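[Web Application Firewall]
; config-sample.ini - sample BitFire firewall configuration
; comments begin with ';' and occupy a whole line (the file uses PHP-style
; ini syntax: key[] and key[name] entries build arrays)
; for details see the BitFire wiki: https://github.com/bitslip6/bitfire/wiki
; enable or disable all firewall features
bitfire_enabled = true
; allow the firewall to blacklist misbehaving IPs for 10, 60 or 1440 minutes
; (see short_block_time / medium_block_time / long_block_time in [System Configuration])
allow_ip_block = false
; send HTTP security headers
; https://securityheaders.com/
security_headers_enabled = true
; set an HSTS header for 1 year, will only allow browsers to connect via SSL.
; NOTE: browsers remember HSTS for the full year once it has been sent, so only
; enable this after every page and sub-resource is reachable over HTTPS.
; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
enforce_ssl_1year = false
; csp - PRO version only
; (this comment used '#' in the original; '#' is not a comment marker for
; PHP-style ini parsing, so it has been changed to ';' like every other comment)
csp_policy_enabled = false
; Content-Security-Policy directives, one csp_policy[directive] entry each.
; Presumably only applied when csp_policy_enabled = true - confirm in the loader.
csp_policy[default-src] = "'self' *.googleapis.com *.gstatic.com *.wp.com *.w.org data:"
csp_policy[img-src] = "'self' data: *.wp.com *.gravatar.com *.w.org"
; the two style-src entries below are disabled; remove the leading ';' to enable them
;csp_policy[style-src-attr] = "'self' 'unsafe-inline'"
;csp_policy[style-src-elem] = "'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.gstatic.com"
csp_policy[script-src] = "'self' www.google-analytics.com *.wp.com"
csp_policy[object-src] = "'none'"
csp_policy[connect-src] = "'self' *.google-analytics.com"
; uri that browsers post CSP violation reports to
csp_uri = "/?bitfire_csp_report=log"
; internal debug
audit_sql = false
; 2 factor authentication - PRO version only
; (stray trailing ';' removed - every value in this file is unterminated)
pro_mfa = false
; see https://bitfire.co/pricing for license
pro_key = "unlicensed"
; pro feature, prevent server side request forgery
rasp_network = false
; site locking - PRO version only
rasp_filesystem = false
; db locking - PRO version only
rasp_db = false
; js locking - PRO version only
rasp_js = false
; disable WordPress xmlrpc
block_xmlrpc = false
; array of urls, one per entry; the sample carries a single empty entry
; (no description in the original sample - confirm intended use in the loader)
bot_urls[] = ""
; experimental
; cache your homepage and serve it instantly, cache is refreshed after every request
; maximum age (seconds) to serve a cached page, 0 - disables caching
max_cache_age = 0
; BitFire public key for remote tech support
tech_public_key = "8ea00fa19cf92a72532c9a5bb61f8750c504ecd25a9b1b73de35dfa8c9638e1d"
; Allow BitFire authenticated Tech Support to access the firewall config (NOT WORDPRESS)
; NOTE: this is on by default; set to false if remote changes to the firewall
; configuration are not wanted on this site.
remote_tech_allow = true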
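[Input Filtering]
; NOTE: the filter settings below use three value forms as given in the
; original sample - true/false, block, and "report" - confirm the accepted
; set for each key in the loader before changing a value.
; enable filtering for malicious input (server side includes, etc)
web_filter_enabled = true
; block any request with spammy content like "100% free" "free gift", etc
spam_filter_enabled = "report"
; block cross site scripting attempts
xss_block = block
; block sql injection
sql_block = true
; inspect uploaded $_FILES for php content
file_block = block
; set to true will replace profanity with !@#$!
block_profanity = false
; filter logging for all these names (don't log passwords or credit card numbers)
; one filtered_logging[name] = true entry per parameter name that must never be logged
filtered_logging[_wpnonce] = true
filtered_logging[nonce] = true
filtered_logging[cc] = true
filtered_logging[card] = true
filtered_logging[cardnumber] = true
filtered_logging[exp] = true
filtered_logging[expiration] = true
filtered_logging[cvv] = true
filtered_logging[cvv1] = true
filtered_logging[cvv2] = true
filtered_logging[pass] = true
filtered_logging[pass1] = true
filtered_logging[pass2] = true
filtered_logging[pwd] = true
filtered_logging[pwd1] = true
filtered_logging[pwd2] = true
filtered_logging[passwd] = true
filtered_logging[passwd1] = true
filtered_logging[passwd2] = true
filtered_logging[password] = true
filtered_logging[password1] = true
filtered_logging[password2] = true
; list of urls to ignore 404 for
urls_not_found[] = "/favicon.ico"
urls_not_found[] = "/apple-touch-icon.png"
urls_not_found[] = "/browserconfig.xml"
; all allowed http verbs; requests using any other method are presumably rejected
allowed_methods[] = "GET"
allowed_methods[] = "OPTIONS"
allowed_methods[] = "POST"
allowed_methods[] = "PUT"
allowed_methods[] = "HEAD"
; block all unknown bots
whitelist_enable = false
; block only bots on the block list (setting this to true will force whitelist_bots = false)
; NOTE: the original note names whitelist_bots; the key above is whitelist_enable - confirm in the loader
blacklist_enable = true
; if true, only browsers that accept cookies and run javascript will be allowed to connect
require_full_browser = false
; any requests to the honeypot will be IP blocked for 1 hour
; NOTE: this sample path is shared by every install; pick a site-specific path
; that no legitimate page links to, so real visitors never hit it.
honeypot_url = "/supreme/contact"
; require a valid host header
; presumably requests whose Host header is not in valid_domains are rejected
; when this is true - confirm in the loader
check_domain = false
valid_domains[] = "127.0.0.1"
valid_domains[] = "localhost"
valid_domains[] = "default"
; the next line looks like a marker the configuration tool searches for; leave it in place
; domain_fix_line
; list of urls that are ignored by BitFire, useful for low risk urls that are hit frequently
ignore_bot_urls[] = ""
; enforce rate limit
rate_limit = false
; maximum verified requests per 5 minutes: suggested value 50
rr_5m = 50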
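[System Configuration]
; the cache system to use. preference order: (shmop, apcu, opcache, nop)
cache_type = "nop"
; the shmop memory id (randomly generated on configuration)
; the sample value is a placeholder and is expected to be replaced at configuration time
cache_token = 4455661
; if true, the path to the bitfire directory to remove (used for uninstall standalone)
rm_bitfire = ""
; cookies have higher fidelity than server side state. only disable cookies if your hosting provider disables them
cookies_enabled = true
; runs the auto loader by linking wordfence-waf.php to bitfire/startup.php
wordfence_emulation = false
; updated to true when the auto_start function runs
auto_start = false
; a name of a file to write web alerts to, relative to BitFire dir or absolute
; (confirm the target directory is not publicly readable - these files carry request details)
report_file = "cache/alerts.json"
; a name of a file to write web block to, relative to BitFire dir or absolute
block_file = "cache/blocks.json"
; a name of a file to write support debug information to, relative to BitFire dir or absolute
debug_file = ""
; include support debug info in http headers - support use only
; leave false in production: the headers are visible to every client
debug_header = false
; show why request was blocked on block page
debug = false
; enable or disable sending error reports to the BitFire developers to fix in upcoming releases
; set to false to opt out
send_errors = true
; track dashboard usage and usability
; set to false to opt out
dashboard_usage = true
; name of the cookie used to verify real browser interactions
browser_cookie = "_bitf"
; dashboard url
dashboard_path = "/bitfire-admin"
; a system wide encryption key custom to this domain - randomly set on first page request
; NOTE: if this still reads "default" after the site has served a request, set it by hand
encryption_key = "default"
; custom site secret - randomly set on first page request
; NOTE: if this still reads "default" after the site has served a request, set it by hand
secret = "default"
; dashboard password. Supports plaintext and sha3-256 hashes: hash('sha3-256', "password")
; NOTE: "configure" is the sample value - change it before the site goes live,
; and prefer storing the sha3-256 hash rather than the plaintext password.
password = "configure"
; wordpress root dir
cms_root = ""
; wordpress content url, content dir and version
; (presumably filled in during auto configuration - confirm in the loader)
cms_content_url = ""
cms_content_dir = ""
wp_version = ""
; if set to true, will block attempts at scanning for vulnerable plugins and themes
wp_block_scanners = false
; skip local requests (wordpress wp-cron, etc)
skip_local_bots = true
; block http response code
response_code = 403
; the HTTP header to read for the remote address. supported:
; default REMOTE_ADDR is the actual IP address.
; FORWARDED (support for by=();for=();etc), X-FORWARDED-FOR, REMOTE_ADDR, CUSTOM (like x-forwarded-for)
; NOTE: only select a forwarded header when a trusted proxy in front of this
; server sets it; otherwise the header is client-supplied and IP blocking,
; rate limiting and the honeypot can no longer identify the real client.
ip_header = "remote_addr"
; dns_service can be Cloudflare dns over https at 1.1.1.1 or localhost for local dns
dns_service = "localhost"
; short block time is 10 minutes (seconds)
short_block_time = 600
; medium block time is 60 minutes (seconds)
medium_block_time = 3600
; long block time is 24 hours (seconds)
long_block_time = 86400
; if true, update ini files with php arrays that can be cached in the opcache
cache_ini_files = true
; set to true to prevent file access outside of web root directory.
; sets open_basedir and fixes realpath.cache
; (stray trailing ';' removed - every value in this file is unterminated)
root_restrict = false
; auto-set to true after initial system auto-configuration
configured = false
; unix timestamp to turn off dynamic exceptions
; NOTE: the sample value is the boolean true, not a timestamp - confirm which
; form the loader expects before editing
dynamic_exceptions = true
; ignore nag messages
nag_ignore = false
; set to true after the setup wizard runs
wizard = false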