
BBQ Firewall (Free WordPress Plugin)

BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.

BBQ Firewall is available as a free or pro WordPress plugin. This post describes the free version of BBQ Firewall. Visit Plugin Planet to learn more about BBQ Pro.

BBQ is the lightest, fastest firewall plugin for WordPress.

Welcome to BBQ

BBQ adds a powerful firewall to your WordPress site. That’s it. No bells. No whistles. No bloat. Just a lean, mean bad-request blocking machine.

To use BBQ on any WordPress-powered site, install and activate the plugin via the WP Admin Area, then sit back and enjoy the automatic, behind-the-scenes protection of a more secure website. No configuration is required: activate and you're done. BBQ is a 100% plug-&-play, lightweight, super fast, super strong firewall (WAF).

BBQ adds powerful firewall protection with a few clicks.

Verify BBQ is working

Once BBQ is installed and active, you can verify that it’s working by requesting any of the following URLs (replace example.com with your own domain name).

  • http://example.com/proc/self/environ
  • http://example.com/path/?q=%2e%2e
  • http://example.com/path/base64_

These are just examples of the type of garbage that's blocked by BBQ. If your server returns a 403 "Forbidden" response for each of these requests, BBQ is working properly and silently protecting your site behind the scenes. Run the test with any other filtering layer disabled: a 403 from a server-level firewall or another security plugin looks identical and would tell you nothing about BBQ itself.

Note that additional tests are possible using the patterns contained in the firewall rules, located in the main plugin file, block-bad-queries.php.

Tip: Learn how to customize BBQ’s default firewall rules with free addons.

How BBQ works

BBQ is basically an adaptation of my Apache/.htaccess G-series firewalls, ported to PHP/WordPress. The plugin works by defining a set of regular expressions that match and block malicious URL requests. Because it runs as a plugin rather than at the web-server level, it works on hosts where .htaccess rules cannot be used. The BBQ firewall rules have been refined and battle-tested for years, with a false-positive rate near zero. It's a simple, effective, lightweight solution that's easy on server resources.

BBQ scans the following parts of each request:

  • The Request URI
  • The Query String
  • The User Agent
  • The Referrer

BBQ inspects every request regardless of HTTP method (GET, POST, PUT, DELETE, etc.). Checking these parts of the request against a strategically crafted set of known attack patterns is an effective way to protect your site against a wide range of threats.

If BBQ detects foul play in any part of the request, the request is blocked immediately with a 403 "Forbidden" response.
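To make the matching described in this section concrete, and to show why the three verification URLs listed earlier get blocked, here is a minimal BBQ-style request filter in Python. This is an added example and not the plugin's code: BBQ's real rules live in block-bad-queries.php. The pattern list, the 2000-character length cap, the request dict shape and all of the sample requests are constructed for this illustration.

```python
# Added example: a minimal, BBQ-style request filter. NOT the plugin's code.
# Patterns, length cap and sample requests are constructed for illustration only.
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Illustrative patterns modelled on the strings the post says BBQ rejects
# (eval(, base64_, traversal, /proc/self/environ). Hypothetical, not BBQ's list.
BAD_PATTERNS = [
    r"/proc/self/environ",
    r"eval\(",
    r"base64_",
    r"(?:^|[/?=&\\])\.\.(?:[/\\&]|$)",  # a bare '..' path segment or parameter value
    r"<script",
]
BAD_RE = re.compile("|".join(BAD_PATTERNS), re.IGNORECASE)

# Hypothetical cap for "excessively long request-strings"; BBQ's threshold may differ.
MAX_REQUEST_LEN = 2000


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that %2e%2e and the double-encoded
    %252e%252e both become '..'. Matching only the raw string would miss them."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request(request: dict) -> Optional[str]:
    """Return a block reason, or None if the request passes.

    `request` is a plain dict standing in for the server variables a PHP plugin
    would read: uri (REQUEST_URI, path plus query), user_agent, referer.
    The HTTP method is deliberately not consulted: every method gets the same checks.
    The request body is not among the inspected parts, matching the post's list.
    """
    uri = request.get("uri", "")
    if len(uri) > MAX_REQUEST_LEN:
        return f"request string too long ({len(uri)} chars)"
    parts = urlsplit(uri)
    inspected = {
        "request uri": parts.path,
        "query string": parts.query,
        "user agent": request.get("user_agent", ""),
        "referrer": request.get("referer", ""),
    }
    for name, value in inspected.items():
        match = BAD_RE.search(normalize(value))
        if match:
            return f"{name} matched {match.group(0)!r}"
    return None


def respond(request: dict) -> int:
    """403 Forbidden when a rule fires; 200 stands in for handing off to WordPress."""
    return 403 if check_request(request) else 200


# Constructed sample traffic: the three verification URLs from the post plus cases
# that show why decoding, the length cap and the referrer check matter.
SAMPLE_REQUESTS = {
    "verify_environ":   {"method": "GET", "uri": "/proc/self/environ", "user_agent": "curl/8.0"},
    "verify_traversal": {"method": "GET", "uri": "/path/?q=%2e%2e", "user_agent": "curl/8.0"},
    "verify_base64":    {"method": "GET", "uri": "/path/base64_", "user_agent": "curl/8.0"},
    "double_encoded":   {"method": "GET", "uri": "/?q=%252e%252e", "user_agent": "curl/8.0"},
    "long_uri":         {"method": "POST", "uri": "/?" + "a" * 3000, "user_agent": "curl/8.0"},
    "bad_referrer":     {"method": "GET", "uri": "/", "user_agent": "Mozilla/5.0",
                         "referer": "http://attacker.example/?p=base64_decode("},
    "benign_post":      {"method": "GET", "uri": "/2013/02/bbq-firewall/?utm_source=newsletter",
                         "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    "benign_dots":      {"method": "GET", "uri": "/search/?q=hello...", "user_agent": "Mozilla/5.0"},
}


def run_samples() -> dict:
    """Map each sample name to the status code the filter would return."""
    return {name: respond(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:18} {respond(req)}  {check_request(req) or 'allowed'}")
```

Two design points worth noting. First, the filter decodes before matching, so the encoded `%2e%2e` from the verification list and its double-encoded form are both caught; a matcher that only looks at the raw string misses them. Second, the traversal pattern is anchored to a delimiter so that an ordinary "hello..." search term is not blocked, which is the kind of trade-off that determines a rule set's false-positive rate. Against a live site the equivalent check is a request such as `curl -s -o /dev/null -w '%{http_code}\n' 'http://example.com/proc/self/environ'`, which should print 403.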

Tip: Check out the BBQ Customize plugin to enable pattern-match logging, customize response headers, and disable blocking of long URI requests.

More information

For more information on the underlying functionality, see the related posts in the security and .htaccess archives.

Got BBQ? Get advanced firewall protection with BBQ Pro. BBQ Pro features a settings page with options for customizing firewall rules and much more.

Download BBQ Firewall

Download BBQ from the WordPress Plugin Directory.

Need help? Contact anytime via my contact form.

About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.

118 responses to “BBQ Firewall (Free WordPress Plugin)”

  1. Aamir Rizwan 2013/02/25 9:19 am

    Hello Jeff, thanks for your awesome plugins. I'm confused between your 5G blacklist and BBQ. Is this for those who don't have access to .htaccess? I do have access to the .htaccess file. Should I use both or only one?

    • Jeff Starr 2013/02/25 1:26 pm

      I recommend 5G if you have access to .htaccess, but it is also okay to use only the BBQ, or even both — up to you :)

  2. Hi Jeff, new on your blog. Congrats for the topics and contents :) Just installed and tested BBQ.. looking fine. Thx for this nice implementation for our platform :)

  3. Hi Jeff. Thanks for such a good post. I installed it and it was looking good.. :D

  4. Cliff Minks 2013/06/05 10:47 am

    I was wondering if anyone else has an issue when this plugin is active and someone tries to link to a page on LinkedIn: the share box is unable to pull OpenGraph data.

    It took me a while to figure out that this BBQ code was responsible. It is interesting to note that Facebook is still able to get the OG data and LI cannot, but hey.

  5. Replying to Cliff Minks' comment about LinkedIn not working with BBQ on. I also had the same problem. Turned off BBQ and yes, LinkedIn now displays my OG data properly! That solved a major mystery! Hopefully BBQ can be updated to play nice with LinkedIn, as it's a major feature for me to be able to post my blogs on LI.

    • Jeff Starr 2013/06/30 2:54 pm

      Yep, thank you for the feedback – I have this on the list for the next BBQ update. That should be sometime within the next few weeks if all goes well. Cheers.
