1C-Bitrix
Prefer .htaccess auto_prepend_file for 1C-Bitrix when Apache/PHP supports it. AWAF then starts before every PHP request in scope, not only through one entry point.
Preferred method
On Apache with mod_php and allowed php_value, place the directive in the Bitrix site root .htaccess and use the absolute AWAF path.
php_value auto_prepend_file "<path_to_directory>/antibot/index.php"Why it matters for Bitrix
auto_prepend_file loads AWAF before each PHP file in scope: public index.php, /bitrix/admin/, AJAX handlers, legacy scripts, exchanges, and direct PHP endpoints.
This is broader than adding an include only to one template or front index.php, because admin, service, and legacy PHP files may bypass the normal public route.
Fallback
For PHP-FPM, CGI, Nginx-only setups, or locked php_value, use .user.ini, vhost/pool config, or a hosting panel equivalent. If those are unavailable, add require_once to an early common entry point, usually index.php, before HTML output and heavy CMS logic.
Entry-point fallback is less universal, so verify /bitrix/admin/, AJAX, form components, exchanges, cron, service URLs, and direct PHP endpoints.
Verify
- Back up the project and AWAF config.
- Place AWAF in /antibot/ and open /antibot/ in a browser.
- Test public pages, /bitrix/admin/, login, AJAX, forms, payments, exchanges, cron, and sitemap/XML.
- For endpoints where captcha is not acceptable, add narrow whitelist_url/captcha_uri rules after checking RayID.