BBQ:Block Bad Queries WordPress Plugin Review

Last updated on May 30th, 2018 by Robert Abela. Filed under WordPress Security Hacks

BBQ:Block Bad Queries is a WordPress Web Application Firewall that blocks malicious HTTP requests

There are many WordPress security plugins available but only a few really address WordPress security properly and help you protect your WordPress installation from malicious hacker attacks.

One of these plugins is BBQ: Block Bad Queries. This plugin is like a highly customizable, yet simple and maintenance free WordPress web application firewall that every WordPress administrator and manager should install.

This WordPress security post explains how the BBQ:Block Bad Queries plugin works, how to customize it, and how to test that it is blocking malicious requests.

How BBQ:Block Bad Queries WordPress Plugin Works

The BBQ:Block Bad Queries plugin analyses every request sent to your WordPress site before the WordPress core processes it. If the request matches a malicious pattern, the plugin refuses to serve the requested resource and responds with HTTP status code 403 (Forbidden).

The default list of malicious patterns that Block Bad Queries blocks not only protects your WordPress site from targeted WordPress attacks, but also from potential zero-day vulnerabilities and other common attacks such as cross-site scripting, SQL injection and directory traversal. Therefore, if you install BBQ:Block Bad Queries, malicious hackers still cannot exploit known vulnerabilities even if you are running a vulnerable (old) WordPress installation, plugin or theme.

WP White Security Tip: Even if you run BBQ:Block Bad Queries, you should still run the latest and most secure versions of WordPress, plugins and themes. The BBQ plugin should be used as an additional layer of security rather than as a way to close existing security holes.

Customizing BBQ:Block Bad Queries Plugin

By default Block Bad Queries does not need any customization or configuration changes, but there are always exceptions to the rule. In case you need to customize BBQ:Block Bad Queries, here is an explanation of what you can customize. To start with, the plugin scans three parts of each request sent to a WordPress installation:

Request URI: the URL requested by the user, e.g. http://www.wpwhitesecurity.com/wordpress-security-services/

Query String: the query string included with the URL, e.g. http://www.wpwhitesecurity.com/wordpress-security-services/?query_string=1

User Agent String: the user agent string is sent automatically by the client software accessing your WordPress site to identify itself. For example, Google Chrome uses the following user agent string:

Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36

All the patterns typically used in malicious requests are stored in three arrays in the plugin, and their names are self-explanatory:

  • $request_uri_array
  • $query_string_array
  • $user_agent_array

BBQ:Block Bad Queries has no configuration interface. Therefore, if you would like to make any of the modifications explained in the examples below, you have to edit the plugin's PHP file directly.

Modifying the HTTP Requests which BBQ:Block Bad Queries Plugin Should Block

If you would like to block a specific type of query string, add the query string pattern to the $query_string_array array. Once you add a new pattern, test it to ensure you are not blocking legitimate requests. A syntax example follows (note the closing parenthesis of apply_filters(), which is easy to drop when editing the line by hand):

$query_string_array = apply_filters( 'query_string_items', array( 'PATTERN_1', 'PATTERN_2', 'PATTERN_3' ) );

Note: Each pattern you add should be declared between single quotes (') and separated from the other patterns with a comma (,).

Blocking Visitors with a Specific User Agent from WordPress

To block visitors using a specific user agent, such as automated virus and malware bots, add their user agent string to the $user_agent_array.

Configuring a Maximum URL Length Limit for WordPress

By limiting the number of characters that can be used in an HTTP request you can protect your WordPress installation from zero-day attacks and several other malicious attacks. Zero-day attacks exploit software vulnerabilities that are not yet known to the software vendor, so no patch exists yet.

Most malicious web application attacks employ long URLs to exploit known vulnerabilities. Therefore, if you limit the number of characters that can be used in an HTTP request, you are automatically protecting your WordPress installation from such attacks.

By limiting the number of characters used in a URL you might also block legitimate requests. Therefore, before enabling this security feature, check the length of the longest URL on your WordPress installation, including the URLs in the WordPress admin section (/wp-admin/).

To enable and configure a maximum URL length, uncomment (by deleting the leading '//') the line of code below in the plugin and specify the maximum number of characters a request URI may contain. The default value in the plugin is 255, as shown below.

strlen( $_SERVER['REQUEST_URI'] ) > 255 ||

Testing Your WordPress Web Application Firewall

Once you have installed the BBQ:Block Bad Queries WordPress plugin, run several tests by requesting the sample URLs below to ensure it is working (replace some_site.com with your domain):

  • http://www.some_site.com/../../../etc/passwd
  • http://www.some_site.com/path/?q=%00
  • http://www.some_site.com/path/base64_

If the plugin is working correctly, the server should respond with an HTTP status code of 403 Forbidden when these URLs are requested. The requests above are just examples of URLs that the BBQ:Block Bad Queries plugin should block. You can run several other tests using requests typically seen in real-life hacking attacks.
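To make the checks described above concrete (the three pattern arrays, the optional request URI length limit, and the 403 response), here is an added example that models them in plain PHP. It is not the BBQ plugin's own code: the pattern lists are a constructed subset taken from the test URLs above, the user agent entry is a placeholder, and the script runs the three test URLs plus a legitimate request through the check from the command line.

```php
<?php
// Added example, not the BBQ plugin's own code: a minimal model of the check the
// post describes (three pattern lists plus the optional URI length limit). The
// patterns are a constructed subset from the post's test URLs; the user agent
// entry is a placeholder and the real plugin ships a far longer list.
$rules = array(
    'request_uri'    => array( '../', '%00', 'base64_' ),
    'query_string'   => array( '../', '%00', 'base64_' ),
    'user_agent'     => array( 'BAD_BOT_UA' ),
    'max_uri_length' => 255, // the plugin's commented-out default; 0 disables it
);
// First pattern found in $subject, or null. Raw and URL-decoded forms are both
// searched, so %2e%2e/ is caught like ../ while a raw %00 still matches '%00'.
function matches_any( $subject, array $patterns ) {
    foreach ( $patterns as $pattern ) {
        foreach ( array( $subject, rawurldecode( $subject ) ) as $haystack ) {
            if ( stripos( $haystack, $pattern ) !== false ) {
                return $pattern;
            }
        }
    }
    return null;
}
// Decide as the plugin does: 403 on the first hit, 200 otherwise.
function check_request( $request_uri, $user_agent, array $rules ) {
    if ( $rules['max_uri_length'] > 0 && strlen( $request_uri ) > $rules['max_uri_length'] ) {
        return array( 403, 'request URI longer than ' . $rules['max_uri_length'] );
    }
    list( $path, $query ) = array_pad( explode( '?', $request_uri, 2 ), 2, '' );
    foreach ( array( 'request_uri' => $path, 'query_string' => $query, 'user_agent' => $user_agent ) as $name => $value ) {
        $hit = matches_any( $value, $rules[ $name ] );
        if ( $hit !== null ) {
            return array( 403, "$name matched '$hit'" );
        }
    }
    return array( 200, 'allowed' );
}
// Constructed requests: the post's three test URLs, a legitimate page and a bot UA.
$chrome  = 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36';
$samples = array(
    array( '/../../../etc/passwd', $chrome ),
    array( '/path/?q=%00', $chrome ),
    array( '/path/base64_', $chrome ),
    array( '/wordpress-security-services/?query_string=1', $chrome ),
    array( '/', 'BAD_BOT_UA/1.0' ),
);
foreach ( $samples as $sample ) {
    list( $status, $reason ) = check_request( $sample[0], $sample[1], $rules );
    printf( "%-48s %d (%s)\n", $sample[0], $status, $reason );
}
```

The first three and the last request come back as 403 with the array and pattern that matched, while the legitimate page comes back as 200; adding a pattern to $rules and re-running is the same "test before you deploy" step the post recommends for edits to the plugin's arrays.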

Testing BBQ:Block Bad Queries Plugin with Fiddler

If you are not sure what the server responds with when you send malicious HTTP requests, you can confirm the response with the Fiddler proxy.

As highlighted in the screenshot below, in this test we requested the URL http://www.wpwhitesecurity.com/contact-wp-white-security/base64_ and can confirm that the server responds with an HTTP 403 Forbidden response.

Testing BBQ: Block Bad Requests WordPress plugin with Fiddler

Block Bad Queries Plugin – A Web Application Firewall for WordPress

There you have it! If you have been looking for a highly customizable and strong web application firewall for your WordPress blogs and websites, install the BBQ:Block Bad Queries plugin and forget about it. You can download BBQ:Block Bad Queries from the WordPress plugin repository or buy the PRO version from here.

If on the other hand you prefer something that does not need any configuration and also does malware scanning, I would recommend Malcare malware scanner.

WordPress Hosting, Firewall and Backup

WP White Security is hosted on A2 Hosting, protected with the BBQ:Block Bad Queries firewall and backed up with the BlogVault online WordPress backup service.

6 comments

Govertz 27/04/2015

Thanks for a very interesting article.
It raises a couple of questions with the BBQ plugin. You give an example of an array with blacklisted patterns, described as 'PATTERN_1', 'PATTERN_2', etc.
Are there any known patterns worth blocking?
Is there a list of known patterns?
Where can such a list be found? If there is one.

Robert Abela 27/04/2015

Hi Govertz,

The plugin itself already has a robust list of things one should block. I would only add things to such a list if you have something specific yourself, such as specific URLs, verbs, etc.

Kyle 27/04/2015

With so many security and firewall plugins to choose from it’s so hard to pick.

I’ve been using Ninja Firewall and WordFence, and Anti Malware to scan first to find all existing threats.

BBQ vs Ninja Firewall? Any recommendations to which is better?

WP White Security 28/04/2015

I personally prefer BBQ because it is a more straightforward, no-frills plugin. Yes, there are many other good ones, but many have a lot of features which in reality one wouldn't really need if proper WordPress hardening is applied.

Libra 25/04/2016

I totally agree with you, WP White Security. I use QueryWall: Plug'n Play Firewall https://wordpress.org/plugins/querywall/stats/ instead of BBQ. They support the same filters, but in addition they have a panel in wp-admin where you can see the blocked requests.

Robert Abela 26/04/2016

Hello Libra, BBQ firewall also has that and much more in the pro version, which does not cost a lot considering the value it gives you. In fact we have to update this post.
