally at /etc/php/7.4/apache2/php.ini (replace 7.4 with your PHP version); on NGINX servers it is usually at /etc/php/7.4/fpm/php.ini.

If you are not sure where your php.ini file is, follow this procedure: Create a new file named: info.php in your webroot folder. If you are using ssh, you can create this file using nano or vim editors. Edit the file like so:

<?php phpinfo(); ?>
* Most FTP file managers can create and edit files directly, consult your FTP editor for details.

Now visit: https://www.your_domain.com/info.php
* replace your_domain.com with your actual domain name

"Loaded Configuration File" is the path of your php.ini file. If you do not have access to edit this file and you use the Apache web server, you can still install BitFire by editing your .htaccess file, as explained below.

Edit - php.ini File

Now that the files are on your web server, you need to tell PHP you want the firewall to run for every request. Before you do that, you need to know the full path of the BitFire startup.php file.

If you uploaded BitFire to your home directory (preferred method), the path would be something like "/home/username/bitfire/startup.php"

If you uploaded BitFire in your public HTML files (standard for FTP access), this path should be something like "/var/www/your_sitename/bitfire/startup.php". If you are unsure about the full path to your website root directory, look at the output of phpinfo in the previous step. The full path to your webroot directory is the value of "DOCUMENT_ROOT", located near the bottom of the info.php page.

Now, add the following line to your php.ini file:

auto_prepend_file = "/path/to/bitfire/startup.php"
* replace /path/to with the actual path to your BitFire files on the server
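
A pre-flight check for the line above, as an added example that is not part of the original guide or BitFire's own code: PHP loads auto_prepend_file as if by require, so a mistyped path produces a fatal error on every request. The function names and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BitFire code): check a php.ini before reloading PHP.

# Print the effective auto_prepend_file value: the last uncommented
# assignment, with trailing whitespace and surrounding double quotes removed.
prepend_value() {
  sed -n -E 's/^[[:space:]]*auto_prepend_file[[:space:]]*=[[:space:]]*//p' "$1" |
    tail -n 1 | sed -E 's/[[:space:]]+$//; s/^"(.*)"$/\1/'
}

# Return 0 if usable, 1 if unset or empty, 2 if not a full path, 3 if unreadable.
check_prepend() {
  _v=$(prepend_value "$1")
  [ -n "$_v" ] || { echo "auto_prepend_file is not set in $1"; return 1; }
  case $_v in
    /*) ;;
    *) echo "not a full path: $_v"; return 2 ;;
  esac
  [ -r "$_v" ] || { echo "PHP cannot read: $_v"; return 3; }
  echo "ok: $_v"
}

# Constructed sample: a temp directory standing in for the server layout.
make_sample() {
  _d=$(mktemp -d)
  mkdir -p "$_d/bitfire"
  echo '<?php // placeholder' > "$_d/bitfire/startup.php"
  # A stock php.ini ships an empty assignment; the guide's line is added after it.
  printf '%s\n' '; constructed php.ini' 'auto_prepend_file =' \
    "auto_prepend_file = \"$_d/bitfire/startup.php\"" > "$_d/good.ini"
  # Directive left commented out, so only the empty assignment is active.
  printf '%s\n' ';auto_prepend_file = "/path/to/bitfire/startup.php"' \
    'auto_prepend_file =' > "$_d/unset.ini"
  # Mistyped file name: the path does not exist.
  printf '%s\n' "auto_prepend_file = \"$_d/bitfire/start.php\"" > "$_d/typo.ini"
  echo "$_d"
}

sample=$(make_sample)
for ini in good unset typo; do
  check_prepend "$sample/$ini.ini" || echo "  -> fix $ini.ini before reloading PHP"
done
rm -rf "$sample"
```

Run the check as the user PHP runs under, since `-r` tests readability for the current user only.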

Edit - .htaccess File (only if unable to edit php.ini)

If you cannot edit php.ini, you can still enable the same setting through your site's .htaccess file. Open your root .htaccess file and add the following lines to the end of it.

<IfModule php7_module>
  php_value auto_prepend_file "/path/to/bitfire/startup.php"
</IfModule>
<IfModule lsapi_module>
  php_value auto_prepend_file "/path/to/bitfire/startup.php"
</IfModule>
* remember to replace /path/to with the path to your BitFire install


Congratulations, BitFire is now installed!

You can monitor your firewall at https://www.your_domain.com/bitfire

Please read the Setup Guide for instructions on how to get the most for your website security.
