BBQ Firewall (Free WordPress Plugin)
BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.
BBQ Firewall is available as a free or pro WordPress plugin. This post describes the free version of BBQ Firewall. Visit Plugin Planet to learn more about BBQ Pro.
BBQ is the lightest, fastest firewall plugin for WordPress.
Welcome to BBQ
BBQ adds a powerful firewall to your WordPress site. That’s it. No bells. No whistles. No bloat. Just a lean, mean bad-request blocking machine.
To use BBQ on any WordPress-powered site, install and activate the plugin via the WP Admin Area. Then sit back and enjoy the automatic, behind-the-scenes protection and a more secure website. No configuration is required: activate it and you're done. BBQ is a 100% plug-and-play, lightweight, super-fast, super-strong WAF.
BBQ adds powerful firewall protection with a few clicks.
Verify BBQ is working
Once BBQ is installed and active, you can verify that it's working by requesting any of the following URLs (replace example.com with your own domain name).
http://example.com/proc/self/environ
http://example.com/path/?q=%2e%2e
http://example.com/path/base64_
These are just examples of the type of garbage that's blocked by BBQ. If your server returns a 403 "Forbidden" response for each of these requests, BBQ is working properly and silently protecting your site behind the scenes. Note that a 403 can also come from your web server's own rules or a host-level firewall, so if you want to confirm that BBQ is the layer doing the blocking, compare the responses with the plugin deactivated.
Note that additional tests are possible using the patterns contained in the firewall rules, located in the main plugin file, block-bad-queries.php.
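The verification step above, as an added example that is not part of the plugin or the original post: a small script that sends the three probe requests from the post to a site and reports whether each one comes back as 403. The probe paths are the ones listed above; the User-Agent string and the 10-second timeout are assumptions, and the `fetch` parameter is injectable only so the reporting logic can be exercised without a network.

```python
"""Probe a site with the sample bad requests from the post and report whether
each one is rejected with HTTP 403 (added example; not the plugin's own code)."""
import sys
import urllib.error
import urllib.request

# The three probe paths from the post. A site running BBQ should answer 403
# to every one of them.
PROBES = (
    "/proc/self/environ",
    "/path/?q=%2e%2e",
    "/path/base64_",
)


def fetch_status(url, timeout=10):
    """Return the HTTP status code for a GET of url.
    urllib raises HTTPError for 4xx/5xx, so a 403 arrives via the exception."""
    # Assumption: a harmless, identifiable User-Agent for the probe.
    req = urllib.request.Request(url, headers={"User-Agent": "bbq-verify/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify(base_url, fetch=fetch_status):
    """Run every probe against base_url.
    Returns {path: (status, blocked)} where blocked means the status was 403.
    `fetch` is injectable so the logic can be tested offline."""
    results = {}
    for path in PROBES:
        status = fetch(base_url.rstrip("/") + path)
        results[path] = (status, status == 403)
    return results


def all_blocked(results):
    """True only if every probe was answered with 403."""
    return all(blocked for _, blocked in results.values())


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://example.com"
    res = verify(base)
    for path, (status, blocked) in res.items():
        label = "BLOCKED" if blocked else "NOT BLOCKED"
        print(f"{label:11} {status}  {base.rstrip('/')}{path}")
    sys.exit(0 if all_blocked(res) else 1)
```

Run it as `python bbq_verify.py https://your-site.example` (file name assumed); a non-zero exit code means at least one probe got through, which is convenient for a post-deploy check in a script.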
How BBQ works
BBQ is essentially my Apache/.htaccess G-series firewalls ported to PHP/WordPress. The plugin works by defining a set of regular expressions that match and block malicious URL requests. The BBQ firewall rules have been refined and battle-tested for years, with false-positive rates near zero. It's a simple, effective, lightweight solution that's easy on server resources.
BBQ scans the following parts of each request:
- The Request URI
- The Query String
- The User Agent
- The Referrer (the HTTP Referer header)
These checks run for every request regardless of its HTTP method (GET, POST, PUT, DELETE, and so on). Checking these values against a strategically crafted set of known attack patterns is an effective way to protect your site against a wide range of threats.
If BBQ detects foul play in any part of the request, the request is blocked immediately with a 403 "Forbidden" response.
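The mechanism just described, as an added example in Python that is not the plugin's own code or rule set: a handful of illustrative patterns, named after the strings the post says BBQ blocks, are run over the four request parts of every request whatever its method, and any hit yields a 403. The pattern lists, the 2000-byte length threshold and the choice of header characters are assumptions for illustration. It goes one step beyond the text by also matching each part after a single percent-decode, so a double-encoded traversal such as %252e%252e cannot slip past a rule written for %2e%2e.

```python
"""Minimal re-implementation of the BBQ approach (added example, not the
plugin's own rules): a fixed set of regular expressions is checked against the
request URI, query string, User-Agent and Referer of every request, whatever
the HTTP method, and any hit answers 403 Forbidden."""
import re
import urllib.parse

# Illustrative patterns built from the strings the post names as blocked. The
# real rule set lives in block-bad-queries.php and is considerably larger.
URI_PATTERNS = [
    r"/proc/self/environ",   # LFI probe for the process environment
    r"\.\./|%2e%2e",         # directory traversal, raw or percent-encoded
    r"base64_",              # base64_decode(...) payloads
    r"eval\(",               # eval(...) injection
    r"%00|\x00",             # NUL-byte truncation
]
# Assumption: for the two headers only characters that never belong in a real
# User-Agent or Referer are matched. Tokens such as ':' or %27 are deliberately
# not blocked here because legitimate tracking and feed URLs carry them.
HEADER_PATTERNS = [r"[<>\x00]", r"%0[ad]", r"%3[ce]", r"%00"]
MAX_REQUEST_LEN = 2000       # assumption: what counts as "excessively long"

_uri_re = re.compile("|".join(URI_PATTERNS), re.IGNORECASE)
_header_re = re.compile("|".join(HEADER_PATTERNS), re.IGNORECASE)


def _views(value):
    """Yield the raw string and, if different, its once-percent-decoded form,
    so `..`, `%2e%2e` and the double-encoded `%252e%252e` all reach the rules."""
    yield value
    decoded = urllib.parse.unquote(value)
    if decoded != value:
        yield decoded


def check_request(request):
    """request: dict with keys method, uri, query, user_agent, referer.
    Returns (blocked, reason); the method plays no part in the decision."""
    uri = request.get("uri", "")
    query = request.get("query", "")
    if len(uri) + len(query) > MAX_REQUEST_LEN:
        return True, "request too long"
    for part, regex in (("uri", _uri_re), ("query", _uri_re),
                        ("user_agent", _header_re), ("referer", _header_re)):
        for view in _views(request.get(part, "")):
            hit = regex.search(view)
            if hit:
                return True, f"{part} matched {hit.group(0)!r}"
    return False, None


def respond(request):
    """What the plugin does on a hit: answer 403 before WordPress runs."""
    blocked, reason = check_request(request)
    return (403, "Forbidden", reason) if blocked else (200, "OK", None)


if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 10.0)"
    # Constructed sample requests: the post's three probes, a double-encoded
    # traversal, and a benign feed-tracking URL that must pass.
    samples = [
        {"method": "GET", "uri": "/proc/self/environ", "query": "", "user_agent": ua, "referer": ""},
        {"method": "GET", "uri": "/path/", "query": "q=%2e%2e", "user_agent": ua, "referer": ""},
        {"method": "POST", "uri": "/path/base64_", "query": "", "user_agent": ua, "referer": ""},
        {"method": "GET", "uri": "/path/", "query": "q=%252e%252e", "user_agent": ua, "referer": ""},
        {"method": "GET", "uri": "/beer", "query": "utm_source=feedburner&utm_campaign=Feed%3A+Blog+(Photo)",
         "user_agent": ua, "referer": "http://www.google.com/"},
    ]
    for req in samples:
        status, text, reason = respond(req)
        print(f"{req['method']:4} {req['uri']}?{req['query']} -> {status} {text} {reason or ''}")
```

The trade-off behind "false-positive rates near zero" lives entirely in the pattern list: the broader a token (a lone colon, %27, an unencoded http://), the more legitimate tracking, feed and redirect URLs it catches, which is why the patterns here are limited to strings that have no business in an ordinary request.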
More information
Check the following articles for more information on the underlying functionality:
More information on this and related topics is in the security and .htaccess archives.
Download BBQ Firewall
Download BBQ from the WordPress Plugin Directory:
Need help? Contact anytime via my contact form.
118 responses to “BBQ Firewall (Free WordPress Plugin)”
I'm also having a problem with 403 errors:
http://blog.sergeys.us/beer?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+SergeySus+(Sergey+Sus+Photography+%C2%BB+Blog)&utm_content=Google+Reader
It's the ":" in the query string that's causing the issue. Google should know better that ":" is a special-use character and must be encoded for literal use. It's blocked by the plugin because it's commonly seen (unencoded) in malicious attacks. Do you think I should remove the block and allow it?
Jeff, do you not see the *.* in the URL? I can't turn on the plugin as it gets 403 on all the posts from RSS feeds. What are the negatives of removing the block?
I don't see *.* in the URL you posted, but I do see ":" (without the quotes), which is blocked by BBQ. I'm updating the plugin soon and think I will remove ":" from the list. Stay tuned!
Hey Jeff,
Commenting to let you know that my site also got the 403, but it's because of Chrome; I see this happened after reading the comments. It's a tough call to keep or remove the recent update, but until this issue is resolved I sadly have to disable BBQ. I work in the Chrome browser for a reason and therefore can't have BBQ activated.
Thanks for the feedback, Honor90 — will get it fixed up in the next version.
Jeff, I get another "denied access" when I try to publish an article with code inside (here is the html file). I get the problem after copying and pasting this into the HTML part of WordPress.
Hope it helps.
Hi Grégoire, Thanks for this, it will help to further improve the plugin. Will be updating soon :)
Cool. Thanks so much for your great support (as always!!)
I can't get the Socrates 3.04 WP theme to work properly on my site if either the 5G Firewall code is included in my .htaccess file or the BBQ plugin is installed. Any idea which part of the code is affecting the setup of this theme? I found that if I removed the word menu from the query string I could set up the menus, but as far as the header and layout setup go, no such luck. I would like to be able to use the plugin or the firewall or both. Socrates is the only theme that seems not to work with your script, but it is perfect for my new site. Any help would be appreciated.
Hi Janel, what are some of the URLs that aren't loading/working? I'll be glad to take a look. Please wrap the URLs with <code> tags. Thanks!
I'm not sure if this is what you're asking. If for instance I go to the Socrates header setup page without the plugin activated, I can see all the options and set up the header. If I activate the plugin and bring up the same page, wp-admin/admin.php?page=functions.php?option=header, all I get is a blank page. Same with the layout option page and the settings page. As soon as I deactivate the BBQ plugin, they all appear and work properly.
Yes, that's what we're after. It looks like the plugin is blocking the URL because it contains an invalid character, the literal question mark, which should only appear once in the URL (unless encoded). Instead of using a question mark to append query strings, the ampersand "&" should be used.
That said, it's a tough call whether or not to remove the block for "?" from the BBQ firewall. It protects against a lot of malicious requests. What are your thoughts?
I am thinking that rather than change anything I might just go ahead and completely customize the site the way I want and then reactivate the plugin.
Using BBQ http://wordpress.org/extend/plugins/block-bad-queries/ in conjunction with http://wordpress.org/extend/plugins/add-from-server/ (Add From Server plugin) seems to generate a 403. Admittedly the Add From Server plugin is outdated; I am not code-savvy enough to debug it. It is a shame, because the purpose of the Add From Server plugin is to allow adding images (that may already be in the /uploads folder) to the WP Media Library.
What happened is I added about a dozen images from my server OK to test if the Add From Server plugin would work, and it did :) When I went back to add the rest, my site gave me the ol' "you do not have permission..." page and it generally firewalled off ALL of the backend: none of the CSS would work; the site would load but without any of its styling. Also I tried to upload an image from my computer to the media library, and although the image uploaded, the site would not allow access to the new image via the browser.
I deactivated and deleted Add From Server Plugin and BBQ, removed the db options for Add From Server Plugin and the site went back to “normal” and the uploaded image was once again accessible via browsing.
On another note, I also had your 5G rules in my htaccess (while running BBQ). I deleted the 5G rules, cleared the caches (using W3TC, for what that is worth informationally) and reinstalled BBQ. Things seem to be remaining normal for the moment. I haven't reinstalled the Add From Server plugin, but it sure would be useful! I have a number of images on my server that are in the /uploads folder but are not in the media library; I would love to get them in there somehow!
One other note: the BBQ plugin does indeed seem to work. In spite of using the 5G rules, Bad Behavior and Akismet, I had been spending WAY too much time tweaking 404's from bad bots, and a lot of those seem to have gone away :) I am looking forward to the next update, as I am sure you must be tweaking BBQ constantly toward better functionality. Thanks.
One last note: my site is running WP 3.42 in a shared hosting environment. It is cPanel based and my host allows what are probably pretty general server permissions for a shared hosting account.
Yes, very true :)
Also, I'm glad to look at any specific URLs/errors that aren't loading or working with BBQ (or 5G) installed. That's the best way to help with the next update, just be sure to wrap each of them with <code> tags. Thanks for the feedback!
Still having trouble with the latest and a link from twitter, because the URL includes %27.
I've edited BBQ on my client's sites to remove the %27 match. Could you include removing %27 from the match list in the next update?
Hugs,
Nathan
Yes, will do for the next update. Can you post an example of the twitter URL for reference?
http://heidistable.com/coming-off-sugar-on-election-day-2012/?utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+HeidisTable+%28Heidi%27s+Table%29
(It 404s because this client removed the post; that doesn't affect the BBQ problem, I checked.)
And thanks!
Perfect! Thanks Nathan.
You should really reconsider your blockage of %27. True, it's the root of all evil XSS attacks, but those usually use more than one of those. Blocking that may also block users searching for something with it appearing once in the string. You should write a bypass so that if there is only one occurrence of %27 it passes, and more than one will trigger the block. I've created my own Block Bad Queries based on _ck_'s original plugin and I've been able to do so.
It also seems that you may have to whitelist the admin for certain things again. In my opinion, if an attacker already has admin privileges, there’s so much damage they can do that most plugins can’t really help against anyways.
Thanks for the tips, we’re working on an update to address some of these issues.
Hello,
I am having a problem where I started losing traffic from Facebook after installing this plugin. I had to disable it!
The URL FB was passing is as follows:
http://website.com/something.html?fb_action_ids=470231656363161&fb_action_types=og.likes&fb_source=other_multiline&action_object_map=%7B%22470231656363161%22%3A289507891167454%7D&action_type_map=%7B%22470231656363161%22%3A%22og.likes%22%7D&action_ref_map=%5B%5D
Could you please fix the plugin so at least FB traffic is not blocked.
Thank you.
Thanks for the feedback, Adam – we’re currently updating the plugin and will try to get this fixed up for the next version. The URL example is a huge help – Thanks for posting.
I took a minor liberty with BBQ and implemented the following in lieu of 403, beginning at line 28 ;-)
header("HTTP/1.1 418 I'm a teapot"); // double quotes, so the apostrophe in "I'm" does not end the string
You are a mind-reader or something.. in the next update we’ve implemented an option for choosing your own response status and message :)
kewl :)
My syntax seems to be off a little above; between the curly brackets, try:
// PHP's header() only treats a line starting with "HTTP/" as the status line,
// so the teapot status has to be sent on an HTTP/1.1 line
header("HTTP/1.1 418 I'm a teapot", true, 418);
header('Connection: close');
exit;
Disappointingly, my host does not seem to support 418, I keep just getting the boring ol’ 403.
Hi Jeff,
I am using a plugin called WP No External Links which masks my outgoing links. It changes the link from, let's say, http://www.google.com to j32design.com/goto/http://www.google.com and uses a 302 redirect.
I have been using this plugin and the BBQ plugin for quite a long time now, but as far as I could see in Google Webmaster Tools I started to get 403 Permission Denied errors for all my outgoing links sometime at the end of October. The redirects work fine as soon as I turn the BBQ plugin off. Now, I really don't want to turn it off.
Is there anything you or I can do to make them both work together?
Thank you in advance for your time.
The reason the URLs are blocked in this case is because they include http:// unencoded in the request string. Unfortunately that particular string is common among malicious requests, so it is blocked in the BBQ plugin. The question now is, do we remove protection for requests containing an unencoded http://? What are your thoughts?
Thank you Jeff for getting back to me. For now I decided to turn off the plugin that masks my outgoing links until I find a better solution. The masking plugin has an option where it replaces the URL with a random number, which seems to work, but I have to see how it will affect my blog regarding speed.