Block bots: URL captcha

If bots are creating spam accounts on your website or trying to brute-force an access page, you can use BitNinja’s Browser Integrity Check to block them.
If a bot fails the Browser Integrity Check, its IP will be greylisted on your account, so it will not bother you anymore.

This feature is currently in the BETA phase.

If you experience any issues with this module, please let us know.
You can contact us at info@bitninja.io or via live chat from 9 AM to 5 PM CET.
Or send us a ticket here.

What is Browser Integrity Check (BIC)

The BIC has the same purpose as the CAPTCHA module: it blocks bots and lets normal users through. BIC does this without requiring users to type or click anything. Users only need to wait 5 seconds to pass the Browser Integrity Check, and ONLY at the beginning of their session.

In summary:

  • Blocks bots
  • Lets through valid users and whitelisted bots
  • No need to do anything (besides waiting for 5s)
  • Users get the BIC page once per session

This is how it looks:

How to use BIC

From the Dashboard (New)

At the moment the Dashboard feature accepts only a “PATH” parameter, so the URL captcha rule takes effect on the matching URI on all domains and on all servers under your BitNinja account.
In the future the feature will also accept a “DOMAIN” parameter, so the rule can take effect on the matching domain only.

If you want to set up the URL captcha feature for a specific domain only or for one specific server only, you can do that from the terminal via bitninjacli.
You can find the instructions for that further below.

  1. Navigate to the Firewall menu point and select the URL captcha menu point at the top.
  2. Click on the “+ ADD new custom rule” button.
  3. Add a name for the rule for identification at “Rule name”.
  4. In the “PATH” text field add the URI you wish to protect on all domains and on all servers under your account.
    You can also use regular expressions, e.g. myform*
  5. Add a description (optional, but useful in some cases).
  6. Click on the Add rule button.

You can later edit the rule from the Dashboard by clicking on the pen icon on the rule.
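Because the PATH field is evaluated as a regular expression, a glob-looking value such as myform* does not mean "anything starting with myform": as a regex it matches "myfor" followed by zero or more "m". The following Python script is an added example (not BitNinja's code and not from the original page) for dry-running a candidate PATH rule against request paths pulled from an access log before saving it in the Dashboard. It assumes the rule is applied as an unanchored regex search over the request URI, which the page does not state; the sample paths are constructed.

```python
import re
from typing import List, Optional

# Constructed sample request paths (not taken from the page), as they would
# appear in a web server access log. "/myfor" and "/wp-login-php" are included
# on purpose to show how a glob-looking rule behaves once it is read as a regex.
SAMPLE_PATHS = [
    "/wp-login.php",
    "/wp-login-php",
    "/myform.php",
    "/myform/submit",
    "/myfor",
    "/blog/2024/hello-world",
    "/xmlrpc.php",
    "/contact",
]


def validate_rule(rule_path: str) -> Optional[str]:
    """Return None if the PATH value compiles as a regular expression,
    otherwise the compile error message, so a typo is caught before the
    rule is saved."""
    try:
        re.compile(rule_path)
    except re.error as exc:
        return str(exc)
    return None


def matches(rule_path: str, request_path: str, anchored: bool = False) -> bool:
    """True if request_path is covered by the PATH rule.

    Assumption (not stated on the page): the rule is applied as an
    unanchored regex search over the request URI. Pass anchored=True to
    model a whole-path match against the URI without its leading slash.
    """
    pattern = re.compile(rule_path)
    if anchored:
        return pattern.fullmatch(request_path.lstrip("/")) is not None
    return pattern.search(request_path) is not None


def covered_paths(rule_path: str, paths: List[str], anchored: bool = False) -> List[str]:
    """All sample paths the rule would send to the BIC page, in input order."""
    return [p for p in paths if matches(rule_path, p, anchored)]


if __name__ == "__main__":
    # Compare the glob-style rule with properly anchored / escaped variants.
    for rule in ("myform*", r"^/myform", "wp-login.php", r"wp-login\.php"):
        problem = validate_rule(rule)
        if problem:
            print(f"{rule!r}: invalid regex ({problem})")
            continue
        print(f"{rule!r:18} -> {covered_paths(rule, SAMPLE_PATHS)}")
```

Running it shows that "myform*" also covers "/myfor", and that an unescaped dot in "wp-login.php" covers "/wp-login-php" as well; anchoring with ^ and escaping the dot (r"wp-login\.php") narrows the rule to the path you actually intend to protect.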

From CLI (for a specific domain or server)

You can enable this feature for a specific domain’s specific URI on a specific server by issuing this command:

bitninjacli --module=SslTerminating --add-domainuri --domain=<domain> --uri=<uri>

For example, on www.example.com’s wp-login page:

bitninjacli --module=SslTerminating --add-domainuri --domain=example.com --uri=wp-login.php

In this example, everyone who tries to access the example.com/wp-login page will get the BIC page. Legitimate users will then be allowed to access the page; if the request came from a bot, it will be blocked and greylisted.

You can also set BIC to be presented on every domain’s wp-login.php URI:

bitninjacli --module=SslTerminating --add-domainuri --domain=* --uri=wp-login.php

BETA phase

The CAPTCHA module can handle 20 000-30 000 requests/sec. If the number of requests is higher than this, the CAPTCHA module might break, meaning legitimate users will be unable to delist their IP address and bots will not be blocked.

If this happens, turn off the BIC module for the URI and restart BitNinja to fix the issue.
You can restart BitNinja with the service bitninja restart command.
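Since the failure mode above depends on the request rate hitting the protected URI, it is worth knowing how close your traffic gets to the stated capacity before enabling BIC, and checking again if logins start failing. The following Python script is an added example (not BitNinja's code and not from the original page): it buckets access-log requests per second, optionally only those for the protected URI, and reports the peak against the 20 000 requests/sec lower bound the page gives. The log lines and IP addresses are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Lower bound of the request rate the page states the CAPTCHA module can handle.
BIC_CAPACITY_RPS = 20_000

# Constructed access-log sample (common log format) with addresses from the
# 203.0.113.0/24 documentation range; not real traffic and not from the page.
# The last line is deliberately malformed to show it is skipped, not fatal.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1043
203.0.113.11 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1043
203.0.113.12 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1043
203.0.113.13 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.14 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1043
203.0.113.15 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1043
this line is not a valid log record
"""

# Extracts the timestamp, method and request path from a common-log-format line.
LINE_RE = re.compile(
    r'\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) '
)


def requests_per_second(log_text: str, uri: Optional[str] = None) -> Counter:
    """Count requests per one-second bucket, optionally only for request
    paths containing `uri` (the URI the BIC rule protects). Malformed
    lines are skipped rather than aborting the scan."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if uri is not None and uri not in m.group("path"):
            continue
        bucket = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        counts[bucket] += 1
    return counts


def peak_rps(counts: Counter) -> int:
    """Highest number of requests seen in any single second."""
    return max(counts.values(), default=0)


def over_capacity(counts: Counter, capacity: int = BIC_CAPACITY_RPS) -> bool:
    """True if any second exceeded the module capacity, i.e. the condition
    under which the page says the module might break."""
    return peak_rps(counts) > capacity


if __name__ == "__main__":
    counts = requests_per_second(SAMPLE_LOG, uri="wp-login.php")
    print(f"peak {peak_rps(counts)} req/s on wp-login.php; "
          f"over capacity: {over_capacity(counts)}")
```

On a real server, feed it the web server's access log for the protected URI; a peak that approaches the stated range is the signal to expect the breakage the page describes and to be ready with the disable-and-restart procedure.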

How to disable

From the Dashboard

Click on the trash bin icon on the rule.

From the terminal

To revert the changes for a specific domain on a specific URI, issue the command below:

bitninjacli --module=SslTerminating --del-domainuri --domain=<domain> --uri=<uri>

For example:

bitninjacli --module=SslTerminating --del-domainuri --domain=example.com --uri=wp-login.php

To revert the changes on all domains for a specific URI:

bitninjacli --module=SslTerminating --del-domainuri --domain=* --uri=wp-login.php