BBQ:Block Bad Queries is a WordPress Web Application Firewall that blocks malicious HTTP requests
There are many WordPress security plugins available but only a few really address WordPress security properly and help you protect your WordPress installation from malicious hacker attacks.
One of these plugins is BBQ: Block Bad Queries. This plugin is like a highly customizable, yet simple and maintenance free WordPress web application firewall that every WordPress administrator and manager should install.
This WordPress security post explains:
- How BBQ:Block Bad Queries Plugin Works
- How to Customize BBQ:Block Bad Queries Plugin
- How to test BBQ: Block Bad Queries and your customizations
How BBQ:Block Bad Queries WordPress Plugin Works
The BBQ: Block Bad Queries plugin inspects every request sent to your WordPress site before the WordPress core executes it. If the request matches a malicious pattern, the plugin refuses the visitor access to that resource by responding with HTTP status code 403 (Forbidden).
The default list of malicious patterns that Block Bad Queries blocks not only protects your WordPress site from targeted WordPress attacks, but also helps protect it from potential zero-day vulnerabilities and other common attacks such as cross-site scripting, SQL injection and directory traversal. Therefore, if you install BBQ: Block Bad Queries, malicious hackers still cannot exploit known vulnerabilities even if you are running a vulnerable (old) WordPress installation, plugin or theme.
WP White Security Tip: Even if you run BBQ:Block Bad Queries, you should still run the latest and most secure versions of WordPress, plugins and themes. WordPress BBQ plugin should be used as an additional layer of security rather than to close existing security holes.
Customizing BBQ:Block Bad Queries Plugin
By default Block Bad Queries needs no customization or configuration changes, but there are always exceptions to the rule. In case you need to customize BBQ: Block Bad Queries, here is an explanation of what you can customize. To start with, the plugin scans three parts of each request sent to a WordPress installation:
Request URI: the URL requested by the user, e.g. https://www.wpwhitesecurity.com/wordpress-security/
Query String: the query string included with the URL, e.g. https://www.wpwhitesecurity.com/wordpress-security/?query_string=1
User Agent String: The user agent string is sent automatically from the client software accessing your WordPress to identify itself. For example Google Chrome uses the following user agent string:
Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36
All the patterns typically used in malicious requests are stored in three arrays in the plugin, one for each of the three request parts, and their names are self-explanatory.
BBQ: Block Bad Queries has no configuration interface. Therefore, if you would like to make any of the modifications explained in the examples below, you have to edit the code in the plugin's PHP file.
Modifying the HTTP Requests which BBQ:Block Bad Queries Plugin Should Block
If you would like to block a specific type of query string, add the query string pattern to $query_string_array array. Once you add a new pattern test it to ensure you are not blocking legitimate requests. A syntax example follows:
$query_string_array = apply_filters( 'query_string_items', array( 'PATTERN_1', 'PATTERN_2', 'PATTERN_3' ) );
Note: Each pattern you add should be declared between single quotes (') and separated from the other patterns with a comma (,).
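The syntax example above passes the array through apply_filters() under the name 'query_string_items'. Assuming standard WordPress plugin loading, that means the list can also be adjusted from a must-use plugin instead of editing the plugin file, so the change survives plugin updates. This is an added example, not code from the plugin; the file name and the pattern values are constructed.

```php
<?php
// wp-content/mu-plugins/bbq-custom-patterns.php (constructed file name).
// Must-use plugins load before regular plugins, so this filter is registered
// before the plugin builds its $query_string_array via apply_filters().

add_filter( 'query_string_items', function ( $items ) {
    $items = is_array( $items ) ? $items : array();

    // Block an extra query string pattern seen in this site's own logs
    // (constructed value). Test it afterwards so legitimate URLs still load.
    $items[] = 'example_bad_param=';

    // Drop a stock pattern that was found to match a legitimate URL on this
    // site during testing (constructed value): a documented false positive.
    $items = array_values( array_diff( $items, array( 'example_false_positive' ) ) );

    return $items;
} );
```

After saving the file, request a URL containing the new pattern and confirm the server answers 403 while your normal pages still return 200.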
Blocking Visitors with a Specific User Agent from WordPress
To block visitors using a specific user agent, like automated virus and malware bots, add their user agent string in the $user_agent_array.
Configuring a Maximum URL Length Limit for WordPress
By limiting the number of characters that can be used in an HTTP request you can protect your WordPress installation from zero-day attacks and several other malicious attacks. Zero-day attacks exploit software vulnerabilities that malicious hackers already know about but the software vendor does not yet, hence no patch exists yet.
Most malicious web application attacks employ long URLs to exploit known vulnerabilities. Therefore if you limit the number of characters that can be used in an HTTP request you are automatically protecting your WordPress installation from such type of attacks.
By limiting the number of characters used in a URL you might also block legitimate requests. Therefore, before enabling this security feature, check the length of the longest URL on your WordPress installation, including those in the WordPress admin (/wp-admin/) section.
To enable and configure a maximum URL length, uncomment (by deleting the leading '//') the below line of code in the plugin and specify the maximum number of characters an HTTP request can contain. The default value in the plugin is 255, as shown below.
strlen( $_SERVER['REQUEST_URI'] ) > 255 ||
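To make the behaviour described in this post concrete, here is an added, simplified re-creation of the check: the three pattern arrays, the optional length rule from the line above, and the 403 response. It is not the plugin's own code; the pattern values are constructed (the real plugin ships a much longer list) and matching is assumed to be a case-insensitive substring test.

```php
<?php
// Added example (not the plugin's code): simplified BBQ-style request check.
$request_uri_array  = array( '../', '/etc/passwd' );                        // request URI patterns (constructed)
$query_string_array = array( '%00', 'base64_', '<script', 'union select' ); // %00 and base64_ are this post's test patterns
$user_agent_array   = array( 'example-bad-bot' );                           // user agent patterns (constructed)

// Return the first pattern found in $subject, or null when none matches.
function bbq_match( string $subject, array $patterns ): ?string {
    foreach ( $patterns as $pattern ) {
        if ( $pattern !== '' && stripos( $subject, $pattern ) !== false ) {
            return $pattern;
        }
    }
    return null;
}

// Inspect the three request parts (plus the optional length limit) and return
// a reason for blocking, or null when the request may reach WordPress.
function bbq_block_reason( array $server, array $uri_patterns, array $qs_patterns,
                           array $ua_patterns, int $max_uri_length = 0 ): ?string {
    $uri = $server['REQUEST_URI'] ?? '';
    $qs  = $server['QUERY_STRING'] ?? '';
    $ua  = $server['HTTP_USER_AGENT'] ?? '';

    // The strlen() rule shown above, active only when a limit is configured.
    if ( $max_uri_length > 0 && strlen( $uri ) > $max_uri_length ) {
        return "request URI longer than {$max_uri_length} characters";
    }
    if ( ( $hit = bbq_match( $uri, $uri_patterns ) ) !== null ) {
        return "request URI contains '{$hit}'";
    }
    if ( ( $hit = bbq_match( $qs, $qs_patterns ) ) !== null ) {
        return "query string contains '{$hit}'";
    }
    if ( ( $hit = bbq_match( $ua, $ua_patterns ) ) !== null ) {
        return "user agent contains '{$hit}'";
    }
    return null;
}

// Constructed request matching this post's first test URL, /path/?q=%00.
$sample = array( 'REQUEST_URI' => '/path/?q=%00', 'QUERY_STRING' => 'q=%00',
                 'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 6.2; Win64; x64)' );
$reason = bbq_block_reason( $sample, $request_uri_array, $query_string_array, $user_agent_array, 255 );

if ( $reason !== null ) {
    // Same outcome as the plugin: answer 403 and stop before WordPress runs anything.
    header( ( $_SERVER['SERVER_PROTOCOL'] ?? 'HTTP/1.1' ) . ' 403 Forbidden' );
    exit( 'Blocked: ' . $reason );
}
```

Run from the command line the sample request prints "Blocked: query string contains '%00'"; a request without any listed pattern and shorter than 255 characters passes through with no output.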
Testing Your WordPress Web Application Firewall
Once you have installed the BBQ: Block Bad Queries WordPress plugin, run several tests by requesting the sample URLs below to ensure it is working (replace some_site.com with your domain):
- http://www.some_site.com/path/?q=%00
- http://www.some_site.com/path/base64_
If the plugin is working correctly, the server should respond with an HTTP status code of 403 Forbidden when these URLs are requested. The above requests are just examples of URLs that should be blocked by the BBQ: Block Bad Queries plugin. You can run several other tests using requests typically used in real-life hacking attacks.
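The manual test above is worth repeating after every pattern change, so here is an added PHP script (not part of the post) that requests the two sample URLs plus one legitimate page and reports whether each status code matches expectations. The host name is the post's placeholder; it assumes PHP's curl extension is installed and that your site's canonical scheme is used for $base, otherwise a redirect would hide the 403.

```php
<?php
// Added example: regression check for the BBQ 403 responses (PHP CLI, needs ext-curl).
$base  = 'http://www.some_site.com';   // replace with your own domain and canonical scheme
$tests = array(
    '/path/?q=%00'  => 403, // null byte in the query string (post's first sample URL)
    '/path/base64_' => 403, // base64_ in the request URI (post's second sample URL)
    '/'             => 200, // a legitimate page must still load after customizing patterns
);

// Request one URL and return its HTTP status code (0 when the connection failed).
function bbq_probe( string $url ): int {
    $ch = curl_init( $url );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true ); // discard the body, keep the status
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, false ); // a redirect must not mask a 403
    curl_setopt( $ch, CURLOPT_TIMEOUT, 10 );
    curl_exec( $ch );
    $code = (int) curl_getinfo( $ch, CURLINFO_HTTP_CODE );
    curl_close( $ch );
    return $code;
}

$failed = 0;
foreach ( $tests as $path => $expected ) {
    $code = bbq_probe( $base . $path );
    $ok   = ( $code === $expected );
    printf( "%s %-16s expected %d got %d\n", $ok ? 'PASS' : 'FAIL', $path, $expected, $code );
    if ( ! $ok ) {
        $failed++;
    }
}
exit( $failed === 0 ? 0 : 1 ); // non-zero exit lets a cron job or CI step flag a broken firewall
```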
Testing BBQ:Block Bad Queries Plugin with Fiddler
If you are not sure what the server response to a malicious HTTP request is, you can confirm the response using the Fiddler proxy.
As highlighted in the screenshot below, in this test we requested the URL https://www.wpwhitesecurity.com/contact/base64_ and can confirm that the server responds with an HTTP 403 Forbidden response.
Block Bad Queries Plugin – A Web Application Firewall for WordPress
There you have it! If you have been looking for a highly customizable and strong web application firewall for your WordPress blogs and websites, install BBQ:Block Bad Queries plugin and forget about it. You can download BBQ:Block Bad Queries from the WordPress plugin repository.
If on the other hand you prefer something that does not need any configuration and also does malware scanning, I would recommend Malcare malware scanner.
Thanks for a very interesting article.
It raises a couple of questions with the BBQ plugin. You give an example of an array with blacklisted patterns, described as 'PATTERN_1', 'PATTERN_2', etc.
Are there any known patterns worth blocking?
Is there a list of known patterns?
Where can such a list be found? If there is one.
The plugin itself already has a robust list of things one should block. I would only add things to such a list if you have something specific yourself, using specific URLs and verbs etc.
With so many security and firewall plugins to choose from it’s so hard to pick.
I’ve been using Ninja Firewall and WordFence, and Anti Malware to scan first to find all existing threats.
BBQ vs Ninja Firewall? Any recommendations to which is better?
I personally prefer BBQ because it is a more straight forward and no frills plugin. Yes there are many other good ones but many have a lot of features which in reality one wouldn’t really need if proper WordPress hardening is applied.
I totally agree with you, WP White Security. I use QueryWall: Plug'n Play Firewall https://wordpress.org/plugins/querywall/stats/ instead of BBQ. They support the same filters, but in addition they have a panel in wp-admin where you can see the blocked requests.
Hello Libra, BBQ firewall also has that and much more in the pro version, which does not cost a lot considering the value it gives you. In fact we have to update this post.
I just want to block the tag to prevent any plugin vulnerability from inserting/updating it in the DB. How do I add this pattern?
Thank you for your comment Thaitq. If you are using BBQ I would recommend you to contact its developer for such questions. Good luck.