
BBQ Firewall (Free WordPress Plugin)

BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.

BBQ Firewall is available as a free or pro WordPress plugin. This post describes the free version of BBQ Firewall. Visit Plugin Planet to learn more about BBQ Pro.

BBQ is the lightest, fastest firewall plugin for WordPress.

Welcome to BBQ

BBQ adds a powerful firewall to your WordPress site. That’s it. No bells. No whistles. No bloat. Just a lean, mean bad-request blocking machine.

To use BBQ on any WordPress-powered site, install and activate the plugin via the WP Admin Area. Then sit back and enjoy the automatic, behind-the-scenes protection and a more secure website. No configuration required, just activate and done. BBQ is a 100% plug-&-play, lightweight, super-fast, super-strong WAF.

BBQ adds powerful firewall protection with a few clicks.

Verify BBQ is working

Once BBQ is installed and active, you can verify that it’s working by requesting any of the following URLs (replace example.com with your own domain name).

  • http://example.com/proc/self/environ
  • http://example.com/path/?q=%2e%2e
  • http://example.com/path/base64_

These are just examples of the type of garbage that’s blocked by BBQ. If your server returns a 403 “Forbidden” response for these examples, BBQ is working properly, silently protecting your site behind the scenes.

Note that additional tests are possible using the patterns contained in the firewall rules, located in the main plugin file, block-bad-queries.php.

Tip: Learn how to customize BBQ’s default firewall rules with free addons.

How BBQ works

BBQ is basically an adaptation of my Apache/.htaccess G-series firewalls ported to PHP/WordPress. The plugin works by defining a set of regular expressions to match and block malicious URL requests. The BBQ firewall rules have been refined and battle tested for years, with false positive rates near zero. It’s a simple, effective, lightweight solution that’s easy on server resources.

BBQ scans the following parts of each request:

  • The Request URI
  • The Query String
  • The User Agent
  • The Referrer

For each request, BBQ also checks all available request methods (GET, POST, PUT, DELETE, etc.). Checking these variables against a strategically crafted set of known attack patterns is an effective way to protect your site against a wide range of threats.

If BBQ detects foul play in any part of the request, the request is blocked immediately with a 403 “Forbidden” response.

Tip: Check out the BBQ Customize plugin to enable pattern-match logging, customize response headers, and disable blocking of long URI requests.
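
The matching approach described in this section, as an added sketch (not BBQ's own code). The function name `bbq_sketch_check`, the pattern lists (built only from strings mentioned in this post and its comments) and the 255-character cutoff are assumptions for illustration.

```php
<?php
// Added illustration, not BBQ's code. Patterns are a small constructed subset
// of strings named on this page; the real rules are in block-bad-queries.php.
const SKETCH_MAX_URI_LENGTH = 255; // assumed cutoff for "excessively long"
const SKETCH_PATTERNS = [
    'request_uri'  => ['eval\(', 'base64_', '/proc/self/environ'],
    // ':' is the broad rule a commenter reports tripping on feed URLs.
    'query_string' => ['eval\(', 'base64_', '%2e%2e', ':'],
    'user_agent'   => ['eval\(', 'base64_'],
    'referrer'     => ['eval\(', 'base64_'],
];

// Returns null for a clean request, or [part, rule] for the first match.
// $request maps the part names above to raw (undecoded) request strings.
function bbq_sketch_check(array $request): ?array
{
    $uri = $request['request_uri'] ?? '';
    if (strlen($uri) > SKETCH_MAX_URI_LENGTH) {
        return ['request_uri', 'length > ' . SKETCH_MAX_URI_LENGTH];
    }
    foreach (SKETCH_PATTERNS as $part => $patterns) {
        foreach ($patterns as $pattern) {
            // '~' delimiter avoids escaping '/'; the 'i' flag ignores case.
            if (preg_match('~' . $pattern . '~i', $request[$part] ?? '') === 1) {
                return [$part, $pattern];
            }
        }
    }
    return null;
}

// Constructed samples: the three verification URLs, a clean request, and a
// shortened version of the feed URL from the comments.
$samples = [
    ['request_uri' => '/proc/self/environ'],
    ['request_uri' => '/path/?q=%2e%2e', 'query_string' => 'q=%2e%2e'],
    ['request_uri' => '/path/base64_'],
    ['request_uri' => '/about/', 'user_agent' => 'Mozilla/5.0'],
    ['request_uri' => '/beer?utm_campaign=Feed:+Blog',
     'query_string' => 'utm_campaign=Feed:+Blog'],
];

foreach ($samples as $request) {
    $hit = bbq_sketch_check($request);
    // A real firewall would send the 403 and exit; this sketch only reports.
    $verdict = $hit ? "403 ({$hit[0]} matched {$hit[1]})" : '200 (no match)';
    printf("%-32s %s\n", $request['request_uri'], $verdict);
}
```

Returning the matched part and rule is what makes a false positive such as the last sample quick to trace back to a single pattern.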

More information

Check the following articles for more information on the underlying functionality:

More information on this and related topics in the security and .htaccess archives.

Got BBQ? Get advanced firewall protection with BBQ Pro. BBQ Pro features a settings page with options for customizing firewall rules and much more.

Download BBQ Firewall

Download BBQ from the WordPress Plugin Directory:

Need help? Contact anytime via my contact form.

About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.

118 responses to “BBQ Firewall (Free WordPress Plugin)”

  1. I’m also having a problem with 403 errors: http://blog.sergeys.us/beer?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+SergeySus+(Sergey+Sus+Photography+%C2%BB+Blog)&utm_content=Google+Reader

    • It’s the “:” in the query string that’s causing the issue.. Google should know better that “:” is a special-use character and must be encoded for literal use. It’s blocked by the plugin because it’s commonly seen (unencoded) in malicious attacks. Do you think I should remove the block and allow it?

      • Jeff,
        Do you not see the *.* in the URL?

        I can’t turn on the plugin as it gets 403 on all the posts from RSS feeds. What are the negatives of removing the block?

      • Jeff Starr 2012/11/06 3:19 pm

        I don’t see *.* in the URL you posted, but I do see “:” (without the quotes), which is blocked by BBQ.

        I’m updating the plugin soon and think I will remove “:” from the list. Stay tuned!

  2. Hey Jeff,

    Commenting to let you know that my site also got the 403, but it’s because of Chrome that I see this happened after reading the comments. It’s a tough call to keep or remove the recent update but until this issue is resolved I sadly have to disable BBQ. I work in the Chrome browser for a reason and therefore can’t have BBQ activated.

  3. Grégoire Noyelle 2012/11/02 6:06 am

    Jeff, I get another “denied access” when I try to publish an article with code inside (here is the html file). I get the problem after I copy and paste this in the HTML WordPress part.

    Hope it helps.

    • Jeff Starr 2012/11/02 2:07 pm

      Hi Grégoire, Thanks for this, it will help to further improve the plugin. Will be updating soon :)

      • Grégoire Noyelle 2012/11/03 3:22 am

        Cool. Thanks so much for your great support (as always!!)

  4. Janel Gelien 2012/11/06 12:10 pm

    I can’t get Socrates 3.04 WP theme to work properly on my site if either the 5G Firewall code is included in my .htaccess file or if the BBQ plugin is installed. Any Idea which part of the code is affecting the setup of this theme? I found if I removed the word menu from the query string I could set up the menus but as far as the header and layout setup, no such luck. I would like to be able to use the plugin or firewall or both. Socrates is the only theme that seems to not work with your script but it is perfect for my new site. Any help would be appreciated.

    • Jeff Starr 2012/11/08 7:09 pm

      Hi Janel, what are some of the URLs that aren’t loading/working and I’ll be glad to take a look. Please wrap the URLs with <code> tags. Thanks!

      • Janel Gelien 2012/11/09 11:13 am

        I’m not sure if this is what you’re asking. If for instance I go to the Socrates header setup page without the plugin activated, I can see all the options and set up the header. If I activate the plugin and bring up the same page wp-admin/admin.php?page=functions.php?option=header all I get is a blank page. Same with the layout option page and the settings page. As soon as I deactivate the BBQ plugin, they all appear and work properly.

      • Jeff Starr 2012/11/09 2:25 pm

        Yes, that’s what we’re after.. it looks like the plugin is blocking the URL because it contains an invalid character, the literal question mark, which should only appear once in the URL (unless encoded). Instead of using a question mark to append query strings, the ampersand “&” should be used.

        That said, it’s a tough call whether or not to remove the block for “?” from the BBQ firewall.. it protects against a lot of malicious requests. What are your thoughts?

      • Janel Gelien 2012/11/10 12:20 am

        I am thinking that rather than change anything I might just go ahead and completely customize the site the way I want and then reactivate the plugin.

  5. using BBQ http://wordpress.org/extend/plugins/block-bad-queries/ in conjunction with http://wordpress.org/extend/plugins/add-from-server/ (Add From Server Plugin) seems to generate a 403. Admittedly Add From Server Plugin is outdated; I am not code-savvy enough to debug it – it is a shame because the purpose of Add From Server Plugin is to allow for adding images (that may already be in the /uploads folder…) to the WP Media Library.

    What happened is I added about one dozen images from my server ok to test if the Add From Server Plugin would work – and it did ok :) – when I went back to add the rest my site gave me ol’ “you do not have permission….” page and it generally firewalled off ALL ? the backend – none of the css would work – the site would load but without any of its styling. Also I tried to upload an image from computer to the media library and although the image uploaded, the site would not allow access to the new image via browser.

    I deactivated and deleted Add From Server Plugin and BBQ, removed the db options for Add From Server Plugin and the site went back to “normal” and the uploaded image was once again accessible via browsing.

    One other note is I also had your 5G rules in my htaccess (while running BBQ) – I deleted the 5G rules, cleared the caches (using W3TC for that is worth informationally….) and reinstalled BBQ. Things seem to be remaining normal for the moment. I haven’t reinstalled Add From Server Plugin, but it sure would be useful! I have a number of images on my server that are in the /uploads folder that are not in the media library – would love to get them in there somehow!

    One other note is the BBQ Plugin does indeed seem to work – in spite of using the 5G rules, Bad Behavior and Akismet, I had been spending WAY too much time tweaking 404’s from bad bots and a lot of those seem to have gone away :) – I am looking forward to the next update as I am sure you must be tweaking BBQ constantly toward better functionality. Thanks

    One last note is my site is running WP 3.42 in a shared hosting environment. It is CPanel based and my host allows what are probably pretty general server permissions for a shared hosting account.

    • Jeff Starr 2012/11/08 7:13 pm

      I am looking forward to the next update as I am sure you must be tweaking BBQ constantly toward better functionality.

      Yes, very true :)

      Also, I’m glad to look at any specific URLs/errors that aren’t loading or working with BBQ (or 5G) installed. That’s the best way to help with the next update, just be sure to wrap each of them with <code> tags.

      Thanks for the feedback!

  6. Nathan "Spanky" Briggs 2012/11/09 8:45 am

    Still having trouble with the latest and a link from twitter, because the URL includes %27.
    I’ve edited BBQ on my client’s sites to remove the %27 match from. Could you include removing %27 from the match list for the next update?


    • Jeff Starr 2012/11/09 2:55 pm

      Yes, will do for the next update. Can you post an example of the twitter URL for reference?

      • Nathan "Spanky" Briggs 2012/11/09 3:11 pm


        (it 404s, because this client removed the post, doesn’t affect the BBQ problem, I checked)

      • Nathan "Spanky" Briggs 2012/11/09 3:11 pm

        And thanks!

      • Jeff Starr 2012/11/09 3:20 pm

        Perfect! Thanks Nathan.

  7. MickeyRoush 2012/11/12 1:15 am

    You should really reconsider your blockage of %27. True it’s the root of all evil XSS attacks but those usually use more than one of those. Blocking that may also block users searching for something with it being once in the string. You should write a bypass for if there is only one occurrence of %27 and that more than one will trigger the block. I’ve created my own Block Bad Queries based from _ck_’s original plugin and I’ve been able to do so.

    It also seems that you may have to whitelist the admin for certain things again. In my opinion, if an attacker already has admin privileges, there’s so much damage they can do that most plugins can’t really help against anyways.

  8. Hello,

    I am having a problem where I started losing traffic from Facebook after installing this plugin. I had to disable it!

    The URL FB was passing it as follows:


    Could you please fix the plugin so at least FB traffic is not blocked.

    Thank you.

    • Jeff Starr 2012/11/19 3:05 am

      Thanks for the feedback, Adam – we’re currently updating the plugin and will try to get this fixed up for the next version. The URL example is a huge help – Thanks for posting.

  9. I took a minor liberty with BBQ and implemented the following in lieu of 403, beginning Line 28 ;-)

    header("HTTP/1.1 418 I'm a teapot");
    header("HTTP/1.1 418 I'm a teapot");

    • Jeff Starr 2012/11/23 1:19 pm

      You are a mind-reader or something.. in the next update we’ve implemented an option for choosing your own response status and message :)

  10. kewl :)

    My syntax seems to be off a little above; btn the curly brackets, try:

    header("HTCPCP/1.1 418 I'm a teapot");
    status("HTCPCP/1.1 418 I'm a teapot");
    header('Connection: Close');

    Disappointingly, my host does not seem to support 418, I keep just getting the boring ol’ 403.

  11. J32 Design 2012/11/24 9:57 pm

    Hi Jeff,

    I am using a plugin called WP No External Links which masks my outgoing links. It changes the link from lets say http://www.google.com to j32design.com/goto/http://www.google.com and uses 302 redirect.

    I use this plugin and the BBQ plugin since quite a long time now, but as far as I could see in google webmaster tools I started to get 403 Permission Denied errors for all my outgoing links somewhere in the end of October.. The redirects work fine as soon as I turn the BBQ plugin off. Now, I really don’t want to turn it off.

    Is there anything you or I can do to make them both work together?

    Thank you in advance for your time.

    • Jeff Starr 2012/11/26 1:38 pm

      The reason the URLs are blocked in this case is because they include http:// unencoded in the request string. Unfortunately that particular string is common among malicious requests, so is blocked in the BBQ plugin. The question now is do we remove protection for requests containing unencoded http://? What are your thoughts?

  12. J32 Design 2012/11/29 9:39 pm

    Thank you Jeff for getting back to me. For now I decided to turn off the plugin that masks my outgoing links until I find a better solution. The masking plugin has an option where it replaces the url with a random number, which seems to work, but I have to see how it will affect my blog regarding speed.

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »