BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security Security & Risk Analysis

wordpress.org/plugins/bitfire

Real-time firewall that stops bots, malware, and hackers with real AI, file protection, and traffic analytics without slowing down your site

300 active installs · v4.8.2 · PHP 7.4+ · WP 6.1+ · Updated Sep 21, 2025
Tags: activity-log, firewall, malware-scanner, security, waf

Score: 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Aug 1, 2025
Safety Verdict

Is BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security Safe to Use in 2026?

Generally Safe

Score 99/100

BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Aug 1, 2025 · Updated 6mo ago
Risk Assessment

The "bitfire" plugin v4.8.2 exhibits a mixed security posture. While it demonstrates good practices in handling SQL queries with prepared statements and a high percentage of properly escaped output, several areas raise significant concern. The presence of dangerous functions like 'assert' and 'unserialize' is a red flag, especially when coupled with a lack of nonce checks on any entry points, suggesting potential for arbitrary code execution or deserialization vulnerabilities if malicious data is introduced. The taint analysis revealing all analyzed flows with unsanitized paths is particularly alarming, even without critical or high severity classifications, as it indicates a high likelihood of data being mishandled. The plugin's vulnerability history, while showing no currently unpatched CVEs, does include a past medium-severity vulnerability related to information exposure. This, combined with the static analysis findings, suggests that while the developers are addressing past issues, underlying coding practices may still harbor risks.

Key Concerns

  • Dangerous functions found (assert, unserialize)
  • No nonce checks found on any entry points
  • All analyzed taint flows have unsanitized paths
  • Bundled outdated library (jQuery v3.6.1)
  • Past medium severity vulnerability (Exposure of Sensitive Information)
Vulnerabilities (1)

BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security Security Vulnerabilities

CVEs by Year

1 CVE in 2025 (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-6722 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

BitFire <= 4.5 - Unauthenticated Information Exposure

Aug 1, 2025 · Patched in 4.6 (25 days)
Code Analysis (analyzed Mar 16, 2026)

BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security Code Analysis

  • Dangerous Functions: 52
  • Raw SQL Queries: 0 (1 prepared)
  • Unescaped Output: 27 (97 escaped)
  • Nonce Checks: 0
  • Capability Checks: 1
  • File Operations: 199
  • External Requests: 4
  • Bundled Libraries: 1

Dangerous Functions Found

  • assert (bitfire-plugin.php:485): assert(!empty($script_tag), "cant add nonce to empty script tag");
  • assert (src\api.php:235): assert(isset($r->post['uuid']) || isset($r->post['agent']), "uuid or agent is required");
  • assert (src\api.php:444): assert(isset($r->get["filename"]), "filename is required");
  • unserialize (src\api.php:590): $bot = unserialize(file_get_contents($file));
  • assert (src\api.php:919): assert(count($hash_slice) < 24, "curl multi can only handle 24 at a time");
  • assert (src\api.php:1497): assert($api_effect instanceof Effect, "api method did not return valid Effect");
  • unserialize (src\api.php:2560): $plugin_act = (!empty($plugin_ser)) ? count(unserialize($plugin_ser)) : 0;
  • unserialize (src\api.php:2564): $cron_events = (!empty($plugin_ser)) ? count(unserialize($cron_ser)) : 0;
  • assert (src\bitfire_pure.php:49): assert(!empty($code), "empty code in code_class");
  • assert (src\bitfire_pure.php:50): assert($code < 100000, "invalid code class >10000");
  • assert (src\bitfire_pure.php:51): assert($code > 0, "invalid code class <1");
  • assert (src\bitfire_pure.php:1062): assert(count($headers) <= 16, "too many headers");
  • assert (src\bitfire_pure.php:1063): assert(count($headers) > 4, "missing some headers");
  • unserialize (src\botfilter.php:1474): return unserialize($file->raw());
  • assert (src\cms.php:466): assert($malware instanceof Malware, "Malware_List can only contain Malware objects");
  • assert (src\cms.php:1887): assert(strlen($from) >= ($from_offset + $from_len), "from_offset + from_len is greater than the leng
  • assert (src\cms.php:1888): assert(in_array($opcode, ['i', 'd', 'c', 'r', 'z']), "invalid opcode");
  • assert (src\cms.php:1912): assert(strlen($from) >= ($from_offset + $from_len), "from_offset + from_len is greater than the leng
  • assert (src\cms.php:1913): assert(in_array($opcode, ['i', 'd', 'c', 'r', 'z']), "invalid opcode");
  • assert (src\cuckoo.php:85): assert($offset >= 0 && !empty($data), "invalid write offset/data");
  • assert (src\cuckoo.php:86): assert(($offset + strlen($data)) <= $this->mem_end + CUCKOO_MEM_EXTRA, "write offset past end of mem
  • assert (src\cuckoo.php:87): assert(strlen($data) <= CUCKOO_MEM_CHUNK, "data too large to write to cache: " . strlen($data) . " /
  • assert (src\cuckoo.php:105): assert($offset >= 0 && $len > 0, "invalid read offset/len ($offset / $len)");
  • assert (src\cuckoo.php:106): assert($offset <= $this->mem_end, "read past end of memory: $offset, {$this->mem_end}");
  • unserialize (src\cuckoo.php:213): $x = unserialize($data);
  • assert (src\cuckoo.php:449): assert($num_items <= 65535, "max 64K items in cache");
  • assert (src\cuckoo.php:450): assert($chunk_size <= 1024, "max base chunk_size 1K");
  • assert (src\dashboard.php:214): assert(file_exists($custom_css_file), "missing core file $custom_css_file");
  • assert (src\dashboard.php:215): assert(is_readable($custom_css_file), "core file $custom_css_file is not readable");
  • assert (src\db.php:260): assert(!empty($this->_db), "database: {$this->database} is not connected [".gettype($this->_db)."]")
  • assert (src\db.php:334): assert(!empty($this->_db), "database: {$this->database} is not connected [".gettype($this->_db)."]")
  • assert (src\db.php:475): assert(is_resource($this->_db), "database not connected");
  • assert (src\db.php:751): assert(is_resource($stream), "stream must be a resource");
  • unserialize (src\server.php:1268): $data = unserialize($file->raw());
  • unserialize (src\server.php:1521): $bot_info = unserialize(file_get_contents($file));
  • assert (src\server.php:1744): assert(file_exists($path), "can't update character frequency if the file doesn't exist: $path");
  • unserialize (src\storage.php:61): return unserialize($raw);
  • assert (src\storage.php:131): assert(in_array(self::$_type, ['nop', 'shmop', 'opcache']), "must call set_type before using cache")
  • assert (src\storage.php:187): assert(self::$_type !== null, "must call set_type before using cache");
  • assert (src\storage.php:405): assert(is_array($data) || is_string($data), "$key_name generator returned invalid data (" . gettype(
  • assert (src\util.php:918): public static function create() : Effect { assert(func_num_args() == 0, "incorrect call of Effect::c
  • assert (src\util.php:955): assert(is_numeric($status), "exit status must be numeric [$status]");
  • assert (src\util.php:965): assert(!empty($mod->filename), "file problem %s");
  • assert (src\util.php:1071): assert(!empty($file->filename), "can't write to null file: " . en_json($file));
  • assert (src\util.php:1650): assert(class_exists('\BitFire\Config'), "programmer error, call debug() before config is loaded");
  • assert (src\util.php:1651): assert(format_chk($fmt, count($args)), "programmer error, format string does not match number of arg
  • unserialize (src\util.php:2247): return unserialize($compress);
  • assert (src\util.php:2382): assert(is_int($config->trim_len) && $config->trim_len > 0 && $config->trim_len < 128, "invalid trim
  • assert (src\util.php:2383): assert(is_int($config->valid_seconds) && $config->valid_seconds > 0, "invalid valid_seconds value");
  • assert (src\webfilter.php:616): assert(! empty($needle), "generic block list error: needle:[$needle] - code[$key]");
  • assert (src\webfilter.php:617): assert(! ctype_digit($needle), "generic block list error: needle code swap");
  • assert (src\webfilter.php:618): assert($needle[0] === "/", "generic block list error: no regex_identifier");

Bundled Libraries

jQuery 3.6.1

SQL Query Safety

100% prepared (1 total query)

Output Escaping

78% escaped (124 total outputs)
Data Flows (7 unsanitized)

Data Flow Analysis

7 flows, 7 with unsanitized paths

  • do_ip_block (ip_blocking.php:82)
Attack Surface

BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 24
  • action activated_plugin (bitfire-admin.php:615)
  • action deleted_plugin (bitfire-admin.php:618)
  • action admin_menu (bitfire-admin.php:621)
  • action admin_notices (bitfire-admin.php:622)
  • action admin_enqueue_scripts (bitfire-admin.php:638)
  • action wp_enqueue_scripts (bitfire-plugin.php:153)
  • filter cron_schedules (bitfire-plugin.php:160)
  • action bitfire_scan_action (bitfire-plugin.php:171)
  • action shutdown (bitfire-plugin.php:197)
  • action template_redirect (bitfire-plugin.php:205)
  • action template_redirect (bitfire-plugin.php:207)
  • action login_header (bitfire-plugin.php:229)
  • action admin_head (bitfire-plugin.php:242)
  • action wp_head (bitfire-plugin.php:246)
  • action auth_cookie_valid (bitfire-plugin.php:521)
  • filter determine_current_user (bitfire-plugin.php:522)
  • action application_password_did_authenticate (bitfire-plugin.php:523)
  • filter status_header (bitfire-plugin.php:544)
  • filter wp_script_attributes (bitfire-plugin.php:596)
  • filter wp_inline_script_attributes (bitfire-plugin.php:597)
  • action auth_cookie_valid (bitfire-plugin.php:642)
  • filter determine_current_user (bitfire-plugin.php:643)
  • action application_password_did_authenticate (bitfire-plugin.php:644)
  • action shutdown (src\botfilter.php:1728)

Scheduled Events: 1

  • bitfire_scan_action
Maintenance & Trust

BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 21, 2025
PHP min version: 7.4
Downloads: 14K

Community Trust

Rating: 100/100
Number of ratings: 7
Active installs: 300
Developer Profile

BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security Developer Profile

Cory Marsh

1 plugin · 300 total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 25 days
Detection Fingerprints

How We Detect BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/bitfire/public/bitfire_core.js
Version Parameters: bitfire_core.js?ver=

HTML / DOM Fingerprints

JS Globals: BITFIRE_VER
FAQ

Frequently Asked Questions about BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security