DON’T JUST SCAN FOR MALWARE. PREVENT IT INFECTING YOUR SITE.
Protect yourself from 0-day threats with security processes, not just signatures.
BitFire integrates WordPress directly with your operating system to add native security checks for security sensitive operations across all plugins and themes. BitFire makes it impossible for non-administrators to alter your PHP files no matter how bad the security flaws on your website. BitFire also monitors database access preventing unauthorized account take over and permission exploitation.
BitFire RASP also monitors which plugin actions are correctly doing permission checks to dynamically add the correct permission checks and patch plugin vulnerabilities that are currently unknown.
Armed with the fastest malware scanner available today and the most complete bad bot blocking available for WordPress, BitFire is the next generation security plugin that actually prevents your site from falling victim to the next WordPress hack.
Comparison with WordFence
WordFence is the most popular choice for WordPress security. How does BitFire compare to the market leader?
Read a point by point comparison
Privacy / Monitoring / Data Collection
Privacy. We take privacy very seriously. BitFire inspects all traffic going to the webserver and takes care to filter out any potentially sensitive information by replacing it with redacted. The config.ini file includes a list of common sensitive field names under the “filtered_logging” section. You can add additional fields to filter in the config file by adding a line “filtered_logging[field_name] = true” and replacing “field_name” with the name of the desired parameter to filter.
BitFire includes an error handler which monitors it’s operation. In the event an error is detected only in the BitFire software; including during install, an alert can be sent to BitFire’s developer team. The development team monitors these errors in real time and includes fixes for any detected errors in each new release.
Updates. Four times a day BitFire will request the latest signatures from the BitFire signature API. These signatures are sent over SSL(TLS) and encrypted specifically for each client site. In addition bitFire also sends a list of installed plugins and version numbers to compare against recently posted security vulnerabilities.
- Install this plugin via WordPress plugin installer.
- In your Plugin Dashboard, click “Activate Plugin.”
- Open the BitFire Settings from your WordPress admin dashboard. Complete the setup wizard.
- Run a malware scan from the BitFire malware menu and verify your site files are 100% clean.
- Run a database malware scan to ensure your content does not have any links to over 2.5 million malware sites.
- Monitor your firewall blocking on the BitFire Dashboard page
If other security plugins live up to their hype, why do they scan my site for malware daily?
That’s an excellent question. The majority of popular security plugins create custom signatures for each WordPress plugin vulnerability as they are publicly disclosed. With over 10,000 known WordPress security vulnerabilities and less than 200 signatures, they miss blocking a lot of hacks. They are also unable to block the most common security flaws (access control errors) for anything they do not have a pre-built signature for. To make the situation more difficult, they delay these rules by up to a month for non-paying customers.
Can BitFire block bots and automated attacks?
Do I have to buy it?
BitFire includes a complete standard firewall, malware scanning, vulnerability detection offsite database backup and unbreakable bot blocking for free. Our patented RASP technology and SMS based 2FA is only available to our paying PRO and PREMIUM clients. https://bitfire.co/pricing
How does Redirection Protection work?
Does BitFire prevent Cross-Site Scripting (XSS)?
BitFire includes outstanding XSS protection, including HTTP headers and content filtering for persistent, reflected, and DOM-based XSS attacks.
Does BitFire block SQL Injection attacks (SQLi)?
Yes. BitFire has advanced SQL parsing similar to MySQL syntax parsing and can understand SQL queries regardless of encoding, injected comments, and other evasion techniques.
Why shouldn’t I use WordFence?
If you use WordFence, you should only use the paid version. WordFence has a team monitoring emerging WordPress vulnerabilities and writing custom rules to block specific exploits. They are very good at it and run a great blog on their work. Paying customers receive these virtual patches as soon as they are available. Free customers receive the patches 30 days later. If your website is vulnerable, it is almost guaranteed to be hacked before the patch is available to free customers. Don’t leave your site at risk.
Why is BitFire better than WordFence?
“Better” can be subjective. Our generic attack detection is on-par, if not better. WordFence does not have browser or bot network authentication and can not block many automated attacks. BitFire is the only WordPress plugin offing operating system integrated file-locking and browser enforced redirect protection.
We are also definitely FASTER. WordFence typically doubles page load time, adding 100-200ms to every request on typical dedicated T4 small/medium AWS servers, more for shared environments. BitFire runs under 5ms on similar AWS hardware and near 10ms on shared environments.
We believe BitFire is the only plugin that can effectively protect WordPress sites – and is the only one with a 100% money-back guarantee for paid customers (up to 12 months effective).
Contributors & Developers
“BitFire Security – RASP Firewall & Malware Cleaner” is open source software. The following people have contributed to this plugin.Contributors
Interested in development?
- Added support for user messages on block page review request, now viewable in dashboard
- improved malware detection
- improved malware detection
- improved support for some smaller hosting providers
- improved bot authentication during learning
- various PHP warning fixes
- Improve support for WordPress installs in path sub directory
- Performance improvent for user capability check
- Small warning fixes for PHP 8.1
- New bot control management page
- Improved settings and RASP configuration
- Improved upgraede process to keep all config data between upgrades, re-installs
- New hidden (secret) file support for nginx without modifiying file permissions
(configuration data is now stored in a random hashed directory)
- Small bug fixes on malware scanning for files in root directory
- Improved support for PHP 7.2
- Added over 600 known bots with network identification
- Improved malware scanning support for unknown files
- Added additional scan locations
- Database Malware Scanner Support
- Offsite database backups
- Fixes for some apache server installs
- Support for malware scanning plugins off the WordPress repository
- Added support and small fixes for PHP 8.1
- Improved malicious file upload scanning
- Improved basic settings and advanced settings page
- Minor bug fixes for corner cases
- Added database malware scanning support for over 2.5 million domains
- improved configuration wizard and css styles
- Malware Scanner Support
- Fixed a bug in browser verification on mobile safari.
- Added CSS styles to the blocking page
- Added plugin vulnerability notifications. These will check over 3500 active CVE advisories
for any known security issues in your plugins or themes
- Improved upgrade process which could forget some settings on upgrade
- Fixed a possible rare false positive on base64 encoded data
- Improved learning mode to find more false positives
- Fixed a warning on PHP 8.x with undefined variable for alerts from IPs with no associated country
- Fixed a bug which incorrectly reported the currently viewed alert page number range on the dashboard screen
- Several bug fixes
- Improvements to malware scanning, added additional files to scan list
- Fixed bug adding additional allowed domains on settings page
- Implemented setup wizards and online help functions.
- Added auto-learning exceptions for new installs to prevent possibility of false-positives..
- Workflow and usability improvements
- fixed an issue that could cause false positive when non administrators
were editing posts. This check has been expanded to authors as well.
- fixed an issue that was causing extra padding in config.ini files
- added support for auto-discovering bots to whitelist
- reduced the maximum size of saved blocked data
- fix for WordPress source code path resolution
- use CMS default script inclusion system for admin pages
- added initial support templates for custom CMS
- refactored escaping on MFA page
- fixed an issue which could allow admin requests to be rate limited
- refactored malware scanner to support custom CMS
- added support for redirect url on MFA login page
- fixed issue with MFA login submission
- added support for Content Security Policy WordPress integration
- WordPress MFA login support complete
- PHP file write blocks are now logged in the dashboard
- improved support for alternate content management systems
- removed direct $_SERVER, $_GET, $_POST access and replace with filter_input
- fixed issue that could cause malware download to fail with expired access token
- improved install logging
- additional tests for installation procedure
- added SQL auditing feature. Currently this is an advanced toggle only available
by editing the config.ini. Planned features: SQL Injection Detection, CC data
access, replay log for DB restores
- namespaced all defines to prevent any possible name collisions
- added WordPress plugin and theme enumeration blocking
- refactored several echo lines to remove dead code and xss encode on the same line
- added fix for a bug in php >=8.0 <= 8.1 where splat operator on variables containing :
would be incorrectly interpreted by PHP 8.0 as a named operator.
- added support for cloudflare real connecting IP
- plugins not registered at wordpress.org are now rolled into a single malware line
- upgraded bootstrap and chart.js to latest stable releases
- refactored all API methods to be pure and testable
- refactored malware detection to allow detecting malware on non-WordPress installs
- updated all WordPress path resolutions
- added code to ensure config.ini is not web readable even when .htaccess is disabled
- INI settings: reset realpath.cache_size to system size when used with openbase_dir
- special handling of DOCUMENT_ROOT for WordPress
- improvements to installing always on protection on Nginx systems
- make config.ini unreadable even on systems that do not support .htaccess
- added additional WordPress abstractions as requested by WordPress team
- upgraded bootstrap css files
- abstracted wordpress plugin with pure implementations and additional unit tests
- refactored several functions with pure implementations and added unit tests
- refactored views to use new template system
- refactored wordpress integration to use standard plugin architecture
- removed dead code
- removed a warning for php 8.1
- Added support to enable always-on from settings page
- Added support for WordPress Engine
- Fixed bug where rotating encryption keys would prevent new signatures from downloading for up to a day
- Improved support for PHP 8.0
- improved settings page
- improved malware scanner
- additional whitelist SEO bots
- improved auto-detection of server support
- First public release of BitFire WordPress security plugin