Cory Marsh has over 20 years Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's you tube channel.
Paramètres de BitFire Core
La page des paramètres de BitFire vous permet d'activer et de désactiver chaque option de sécurité fournie par BitFire.
BitFire FREE comprend les fonctions de blocage de robots les plus complètes pour WordPress disponibles sur le marché..
Le blocage des robots est essentiel à la sécurité de votre site web. This free tool instantly stops brute force attacks,
credential stuffing attacks, SPAM, wpscan, nmap, nicko, nessus, python exploit scripts and any other hacking tool
targeting your website.
TL;DR: Enable all marked options and put an end to web attacks!
"BitFire Enable": Disabling this switch will turn off all Firewall, bot-blocking, logging, header, and RASP features. This is equivalent to disabling / uninstalling the WordPress plugin without disabling it.
"Always On Protection": Add BitFire to you user.ini auto_prepend startup. This is equivalent to WordFence "Optimize Mode". It can provide additional protection for your website. There is slight risk on some hosting providers do not support this feature well. Please ensure correct firewall functioning before enabling this feature. (5 min update time for PHP to see this change enabled or disabled)
"Log Everything": BitFire includes a binary access log capable of logging all HTTP requests to your server. By default it will log all browser checks and blocks. Enabling this feature will tell BitFire to log ALL requests, including allowed requests. The FREE binary log size is 512 events. PRO log size is 32,000
"Disable XMLRPC": Disabling XML RPC can increase the security of your website if you do not use it. Notable examples include JetPack integration, and the official WordPress mobile app. Notable security risks include automated login attacks. (NOTE, this are blocked with correct configuration of Bot Blocking)
En-têtes de sécurité BitFire
Contrairement à ce que disent de nombreux plugins de sécurité WordPress. Il y a pas de protection XSS avec les en-têtes HTTP . Les politiques de sécurité du contenu offrent toutefois une excellente protection contre les attaques XSS, les attaques par redirection et de nombreuses autres attaques par navigateur.. Il peut être frustrant de le configurer pour de nombreux sites, notre option PRO auto-configure est recommandée pour les configurations WordPress difficiles..
"Send HTTP Security Headers": Send the core HTTP security headers. These options instruct the web browser how to handle data in a more secure way. And are compatible with 99% of websites.
"Require SSL": Send and HSTS header instructing browsers to never connect to your site without using SSL. This feature is recommended for most sites, however if your SSL certificate expires, your website will not be accessible in any way until the certificate is updated.
"Send Content Security Policy": Send a global content-security policy to web browsers not accessing your front end web content. This requires adding every domain that your sites loads resources from to the included text area. After enabling this option load your site, find what breaks and add those domains to the editable list. If possible, remove any 'unsafe-inline' resources.
"Send Permission Policy": The permission policy controls which APIs are available on your website. This can be used to restrict access to the browser camera, microphone, geo location services, etc. Restricting this access will prevent any possibly malicious JavaScript from accessing those client mobile resources. The default option disables most additional features.
"Deny Cross Origin Resource Sharing": This option controls how your web site will handle external web sites making dynamic requests to this site. Enabling this feature explicitly denies these potentially dangerous client side requests. Compatible with >99% of sites.
Blocage des robots BitFire
Le blocage des robots est la fonction la plus importante à configurer correctement pour votre site web.. En identifiant correctement les vrais navigateurs des faux et les bons bots des mauvais bots, il sera impossible d'exécuter des attaques par force brute, de credential stuffing, d'analyser les vulnérabilités et même d'empêcher les exploits de se connecter à WordPress.. Il fonctionne en 2 étapes : identifier le navigateur ou le robot, puis bloquer ce qui ne l'est pas..
Étape 1, identifier les navigateurs. BitFire dispose d'informations d'identification pour plus de 100 navigateurs différents et peut instantanément prendre les empreintes digitales de 95 % des brasseurs en une seule demande.. Il est important de comprendre que chaque outil de spam, de piratage ou d'exploitation qui utilise le dernier User-Agent de Chrome ne correspond PAS à l'empreinte digitale correcte de Chrome.. 100% de ces outils de piratage ne pourront pas accéder à votre site web et ne recevront qu'un "Browser Verification JavaScript Challenge", similaire à cloudflair.. Les vrais navigateurs passent, 100% des bots sont stoppés.
Étape 2, identifier les bots. Il existe 2 types de bots, les bons bots comme googlebot, et les mauvais bots comme nmap ou zgrab.. BitFire tient à jour une liste de plus de 3 000 "bots" connus avec des informations d'authentification IP et DNS correspondantes.. Good bots are authenticated and allowed, "Unknown Bots" have reputation data checked and a decision made based on IP reputation.
Assurez-vous de vérifier votre panneau de contrôle Bot après avoir utilisé BitFire pendant quelques jours..
"Require Full Browser": This option will verify browsers are real humans by fingerprint or send a JavaScript challenge page. This option stops 99% of bot attacks which will show up in the dashboard as "Browser Check"
"Allow Only Approved Bots": This option will verify that anything not identified as a browser, will be verified against the site bot list configuration. By default only verified good bots and high IP reputation IP addresses are allowed. Be sure to review the Bot Control configuration to make sure you haven't blocked any plugin access.
"Block Hacking Tools": This option instantly block any bot connecting to your website with a User-Agent of a malicious tool like wpscan, nmap, etc.
"Block Plugin & Theme Scans": This option will confuse plugin and theme scanners by detecting these scans and replying with random data for each plugin scanned. This will confuse any scanner and return bogus data for all scans.
"Do Not Bot Check Ajax Requests": This option is only necessary for sites with page caching enabled and dynamic ajax requests on the user facing website. Page caching intercepts the normal browser verification step, sending an XMLHTTPRequest as the first seen request. For some sites also running behind a proxy, this can fool fingerprinting into thinking all requests are invalid. Enable this option if you have problems with AJAX requests for users.
"Block Web Scrapers": By default, BitFire will allow any browser, or bot to access your site to view any page. Enabling this option requires all browsers and bots to verify before accessing any page, even if just for viewing
"High Sensitivity Block Mode": This mode is restricted to users with Premium support. It changes the default block mode from reputation check (128 free reputation checks) / open, to always closed for unknown bots.
"Challenge Style": Select which JavaScript challenge to display for browsers with unknown fingerprints. You can select a simple white page, spinner, BitFire verification screen, or emulate the cloudflair light and dark themes pages.
Cory Marsh has over 20 years Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's you tube channel.