BBQ: Block Bad Queries

Description

Install, activate, and done! Powerful protection from WP’s fastest firewall plugin.

Block Bad Queries (BBQ) is a simple, super-fast plugin that protects your site against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong .htaccess firewall.
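The kind of check described above, as an added Python sketch; it is not BBQ's own PHP code. The patterns are the ones quoted on this page (description and changelog), while the grouping of `eval\(` and `base64_` under the request URI, the case-insensitive matching, the 255-character limit and all sample requests are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns quoted on this page (description and changelog); not BBQ's full list.
URI_PATTERNS = [r"eval\(", r"base64_", r"UNION(.*)SELECT",
                r"(benchmark|sleep)(\s|%20)*\(", r"\.php\([0-9]+\)"]
QUERY_PATTERNS = [r"wp-config\.php"]
AGENT_PATTERNS = [r"acapbot", r"semalt", r"morfeus", r"snoopy"]
MAX_URI_LENGTH = 255  # assumed limit; the page only says "excessively long"

# The three UNION/SELECT forms the changelog lists, oldest first.
UNION_HISTORY = [r"UNION\+SELECT", r"UNION.*SELECT", r"UNION(.*)SELECT"]

def _compile(patterns):
    # One alternation per request field; case-insensitive matching is an assumption.
    return re.compile("|".join(f"(?:{p})" for p in patterns), re.IGNORECASE)

URI_RE, QUERY_RE, AGENT_RE = map(_compile, (URI_PATTERNS, QUERY_PATTERNS, AGENT_PATTERNS))

def check_request(request_uri, user_agent=""):
    """Return which check would block the request, or None to let it through."""
    if len(request_uri) > MAX_URI_LENGTH:
        return "long request"
    if URI_RE.search(request_uri):
        return "request URI"
    if QUERY_RE.search(urlsplit(request_uri).query):
        return "query string"
    if AGENT_RE.search(user_agent):
        return "user agent"
    return None

def union_coverage(text):
    """Report which changelog-era UNION/SELECT pattern matches the text."""
    return [bool(re.search(p, text, re.IGNORECASE)) for p in UNION_HISTORY]

# Constructed sample requests: (request URI, user agent).
SAMPLES = [
    ("/?s=summer+recipes", "Mozilla/5.0"),
    ("/index.php?id=1+UNION+ALL+SELECT+1", "Mozilla/5.0"),
    ("/?file=wp-config.php", "Mozilla/5.0"),
    ("/feed/", "Snoopy v1.2.4"),
    ("/?q=" + "A" * 300, "Mozilla/5.0"),
    ("/credit-union-select-plans/", "Mozilla/5.0"),  # benign slug, still matches
]

def verdicts():
    return [check_request(uri, agent) for uri, agent in SAMPLES]

if __name__ == "__main__":
    for (uri, agent), verdict in zip(SAMPLES, verdicts()):
        print(f"{verdict or 'allowed':<13} {uri[:40]!r} {agent!r}")
```

The last sample shows the trade-off of a broad pattern: a harmless permalink containing "union" and "select" is blocked too, so any pattern list of this kind should be tested against the site's real URLs before deployment. `union_coverage` also shows that `UNION.*SELECT` and `UNION(.*)SELECT` match the same strings.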

Awesome Features

  • 100% Plug-n-play functionality
  • No configuration required (it just works)
  • Born of speed and simplicity, no frills
  • 100% focused on security and performance
  • Blocks a wide range of malicious requests
  • Based on the 5G/6G Firewall
  • Scans all incoming traffic and blocks bad requests
  • Scans all types of requests: GET, POST, PUT, DELETE, etc.
  • Works silently behind the scenes to protect your site
  • Hassle-free security plugin that’s easy to use
  • Thoroughly tested, error-free performance
  • Compatible with other security plugins
  • Customize blocked strings via Whitelist/Blacklist plugins

Pro Version

For advanced protection and awesome features, check out BBQ Pro.

Support development of this plugin

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a cash donation, bitcoin donation, or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

  • BBQ Pro – Pro version of Block Bad Queries
  • SES Pro – Super-simple & flexible email signup forms
  • USP Pro – Pro version of User Submitted Posts

Links, tweets and likes also appreciated. Thank you! 🙂

Installation

Installing BBQ

  1. Install, activate, done.

Once active, BBQ automatically blocks bad queries to protect your site against malicious URL requests. For more control and stronger protection, check out BBQ Pro »

More info on installing WP plugins

Customizing

Note that the Pro version of BBQ makes it possible to customize patterns (add, edit, remove) directly via the plugin settings, with a click.

FAQ

What other security plugins do you recommend?

I recently recorded a video tutorial series for Lynda.com on how to secure WordPress sites. That’s a good place to learn more about the best techniques and WP plugins for protecting your site against threats.

Do I need to do anything else for BBQ to work?

Nope, just install and relax knowing that BBQ is protecting your site from bad URL requests.

Does BBQ make changes to my .htaccess file?

Absolutely not. Unlike other security/firewall plugins, neither BBQ (free version) nor BBQ Pro makes any changes to any .htaccess file.

Does BBQ make any changes to my WP database?

No, the free version of BBQ operates as each page is loaded; it does not make any changes whatsoever to the WP database.

Does BBQ block malicious strings included in arrays?

Yes, BBQ scans any arrays that are included in the URI request. If any matching patterns are found, the request is blocked.

Do I need WordPress to run BBQ?

Nope! BBQ is available in the following flavors:

So you can check out the Standalone PHP Script for sites that are not running WordPress.

Got a question?

Send any questions or feedback via my contact form.

Reviews

Best firewall plugin that I have ever used

I installed this plugin alongside Wordfence, Ninja Firewall, and a few other security plugins (paranoid – moi?), and was astonished at how well and comprehensively it weeded out all the dodgy requests to access my PHP config, login, and indexes, etc. It has made the review of malicious activity a 5-minute job, versus the daily 30-60 minutes I was spending analysing logs & blocking baddies before. Have tried WP Security Log, Wordfence, Ninja FW, Sucuri, etc., and this really is a worthy addition to any such setup.

Simply Does What it Says

I love the simple effectiveness of this plugin. Simply activate it to protect your site from malicious requests, and deactivate it to stop.

No options, no settings, just on or off.

There is a relatively inexpensive pro version available if you want more options, but in an age where similar firewall plugins keep adding features and options, this is a welcome relief.

Read all 58 reviews

Contributors & Developers

“BBQ: Block Bad Queries” is open source software. The following people have contributed to this plugin.

Contributors

Changelog

2016/11/14

  • Replaces esc_html with esc_attr for link title attributes
  • Changes stable tag from trunk to latest version
  • Adds » to rate this plugin link
  • Updates URL for rate this plugin link
  • Moves “Go Pro” link to action links
  • Renames action/meta link functions
  • Updates default translation template
  • Tests on WordPress version 4.7 (beta)

2016/08/10

  • Added translation support
  • Added plugin icons and larger banner
  • General fine-tuning and testing
  • Tested on WordPress 4.6

2016/03/28

  • Removed \:\/\/ from Request URI and Query String patterns (see this thread)
  • Added (benchmark|sleep)(\s|%20)*\( to Request URI patterns (thanks to smitka)
  • Tested on WordPress 3.5 beta

2015/11/07

  • Added \.php\([0-9]+\), __hdhdhd.php to URI patterns (Thanks to George Lerner)
  • Added acapbot, semalt to User Agent patterns (Thanks to George Lerner)
  • Replaced UNION.*SELECT with UNION(.*)SELECT in Request URI patterns
  • Added morfeus, snoopy to User Agent patterns
  • Refactored redirect/exit functionality
  • Renamed rate_bbq() to bbq_links()
  • Tested with WordPress 4.4 beta

2015/08/08

  • Tested on WordPress 4.3
  • Updated minimum version requirement
  • Highlighted Pro link on Plugins screen

2015/06/24

  • Replaced UNION\+SELECT with UNION.*SELECT
  • Added wp-config.php to query-string patterns
  • Added plugin link to BBQ Pro
  • Testing on WP 4.3 (alpha)

2015/05/07

  • Tested with WP 4.2 and 4.3 (alpha)
  • Replaced some http with https in readme.txt

2015/03/14

  • introduce bbq_core()
  • tested on latest WP
  • tightened up code

2014/09/22

  • tested on latest version of WordPress (4.0)
  • retested on Multisite
  • increased minimum version requirement to WP 3.7

2014/03/05

  • Bugfix: added conditional checks for empty variables

2014/01/23

  • tested on latest version of WordPress (3.8)
  • added link to rate plugin

2013/11/03

  • removed ?> from script
  • added optional line for blocking long URLs
  • added line to prevent direct access to BBQ script
  • added \;Nt\., \=Nt\., \,Nt\. to request URI items
  • tested on latest version of WordPress (3.7)

2013/07/07

  • replaced Nt\. with \/Nt\. (resolves comment editing/approval issue)

2013/07/05

  • removed https\: (from previous version)
  • replaced \/https\/ with \/https\:
  • replaced \/http\/ with \/http\:
  • replaced \/ftp\/ with \/ftp\:

2013/07/04

  • removed block for jakarta in user-agents
  • removed union from query strings
  • added to request-URI: \%2Flocalhost, Nt\., https\:, \.exec\(, \)\.html\(, \{x\.html\(, \(function\(
  • resolved PHP Notice “Undefined Index” via isset()

2013/01/03

  • removed block for CONCAT in request-URI
  • removed block for environ in query-string
  • removed block for %3C and %3E in query-string
  • removed block for %22 and %27 in query-string
  • removed block for [ and ] in query-string (to allow unsafe characters used in WordPress)
  • removed block for ? in query-string (to allow unsafe character used in WordPress)
  • removed block for : in query-string (to allow unsafe character used by Google)
  • removed block for libwww in user-agents (to allow access to Lynx browser)

2012/11/08

  • Removed : match from query string (Google disregards encoding)
  • Removed scanner from query string match
  • Streamlined source code for better performance (thanks to juliobox)

Older versions

  • 2012/10/27 – Disabled check for long strings, disabled check for scanner
  • 2012/10/26 – Rebuilt plugin using 5G/6G technology
  • 2011/02/21 – Updated readme.txt file
  • 2009/12/30 – Added check for admin users
  • 2009/12/30 – Additional request strings added