Let’s fix your install issue.

Install Guides

Install Quick Start - For non-WordPress websites or repairing non accessible WordPress site

WordPress Issues

Issues related to installing and running BitFire on WordPress

6 answers

BitFire is compatible with other security plugins and can run in always on mode with other WordPress security plugins. This is NOT a recommended operating mode but is supported. To run both plugins in always-on mode (Optimized mode for WordFence) you must add the additional plugin startup script to BitFire config.ini "auto_prepend_file". For WordFence this would be adding the line auto_prepend_file = '/wordfence-waf.php' to your wp-content/plugins/bitfire/config.ini file.

Did this help solve your issue?

Some hosting providers implement restrictions on that prevent enabling Always-On

Some hosting providers (WPEngine as an example) will not allow normal admin pages to edit the bootstrap process. To bypass this restriction, BitFire will enable "always-on" protection if the plugin is disabled and then re-enabled within 60 seconds. The plugin deactivate and reactive process will tell BitFire to enable Always-On functionality during the activation step which these hosting providers do allow.

Did this help solve your issue?

BitFire standalone is an excellent choice if you are unable to access your WordPress admin panel or if you are Installing outside of a WordPress environment. For normal WordPress users, installing from the WordPress Plugin Repo is best.

Did this help solve your issue?

If you are running as a wordpress plugin this can happen if the config file becomes corrupted. Edit the /wp-content/plugins/bitfire_/config.ini file and set password = "disabled". Make sure the encryption key and secret are set to 32 character random strings.

If you are unable to login the standalone BitFire dashboard, you can reset the admin password by editing the config.ini file in your BitFire directory and setting the password="" entry to the clear text password you would like to use. BitFire will encrypt this password for you on first use and save it back to the config.ini file.

Did this help solve your issue?

This can happen for many reasons, but if BitFire is involved, the issue is typically a .user.ini config file with auto_prepend_file pointing to a non-existing file. This can happen on system restores or when manually moving wordpress installs between servers. Make sure the ini setting auto_prepend_file is set to the valid path to /plugins/bitfire/startup.php in the .user.ini file in your website's web root directory (WordPress root directory).

Did this help solve your issue?

For non-WordPress users, If you are still unable to edit the config.ini file and unable to login, you can force a password reset of the BitFire settings / dashboard for standalone mode. Create a new file with a single line of your new password in your root web server directory (WordPress root directory) named "BitFire.recovery." (replace with a unique non-guessable random number). If BitFire is unable to authenticate a password, it will look for any file in the root directory with this name format and set the password to whatever is in the file.

Did this help solve your issue?

Bot Blocking

Issues related to bot blocking.

2 answers

There are 2 cases where a bot you want to allow may be blocked. The first is when the bot is claiming to be a real web browser (chrome, Firefox, etc). Any request claiming to be a browser that doesn't match the correct fingerprint, will be sent a JavaScript challenge to validate itself. Since the bot doesn't know how to handle that response, the bot fails. This behavior is what blocks 99% of hacks.

#1, You can allow these bots by finding them in the BitFire dashboard. You can usually identify them as making direct calls to an /wp-admin/admin-ajax.php request, /wp-json/ or a direct call to a php file in /wp-content/plugins/<plugin_name>. This request will be marked as "Browser Check". Verify that it is not a malicious IP by doing a reputation check in the dashboard. (click the 3 ... icon on the right side of the request)

Once you are sure you have found the correct blocked request, use the action menu to select "allow IP" or "allow user-agent". This will tell BitFire that the particular IP or User-Agent should be allowed access to the website without doing fingerprint or JavaScript validation.

#2, The second type are bots that advertise themselves as a robot. These bots can be configured directly from the Bot Control page. Find the bot that is being blocked and selected "Authentication" from the action menu. This will add DNS authentication from this bot and allow it to connect to your site. Some bots may not have reverse DNS configured and you will have to select "allow from ANY IP" to allow this particular bot.

Did this help solve your issue?

Effective bot blocking is the single most important thing you can do to keep your site secure. Effective bot blocking identifies real human operated browsers and approved bots. All other connections to the website are blocked. This includes: login attacks, web scraping, plugin / theme enumeration, vulnerability scanning and even exploit execution. All of these attacks are executed by automated tools and bots which are stoped with effective bot control.

Did this help solve your issue?

Related Help Center Categories

If you didn’t find what you needed, these could help!


Connecting with 3rd party apps to exchange data.

0 entries

Security Issues

Solutions for specific security problems.

1 entry


Improving your website speed and reliability.

0 entries