Almost as soon as you install a new WordPress site, malicious bots begin scanning it for vulnerabilities. Over the years hackers have built up long lists of web vulnerabilities that they can use to compromise a site. They create bots that scan your site by running through that long list looking for weaknesses. We all know the importance of securing our sites, but there is a bewildering array of options for doing so. In this walk-through I’m going to look at a highly recommended plugin, BBQ Firewall, which is a good piece of your site’s armour. Firewalls are filters with rules to allow good traffic in and block bad traffic. “BBQ” stands for Block Bad Queries, the bad requests that bots make when probing your site for security holes.
About the BBQ Firewall Plugin
The author of the BBQ Firewall plugin, Jeff Starr, created and maintains a well-known and widely used PHP firewall that is currently in its seventh generation. This isn’t software like you are used to. New firewall rules are carefully evaluated, some old ones may no longer be needed, and over the course of a few years of testing a new version emerges. This software is open source, and the previous 6G and the current 7G firewalls have been included in a number of other security solutions and plugins, both for WordPress and in the wider PHP community.
The BBQ Firewall plugin takes many of the rules of the 6G and 7G firewall and adds them to a WordPress plugin. The plugin is lightweight, fast, and does not slow down your WordPress site. False positives are very rare. The plugin works without conflict alongside other plugins, including other security plugins.
The Free BBQ Firewall Plugin
There is a free version of the BBQ Firewall plugin available in the WordPress plugin directory.
The plugin currently has more than 100,000 active installs, it has 100 five-star reviews, and the developer is active in the support forum.
There is a long list of ways that the plugin helps to protect your site. These include helping to protect against SQL injection attacks, executable file uploads, directory traversal attacks, cross-site scripting attacks, and bad bots, among others.
When you install and activate the free version of the BBQ Firewall plugin it starts working immediately. There are no settings or reports; it just works. Here is the “settings” page for the free version. Note the message that it is completely plug and play and works automatically with no settings required.
The Pro Version of the BBQ Firewall Plugin
The pro version of the BBQ Firewall plugin is available from the author’s website, where he hosts the pro version of this and several other of his plugins.
There are several parts of the website dedicated to the BBQ Pro plugin. There is the Features page that lists all of the features and tools. There is also a list of the differences between the free and pro versions.
Like the free version, the pro version is also plug and play. You can install it, activate it, and it starts working immediately; no settings changes are required. However, the pro version adds more rules and it exposes all of the rules and settings. This means that you can see all the rules, turn the rules on or off, add new rules of your own, and see a count of how many times each rule has blocked a bad request.
There are a number of website resources for the plugin. There is a documentation section that provides good information for working with the plugin.
There are some tutorials that were written to help people with advanced usage.
And there is a forum where you can ask questions and get help.
The pro version of the plugin comes with lifetime updates, email support, and the website resources listed above. You can purchase for use on 1, 3, 10, or unlimited sites.
Pro Plugin Interface and Options
When you install the pro version you get a new admin menu area with several pages. On the Settings page you can enable or disable the basic, advanced, or custom rules. You can disable the firewall for logged-in users. You can limit the length of URL requests and enable a “strict mode” where the firewall will also examine URL-encoded characters for issues. You can set up the plugin to send email alerts whenever a request is blocked. You can also configure a blocked message, whether there is a redirect, and a custom status code. You can whitelist IP addresses.
The Firewall page has three tabs, one each for basic rules, advanced rules, and custom rules. The basic rules page has a section for Request URI rules, query string rules, and user agent rules. The screenshot below shows some of the Request URI rules. Note how you can disable any rule, there is a button to test each rule, and there is a count of how often the rule has blocked a bad request. The basic rules are largely the same as the rules in the free version of the BBQ Firewall.
The advanced rules are disabled by default because they have not been as widely tested as the basic ones. They are also grouped into the same three categories: Request URI rules, query string rules, and user agent rules. I’ve had the pro version of the plugin installed for a few years and had the advanced rules enabled from the beginning.
The custom rules are ones you add yourself. Over the years I’ve added a few based on things I noticed in security logs.
The BBQ Tools page has some reset options so that you can selectively reset sections or the counts, should you need to.
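To make the settings and rule structure described above concrete, here is an added illustration in PHP (not code from BBQ Firewall or its author): a minimal request filter with the three rule categories (Request URI, query string, user agent), a strict mode that also inspects the URL-decoded input, a per-rule block counter, and an IP whitelist. The rule names, patterns, and sample requests are assumptions constructed for this example.

```php
<?php
// Added illustration, not BBQ Firewall's own code. Rule names, patterns and the
// sample requests below are assumptions constructed for this example.
$rules = [
    'request_uri'  => [
        'php_in_uploads' => '#/wp-content/uploads/.*\.php#i', // executable file under uploads
    ],
    'query_string' => [
        'traversal'  => '#\.\./#',                  // directory traversal
        'sqli_union' => '#\bunion\b.+\bselect\b#i', // SQL injection probe
        'xss_script' => '#<script\b#i',             // cross-site scripting probe
    ],
    'user_agent'   => [
        'empty_ua'   => '#^$#',                     // bots often send no user agent
    ],
];
$whitelist = ['203.0.113.10']; // constructed whitelisted IP
$counts    = [];               // per-rule block counter, as on the Firewall page
// Returns the name of the first matching rule, or null when the request is allowed.
function bbq_like_check(array $req, array $rules, array $whitelist, bool $strict, array &$counts): ?string
{
    if (in_array($req['ip'], $whitelist, true)) {
        return null; // whitelisted clients are never filtered
    }
    foreach ($rules as $part => $patterns) {
        $raw = $req[$part] ?? '';
        // Strict mode also inspects the URL-decoded form, so a percent-encoded
        // variant of a pattern cannot slip past the raw-string match.
        $subjects = $strict ? [$raw, rawurldecode($raw)] : [$raw];
        foreach ($patterns as $name => $regex) {
            foreach ($subjects as $s) {
                if (preg_match($regex, $s) === 1) {
                    $counts["$part:$name"] = ($counts["$part:$name"] ?? 0) + 1;
                    return "$part:$name";
                }
            }
        }
    }
    return null;
}
$samples = [ // constructed requests; the encoded traversal is caught only with strict mode on
    ['ip' => '198.51.100.7', 'request_uri' => '/wp-content/uploads/2024/x.php', 'query_string' => '', 'user_agent' => 'Mozilla/5.0'],
    ['ip' => '198.51.100.8', 'request_uri' => '/index.php', 'query_string' => 'f=..%2F..%2Fsecret.txt', 'user_agent' => 'Mozilla/5.0'],
    ['ip' => '198.51.100.9', 'request_uri' => '/', 'query_string' => '', 'user_agent' => ''],
    ['ip' => '203.0.113.10', 'request_uri' => '/', 'query_string' => 'q=<script>', 'user_agent' => 'curl/8.0'],
];
foreach ($samples as $r) {
    echo $r['ip'], ' -> ', bbq_like_check($r, $rules, $whitelist, true, $counts) ?? 'allowed', "\n";
}
print_r($counts);
```

Run it with `$strict` set to `false` on the second call to see the percent-encoded traversal pass the raw match, which is the gap strict mode closes.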
Discussion and Conclusions
One thing to note is that the BBQ Firewall plugin does not have advanced protection for the WordPress login page. There is no brute force protection or IP lockout of the kind that other security tools supply. BBQ also does not provide two-factor authentication or some other advanced features. Instead, the BBQ Firewall focuses on doing one thing well: filtering the various requests made to your site and blocking bad ones based on the active rules. These bad bots create a lot of churn, and when those bad requests get past a security plugin your server has to process them and in many cases runs database queries. This takes away from the resources used for normal operation.
A question that people often ask is whether you can use the BBQ plugin when other WordPress security plugins are installed. The above screenshots for the free version of the BBQ Firewall were from a site that also has the free version of iThemes Security installed. Many people don’t realize that iThemes Security, a very popular security plugin with more than a million active installs, does not include a firewall in either the free or pro versions. I’ve often recommended the BBQ Firewall as a natural complement to iThemes Security. The two work side by side without issue.
The screenshots above for the pro version of the plugin were taken from a site that also has MalCare and Patchstack installed. I have MalCare as a bundle with my backup solution, BlogVault. MalCare has a malware scanner and remover feature and a basic firewall. Patchstack, formerly WebARX, is a robust security solution, but it has no malware scanning in the version I own. Again, BBQ works fine alongside these other security plugins. In fact, if you look at the stats for the BBQ rules, you can see that it blocks a number of bad requests even with those other two installed.
I’ve used both the free and pro versions of BBQ Firewall and have no hesitation about recommending them. They won’t slow down your site. They work well even when other security plugins are active. They help to block bad requests, reduce needless churn, and keep hackers out. The author provides good support for both the free and the pro versions. There is virtually no downside and plenty of upside potential. Like Oxygen, the BBQ Firewall has no affiliate program. People learn of it by word of mouth because users are impressed by it. The plugin is popular and well respected. If you have been curious about the BBQ plugin, or it was unknown to you, then I hope this walk-through and review has been helpful.