BBQ:Block Bad Queries WordPress Plugin Review

BBQ:Block Bad Queries is a WordPress Web Application Firewall that blocks malicious HTTP requests

There are many WordPress security plugins available but only a few really address WordPress security properly and help you protect your WordPress installation from malicious hacker attacks.

One of these plugins is BBQ: Block Bad Queries. This plugin is like a highly customizable, yet simple and maintenance free WordPress web application firewall that every WordPress administrator and manager should install.

This WordPress security post explains:

• How BBQ:Block Bad Queries Plugin Works
• How to Customize BBQ:Block Bad Queries Plugin
  • Modifying / adding patters to be blocked
  • Block visitors using a specific User Agent string
  • Configuring a maximum number of characters allowed in HTTP Requests
• How to test BBQ: Block Bad Queries and your customizations

How BBQ:Block Bad Queries WordPress Plugin Works

BBQ:Block Bad Queries plugin analyses every request sent to your WordPress before it is executed by the WordPress core. Should the request be malicious, the plugin forbids the visitor from accessing such resource by responding with an HTTP Status code 403, access forbidden.

The default list of malicious patterns Block Bad Queries blocks will not only protect your WordPress from targeted WordPress attacks, but will also protect your WordPress from potential zero day vulnerabilities and other typical attacks such as Cross-site scripting, SQL Injection and directory traversal. Therefore if you install BBQ:Block Bad Queries malicious hackers still cannot exploit known vulnerabilities if you are running a vulnerable (old) WordPress installation, plugin or theme.

WP White Security Tip: Even if you run BBQ:Block Bad Queries, you should still run the latest and most secure versions of WordPress, plugins and themes. WordPress BBQ plugin should be used as an additional layer of security rather than to close existing security holes.

Customizing BBQ:Block Bad Queries Plugin

By default Block Bad Queries does not need any customizations or configuration changes, but there are always the exceptions to the rules. In case you need to customize BBQ:Block Bad Queries, here is an explanation of what you can customize. To start off with, it scans three parts of each request that is sent to a WordPress installation:

Request URI: the URL requested by the user, e.g. https://www.wpwhitesecurity.com/wordpress-security/

Query String: the query string included with the URL, e.g. https://www.wpwhitesecurity.com/wordpress-security/?query_string=1

User Agent String: The user agent string is sent automatically from the client software accessing your WordPress to identify itself. For example Google Chrome uses the following user agent string:

Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36

All the patterns typically used in malicious requests are stored in three arrays in the plugin and their name is self-explanatory:

• $request_uri_array
• $query_string_array
• $user_agent_array

BBQ:Block Bad Queries has no configuration interface. Therefore if you would like to do any modifications as explained in the below examples, you have to edit the code from the php plugin file.

Modifying the HTTP Requests which BBQ:Block Bad Queries Plugin Should Block

If you would like to block a specific type of query string, add the query string pattern to $query_string_array array. Once you add a new pattern test it to ensure you are not blocking legitimate requests. A syntax example follows:

$query_string_array  = apply_filters( 'query_string_items',  array( 'PATTERN_1', 'PATTERN_2', 'PATTERN_3');

Note: Each pattern you add should be declared in between single quotes (‘) and separated from the other patterns with a comma (,) symbol.

Blocking Visitors with a Specific User Agent from WordPress

To block visitors using a specific user agent, like automated virus and malware bots, add their user agent string in the $user_agent_array.

Configuring a Maximum URL Length Limit for WordPress

By limiting the number of characters that can be used in an HTTP request you can protect your WordPress installation from zero day attacks and several other malicious attacks. Zero day attacks are software vulnerabilities that are exploited by malicious hackers but are not known by the software vendor yet, hence no patch exists yet.

Most malicious web application attacks employ long URLs to exploit known vulnerabilities. Therefore if you limit the number of characters that can be used in an HTTP request you are automatically protecting your WordPress installation from such type of attacks.

By limiting the number of characters used in a URL you might also block legitimate requests. Therefore before enabling this security feature, check what is the length of the longest URL you have on your WordPress installation (including in the WordPress admin pages (/wp-admin/) section.

To enable and configure a maximum URL Length, uncomment (by deleting ‘//’) the below line of code in the plugin and specify the maximum number of characters an HTTP request can contain. The default value in the plugin is 255, as shown below.

strlen( $_SERVER['REQUEST_URI'] ) > 255 ||

Testing Your WordPress Web Application Firewall

Once you installed BBQ:Block Bad Queries WordPress plugin run several tests by requesting the below list of sample URLs to ensure it is working (replace some_site.com with your domain):

• http://www.some_site.com/../../../etc/passwd
• http://www. some_site.com/path/?q=%00
• http://www. some_site.com/path/base64_

If the plugin is working correctly, the server should respond with an HTTP Status Code of 403 Forbidden upon requesting such URLs. The above request are just URL examples that should be blocked by BBQ:Block Bad Requests plugin. You can run several other tests by using requests typically used in real life hacking attacks.

Testing BBQ:Block Bad Queries Plugin with Fiddler

If you are not sure what is the server response when sending malicious HTTP requests you can confirm the response by using Fiddler proxy.

As highlighted in the below screenshot, in this test we have requested the URL https://www.wpwhitesecurity.com/contact/base64_ and can confirm that the server responds with a HTTP 403 Forbidden response.

Block Bad Queries Plugin – A Web Application Firewall for WordPress

There you have it! If you have been looking for a highly customizable and strong web application firewall for your WordPress blogs and websites, install BBQ:Block Bad Queries plugin and forget about it. You can download BBQ:Block Bad Queries from the WordPress plugin repository.

If on the other hand you prefer something that does not need any configuration and also does malware scanning, I would recommend Malcare malware scanner.