WordPress.org
Get WordPress
WordPress.org

Plugin Directory

BitFire Security – Firewall, Malware Scanner, Bot Blocker, Login Protection

BitFire Security – Firewall, Malware Scanner, Bot Blocker, Login Protection

By Cory Marsh
Download

Description

BitFire protects WordPress sites from malicious bots, login attacks, malware, and unauthorized changes to files and database records.

Free Protection

Malware Scanner

Scan WordPress core, plugin, and theme files for malware, unexpected changes, and suspicious code.

Real-Time Traffic Monitoring

Review every request to your site, including who visited, what they accessed, and whether the request was blocked.

30 Days of Traffic History

Look back through a full month of traffic data to investigate issues, identify patterns, or better understand how your site is being used.

Login Protection

Browser verification stops automated login attempts, brute-force attacks, password stuffing, and other suspicious authentication activity.

A+ Rated Web Application Firewall

Independent third-party testing by Cloudbric rated BitFire’s WAF at 94% (A+). See how it compares:

  • BitFire: 94% (A+)
  • Ninja Firewall [PRO]: 67% (D)
  • Wordfence [PRO]: 41% (D)
  • MalCare [PRO]: 34% (F)
  • iThemes Security: 2% (F)
  • Shield Security [PRO]: 2% (F)
  • SiteGround Security: 2% (F)

View the full independent test results at Cloudbric Labs

WP-CLI

Use BitFire’s WP-CLI integration to start malware scans, review scan results, inspect blocking data, and review web requests to your site. CSV, JSON, and table output formats are supported.

BitFire Pro

Built for Faster AI-Driven Attacks

AI-assisted exploit generation is reducing the time between vulnerability discovery and active attacks. Traditional defenses must wait for patches, signatures, or firewall rules.

Runtime Application Self-Protection

BitFire’s patented RASP technology monitors sensitive file, database, and network operations during every request.

It can prevent:

  • Unauthorized PHP file changes.
  • Unexpected administrator creation.
  • Malicious database modifications.
  • Outbound connections to malicious servers.
  • Redirect and JavaScript injection.

Automated Malware Scans

Run malware scans up to twice per day, with results emailed to you when a threat is confirmed.

Threat Hunter

Search traffic, files, database content, processes, and scheduled jobs for signs of compromise or reinfection.

360-Degree Coverage

Load BitFire before the WordPress boot process to stop attacks that target plugin and theme files directly.

Human Support

This is what makes BitFire different from the big-name security plugins: when you need help, you talk to a real person.

Our US-based support team is available 12 hours a day. No ticket queues that take days. No chatbots. No copy-and-paste answers. Just experienced people who will help make sure your site is secure.

Whether you need help with setup, have a question about a blocked request, or want someone to examine a suspicious file, we are here.

Pricing

Free

$0 forever. Bot blocking, malware scanning, login protection, and real-time traffic monitoring. Everything you need to stop the vast majority of automated attacks.

Pro – Single Site

$60/year. Full RASP protection, an A+ rated WAF, AI malware analysis, 30-day traffic logs, and priority human support.

Pro – Multi-Site Volume Pricing

Managing multiple sites? The more you protect, the less you pay:

  • 2-4 sites: $50/site per year
  • 5-9 sites: $45/site per year
  • 10-24 sites: $35/site per year
  • 25-49 sites: $25/site per year

Volume pricing is ideal for freelancers, agencies, and anyone managing WordPress sites for clients. Contact us for volume licensing.

How BitFire Compares

BitFire vs Wordfence

Wordfence is a solid product with a large team writing custom rules for known vulnerabilities. One important difference is how BitFire handles automated traffic:

  1. Bot blocking – WordPress cannot reliably distinguish human traffic from automated traffic on its own. BitFire is designed to identify and block malicious bots before they can exploit or infect your site.

If you use Wordfence, we strongly recommend using the paid version.

Read the detailed BitFire vs Wordfence comparison

Why Do Other Plugins Focus So Much on Cleaning Up Malware?

Good question. Have you noticed how much other security plugins charge for malware removal and how much of their marketing focuses on finding infections?

BitFire focuses on keeping malware off your site so you do not need to pay someone to remove it.

Privacy / Monitoring / Data Collection

We take your privacy seriously. Here is exactly what BitFire does with your data:

  1. Traffic inspection. BitFire inspects web traffic to your site to identify threats. Sensitive data, such as passwords and credit card numbers, is automatically replaced with redacted in logs. You can add additional fields to filter in the settings.

  2. Error reporting. If BitFire encounters a software error, it can send a report to our development team so we can fix it in a future release. No visitor data is included in these reports.

  3. Malware hash checking. BitFire sends small numeric fingerprints, known as 64-bit hashes, of your files to our hash server to compare them against our database of known-good files. For example, a file might hash to the number 812612388126487. We never receive your actual file contents, and file hashes are not stored on our servers.

  4. Local data storage. All log data and configuration files are stored locally on your server in a hidden, randomly named directory under wp-content/uploads/. This directory is protected by an .htaccess file and is not accessible from the web.

Screenshots

Installation

  1. Install BitFire from the WordPress plugin directory, or upload the plugin files to /wp-content/plugins/bitfire/.
  2. Activate BitFire from the WordPress Plugins page.
  3. Open the BitFire dashboard to review your protection settings.
  4. That is it. BitFire works out of the box with sensible defaults.

Need help getting set up? Our support team is happy to walk you through it.

Note: BitFire is not compatible with Windows-based hosting. It works on Linux, FreeBSD, and macOS hosting environments.

BitFire works with most WordPress hosting providers. Here is what you need to know:

  • PHP version: PHP 7.4 or newer is required. PHP 8.x is fully supported.

Additional Features

  1. Real-Time Traffic Monitor: See every request to your site, including who visited, where they came from, what they accessed, and whether they were blocked.
  2. Simple Settings: Turn features on or off with simple toggles, without touching any code.
  3. Process Hunter: Identify background PHP scripts that may be reinfecting your site and preventing successful cleanup.
  4. Database Scanner: Find malicious scripts hidden in database content that may reinfect your site after cleanup.
  5. Cron Job Scanner: Find malware hidden in system cron jobs, WordPress scheduled events, or database triggers.
  6. Traffic Search: Search for any traffic type using dropdown filters, time-range selections, and free-form text searches.

FAQ

Will BitFire slow down my site?

No. BitFire adds less than 2 milliseconds to a typical page load. It uses an optimized binary logging engine designed to remain extremely lightweight.

Can I use BitFire with Cloudflare or another CDN?

Yes. BitFire works well alongside CDNs such as Cloudflare. Avoid running two WordPress firewall plugins at the same time, as overlapping security controls can conflict with each other.

What is the difference between Free and Pro?

Free includes bot blocking, malware scanning, login protection, and real-time traffic monitoring. These features stop many common automated attacks.

Pro adds runtime application self-protection, automated malware scans, AI-assisted malware analysis, extended traffic history, and priority human support.

What is RASP and why does it matter?

Runtime Application Self-Protection, or RASP, monitors sensitive operations while WordPress and PHP are running. It can block unauthorized file, database, and network activity at the point where it occurs.

This is how BitFire has blocked 100% of critical WordPress zero-day vulnerabilities tested since 2022, without requiring new firewall rules.

Can BitFire protect against zero-day attacks?

Yes. BitFire’s RASP technology can block many zero-day attacks by preventing unauthorized behavior, even when a vulnerability does not yet have a patch or firewall signature.

How does the AI malware scanner work?

BitFire combines file hashes, malware signatures, code analysis, and AI-assisted review to identify suspicious files. AI analysis helps evaluate files that cannot be confidently classified using traditional signatures alone.

Does BitFire block SQL injection and XSS attacks?

Yes. BitFire’s web application firewall detects and blocks SQL injection, cross-site scripting, and other malicious request patterns. Pro protection also monitors sensitive database and file operations during runtime.

How do I get support?

Support is available through the BitFire website and WordPress support channels. Pro customers receive priority access to our US-based human support team.

How much does Pro cost?

BitFire Pro costs $60 per year for a single site. Discounted volume pricing is available for customers protecting multiple WordPress sites.

Reviews

This is a total game-changer

January 22, 2025
I don’t know where to start. A friend’s website had been hacked, was spewing spam and after hours of tech support with his host we were pressured to get into contracts to be able to remove the bots that got him locked out of his own email. Then, I searched for alternatives and found BitFire. What a difference! As it turns out, BitFire is highly advanced technology and far beyond what this little website needed, but I didn’t fully realize this until I contacted Cory Marsh, the developer of this genius product, and talked it out. AND, instead of turning me away with apologies and legitimate reasons why the typical BitFire install would be complete overkill, he talked me through how to use it, explained all the details and inner workings very patiently, cheerfully waiting on the line while I tried to grasp and respond to what was clearly over my pay grade, and then went ahead and removed the existing bots for me in the process. He used hours of his time trying to help me, and I am overwhelmingly grateful for his patience and incredible talent in developing this product. Cory is the real deal. I still can’t believe the help I received.

Thank you!

September 5, 2024
This is an excellent plugin. Given that most recent attacks are from bots, focusing on bot protection makes perfect sense. We have been able to eliminate most malicious bots with it. We are deeply grateful to the plugin developer.

Absolute Best Plugin and Support

November 3, 2023
Cory has gone above and beyond any plugin creator I have ever dealt with. He walked me through my own website and showed me things that I was not even aware of. We had a zoom meeting and he spent over an hour helping me. If I could give more than 5 stars I would. You will not be disappointed with this plugin. The Full Protection option is the way to go. Thank you so much Cory!

WAF and RASP are Pro features

August 3, 2023 1 reply
Updated Review: BitFire Pro is the best I know for WordPress – no doubt. In my earlier tests, it (the free version) defeated WordFence Pro and all the other WAF plugins. With the 4.0 version update, the WAF which was present in the free version just disappeared and became part of the Pro version. As for the RASP, it is again a Pro feature and that was the case earlier too – RASP is a great Pro feature that a serious person would upgrade to. I tested the latest free version(4.0) and found it to be not qualified to be on my WP stack anymore as it doesn’t have WAF as it did before. I do know that BitFire “Pro” is good and much better than the WordFence Pro, so I don’t want to take away the 5-star rating from my review – this is my gratitude for your hard work, you absolutely deserve it. Any day I would suggest anybody use the BitFire Pro version in any of their serious web projects – it really works great! Anyways, BitFire free version isn’t for me. Good wishes.

Review

February 1, 2023
I don’t know much about security but the creator of this plugin Cory does. He personally gave me tips and he configured my settings and actually taught me about hacks and bots and stuff and he showed me how Bitfire protects me from hacks.
Read all 7 reviews

Contributors & Developers

“BitFire Security – Firewall, Malware Scanner, Bot Blocker, Login Protection” is open source software. The following people have contributed to this plugin.

Contributors

“BitFire Security – Firewall, Malware Scanner, Bot Blocker, Login Protection” has been translated into 1 locale. Thank you to the translators for their contributions.

Translate “BitFire Security – Firewall, Malware Scanner, Bot Blocker, Login Protection” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

5.0.7

  • Added AI-powered malware analysis for suspicious files.
  • Reduced Pro pricing to $60/year with volume discounts.
  • Improved malware scanner performance and accuracy.
  • Updated bot and browser fingerprint databases.
  • Added geolocation blocking.
  • Added automated malware scanning.
  • Added WP-CLI integration.
  • Added email alert support.
  • Improved the dashboard and settings interface.

4.8.3

  • Fixed an issue that could reset the configuration during an upgrade.

4.8.2

  • Improved the malware scanning interface.
  • Fixed issues when downloading non-PHP files.
  • Added safeguards for additional edge cases.

4.8.0

  • Improved malware detection and reduced false positives
  • Added 3 new file hash servers in US, DE, and KR
  • Added support for checking for backups and files that could contain sensitive data
  • New daily/weekly status emails
  • Added daily malware scan scheduling
  • Various stability and configuration improvements

4.7.4

  • Improved dashboard messaging for IP and user-agent blocking
  • Fixed toggle behavior on the exceptions page
  • Fixed deprecation warnings
  • Fixed an issue that could prevent uploading plugins when bot blocking was enabled

4.7.3

  • Initial WP-CLI support: review logs, check metrics, manage blocks
  • Configuration file reliability improvements
  • PHP 8.3 compatibility fix

4.7.2

  • Improved traffic monitoring and logging
  • Added “Fake Browser” detection badges
  • Added DoS protection for rate-limited IPs
  • New traffic filter keywords: BLOCKED, RESTRICTED, ADMIN, LOGINS, and more
  • Added email notifications for server health
  • Performance improvements across the board

4.7.0

  • Added AI verification framework for block accuracy
  • Reduced server communication timeout for faster responses
  • Additional blocking class types for exclusions
  • PHP 8.4 compatibility
  • Updated Google, Bing, and Cloudflare IP lists

4.6.1

  • Improved dashboard log searching
  • Fixed a rare memory issue with log writing

4.6

  • Moved configuration and log storage to a more secure location
  • Added .htaccess protection for data directories
  • Resolved several minor PHP warnings

4.5

  • Fixed filtering on blocked requests
  • Fixed handling of malformed file uploads
  • Added additional browser support

4.4.9

  • Major quality and performance improvements
  • Daily report emails
  • Complete rewrite of caching and statistics
  • Full support for cached websites (Cloudflare, etc.)
  • Log up to 30 days and 2 million requests per month

4.0.1

  • Major overhaul of browser and bot detection
  • Added 180+ browsers and 300+ browser icons
  • Switched to high-performance binary log format
  • Added commercial IP reputation database with 300K+ abusive IPs
  • Simplified user interface

Meta

Ratings

5 out of 5 stars.

Your review

See all reviews

Contributors

Support

Got something to say? Need help?

View support forum