Save $10 on my new book, Wizard’s SQL Recipes with code: WIZARD2022
Web Dev + WordPress + Security

Customize BBQ Firewall

BBQ Firewall BBQ Firewall is a lightweight, super-fast plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.

BBQ is kept as lightweight as possible, so there are no options or settings to change default behavior. Based on years of feedback, the default configuration works great for 99.9% of WordPress setups. It’s all kept super lightweight and easy on server resources. But there are cases where it’s necessary to customize functionality. And that’s exactly the purpose of the BBQ Customize plugin.

Got BBQ? Get advanced firewall protection with BBQ Pro. BBQ Pro features a settings page with options for customizing firewall rules and much more.

About the BBQ Customize plugin

Like BBQ Firewall itself, the Customize addon is super lightweight, weighing only a few kilobytes. It consists of only one file packaged in ZIP format, just like any other plugin. So you can install and activate in the WP Admin Area via the Plugins screen ▸ Add New. The Customize plugin enables control of the long-request check, pattern-match logging, and response headers for blocked requests. There are no settings, rather you will need to edit the file manually as explained below.

Inside of the plugin file, you will find five functions, five ways to customize BBQ Firewall:

  • bbq_long_requests() — enable or disable the long-request check
  • bbq_match_logging() — enable or disable pattern-match logging
  • bbq_header_1() — customize response header for blocked requests
  • bbq_header_2() — customize response header for blocked requests
  • bbq_header_3() — customize response header for blocked requests

Let’s look at each of these functions and use them to change BBQ’s default functionality.

Note: This article and the Customize plugin apply only to the free version of BBQ Firewall. The pro version has its own settings page where you can customize functionality as desired.

Enable/disable long-request blocking

By default BBQ Firewall (free version) blocks excessively long URL requests. Any request or referrer sporting a request string longer than 2,000 characters is blocked immediately. Based on experience, 2,000 characters is more than generous for WordPress sites. But there always are exceptions. So if you are using some plugin or whatever that requires crazy long request URIs, you can disable the long-request blocking by editing this first function.

// long-request check

function bbq_long_requests($enable) {
	return true;
add_filter('bbq_long_requests', 'bbq_long_requests');

Simply change true to false. After save and upload, BBQ will no longer block any requests due to length (number of characters).

Enable/disable pattern-match logging

By default BBQ Firewall does not log anything. But it includes built-in support for logging matched patterns in blocked requests. When BBQ logging is enabled, the plugin will add an entry to your site’s error log indicating the exact pattern match for each blocked request. So for example, when logging is enabled, let’s say some bad request hits your site:

When logging is enabled, that request results in the following line added to the site’s default error log:

BBQ: eval(

This simple information is useful when debugging and troubleshooting is necessary. It’s not meant to provide complete request information (which is already available in your site’s access log).

With that in mind, BBQ logging (again, disabled by default) can be enabled by changing the following function in the BBQ Customize plugin:

// pattern-match logging

function bbq_match_logging($enable) {
	return false;
add_filter('bbq_match_logging', 'bbq_match_logging');

Simply change false to true. After save and upload, BBQ will log matched patterns to the site default error log. To disable logging, yep you guessed it, change true back to false. See popout note below.

Note: BBQ logging is meant as temporary. Not recommended to leave enabled on any live site. After done testing, remember to disable BBQ logging.

Customize BBQ response headers

By default BBQ Firewall responds to blocked requests with the following three HTTP headers:

HTTP/1.1 403 Forbidden
Status: 403 Forbidden
Connection: Close

As with other BBQ functionality, this header combo is optimal in most cases. But you may want to customize for whatever reason, totally your call. To do so, the next/last three functions in the BBQ Customize plugin can help you do the job. Here they are:

// response headers for blocked requests

function bbq_header_1($header) {
	return 'HTTP/1.1 403 Forbidden';
add_filter('bbq_header_1', 'bbq_header_1');

function bbq_header_2($header) {
	return 'Status: 403 Forbidden';
add_filter('bbq_header_2', 'bbq_header_2');

function bbq_header_3($header) {
	return 'Connection: Close';
add_filter('bbq_header_3', 'bbq_header_3');

Notice that there are three of these functions, one for each of the default headers. So you can edit the return header values as needed.

Tip: Learn how to customize BBQ’s default firewall rules with free addons.


Download the free BBQ Customize plugin:

WP Plugin – BBQ Customize Version 1.0 (799B zip)

Feedback? Questions? Send them via my contact form.

Jeff Starr
About the Author
Jeff Starr = Creative thinker. Passionate about free and open Web.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Banhammer: Protect your WordPress site against threats.
Wrapping up book launch. Now focusing on plugin updates for WP 5.9, due Jan. 25th.
Soft launch for my new book: Wizard’s SQL Recipes for WordPress
New book around 200 pages, almost done!
Making great strides on my new book. Planned release in December :)
To organize my life, I keep it simple. online: plain text files, offline: sticky notes.
Official list of Googlebot IP addresses.
Lot of 1s in today’s date 20211111.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.