BitFire is a best-in-class firewall for PHP websites. It eliminates automated hacking attempts and stops over 140 other security threats.
This guide walks you through the post-install configuration. You will learn how to configure the firewall and what each setting in the GUI does.
Most websites can operate with all blocking settings enabled without BitFire blocking valid traffic. Occasionally something will be blocked that should be allowed. This is expected.
If you notice good traffic being blocked in the dashboard, or you see a page or feature being blocked that should be allowed, find the request in the block list on the dashboard and click on the Magic Wand. This will tell BitFire to allow this specific traffic in the future.
BitFire comes with a list of over 100 identifiable hacking tools that will be blocked by default. To fully block all automated requests, we must validate web browsers.
Web Browser Verification sends down a JavaScript challenge to verify the client is an actual web browser. The browser receives the challenge and sends the response back in about 50ms. Once BitFire verifies the request, it will store an encrypted cookie on the browser and will not require verification again for 1 hour.
To enable Browser Verification, go to your dashboard, select "require browser" and set this to "block". BitFire can only validate web browsers if cookies or server_cache is enabled. Verify that the website continues to work as expected. In rare cases this can cause problems with some server cache configurations. If you notice any issues, disable "Require Browser" and contact support for personalized setup assistance.
HSTS is a web browser standard that forces clients to only connect over SSL (https) connections. If you have an SSL certificate for your website, and no need for non-encrypted traffic, you should enable "force_ssl_1year". BitFire recommends you enable this setting unless you have a compelling reason not to.
This setting will prevent any client from accidentally connecting to your website with unencrypted communication.
If your SSL certificate expires, you will not be able to access your site until you update your SSL certificate.
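After enabling the setting, it is worth confirming what policy browsers actually receive. The following is an added example, not BitFire code: it validates a Strict-Transport-Security header value against the RFC 6797 parsing rules. It assumes that "force_ssl_1year" is meant to produce a max-age of at least 31536000 seconds (the page does not state the header value); the function names and sample values are constructed for illustration.

```python
# Added example: validate a Strict-Transport-Security header value (RFC 6797).
# Assumption: "force_ssl_1year" should yield max-age >= 31536000 seconds.
ONE_YEAR = 365 * 24 * 60 * 60  # 31536000


def parse_hsts(value):
    """Return {directive: value-or-None}, or None if the header is invalid.

    RFC 6797 section 6.1: directive names are case-insensitive, a directive
    must not appear twice, and max-age is required.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (";;" or a trailing ";") are allowed
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
            arg = arg[1:-1]  # quoted-string form, e.g. max-age="31536000"
        if name in directives:
            return None  # duplicate directive: browsers ignore the header
        directives[name] = arg if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        return None
    return directives


def check_hsts(value, scheme="https"):
    """Return a list of problems; an empty list means the policy is as expected."""
    if scheme != "https":
        return ["header sent over http is ignored by browsers"]
    policy = parse_hsts(value)
    if policy is None:
        return ["header is malformed or lacks max-age"]
    problems = []
    age = int(policy["max-age"])
    if age == 0:
        problems.append("max-age=0 tells browsers to drop the HSTS policy")
    elif age < ONE_YEAR:
        problems.append("max-age %d is shorter than one year" % age)
    return problems


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real site.
    for sample in ("max-age=31536000", "max-age=3600; includeSubDomains",
                   "includeSubDomains", "max-age=0"):
        print(repr(sample), "->", check_hsts(sample) or "ok")
```

Feed it the header value from a response fetched over https, since browsers ignore the header on plain http responses.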
Enabling browser verification will stop over 90% of spam. When the spam filter is enabled, obviously spammy content such as "meet single", "100% free" and "click here" will be blocked.
The profanity block will replace common profanity words with the string &#$!%. The content is not blocked, only filtered, and this happens transparently before the content is sent to your web application.