Fall Sale! Code FALL2024 takes 25% OFF our Pro Plugins & Books »
Web Dev + WordPress + Security

BBQ Firewall – Customize Features

BBQ Firewall BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.

BBQ is kept as lightweight as possible, so there are no options or settings to change default behavior. Based on years of feedback, the default configuration works great for 99.9% of WordPress setups. It’s all kept super lightweight and easy on server resources. But there are cases where it’s necessary to customize functionality. And that’s exactly the purpose of the BBQ Customize plugin.

Got BBQ? Get advanced firewall protection with BBQ Pro. BBQ Pro features a settings page with options for customizing firewall rules and much more.

About the BBQ Customize plugin

Like BBQ Firewall itself, the Customize addon is super lightweight, weighing only a few kilobytes. It consists of only one file packaged in ZIP format, just like any other plugin. So you can install and activate in the WP Admin Area via the Plugins screen ▸ Add New. The Customize plugin enables control of the long-request check, pattern-match logging, and response headers for blocked requests. There are no settings, rather you will need to edit the file manually as explained below.

Contents

Inside of the customize plugin, you will find six functions, six ways to customize BBQ Firewall:

Let’s look at each of these functions and use them to change BBQ’s default functionality.

Note: This article and the Customize plugin apply only to the free version of BBQ Firewall. The pro version has its own settings page where you can customize functionality as desired. Code wrangling not required!

Enable/disable long-request blocking

By default BBQ Firewall (free version) blocks excessively long URL requests. Any request or referrer sporting a request string longer than 2,000 characters is blocked immediately. Based on experience, 2,000 characters is more than generous for WordPress sites. But there always are exceptions. So if you are using some plugin or whatever that requires crazy long request URIs, you can disable the long-request blocking by editing this first function.

// bbq long-request check
function bbq_long_requests($enable) {
	
	return true;
	
}
add_filter('bbq_long_requests', 'bbq_long_requests');

Simply change true to false. After save and upload, BBQ will no longer block any requests due to length (number of characters).

Customize long-request max length

By default BBQ Firewall blocks long URL requests if they contain more than 2,000 characters. That’s a pretty generous limit, but there may be some cases where longer URLs are required for normal functionality. So to allow for longer requests, change 2000 in the following function:

// bbq long-request max length
function bbq_long_req_length() {
	
	return 2000;
	
}
add_action('bbq_long_req_length', 'bbq_long_req_length');

You can change the max limit to whatever makes sense, whether it’s more than 2,000 characters, or even something less, if you want to get more stringent with your requirements. Remember if you want to allow requests of any length, simply disable long-request blocking.

Enable/disable pattern-match logging

By default BBQ Firewall does not log anything. But it includes built-in support for logging matched patterns in blocked requests. When BBQ logging is enabled, the plugin will add an entry to your site’s error log indicating the exact pattern match for each blocked request. So for example, when logging is enabled, let’s say some bad request hits your site:

https://example.com/eval(

When logging is enabled, that request results in the following line added to the site’s default error log:

BBQ: eval(

This simple information is useful when debugging and troubleshooting is necessary. It’s not meant to provide complete request information (which is already available in your site’s access log).

With that in mind, BBQ logging (again, disabled by default) can be enabled by changing the following function in the BBQ Customize plugin:

// bbq pattern-match logging
function bbq_match_logging($enable) {
	
	return false;
	
}
add_filter('bbq_match_logging', 'bbq_match_logging');

Simply change false to true. After save and upload, BBQ will log matched patterns to the site default error log. To disable logging, yep you guessed it, change true back to false. See popout note below.

Note: BBQ logging is meant as temporary. Not recommended to leave enabled on any live site. After done testing, remember to disable BBQ logging.

Enable/disable scanning of POST requests

As of 2022, BBQ Firewall provides a feature to scan for XSS in POST data (i.e., not the request URL, the actual form data). So if some foul miscreant submits malicious script data via any of your forms, BBQ can block the request and keep your site safe. This feature is not enabled by default, but can be enabled anytime.

To enable BBQ’s scanning of POST requests, locate the following function in the BBQ Customize plugin:

// bbq post-request scanning
function bbq_post_scanning($enable) {
	
	return false;
	
}
add_filter('bbq_post_scanning', 'bbq_post_scanning');

Simply change false to true. After save and upload, BBQ will scan any/all POST data for XSS-related mischief. If you run into any false positives or issues, you can disable the extra POST scanning by changing true back to false. Bada bing, bada boom.

Customize BBQ response headers

By default BBQ Firewall responds to blocked requests with the following three HTTP headers:

HTTP/1.1 403 Forbidden
Status: 403 Forbidden
Connection: Close

As with other BBQ functionality, this header combo is optimal in most cases. But you may want to customize for whatever reason, totally your call. To do so, the next/last three functions in the BBQ Customize plugin can help you do the job. Here they are:

// bbq response headers for blocked requests

function bbq_header_1($header) {
	
	return 'HTTP/1.1 403 Forbidden';
	
}
add_filter('bbq_header_1', 'bbq_header_1');


function bbq_header_2($header) {
	
	return 'Status: 403 Forbidden';
	
}
add_filter('bbq_header_2', 'bbq_header_2');


function bbq_header_3($header) {
	
	return 'Connection: Close';
	
}
add_filter('bbq_header_3', 'bbq_header_3');

Notice that there are three of these functions, one for each of the default headers. So you can edit the return header values as needed.

Note: if you want to redirect all blocked requests to any URL, download the BBQ Redirect plugin below.

Tip: Learn how to customize BBQ’s default firewall rules with free addons.

Download

Download the BBQ Customize Features plugin. Includes all techniques mentioned above. This addon is 100% free addon licensed via GPL version 2 or later.

Download BBQ CustomizeVersion 2.4 ( 1.02 KB ZIP )

Download the BBQ Redirect plugin. It does one thing: redirects all blocked requests to the URL of your choice. Also 100% free and GPL license.

Download BBQ RedirectVersion 1.2 ( 775 bytes ZIP )

Feedback? Questions? Send them via my contact form.

More Addons

Here are some available addons for BBQ Firewall (free version).

About the Author
Jeff Starr = Creative thinker. Passionate about free and open Web.
.htaccess made easy: Improve site performance and security.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
.htaccess made easy: Improve site performance and security.
Thoughts
I disabled AI in Google search results. It was making me lazy.
Went out walking today and soaked up some sunshine. It felt good.
I have an original box/packaging for 2010 iMac if anyone wants it free let me know.
Always ask AI to cite its sources. Also: “The Web” is not a valid answer.
All free plugins updated and ready for WP 6.6 dropping next week. Pro plugin updates in the works also complete :)
99% of video thumbnail/previews are pure cringe. Goofy faces = Clickbait.
RIP ICQ
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.