Save 15% on our Pro WordPress plugins with discount code: LAUNCH2021
Web Dev + WordPress + Security

BBQ: Customize Firewall Rules

BBQ Firewall BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.

BBQ is as lightweight as possible, so there are no options to configure the firewall rules. The default rules are context-neutral and work great on any WordPress setup. But there may be cases where you want to add or remove patterns from the firewall rules. So to give the plugin more flexibility, here are a couple of free addons that enable you to customize the BBQ firewall rules.

Got BBQ? Get advanced firewall protection with BBQ Pro. BBQ Pro features a settings page with options for customizing firewall rules and much more.

Remove patterns from BBQ firewall rules

If you’re running BBQ and discover that it’s blocking some legitimate URL, you can “whitelist” the offending pattern to restore access. Let’s look at an example.

Let’s say that BBQ is blocking a page located at the following URL:

http://example.com/page/?referer=http://example.org/

This URL is blocked by BBQ because of the colon :, which is a reserved character.

To resolve the issue, we can install the BBQ whitelist plugin and remove the matching pattern from $request_uri_array. To do so, open the plugin file and edit the “whitelist items” like so:

$bbq_whitelist_request_uri_items  = array('\/http\:', '\:\/\/');

Here we have added two items to the whitelist array, \/http\: and \:\/\/. Save, upload, and done. BBQ now will ignore the specified patterns and thus restore access to the URL. This solution can be used to resolve any false positive.

Add patterns to BBQ firewall rules

On the other side of the coin, let’s say that you have some string that you would like BBQ to block. For example, the infamous fckeditor seems to be a perpetual target for malicious scanning and wannabe exploits. So let’s block once and for all by adding it to BBQ.

To do it, first install the BBQ blacklist plugin. Then open the plugin file and edit the “blacklist items” like so:

$bbq_blacklist_request_uri_items  = array('fckeditor');
$bbq_blacklist_query_string_items = array('fckeditor');
$bbq_blacklist_user_agent_items   = array('fckeditor');
$bbq_blacklist_referrer_items     = array('fckeditor');

Here we have added the offending string to each of the four blacklist arrays, so we’re covered if the string appears in the request URL, query string, user agent, and/or referrer. Then save, upload, and done. BBQ now will block the pesky fckeditor pattern whenever and wherever it’s found.

Download

Download the free BBQ addons:

WP Plugin - BBQ Blacklist Version 20201130 (751B zip)
WP Plugin - BBQ Whitelist Version 20201204 (820B zip)
Note: the whitelist/blacklist plugins require BBQ version 20150314 or better.

BBQ GUI

Here is a simple settings page for the BBQ blacklist & whitelist plugins, for those who would like a GUI. Thanks to LyntServices for sharing :)

BBQ Customize

New! As of BBQ version 20201123, you can can customize long-request handling, pattern-match logging, and blocked response headers. Learn more and download the free BBQ customize plugin.

Jeff Starr
About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.
Banhammer: Protect your WordPress site against threats.

5 responses to “BBQ: Customize Firewall Rules”

  1. Steve and Sally Wharton 2015/03/27 9:03 am

    Hi Jeff,

    So to block buttons-for-website.com traffic/bots/whatever-they-are from my WordPress site (Linux/WP hosting on MediaTemple if that matters) I would add:

    (1) to BBQ Blacklist:

    $bbq_blacklist_request_uri_items  = array('buttons-for-website');
    $bbq_blacklist_query_string_items = array('buttons-for-website');
    $bbq_blacklist_user_agent_items   = array('buttons-for-website');

    Is it really that easy, or am I missing something? Or,

    (2) I would add this to my .htaccess file:

    # Block all http and https referrals from "buttons-for-website.com" and all subdomains of "buttons-for-website.com"
    RewriteCond %{HTTP_REFERER} ^https?://([^.]+.)*buttons-for-website.com [NC,OR]

    with no RewriteRule needed (like the RewriteRule ^(.*)$ http://semalt.com/ [L] seen in .htaccess) ????

    Thanks for clarifying for me. Awesome plugin/s; much appreciated!

    Cheers, Steve

  2. Hey Jeff,

    I found an infoo.php file in the root of my website. Inside the file it has the following code: <?phpinfo();?>

    Do you think this is malicious script? Or maybe it was placed in my root directory by a plugin perhaps?

    I’ve got your 5G firewall in place, do you have an updated version? I can only see a 6G Beta from a while ago.

    Many thanks

    • Jeff Starr

      That PHP function displays information about your server, PHP, Apache, etc. Whether or not it’s malicious depends on who put it there and for what reason. If you or maybe one of your associates put the file, then it’s probably nothing to worry about. Otherwise, if you are sure it was placed there by some unauthorized person/script, then yeah I would investigate asap. Bottom line is that it should not be there, or it should be locked down to prevent anyone else from accessing it.

  3. VladimĂ­r Smitka 2015/05/28 6:37 am

    Hi, I made a simple plugin to manage custom rules for BBQ.

    I prefer the original way – edit files by hand (plugin uses DB, so there is a little impact in the performance), but it may be useful for somebody.

    https://github.com/LyntServices/bbq-gui

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Digging Into WordPress: Take your WordPress skills to the next level.
Thoughts
WP 5.8 Gutenberg/Block Widgets is breaking many sites. Fortunately Disable Gutenberg makes it easy to restore Classic Widgets with a click.
Easily the most common exploit scan for WordPress is /{path}/wp-login.php.
Pushing 110+ ℉ for several days now, expected for at least another week or so.
After 12 intense weeks the Plugin Planet redesign is now live. Much work still happening behind the scenes.
June, July, August historically are slow months on the Web. Perfect time to get some real work done (think projects).
Redesigning Plugin Planet is one the most challenging things I’ve done online. Almost there, about another two weeks ’til launch.
I could listen to Mouse Rat all day.
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.