BBQ Firewall (Free WordPress Plugin)
BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.
BBQ Firewall is available as a free or pro WordPress plugin. This post describes the free version of BBQ Firewall. Visit Plugin Planet to learn more about BBQ Pro.
BBQ is the lightest, fastest firewall plugin for WordPress.
Welcome to BBQ
BBQ adds a powerful firewall to your WordPress site. That’s it. No bells. No whistles. No bloat. Just a lean, mean bad-request blocking machine.
To use BBQ on any WordPress-powered site, install and activate the plugin via the WP Admin Area. Then sit back and enjoy the automatic, behind-the-scenes protection and a more secure website. No configuration required, just activate and done. BBQ is 100% plug-&-play, lightweight super fast, super strong WAF firewall.
BBQ adds powerful firewall protection with a few clicks.
Verify BBQ is working
Once BBQ is installed and active, you can verify that it’s working by requesting any of the following URLs (replace example.com with your own domain name).
http://example.com/proc/self/environhttp://example.com/path/?q=%2e%2ehttp://example.com/path/base64_
These are just examples of the type of garbage that’s blocked by BBQ. If your server returns a 403 “Forbidden” response for these examples, BBQ is working properly. Silently protecting your site behind the scenes.
Note that additional tests are possible using the patterns contained in the firewall rules, located in the main plugin file, block-bad-queries.php.
How BBQ works
BBQ basically is an adaptation of my Apache/.htaccess G-series firewalls ported to PHP/WordPress. The plugin works by defining a set of regular expressions to match and block malicious URL requests. The BBQ firewall rules have been refined and battle tested for years, with false positive rates near zero. It’s a simple, effective, lightweight solution that’s easy on server resources.
BBQ scans the following parts of each request:
- The Request URI
- The Query String
- The User Agent
- Referrer
Also for each request, BBQ checks all available request methods, GET, POST, PUT, DELETE, etc. Checking these variables against a strategically crafted set of known attack patterns is an effective way to protect your site against a wide range of threats.
If BBQ detects foul play in any part of the request, it is blocked immediately via 403 “Forbidden” response.
More information
Check the following articles for more information on the underlying functionality:
More infos on this and related topics in the security and .htaccess archives.
Download BBQ Firewall
Download BBQ from the WordPress Plugin Directory:
Need help? Contact anytime via my contact form.
118 responses to “BBQ Firewall (Free WordPress Plugin)”
Sounds great. Just wondering if there is likely to be any performance overhead if all incoming traffic is being checked by the script?
It’s a good question. BBQ is as bare-bones as possible, and should be fine unless you’re getting huge amounts of traffic. For each URI request, the script does a series of comparisons and that’s pretty much it. Not having to communicate with the database helps keep it light.
Thanks Jeff
Alerted to this one by John Hoff and use it on all my WordPress sites.
Just updated to latest version.
Appreciate you keeping the plugin updated.
Hi Jeff
Just updated BBQ plugin and can’t empty trash comments in WordPress dashboard.
Get the message…
“Access to the web page was denied
You are not authorised to access the web page…”
Easy to deactivate BBQ plugin, empty comments and reactivate plugin, but just letting you know.
It looks like WordPress is using some really long URL requests for comment/trash moderation.. I’d like to collect some examples of any URLs that are causing issues and then see what can be done. Will you post the next URL that leads to the error? (comment out any sensitive infos!) Thanks.
Will do Jeff.
Hi Jeff
Thanks a lot.
I get a bug when I try to delete all spam, the browser deny access. I was connected as admin. After desactivate the plugin, the delete button works fine.
Thanks
I think that may be due to the long URL requested for spam and trash deletes (anything over 255 characters is blocked). What is the URL and I can take a look..
Already using the 5g blacklist is there a reason to switch to bbq or not
Just a little bit, but the same protection will soon be available in the 6G final, so no need for BBQ if you’re rolling with 5G with plans to update.
Just wanted to add that the new update made it so you couldn’t delete spam comments giving you a 403 error.
Plugin update! I’ve went ahead and disabled the match for long strings, and for the term
scanner. This should resolve the errors reported by Danielle, Tom, Grégoire, and Keith. Thanks to those who are providing feedback regarding BBQ. I’ll continue to update the plugin as needed and hopefully find a workaround for protection against long-character strings.Thanks Jeff, it works now (delete spams with akismet)
Yep, all OK now.
Appreciate that Jeff.
Likewise, everything works fine. Thanks for the update!
Experiencing similar blocks as others commenting here, the first is another plugin I use, Exploit Scanner (page is blank):
Second, when trying to empty my spam comments:
Hope that helps you fix the issue, I definitely want to keep using BBQ, but this is a little inconvenient.
Today I did a test with this plugin and the 5G. Turns out with proc/self/environ the plugin gives me a 403 and the code in the root htaccess just a page not found.
Not using them together for testing. Is this right?
What is the URL(s) that result in the 403 errors and I’ll take a look..
I have only the 5G in the root htaccess, no BBQ, and I am trying to get a 403 with
http://example.com/hello?Permanent, but the result is 404.If have sent you my htaccess file by email, subject asdfg htaccess
I’m actually trying to block requests like this that I get a lot lately:
http://example.com/178.137.87.200/%24 and http://example.com/%5ehttp:/94.153.11.224/%24Hi Okoth, the 5G blocks the string “Permanent” only when it’s included in the request string (not the query string).
To block requests such as your examples that include an IP address, try adding this to .htaccess:
RedirectMatch 403 /([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/This is actually a good idea that may end up in the 6G Blacklist.
Thanks Jeff. Going to see if they stay out.
Does this update incorporate your WordPress Add-on for 5G Blacklist?
Yes for the most part. It includes the widest reaching protection from the 5G, 6G, and the WP addon, but it doesn’t include everything.
Thanks for the clarification.
You should check out this alternative plugin..
http://wordpress.org/extend/plugins/mute-screamer/
similar aim I guess – works really well
BBQ is awesome name, i’ll try this plugin, thanks jeff