
BBQ Firewall (Free WordPress Plugin)

BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.

BBQ Firewall is available as a free or pro WordPress plugin. This post describes the free version of BBQ Firewall. Visit Plugin Planet to learn more about BBQ Pro.

BBQ is the lightest, fastest firewall plugin for WordPress.

Welcome to BBQ

BBQ adds a powerful firewall to your WordPress site. That’s it. No bells. No whistles. No bloat. Just a lean, mean bad-request blocking machine.

To use BBQ on any WordPress-powered site, install and activate the plugin via the WP Admin Area. Then sit back and enjoy the automatic, behind-the-scenes protection and a more secure website. No configuration required, just activate and done. BBQ is a 100% plug-and-play, lightweight, super-fast, super-strong WAF.

BBQ adds powerful firewall protection with a few clicks.

Verify BBQ is working

Once BBQ is installed and active, you can verify that it’s working by requesting any of the following URLs (replace example.com with your own domain name).

  • http://example.com/proc/self/environ
  • http://example.com/path/?q=%2e%2e
  • http://example.com/path/base64_

These are just examples of the type of garbage that’s blocked by BBQ. If your server returns a 403 “Forbidden” response for these examples, BBQ is working properly, silently protecting your site behind the scenes.

Note that additional tests are possible using the patterns contained in the firewall rules, located in the main plugin file, block-bad-queries.php.

Tip: Learn how to customize BBQ’s default firewall rules with free addons.

How BBQ works

BBQ is basically an adaptation of my Apache/.htaccess G-series firewalls, ported to PHP/WordPress. The plugin works by defining a set of regular expressions to match and block malicious URL requests. The BBQ firewall rules have been refined and battle-tested for years, with false positive rates near zero. It’s a simple, effective, lightweight solution that’s easy on server resources.

BBQ scans the following parts of each request:

  • The Request URI
  • The Query String
  • The User Agent
  • The Referrer

Also for each request, BBQ checks all available request methods, GET, POST, PUT, DELETE, etc. Checking these variables against a strategically crafted set of known attack patterns is an effective way to protect your site against a wide range of threats.

If BBQ detects foul play in any part of the request, the request is blocked immediately with a 403 “Forbidden” response.
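A minimal sketch of the approach described above, added here as an illustration and not taken from BBQ's source: it checks the same four request parts against a few patterns built from the strings this post names, then runs the three verification URLs from "Verify BBQ is working" through the check. The rule set, the 2000-character cutoff, and all `example_`/`EXAMPLE_` names are assumptions; the real rules live in block-bad-queries.php.

```php
<?php
// Added example: illustrative patterns only, NOT BBQ's actual rules
// (those live in block-bad-queries.php). All example_/EXAMPLE_ names are hypothetical.
const EXAMPLE_MAX_URI_LENGTH = 2000; // assumed cutoff for "excessively long"
const EXAMPLE_RULES = [
    'request_uri'  => '~eval\(|base64_|/proc/self/environ~i',
    'query_string' => '~eval\(|base64_|%2e%2e~i',
    'user_agent'   => '~eval\(|base64_~i',
    'referrer'     => '~eval\(|base64_~i',
];

/** Returns the name of the request part that matched, or null if clean. */
function example_match_request(array $server): ?string
{
    $parts = [
        'request_uri'  => $server['REQUEST_URI'] ?? '',
        'query_string' => $server['QUERY_STRING'] ?? '',
        'user_agent'   => $server['HTTP_USER_AGENT'] ?? '',
        'referrer'     => $server['HTTP_REFERER'] ?? '',
    ];
    if (strlen($parts['request_uri']) > EXAMPLE_MAX_URI_LENGTH) {
        return 'request_uri (too long)';
    }
    foreach (EXAMPLE_RULES as $part => $regex) {
        // Test the raw value and one URL-decoded pass ("%65val(" -> "eval(").
        foreach ([$parts[$part], rawurldecode($parts[$part])] as $candidate) {
            if (preg_match($regex, $candidate) === 1) {
                return $part;
            }
        }
    }
    return null;
}

// Constructed requests: the three test URLs from this post plus a clean one.
$samples = [
    ['REQUEST_URI' => '/proc/self/environ', 'QUERY_STRING' => ''],
    ['REQUEST_URI' => '/path/?q=%2e%2e', 'QUERY_STRING' => 'q=%2e%2e'],
    ['REQUEST_URI' => '/path/base64_', 'QUERY_STRING' => ''],
    ['REQUEST_URI' => '/2012/12/hello-world/', 'QUERY_STRING' => ''],
];
foreach ($samples as $sample) {
    $hit = example_match_request($sample);
    // In a live plugin this branch would call http_response_code(403) and exit.
    printf("%-22s %s\n", $sample['REQUEST_URI'], $hit ? "403 ($hit)" : 'allowed');
}
```

Because the check reads only `$_SERVER` values, it applies to every request method alike; it runs only when PHP runs, so a page served from a static cache never reaches it.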

Tip: Check out the BBQ Customize plugin to enable pattern-match logging, customize response headers, and disable blocking of long URI requests.

More information

Check the following articles for more information on the underlying functionality:

More information on this and related topics in the security and .htaccess archives.

Got BBQ? Get advanced firewall protection with BBQ Pro. BBQ Pro features a settings page with options for customizing firewall rules and much more.

Download BBQ Firewall

Download BBQ from the WordPress Plugin Directory:

Need help? Contact anytime via my contact form.

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.

118 responses to “BBQ Firewall (Free WordPress Plugin)”

  1. J32: Try: SEO Smart Links Version 2.7.5 | By Vladimir Prelovac http://www.prelovac.com/vladimir/wordpress-plugins/seo-smart-links

    “SEO Smart Links provides automatic SEO benefits for your site in addition to custom keyword lists, nofollow and much more.”

    Prelovac is pretty well known in the WP community.

  2. Below is a list of urls that evildoers just (unsuccessfully) went fishin’ for on my site:


    A couple of notes: Access to wp-config, wp-admin, wp-include, my login page and htaccess areas are restricted by ip (mine ;) I am using BBQ and also a plugin that catches 404’s (404 Redirected) so the 404’s can be fixed.

    My hosting setup is a garden variety CPanel LAMP shared hosting environment.

    My question is: can I safely redirect all these off to my honeypot? Thx

    • Jeff Starr 2012/12/01 3:49 pm

      It’s tricky with index.php because it’s so closely tied to normal functionality. I would redirect based on portions of the strings other than “index.php” (e.g., “websql”) when sending to honeypot.

    • Jeff Starr 2012/12/01 3:45 pm

      Could be! One thing I’ve (re)realized since writing that article, is that it’s probably not just one person running the scan/script. New “sploit” scripts are released, then used by countless morons. So repeat patterns suggest unique scanning scripts, of which the index.php scan is one of the most benign (fortunately).

  3. Hi Jeff, first of all thanks for all the work you’ve put into BBQ and the blocklists. I’m just starting to find my way around WordPress and have learnt a lot from them and the discussions here :)

    I’m using WP with a caching plugin and many of the BBQ blocks don’t seem to trigger when the caching is active. I don’t know if I should be surprised by this or not – if the pages are being cached then naturally the php won’t be run… I guess. This isn’t a problem for malformed url’s – they don’t exist in the cache – but it would be useful though to be able to use the user-agent blocking and other filters to cut down on the noise level.

    Unfortunately I’m running on litespeed based hosting and can’t do it in .htaccess. I hope this isn’t a stupid question – but is there some way to flag the BBQ code as “do not cache”?

    There you go, I hope some of that made sense :)

    Thanks again for helping the community out, I’ll be taking a look at your books.


    • Jeff Starr 2012/12/01 3:34 pm

      Steven, very interesting. What is the cache plugin you are using? There may be a way to do it :)

  4. Thanks for the reply Jeff. I’m using wordpress quickcache: http://wordpress.org/extend/plugins/quick-cache/

    After I posted I did a little reading about using salts and other strategies to serve different cache pages (or uncached pages) for certain requests but it all got a bit too heavy for me :O “Can I customize the way cache files are stored & served up?” here -> http://wordpress.org/extend/plugins/quick-cache/faq/

    … as did this discussion about making wordpress supercache work with any plugin http://omninoggin.com/wordpress-posts/make-any-plugin-work-with-wp-super-cache/

    I couldn’t get w3totalcache to work for my site but it was the one I tried first.

    Hope some of that is useful!

  5. Grégoire Noyelle 2012/12/04 1:15 am

    Hi Jeff
    I get an error when I try to preview an article (not published). Here is the URL:
    You’re not allowed to see this web page http://www.gregoirenoyelle.com/wp-admin/post.php?t=1354606328662?t=1354606440605?t=1354606522912.
    Hope it helps

  6. Something was causing 500 errors (the bad kind – the ones you can’t see yourself!) Google Webmasters Tools (GWT) was reporting hundreds of 500’s and I eventually encountered visible 500’s only by browsing (the visitor area) of my site using a proxy site and selectively. At some point somewhere along the line deactivating / removing / reinstating plugins to diagnose the problems, I logged out of my admin area and got caught in a login loop! (fyi after hours of trial and error and googling solutions, I eventually got in by requesting a password change and clearing the cache and cookies)

    Why am I relating all this?

    I was using several very useful (and popular) WP Plugins, WordPress-SEO, W3TC and Plugin Organizer (as well as a couple dozen misc others); the ones mentioned above seem to be very complex; WordPress SEO and W3TC in particular make a lot of complicated calls and need to talk to external resources; part of the reason(s) I think I had problems is the (by nature) restrictiveness of BBQ (I have used Bad Behavior, Akismet and WebsiteDefender at different times as well). It is a daunting task for an armchair webmaster like myself to debug problems such as this – I certainly appreciate the work that goes in to something BBQ and hope that feedback like mine might be helpful; I understand that trying solutions on a production site is subject to problems such as these and will look into “sandbox” site solutions in the future. Has BBQ been tested with a broad range of plugins? Thanks

    • BBQ is tested on as many plugins as possible, but we really can’t do in-depth testing of every WP plugin or even all of the popular ones (there’s just too many). What I can say is that if you’re running a plugin such as BBQ and experience issues with other scripts or plugins, BBQ (or similar) should be the first plugin that should be checked. Sandbox is a good idea too.

      • it just gets really frustrating to put the time and energy into keeping the site secure and shooting oneself in the foot; knowing that the software out of the box just ain’t gonna cut it – the site is going to get hacked. Then there is a financial consideration to use a premium hosting service as opposed to the cost-efficient (and as helpful as they can be), but “WordPress as-is” shared hosting service I use. I use WordPress as a business tool and have hundreds of hours of work in building content as well diy maintenance but I may be reaching a point where I will be biting the bullet to move up to high end WordPress-specialized hosting service. Please don’t everybody with running a WordPress Hosting Service come a-running – I have a pretty good idea where I’ll be going already. Thank you for the rant(s).

  7. Robert Wilkins 2012/12/19 1:19 pm

    getting Ajax 403 errors when trying to use this script on wp 3.4.2 or 3.5. Didn’t use to happen before.

    Any ideas?

    • Nathan "Spanky" Briggs 2012/12/19 1:40 pm

      3.5 uses incorrect, unencoded []s to enqueue javascript libraries. The fix, for now, is to disable BBQ.

    • Jeff Starr 2012/12/19 3:09 pm

      Robert, can you let us know which URL(s) aren’t loading/working? That will help us troubleshoot things.

  8. Robert Wilkins 2012/12/19 1:46 pm

    It’s not just 3.5. It’s not working in 3.4.2 sadly either. The older version of bbq was fine. I know about the [] because it was messing up presssite backup.


  9. Robert Wilkins 2012/12/19 9:53 pm

    Thanks Jeff. Here you go..

    Failed to load resource: the server responded with a status of 403 (Forbidden) http://mysite.com/wp-admin/admin-ajax.php?action=imgedit-preview&_ajax_nonce=16a8xxxxxxx&postid=1071&history=%5B%7B%22xxxxxxxxxx&rand=xxxxxxx

    Thanks, hope it helps.

  10. I think this plugin may have saved my site! I found some malicious code injected into my htaccess/header.php file that redirects to another page. If this plugin wasn’t installed, who knows what type of code they would have used!

  11. is there possibly an (easy?) way to exchange the rules in BBQ with the “old” G5 rules?

    Any reason why this might not be a good idea?

    BBQ is unfortunately currently a bit too unreliable for my production site.


    • Jeff Starr 2012/12/29 2:20 pm

      It’s possible to do, but untested.. further you would be losing the performance advantage of handling HTTP activity at the server level. PHP requires additional processing/resources to do the same. Also, I’ll be updating BBQ with further improvements and fixes within the next week, so that might help. Just been super-busy recently.

Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »