BBQ Firewall – Customize Features
BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.
BBQ is kept as lightweight as possible, so there are no options or settings to change default behavior. Based on years of feedback, the default configuration works great for 99.9% of WordPress setups. It’s all kept super lightweight and easy on server resources. But there are cases where it’s necessary to customize functionality. And that’s exactly the purpose of the BBQ Customize plugin.
About the BBQ Customize plugin
Like BBQ Firewall itself, the Customize addon is super lightweight, weighing only a few kilobytes. It consists of a single PHP file packaged in ZIP format, just like any other plugin, so you can install and activate it in the WP Admin Area via Plugins ▸ Add New. The Customize plugin gives you control over the long-request check, pattern-match logging, POST-request scanning, and the response headers sent for blocked requests. There is no settings screen; instead you edit the plugin file directly, as explained below.
Contents
Inside the Customize plugin you will find seven functions, one for each way to customize BBQ Firewall:
- bbq_long_requests() — enable or disable the long-request check
- bbq_long_req_length() — specify long-request max length
- bbq_match_logging() — enable or disable pattern-match logging
- bbq_post_scanning() — enable or disable scanning of POST requests
- bbq_header_1() — customize response header for blocked requests
- bbq_header_2() — customize response header for blocked requests
- bbq_header_3() — customize response header for blocked requests
Let’s look at each of these functions and use them to change BBQ’s default functionality.
Enable/disable long-request blocking
By default BBQ Firewall (free version) blocks excessively long URL requests. Any request or referrer sporting a request string longer than 2,000 characters is blocked immediately. Based on experience, 2,000 characters is more than generous for WordPress sites. But there always are exceptions. So if you are using some plugin that requires very long request URIs, you can disable long-request blocking by editing this first function. Before doing so, consider raising the limit (next section) instead of turning the check off entirely, so that you keep some ceiling on request size.
// bbq long-request check
function bbq_long_requests($enable) {
return true;
}
add_filter('bbq_long_requests', 'bbq_long_requests');
Simply change true to false. After saving and uploading the file, BBQ will no longer block any request because of its length (number of characters).
Customize long-request max length
By default BBQ Firewall blocks long URL requests if they contain more than 2,000 characters. That's a pretty generous limit, but there may be some cases where longer URLs are required for normal functionality. So to allow for longer requests, change 2000 in the following function:
// bbq long-request max length
function bbq_long_req_length($length) {
return 2000;
}
add_filter('bbq_long_req_length', 'bbq_long_req_length');
You can change the max limit to whatever makes sense, whether it's more than 2,000 characters, or even something less, if you want to get more stringent with your requirements. A quick way to pick a value is to check your access log for the longest legitimate request URI your site actually receives, then add some headroom. (Note: the callback is registered with add_filter, like the other six functions, because its return value is what BBQ uses; an older copy of the file registered it with add_action, which also works in WordPress since add_action is a thin wrapper around add_filter, but add_filter is the correct hook type for a value-returning callback.) Remember if you want to allow requests of any length, simply disable long-request blocking.
Enable/disable pattern-match logging
By default BBQ Firewall does not log anything. But it includes built-in support for logging the matched pattern of each blocked request. When logging is enabled, the plugin adds an entry to your site's error log indicating the exact pattern that matched. For example, say this bad request hits your site:
https://example.com/eval(
With logging enabled, that request results in the following line being added to the site's default error log:
BBQ: eval(
This simple information is useful when debugging and troubleshooting is necessary. It's not meant to provide complete request information (client IP, full URI, user agent), which is already available in your site's access log; when you need to know where a blocked request came from, match the two logs by timestamp.
With that in mind, BBQ logging (again, disabled by default) can be enabled by changing the following function in the BBQ Customize plugin:
// bbq pattern-match logging
function bbq_match_logging($enable) {
return false;
}
add_filter('bbq_match_logging', 'bbq_match_logging');
Simply change false to true. After saving and uploading the file, BBQ will log matched patterns to the site's default error log. To disable logging, yep you guessed it, change true back to false. Keep in mind that under a sustained probe every blocked request adds a line, so check that your error log is rotated or disable logging again once you are done troubleshooting.
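As an added example (not code from BBQ Firewall or the Customize addon), here is a small PHP command-line script that tallies the "BBQ: <pattern>" lines described above so that the most frequently matched patterns stand out. It assumes the standard PHP error_log() line format, where each entry is "[date] BBQ: <pattern>" and may sit alongside unrelated PHP notices in the same file; the sample lines embedded in it are constructed, not captured traffic.

```php
<?php
// Added example, not part of BBQ Firewall or the Customize addon: tally the
// "BBQ: <pattern>" entries that pattern-match logging writes to the PHP error
// log. Assumption: PHP's default error_log() line format, i.e. each entry is
// "[date] BBQ: <pattern>", possibly interleaved with other PHP messages.

function bbq_tally_log(string $contents): array {
    $counts = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        // Keep only lines BBQ produced; everything else in the log is ignored.
        // Per the page, the logged value is BBQ's own matched pattern, not the
        // raw request, which is why it is reasonable to print it back as-is.
        if (preg_match('/\bBBQ: (.+)$/', $line, $m)) {
            $pattern = rtrim($m[1]);
            $counts[$pattern] = ($counts[$pattern] ?? 0) + 1;
        }
    }
    arsort($counts); // most frequently matched pattern first, keys preserved
    return $counts;
}

// Constructed sample log (not real traffic), used when no file path is given.
$sample = <<<'LOG'
[12-Mar-2024 10:00:01 UTC] BBQ: eval(
[12-Mar-2024 10:00:05 UTC] PHP Notice:  Undefined index: foo in /var/www/html/wp-content/x.php on line 3
[12-Mar-2024 10:00:09 UTC] BBQ: base64_
[12-Mar-2024 10:01:12 UTC] BBQ: eval(
LOG;

$contents = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
foreach (bbq_tally_log($contents) as $pattern => $count) {
    printf("%6d  %s\n", $count, $pattern);
}
```

Run it as php bbq-tally.php /path/to/error_log. Which file that is depends on your setup: with WP_DEBUG_LOG set to true, WordPress writes to wp-content/debug.log; otherwise entries go to the PHP error log configured for the server. Because only the pattern is recorded, use the timestamps to find the corresponding entries in the access log when you need the source IP or the full request.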
Enable/disable scanning of POST requests
As of 2022, BBQ Firewall provides a feature to scan for XSS in POST data (i.e., not the request URL, the actual form data). So if some foul miscreant submits malicious script data via any of your forms, BBQ can block the request and keep your site safe. This feature is not enabled by default, but can be enabled anytime.
To enable BBQ’s scanning of POST requests, locate the following function in the BBQ Customize plugin:
// bbq post-request scanning
function bbq_post_scanning($enable) {
return false;
}
add_filter('bbq_post_scanning', 'bbq_post_scanning');
Simply change false to true. After saving and uploading the file, BBQ will scan all POST data for XSS-related mischief. The usual source of false positives is a legitimate form that submits markup or script, for example an admin user saving a post that contains a custom HTML block, so after enabling the feature test the forms your site relies on (publishing content, contact forms, checkout). If you run into false positives or other issues, you can disable the extra POST scanning by changing true back to false. Bada bing, bada boom.
Customize BBQ response headers
By default BBQ Firewall responds to blocked requests with the following three HTTP headers:
HTTP/1.1 403 Forbidden
Status: 403 Forbidden
Connection: Close
As with other BBQ functionality, this header combo is optimal in most cases. But you may want to customize for whatever reason, totally your call. To do so, the next/last three functions in the BBQ Customize plugin can help you do the job. Here they are:
// bbq response headers for blocked requests
function bbq_header_1($header) {
return 'HTTP/1.1 403 Forbidden';
}
add_filter('bbq_header_1', 'bbq_header_1');
function bbq_header_2($header) {
return 'Status: 403 Forbidden';
}
add_filter('bbq_header_2', 'bbq_header_2');
function bbq_header_3($header) {
return 'Connection: Close';
}
add_filter('bbq_header_3', 'bbq_header_3');
Notice that there are three of these functions, one for each of the default headers. So you can edit the return header values as needed. Each return value must be a complete, valid HTTP header line, and note that changing the status line away from 403 changes what clients, uptime monitors, and log analysis see for blocked requests, so keep the 403 unless you have a specific reason to change it.
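As an added example (not code from BBQ Firewall or the Customize addon, and not the BBQ author's recommendation), the seven hooks covered in the sections above can also be set from a small plugin of your own rather than by editing the downloaded Customize file in place, because they are ordinary WordPress filters. This keeps your choices in a file you maintain and version. It assumes BBQ reads these filters after plugins have loaded, which the Customize addon (itself a separate plugin) relies on as well; the specific values used (4000 characters, logging tied to WP_DEBUG, a Cache-Control header) are illustrative choices.

```php
<?php
/*
Plugin Name: BBQ Tuning (added example)
Description: Adjusts BBQ Firewall through its filter hooks from a separate plugin.
*/

// Refuse to run if this file is requested directly rather than loaded by WordPress.
if (!defined('ABSPATH')) {
    exit;
}

// Long-request check: keep it enabled but raise the ceiling instead of turning
// it off. 4000 is a hypothetical value; measure your longest legitimate request
// URI in the access log before choosing one. The callback receives BBQ's
// current value and may return it unchanged.
function bbqtune_long_requests($enable) {
    return true;
}
add_filter('bbq_long_requests', 'bbqtune_long_requests');

function bbqtune_long_req_length($length) {
    return 4000;
}
add_filter('bbq_long_req_length', 'bbqtune_long_req_length');

// Pattern-match logging: follow WP_DEBUG, so matched patterns are written to
// the error log while you are troubleshooting and the log stays quiet otherwise.
function bbqtune_match_logging($enable) {
    return defined('WP_DEBUG') && WP_DEBUG;
}
add_filter('bbq_match_logging', 'bbqtune_match_logging');

// POST scanning: enabled. Test the forms your site depends on afterwards,
// since legitimate submissions containing markup or script are the usual
// source of false positives.
function bbqtune_post_scanning($enable) {
    return true;
}
add_filter('bbq_post_scanning', 'bbqtune_post_scanning');

// Response headers: leave the 403 status line and Status header alone (no
// callbacks registered for bbq_header_1 / bbq_header_2), but replace the third
// header with a cache directive so a CDN or proxy never caches the block
// response. This is an illustrative choice, not a BBQ default.
function bbqtune_header_3($header) {
    return 'Cache-Control: no-store';
}
add_filter('bbq_header_3', 'bbqtune_header_3');
```

Use this plugin or the Customize addon, not both: if both are active, both callbacks run on each filter and the value BBQ sees is whatever the last-registered callback returns, which makes the effective setting depend on plugin load order. After activating, confirm the behaviour by sending a request that should be blocked (for example a URL containing eval( ) and checking that the response is a 403 carrying the headers you expect.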
Note: if you want to redirect all blocked requests to any URL, download the BBQ Redirect plugin below.
Download
Download the BBQ Customize Features plugin. It includes all of the techniques mentioned above. This addon is 100% free and licensed under GPL version 2 or later.
Download the BBQ Redirect plugin. It does one thing: redirects all blocked requests to the URL of your choice. Also 100% free and GPL license.
Feedback? Questions? Send them via my contact form.
More Addons
Here are some available addons for BBQ Firewall (free version).
- BBQ Firewall – Count Blocked Requests
- BBQ Firewall – Customize Features
- BBQ Firewall – Customize Rules
- BBQ Firewall – Customize Rules GUI (Thanks to LyntServices)