BitFire Core Settings

Version 4.1.10+

BitFire Ultimate WordPress Security Guide

Cory Marsh
Cory Marsh has over 20 years of Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's YouTube channel.

BitFire Core Settings

The BitFire settings page lets you enable or disable each security option BitFire provides. The free version of BitFire includes the most comprehensive bot blocking available for WordPress.

Blocking bots is critical to website security. This free tool instantly stops brute force attacks, credential stuffing attacks, SPAM, wpscan, nmap, nikto, nessus, Python exploit scripts and any other hacking tool targeting your website.

TL;DR: Enable all marked options and put an end to web attacks!

BitFire Server Settings

  • "BitFire Enable": Disabling this switch turns off all firewall, bot-blocking, logging, header, and RASP features. This is equivalent to deactivating or uninstalling the WordPress plugin without actually deactivating it.
  • "Always On Protection": Adds BitFire to your user.ini auto_prepend startup. This is equivalent to WordFence "Optimize Mode" and can provide additional protection for your website. There is a slight risk, as some hosting providers do not support this feature well. Please ensure the firewall is functioning correctly before enabling this feature. (Allow about 5 minutes for PHP to see this change when it is enabled or disabled.)
  • "Log Everything": BitFire includes a binary access log capable of logging all HTTP requests to your server. By default it logs all browser checks and blocks. Enabling this feature tells BitFire to log ALL requests, including allowed requests. The FREE binary log size is 512 events; the PRO log size is 32,000 events.
  • "Disable XMLRPC": Disabling XML-RPC can increase the security of your website if you do not use it. Notable features that depend on it include the JetPack integration and the official WordPress mobile app. Notable security risks include automated login attacks. (NOTE: these are blocked with a correct configuration of Bot Blocking.)

Screenshot: the BitFire Core Settings page

BitFire Security Headers

Contrary to what many WordPress security plugins tell you, there is no HTTP header that protects against XSS. A Content Security Policy, however, provides excellent protection against XSS, redirect attacks and many other browser attacks. For many sites the configuration can be frustrating, so we recommend using the automatic configuration option in our Pro version when configuring WordPress.

  • "Send HTTP Security Headers": Sends the core HTTP security headers. These instruct the web browser to handle data in a more secure way and are compatible with 99% of websites.
  • "Require SSL": Sends an HSTS header instructing browsers to never connect to your site without using SSL. This feature is recommended for most sites; however, if your SSL certificate expires, your website will not be accessible in any way until the certificate is renewed.
  • "Send Content Security Policy": Sends a global Content-Security-Policy to web browsers not accessing your front end web content. This requires adding every domain that your site loads resources from to the included text area. After enabling this option, load your site, find what breaks and add those domains to the editable list. If possible, remove any 'unsafe-inline' sources.
  • "Send Permission Policy": The permissions policy controls which browser APIs are available on your website. It can be used to restrict access to the camera, microphone, geolocation services, etc. Restricting this access prevents any possibly malicious JavaScript from accessing those client resources. The default option disables most additional features.
  • "Deny Cross Origin Resource Sharing": This option controls how your website handles external websites making dynamic requests to this site. Enabling it explicitly denies these potentially dangerous client-side requests. Compatible with >99% of sites.
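As an added example (not BitFire's own code), here is how the allowlist-driven policy described above can be built from the domains you collect, and then audited for the 'unsafe-inline' sources the text says to remove before trusting it. The directive set and the example.com / example.net domains are assumptions made for illustration.

```python
from typing import Dict, List

# Constructed default directive set (an assumption, not BitFire's generated policy).
LOCKED_DOWN = {"frame-ancestors": "'self'", "base-uri": "'self'", "form-action": "'self'"}

def build_csp(allowed_domains: List[str], allow_inline: bool = False) -> str:
    """Build a policy from the domain allowlist: 'self' plus every listed origin."""
    sources = ["'self'"] + sorted({d.strip() for d in allowed_domains if d.strip()})
    if allow_inline:                      # only while inline scripts are still being removed
        sources.append("'unsafe-inline'")
    src = " ".join(sources)
    directives = {
        "default-src": "'self'",
        "script-src": src,
        "style-src": src,
        "img-src": src + " data:",        # data: URIs are common for inline images
        "connect-src": src,               # XMLHttpRequest / fetch targets
        "font-src": src,
        **LOCKED_DOWN,
    }
    return "; ".join(f"{name} {value}" for name, value in directives.items())

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into directive -> source list."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header: str) -> List[str]:
    """Findings to clear before trusting the policy; an empty list means nothing weak was found."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: any directive you forgot falls open")
    for directive in ("script-src", "style-src"):
        # A missing fetch directive falls back to default-src, so audit the effective list.
        sources = policy.get(directive) or policy.get("default-src", [])
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in sources:
                findings.append(f"{directive} allows {weak}")
    return findings

if __name__ == "__main__":
    # Constructed allowlist for illustration.
    policy = build_csp(["https://cdn.example.com", "https://static.example.net"])
    print(policy)
    print(audit_csp(policy) or "no findings")
```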

BitFire Bot Blocking

Bot blocking is the most important feature to configure correctly for a website. Correctly identifying real and fake browsers, and good and bad bots, makes brute force attacks, credential stuffing and vulnerability scanning impossible, and even prevents exploit programs from connecting to WordPress. It works in two steps: identify the browser or bot, then block anything that does not belong.

Step 1, identify the browser. BitFire holds identification data for over 100 different browsers and can instantly fingerprint 95% of browsers from a single request. It is important to understand that spam, hacking and exploit tools that use the latest Chrome user agent do not match the correct fingerprint for Chrome. These hacking tools are 100% unable to access your website and only receive a Cloudflare-style "browser verification JavaScript challenge". Real browsers pass, and 100% of bots are blocked.

Step 2, identify the bot. There are two classes of bots: good bots like googlebot and bad bots like nmap or zgrab. BitFire maintains a list of over 3,000 known good bots with matching IP and DNS verification information. Good bots are authenticated and allowed; "Unknown Bots" have their reputation data checked and a decision is made based on IP reputation.

Be sure to verify your bot dashboard after running BitFire for a few days.

  • "Require Full Browser": This option verifies that browsers are real humans by fingerprint, or sends a JavaScript challenge page. It stops 99% of bot attacks, which show up in the dashboard as "Browser Check".
  • "Allow Only Approved Bots": This option verifies anything not identified as a browser against the site's bot list configuration. By default only verified good bots and IP addresses with a high reputation are allowed. Be sure to review the Bot Control configuration to make sure you haven't blocked any plugin access.
  • "Block Hacking Tools": This option instantly blocks any bot connecting to your website with the User-Agent of a malicious tool like wpscan, nmap, etc.
  • "Block Plugin & Theme Scans": This option confuses plugin and theme scanners by detecting these scans and replying with random data for each plugin scanned. Any scanner receives bogus data for all of its scans.
  • "Do Not Bot Check Ajax Requests": This option is only necessary for sites with page caching enabled and dynamic AJAX requests on the user-facing website. Page caching intercepts the normal browser verification step, so an XMLHttpRequest becomes the first request seen. For some sites also running behind a proxy, this can fool fingerprinting into treating all requests as invalid. Enable this option if your users have problems with AJAX requests.
  • "Block Web Scrapers": By default, BitFire allows any browser or bot to access your site to view any page. Enabling this option requires all browsers and bots to verify before accessing any page, even just to view it.
  • "High Sensitivity Block Mode": This mode is restricted to users with Premium support. It changes the default block mode for unknown bots from reputation check (128 free reputation checks) / open to always closed.
  • "Challenge Style": Select which JavaScript challenge to display for browsers with unknown fingerprints. You can choose a simple white page, a spinner, the BitFire verification screen, or emulations of the Cloudflare light and dark theme pages.
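The two-step flow described above, written out as an added example rather than BitFire's implementation: hacking-tool user agents are blocked outright, a fingerprinted browser passes, a request claiming to be a known good bot is checked with forward-confirmed reverse DNS (the standard way to validate googlebot, assumed here to be what the "IP and DNS verification information" does), and unknown bots fall through to an IP reputation threshold. The bot list, the threshold, the hostnames and the TEST-NET DNS data are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR hostname (socket.gethostbyaddr in production)
ForwardLookup = Callable[[str], List[str]]       # hostname -> A/AAAA records (socket.getaddrinfo)
# Hypothetical entries in the spirit of a known-good-bot list: UA marker -> permitted DNS suffixes.
KNOWN_GOOD_BOTS: Dict[str, List[str]] = {
    "Googlebot": [".googlebot.com", ".google.com"],
    "bingbot": [".search.msn.com"],
}
HACKING_TOOL_UAS = ("wpscan", "nmap", "nikto", "nessus", "zgrab")

@dataclass
class Decision:
    action: str   # "allow", "block" or "challenge"
    reason: str

def verify_good_bot(ip: str, ua: str, reverse: ReverseLookup, forward: ForwardLookup) -> Optional[bool]:
    """Forward-confirmed reverse DNS. True = genuine, False = spoofed claim, None = no claim made."""
    for marker, suffixes in KNOWN_GOOD_BOTS.items():
        if marker.lower() in ua.lower():
            host = reverse(ip)
            if not host or not any(host.endswith(s) for s in suffixes):
                return False
            # A PTR record is controlled by whoever owns the IP, so the name must resolve back to the IP.
            return ip in forward(host)
    return None

def decide(ip: str, ua: str, browser_fingerprint_ok: bool, reputation: int,
           reverse: ReverseLookup, forward: ForwardLookup, threshold: int = 70) -> Decision:
    """Two-step flow: fingerprinted browsers pass, then bots are sorted into good, bad and unknown."""
    if any(tool in ua.lower() for tool in HACKING_TOOL_UAS):
        return Decision("block", "hacking tool user agent")
    if browser_fingerprint_ok:
        return Decision("allow", "browser fingerprint matched")
    verified = verify_good_bot(ip, ua, reverse, forward)
    if verified is True:
        return Decision("allow", "verified good bot")
    if verified is False:
        return Decision("block", "user agent claims a good bot but DNS does not confirm it")
    if reputation >= threshold:
        return Decision("allow", "unknown bot with high IP reputation")
    return Decision("challenge", "unknown bot with low IP reputation")

# Constructed DNS data (TEST-NET addresses) so the example runs offline.
_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
        "203.0.113.9": "crawl-192-0-2-10.googlebot.com"}   # forged PTR pointing at Google's name
_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}
sample_reverse: ReverseLookup = lambda ip: _PTR.get(ip)
sample_forward: ForwardLookup = lambda host: _A.get(host, [])
```

The forged-PTR case is the one worth noticing: a reverse lookup alone would accept 203.0.113.9 as googlebot, and only the forward confirmation rejects it.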
