Install Guide
Part 2 - Setup

BitFire is a best-in-class firewall for PHP websites. It eliminates automated hacking attempts and stops over 140 other security threats.

Cory Marsh
Cory Marsh has over 20 years of internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's YouTube channel.
TL;DR:
  • After install, visit https://www.your_domain.com/bitfire
  • Enable browser verification and verify your site still loads as expected
  • If your site has difficulty loading, disable browser verification in the dashboard

This guide walks you through the post-install configuration. You will learn how to configure the firewall and what each setting in the GUI does.

Most websites can run with all blocking settings enabled without BitFire blocking valid traffic. Occasionally something will be blocked that should be allowed; this is expected.

If you notice good traffic being blocked in the dashboard, or you see a page or feature being blocked that should be allowed, find the request in the block list on the dashboard and click the Magic Wand. This tells BitFire to allow that specific traffic in the future.

Enable Browser Verification


BitFire ships with a list of over 100 identifiable hacking tools that are blocked by default. To fully block all automated requests, BitFire must also verify that the client is a real web browser.

Web Browser Verification sends a JavaScript challenge to verify that the client is an actual web browser. The browser receives the challenge and sends the response back in about 50ms. Once BitFire verifies the request, it stores an encrypted cookie in the browser and does not require verification again for 1 hour.

To enable Browser Verification, go to your dashboard, select "require browser" and set it to "block". BitFire can only validate web browsers if cookies or server_cache is enabled. Verify that the website continues to work as expected. In rare cases this can cause problems with some server cache configurations. If you notice any issues, disable "Require Browser" and contact support for personalized setup assistance.
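The round trip described above, challenge, answer, then a time-limited cookie, is easier to reason about in code. The following is an added illustration written for this guide, not BitFire's own implementation: the challenge format, the cookie name "_bv", the HMAC-signed token (used here in place of the encrypted cookie BitFire stores) and all function names are assumptions. The only values taken from the guide are the 1-hour validity window and the idea that a client that never runs the JavaScript never gets past the challenge.

```php
<?php
// Added illustration of a browser-verification round trip. This is NOT
// BitFire's code: the challenge format, the cookie name "_bv", the HMAC-based
// token (used in place of the encrypted cookie the guide mentions) and every
// function name are assumptions made for this example.
declare(strict_types=1);

const BV_COOKIE = '_bv';
const BV_TTL    = 3600; // the guide states verification is cached for 1 hour

// Server-side secret; in a real deployment load it from configuration.
function bv_secret(): string
{
    return getenv('BV_SECRET') ?: 'dev-only-secret-change-me';
}

// Step 1: no valid cookie yet, so issue a challenge. The nonce is tagged with
// an HMAC so the server can recognise its own challenge without storing it.
function bv_make_challenge(): array
{
    $nonce = bin2hex(random_bytes(16));
    $tag   = hash_hmac('sha256', 'challenge:' . $nonce, bv_secret());
    return ['nonce' => $nonce, 'tag' => $tag];
}

// Step 2: check the answer computed by the page's JavaScript. Here the
// expected answer is SHA-256 of the nonce, which a client that does not run
// JavaScript (curl, most scanners) never produces.
function bv_check_answer(string $nonce, string $tag, string $answer): bool
{
    $expectedTag = hash_hmac('sha256', 'challenge:' . $nonce, bv_secret());
    if (!hash_equals($expectedTag, $tag)) {
        return false; // the nonce was not issued by this server
    }
    return hash_equals(hash('sha256', $nonce), $answer);
}

// Step 3: mint the cookie value "expiry.mac". The MAC covers the expiry and
// the client address, so the value cannot be extended or replayed elsewhere.
function bv_cookie_value(int $now, string $ip): string
{
    $exp = $now + BV_TTL;
    $mac = hash_hmac('sha256', $exp . ':' . $ip, bv_secret());
    return $exp . '.' . $mac;
}

// Set the cookie on a real response: HttpOnly, Secure, SameSite=Lax.
function bv_set_cookie(string $value): void
{
    setcookie(BV_COOKIE, $value, ['expires' => time() + BV_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Step 4: on later requests accept the cookie only if it is untampered and
// has not passed its expiry; anything else falls back to a new challenge.
function bv_cookie_valid(string $value, int $now, string $ip): bool
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$exp, $mac] = $parts;
    if ((int) $exp < $now) {
        return false; // expired: the 1-hour window has passed
    }
    return hash_equals(hash_hmac('sha256', $exp . ':' . $ip, bv_secret()), $mac);
}

// Walk through the flow once and return true if every step behaves.
function bv_self_test(): bool
{
    $now = time();
    $ip  = '203.0.113.7'; // constructed documentation address

    $c      = bv_make_challenge();
    $answer = hash('sha256', $c['nonce']); // what the browser JS would send
    $ok = bv_check_answer($c['nonce'], $c['tag'], $answer);
    $ok = $ok && !bv_check_answer($c['nonce'], $c['tag'], 'not-a-browser');

    $cookie = bv_cookie_value($now, $ip);
    $ok = $ok && bv_cookie_valid($cookie, $now + 10, $ip);
    $ok = $ok && !bv_cookie_valid($cookie, $now + BV_TTL + 1, $ip);   // expired
    $ok = $ok && !bv_cookie_valid($cookie, $now + 10, '198.51.100.9'); // other client
    $ok = $ok && !bv_cookie_valid('9999999999.tampered', $now, $ip);  // bad MAC
    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo bv_self_test() ? "browser verification flow OK\n" : "FAILED\n";
}
```

Binding the token to the client address is a hardening choice made for this example, not something the guide states; it also means a visitor whose address changes mid-session is re-challenged once, which is the same kind of "good traffic re-verified" behaviour the caching note above warns about.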

Force SSL For All Requests

HSTS is a web browser standard that forces clients to connect only over SSL (https). If you have an SSL certificate for your website and no need for unencrypted traffic, you should enable "force_ssl_1year". BitFire recommends enabling this setting unless you have a compelling reason not to.

This setting prevents any client from accidentally connecting to your website over unencrypted communication.

If your SSL certificate expires, you will not be able to access your site until you update your SSL certificate.
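What "force SSL" does on the wire is a redirect for plain-HTTP requests plus a Strict-Transport-Security header on HTTPS responses. The example below is added for this guide and is not BitFire's implementation; the one-year max-age mirrors the "force_ssl_1year" setting name, the header itself is standard HSTS, and the hostname allow-list and function names are assumptions. It also shows why the certificate warning above holds: once a browser has cached the header, it upgrades every request itself and refuses to let the user click through a certificate error.

```php
<?php
// Added example of what a "force SSL" setting does on the wire. It is not
// BitFire's code; the guide names the setting "force_ssl_1year", and the
// header below is standard HSTS. The allow-list of hostnames and the function
// names are assumptions for this example.
declare(strict_types=1);

const ONE_YEAR = 31536000; // 365 days, matching the setting's name

// Did this request arrive over TLS? Only trust X-Forwarded-Proto if your
// reverse proxy overwrites the client-supplied value.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Decide how to enforce TLS for one request. Returns [status, headers] so the
// logic can be tested without emitting anything.
function force_ssl(array $server, array $allowedHosts, int $maxAge = ONE_YEAR): array
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Never build a redirect from an arbitrary Host header; an untrusted value
    // could otherwise send visitors to a host you do not control.
    if (!in_array($host, $allowedHosts, true)) {
        return [400, []];
    }
    if (!request_is_https($server)) {
        // Plain HTTP: redirect once. HSTS is deliberately not sent here;
        // browsers ignore the header on non-TLS responses.
        $uri = $server['REQUEST_URI'] ?? '/';
        return [301, ['Location' => 'https://' . $host . $uri]];
    }
    // Over TLS: the browser now upgrades every request itself for max-age
    // seconds, even when a user types http://. This is also why an expired
    // certificate locks users out: browsers will not let them click through.
    return [200, ['Strict-Transport-Security' => 'max-age=' . $maxAge]];
}

// Emit the decision for the live request (call before any output).
function apply_force_ssl(array $allowedHosts): void
{
    [$status, $headers] = force_ssl($_SERVER, $allowedHosts);
    http_response_code($status);
    foreach ($headers as $name => $value) {
        header($name . ': ' . $value);
    }
    if ($status !== 200) {
        exit;
    }
}

// Constructed requests exercising each branch.
function force_ssl_self_test(): bool
{
    $hosts = ['www.example.com']; // constructed allow-list
    $http  = ['HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/bitfire', 'HTTPS' => ''];
    $https = ['HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/bitfire', 'HTTPS' => 'on'];
    $other = ['HTTP_HOST' => 'unknown.example', 'REQUEST_URI' => '/', 'HTTPS' => ''];

    [$s1, $h1] = force_ssl($http, $hosts);
    [$s2, $h2] = force_ssl($https, $hosts);
    [$s3]      = force_ssl($other, $hosts);
    return $s1 === 301 && $h1['Location'] === 'https://www.example.com/bitfire'
        && $s2 === 200 && $h2['Strict-Transport-Security'] === 'max-age=31536000'
        && $s3 === 400;
}

if (PHP_SAPI === 'cli') {
    echo force_ssl_self_test() ? "force SSL logic OK\n" : "FAILED\n";
}
```

Because browsers remember the header for the full max-age, turn the setting on only after the certificate renewal process is known to work; the header cannot be "taken back" from clients that have already seen it except by serving max-age=0 over a valid HTTPS connection.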

Enable Spam Filter

Enabling browser verification alone stops over 90% of spam. When the spam filter is enabled, obviously spammy content such as "meet single", "100% free" and "click here" is blocked as well.

Enable Profanity Block

The profanity block replaces common profanity words with the string &#$!%. The content is not blocked, only filtered, and this happens transparently before the content is sent to your web application.
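The two settings above behave differently: a spam match blocks the request, while profanity is only masked and the request continues to the application. The following added example for this guide makes that difference concrete; it is not BitFire's code. The three spam phrases and the mask string &#$!% are quoted from the guide, the profanity word list is a placeholder, and the function names are assumptions. It needs PHP 8 for str_contains.

```php
<?php
// Added illustration of how the spam filter and the profanity block differ:
// a spam hit blocks the request, profanity is only masked and the request
// continues. Not BitFire's code; the three spam phrases and the mask string
// "&#$!%" are quoted from the guide, the profanity list is a placeholder and
// the function names are assumptions. Requires PHP 8 (str_contains).
declare(strict_types=1);

// Phrases the guide gives as examples of obviously spammy content.
const SPAM_PHRASES = ['meet single', '100% free', 'click here'];

// Placeholder words standing in for a maintained profanity list.
const PROFANITY = ['badword', 'worseword'];

// Replacement string quoted in the guide.
const MASK = '&#$!%';

// Returns the first spam phrase found in $text, or null if none.
// Case and repeated whitespace are normalised so "Click   HERE" still matches.
function spam_match(string $text): ?string
{
    $norm = strtolower(preg_replace('/\s+/', ' ', $text));
    foreach (SPAM_PHRASES as $phrase) {
        if (str_contains($norm, $phrase)) {
            return $phrase;
        }
    }
    return null;
}

// Masks whole profane words only. The \b anchors keep innocent words that
// merely contain a listed word intact, at the cost of missing "badwords".
function mask_profanity(string $text): string
{
    $alternatives = implode('|', array_map(
        static fn(string $w): string => preg_quote($w, '/'),
        PROFANITY
    ));
    return preg_replace('/\b(?:' . $alternatives . ')\b/iu', MASK, $text);
}

// Apply both filters to the fields of a request (for example $_POST).
// A spam hit stops processing; otherwise the cleaned fields are returned for
// the application to use in place of the raw input.
function filter_request(array $fields): array
{
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $hit = spam_match($value);
        if ($hit !== null) {
            return ['blocked' => true, 'reason' => "spam phrase \"$hit\" in $name", 'fields' => []];
        }
        $fields[$name] = mask_profanity($value);
    }
    return ['blocked' => false, 'reason' => null, 'fields' => $fields];
}

// Constructed form submissions exercising both paths.
function filter_self_test(): bool
{
    $spam = filter_request(['comment' => 'Lonely? Meet  single people now', 'name' => 'x']);
    $rude = filter_request(['comment' => 'This BADWORD plugin is badwords', 'name' => 'x']);
    return $spam['blocked'] === true
        && $rude['blocked'] === false
        && $rude['fields']['comment'] === 'This &#$!% plugin is badwords';
}

if (PHP_SAPI === 'cli') {
    echo filter_self_test() ? "content filters OK\n" : "FAILED\n";
}
```

Whole-word matching is the usual trade-off for a profanity filter: it avoids mangling ordinary words that happen to contain a listed string, which is the same reason the guide can describe the block as transparent to your application.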
