
Customize BBQ Firewall

BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.

BBQ is kept as lightweight as possible, so there are no options or settings to change default behavior. Based on years of feedback, the default configuration works great for 99.9% of WordPress setups. It’s all kept super lightweight and easy on server resources. But there are cases where it’s necessary to customize functionality. And that’s exactly the purpose of the BBQ Customize plugin.

Got BBQ? Get advanced firewall protection with BBQ Pro. BBQ Pro features a settings page with options for customizing firewall rules and much more.

About the BBQ Customize plugin

Like BBQ Firewall itself, the Customize addon is super lightweight, weighing only a few kilobytes. It consists of only one file packaged in ZIP format, just like any other plugin. So you can install and activate in the WP Admin Area via the Plugins screen ▸ Add New. The Customize plugin enables control of the long-request check, pattern-match logging, and response headers for blocked requests. There are no settings; rather, you will need to edit the file manually as explained below.

Inside of the plugin file, you will find six functions, six ways to customize BBQ Firewall:

  • bbq_long_requests() — enable or disable the long-request check
  • bbq_match_logging() — enable or disable pattern-match logging
  • bbq_post_scanning() — enable or disable scanning of POST requests
  • bbq_header_1() — customize response header for blocked requests
  • bbq_header_2() — customize response header for blocked requests
  • bbq_header_3() — customize response header for blocked requests

Let’s look at each of these functions and use them to change BBQ’s default functionality.

Note: This article and the Customize plugin apply only to the free version of BBQ Firewall. The pro version has its own settings page where you can customize functionality as desired.

Enable/disable long-request blocking

By default BBQ Firewall (free version) blocks excessively long URL requests. Any request or referrer sporting a request string longer than 2,000 characters is blocked immediately. Based on experience, 2,000 characters is more than generous for WordPress sites. But there always are exceptions. So if you are using some plugin or whatever that requires crazy long request URIs, you can disable the long-request blocking by editing this first function.

// long-request check

function bbq_long_requests($enable) {
	return true;
}
add_filter('bbq_long_requests', 'bbq_long_requests');

Simply change true to false. After save and upload, BBQ will no longer block any requests due to length (number of characters).

Enable/disable pattern-match logging

By default BBQ Firewall does not log anything. But it includes built-in support for logging matched patterns in blocked requests. When BBQ logging is enabled, the plugin will add an entry to your site’s error log indicating the exact pattern match for each blocked request. So for example, when logging is enabled, let’s say some bad request hits your site:

When logging is enabled, that request results in the following line added to the site’s default error log:

BBQ: eval(

This simple information is useful when debugging and troubleshooting is necessary. It’s not meant to provide complete request information (which is already available in your site’s access log).

With that in mind, BBQ logging (again, disabled by default) can be enabled by changing the following function in the BBQ Customize plugin:

// pattern-match logging

function bbq_match_logging($enable) {
	return false;
}
add_filter('bbq_match_logging', 'bbq_match_logging');

Simply change false to true. After save and upload, BBQ will log matched patterns to the site default error log. To disable logging, yep you guessed it, change true back to false. See popout note below.

Note: BBQ logging is meant as temporary. Not recommended to leave enabled on any live site. After done testing, remember to disable BBQ logging.
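While logging is temporarily enabled, a short script can summarize which patterns are being matched, which helps spot a rule that is blocking legitimate requests. This is an added example, not part of the BBQ or BBQ Customize plugins; the sample log is constructed, and the bracketed timestamp prefix is an assumption that depends on how your server writes its error log.

```python
import re
import sys

# Constructed sample of a site error log (not real traffic). The
# "[timestamp] " prefix is an assumption; some setups log bare lines.
SAMPLE_LOG = """\
[21-Nov-2022 10:15:02 UTC] BBQ: eval(
[21-Nov-2022 10:15:09 UTC] PHP Warning:  Undefined variable $foo in functions.php on line 12
[21-Nov-2022 10:16:41 UTC] BBQ: base64_
BBQ: eval(
[21-Nov-2022 10:17:30 UTC] BBQ: eval(
"""

# Optional "[timestamp] " prefix, then the "BBQ: " marker shown in the
# article, then the matched pattern taken verbatim to the end of the line.
BBQ_ENTRY = re.compile(r"^(?:\[(?P<ts>[^\]]*)\]\s+)?BBQ: (?P<pattern>.*)$")


def tally_bbq_matches(lines):
    """Return {pattern: {"count", "first", "last"}} for BBQ log entries.

    Lines are assumed to be in chronological order, so the first and last
    timestamps seen for a pattern bound the period in which it was logged.
    """
    stats = {}
    for line in lines:
        m = BBQ_ENTRY.match(line.rstrip("\r\n"))
        if not m:
            continue  # unrelated error-log entry
        entry = stats.setdefault(
            m.group("pattern"), {"count": 0, "first": None, "last": None}
        )
        entry["count"] += 1
        ts = m.group("ts")
        if ts:  # bare "BBQ: ..." lines carry no timestamp
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
    return stats


if __name__ == "__main__":
    # Pass the path to your error log, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = tally_bbq_matches(fh)
    else:
        result = tally_bbq_matches(SAMPLE_LOG.splitlines())
    for pattern, s in sorted(result.items(), key=lambda kv: -kv[1]["count"]):
        print(f'{s["count"]:>6}  {pattern}  (first: {s["first"]}, last: {s["last"]})')
```
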

Enable/disable scanning of POST requests

As of 2022, BBQ Firewall provides a feature to scan for XSS in POST data (i.e., not the request URL, the actual form data). So if some foul miscreant submits malicious script data via any of your forms, BBQ can block the request and keep your site safe. This feature is not enabled by default, but can be enabled anytime.

To enable BBQ’s scanning of POST requests, locate the following function in the BBQ Customize plugin:

// post-request scanning

function bbq_post_scanning($enable) {
	return false;
}
add_filter('bbq_post_scanning', 'bbq_post_scanning');

Simply change false to true. After save and upload, BBQ will scan any/all POST data for XSS-related mischief. If you run into any false positives or issues, you can disable the extra POST scanning by changing true back to false. Bada bing, bada boom.

Customize BBQ response headers

By default BBQ Firewall responds to blocked requests with the following three HTTP headers:

HTTP/1.1 403 Forbidden
Status: 403 Forbidden
Connection: Close

As with other BBQ functionality, this header combo is optimal in most cases. But you may want to customize for whatever reason, totally your call. To do so, the next/last three functions in the BBQ Customize plugin can help you do the job. Here they are:

// response headers for blocked requests

function bbq_header_1($header) {
	return 'HTTP/1.1 403 Forbidden';
}
add_filter('bbq_header_1', 'bbq_header_1');

function bbq_header_2($header) {
	return 'Status: 403 Forbidden';
}
add_filter('bbq_header_2', 'bbq_header_2');

function bbq_header_3($header) {
	return 'Connection: Close';
}
add_filter('bbq_header_3', 'bbq_header_3');

Notice that there are three of these functions, one for each of the default headers. So you can edit the return header values as needed.

Tip: Learn how to customize BBQ’s default firewall rules with free addons.


Download the free BBQ Customize plugin:

Download BBQ Customize, Version 2.1 (824 bytes ZIP)

Feedback? Questions? Send them via my contact form.

Jeff Starr
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.