hidden_config/config-sample.ini
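[Web Application Firewall]
; comments begin with ';' and must be on their own line: this file is read by PHP's ini parser,
; which does not treat '#' as a comment marker and which discards text after ';' on a value line
; for details see the BitFire wiki: https://github.com/bitslip6/bitfire/wiki
; enable or disable all firewall features
bitfire_enabled = true
; allow the firewall to block misbehaving IPs for 10, 60 or 1440 minutes
; (short_block_time / medium_block_time / long_block_time in [System Configuration]).
; Blocks are keyed on the client IP, so make sure ip_header is set correctly before enabling.
allow_ip_block = false
; send HTTP security headers
; https://securityheaders.com/
security_headers_enabled = true
; set a Strict-Transport-Security header with a one year max-age: browsers that have seen it refuse
; plain-HTTP connections to this host for a year. Only enable once the whole site is served over
; TLS - it cannot be undone quickly for visitors who already cached the header.
; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
enforce_ssl_1year = false
; Content-Security-Policy - PRO version only
; csp_policy[<directive>] holds the source list for that directive. Everything in default-src is
; inherited by each fetch directive that is not set explicitly (style-src, font-src, frame-src,
; worker-src, ...), so the wildcard hosts and 'data:' below apply to all of those as well.
; Trim the lists to the hosts your pages really load from, and check the violation reports
; (csp_uri) before enabling enforcement.
csp_policy_enabled = false
csp_policy[default-src] = "'self' *.googleapis.com *.gstatic.com *.wp.com *.w.org data:"
csp_policy[img-src] = "'self' data: *.wp.com *.gravatar.com *.w.org"
;csp_policy[style-src-attr] = "'self' 'unsafe-inline'"
;csp_policy[style-src-elem] = "'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.gstatic.com"
csp_policy[script-src] = "'self' www.google-analytics.com *.wp.com"
csp_policy[object-src] = "'none'"
csp_policy[connect-src] = "'self' *.google-analytics.com"
; suggested additions, commented out until verified against your site: clickjacking and <base> protection
;csp_policy[frame-ancestors] = "'self'"
;csp_policy[base-uri] = "'self'"
; endpoint the browser posts CSP violation reports to
csp_uri = "/?bitfire_csp_report=log"
; internal debug
audit_sql = false
; 2 factor authentication - PRO version only
pro_mfa = false
; see https://bitfire.co/pricing for license
; the key is a credential: keep real keys out of version control and out of shared sample files
pro_key = "unlicensed"
; pro feature, prevent server side request forgery
rasp_network = false
; site locking - PRO version only
rasp_filesystem = false
; db locking - PRO version only
rasp_db = false
; js locking - PRO version only
rasp_js = false
; auth verification - PRO version only
rasp_auth = false
; disable WordPress xmlrpc (a common target for login brute force); keep it enabled only if
; something such as a mobile app or Jetpack still depends on it
block_xmlrpc = false
bot_urls[] = ""
; experimental
; cache your homepage and serve it instantly, cache is refreshed after every request
; maximum age (seconds) to serve a cached page, 0 - disables caching
max_cache_age = 0
; BitFire public key used to authenticate remote tech support.
; Whoever holds the matching private key gets the access granted by remote_tech_allow, so only
; replace this value with one obtained from BitFire through a channel you trust.
tech_public_key="b39a09eb3095c54fd346a2f3c8a13a8f143a1b3fe26b49c286389c55cec73c3e"
; Allow BitFire authenticated Tech Support to access the firewall config (NOT WORDPRESS).
; Off by default: remote access to the firewall configuration should be opt-in. Enable it for the
; duration of a support case, then switch it back off.
remote_tech_allow = false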
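[Input Filtering]
; enable filtering for malicious input (server side includes, etc)
web_filter_enabled = true
; block any request with spammy content like "100% free" "free gift", etc
; the per-category keys below use "report" (log only), block, true and false as shipped;
; check the wiki for the exact set of values each key accepts
spam_filter_enabled = "report"
; block cross site scripting attempts
xss_block = block
; block sql injection
sql_block = true
; inspect uploaded $_FILES for php content
file_block = block
; set to true will replace profanity with !@#$!
block_profanity = false
; parameter names whose values must never be written to the logs (passwords, card data, nonces).
; Logs are usually readable by more people and systems than the live site, so add every form field
; name your site uses for secrets; the stock names cover WordPress login / reset and common
; checkout forms. Whether matching is exact or substring is not documented here - test it.
filtered_logging[_wpnonce] = true
filtered_logging[nonce] = true
filtered_logging[cc] = true
filtered_logging[card] = true
filtered_logging[cardnumber] = true
filtered_logging[exp] = true
filtered_logging[expiration] = true
filtered_logging[cvv] = true
filtered_logging[cvv1] = true
filtered_logging[cvv2] = true
filtered_logging[pass] = true
filtered_logging[pass1] = true
filtered_logging[pass2] = true
filtered_logging[pwd] = true
filtered_logging[pwd1] = true
filtered_logging[pwd2] = true
filtered_logging[passwd] = true
filtered_logging[passwd1] = true
filtered_logging[passwd2] = true
filtered_logging[password] = true
filtered_logging[password1] = true
filtered_logging[password2] = true
filtered_logging[user_pass] = true
filtered_logging[old_password] = true
filtered_logging[new_password] = true
filtered_logging[current_password] = true
filtered_logging[ccnum] = true
filtered_logging[cc_number] = true
filtered_logging[card_number] = true
filtered_logging[cvc] = true
filtered_logging[csc] = true
filtered_logging[secret] = true
filtered_logging[token] = true
filtered_logging[api_key] = true
filtered_logging[access_token] = true
; list of urls to ignore 404 for
urls_not_found[] = "/favicon.ico"
urls_not_found[] = "/apple-touch-icon.png"
urls_not_found[] = "/browserconfig.xml"
; all allowed http verbs; anything else is rejected. WordPress REST API clients may also need
; PATCH and DELETE - add them only if something on your site actually uses them.
allowed_methods[] = "GET"
allowed_methods[] = "OPTIONS"
allowed_methods[] = "POST"
allowed_methods[] = "PUT"
allowed_methods[] = "HEAD"
; block all unknown bots (only bots on the allow list get through)
whitelist_enable = false
; block only bots on the block list (setting this to true forces whitelist_enable = false)
blacklist_enable = true
; if true, only browsers that accept cookies and run javascript will be allowed to connect.
; This also turns away non-browser clients: RSS readers, webhooks, API clients, uptime monitors.
require_full_browser = false
; any request to the honeypot will be IP blocked for 1 hour (medium_block_time).
; Use a path that no real page, link or sitemap points to, so only crawlers that ignore
; robots.txt ever reach it.
honeypot_url = "/supreme/contact"
; require a valid host header. When enabled, requests whose Host header is not listed below are
; rejected (defends against host-header injection and cache poisoning); list every hostname the
; site is served as.
check_domain = false
valid_domains[] = "127.0.0.1"
valid_domains[] = "localhost"
valid_domains[] = "default"
; domain_fix_line
; (the line above appears to be a marker used when domains are filled in automatically - leave it)
; list of urls that are ignored by BitFire, useful for low risk urls that are hit frequently.
; Every url listed here bypasses all of the filtering above, so keep the list short and specific.
ignore_bot_urls[] = ""
; enforce rate limit
rate_limit = false
; verified request rate 5 minute : suggest 50
; maximum number of requests per 5 minutes from one client before the limit applies (presumably
; per IP, which makes ip_header accuracy matter here too); only used when rate_limit = true
rr_5m = 50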
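[System Configuration]
; the cache system to use. preference order: (shmop, apcu, opcache, nop)
cache_type = "nop"
; the shmop memory id (randomly generated on configuration; the value shipped here is only a sample)
cache_token = 4455661
; if true, the path to the bitfire directory to remove (used for uninstall standalone)
rm_bitfire = ""
; cookies have higher fidelity than server side state. only disable cookies if your hosting provider disables them
cookies_enabled = true
; runs the auto loader by linking wordfence-waf.php to bitfire/startup.php
wordfence_emulation = false
; updated to true when the auto_start function runs
auto_start = false
; a name of a file to write web alerts to, relative to BitFire dir or absolute.
; Alert and block files contain request data; if the path is under the document root make sure
; the web server does not serve it.
; report_file = "cache/alerts.json"
; a name of a file to write web block to, relative to BitFire dir or absolute
; block_file = "cache/blocks.json"
; a name of a file to write support debug information to, relative to BitFire dir or absolute
debug_file = false
; include support debug info in http headers - support use only. The headers are sent to every
; client, so never leave this on in production.
debug_header = false
; show why request was blocked on block page. Leave off in production: the reason tells an
; attacker which rule fired and how to adjust the payload around it.
debug = false
; enable or disable sending error reports to the BitFire developers to fix in upcoming releases
; (outbound telemetry - disable if your policy forbids it)
send_errors = true
; track dashboard usage and usability (outbound telemetry)
dashboard_usage = true
; name of the cookie used to verify real browser interactions
browser_cookie = "_bitf"
; dashboard url. The default is easy to guess; a non-default path keeps the login page out of
; routine scans, but is no substitute for a strong password and MFA.
dashboard_path = "/bitfire-admin"
; a system wide encryption key custom to this domain - randomly set on first page request.
; If this still reads "default" on a live site the first-request setup did not run; fix that
; before relying on anything the key protects.
encryption_key = "default"
; custom site secret - randomly set on first page request (same caveat as encryption_key)
secret = "default"
; dashboard password. Supports plaintext and sha3-256 hashes: hash('sha3-256', "password")
; Store the hash rather than the plaintext and change the shipped value before the dashboard is
; reachable: this file is readable by anyone with server access and the placeholder is public.
; An unsalted sha3-256 hash is still fast to brute force offline, so use a long random password.
password = "configure"
; wordpress root dir
cms_root = ""
cms_content_url = ""
cms_content_dir = ""
wp_version = ""
; if set to true, will block attempts at scanning for vulnerable plugins and themes
wp_block_scanners = false
; skip local requests (wordpress wp-cron, etc). "Local" is judged from the address chosen by
; ip_header, so pointing ip_header at a client-controlled header turns this into a bypass.
skip_local_bots = true
; block http response code
response_code = 403
; the HTTP header to read for the remote address. supported:
; default REMOTE_ADDR is the actual IP address.
; FORWARDED (support for by=();for=();etc), X-FORWARDED-FOR, REMOTE_ADDR, CUSTOM (like x-forwarded-for)
; SECURITY: only move away from remote_addr when a reverse proxy or CDN you control sits in front
; of this server and overwrites the chosen header. Otherwise any client can forge it, and every
; IP-based decision (IP blocks, rate limiting, honeypot, skip_local_bots) can be defeated.
ip_header = "remote_addr"
; dns_service can be Cloudflare DNS over HTTPS at 1.1.1.1 or localhost for local dns
dns_service = "localhost"
; short block time is 10 minutes
short_block_time = 600
; medium block time is 60 minutes
medium_block_time = 3600
; long block time is 24 hours
long_block_time = 86400
; if true, update ini files with php arrays that can be cached in the opcache
cache_ini_files = true
; set to true to prevent file access outside of web root directory.
; sets open_basedir and fixes realpath.cache
root_restrict = false
; auto-set to true after initial system auto-configuration
configured = false
; unix timestamp to turn off dynamic exceptions
; (the comment says unix timestamp but the shipped value is a boolean - confirm which form the code expects)
dynamic_exceptions = true
; ignore nag messages
nag_ignore = false
; set to true after the setup wizard runs
wizard = false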