BBQ Block Bad Queries Plugin

Price: FREE
Sold By: Startup StrideStartup Stride

Plugin Name: Block Bad Queries (BBQ)
Plugin URI: https://perishablepress.com/block-bad-queries/
Description: BBQ is a super fast firewall that automatically protects WordPress against malicious URL requests.
Tags: firewall, security, protect, malicious, hack, blacklist, lockdown, eval, http, query, request, secure, spam, whitelist
Usage: No configuration necessary. Upload, activate and done. BBQ blocks bad queries automically to protect your site against malicious URL requests. For advanced protection check out BBQ Pro.
Author: Jeff Starr
Author URI: https://plugin-planet.com/
Contributors: specialk, aldolat, WpBlogHost, jameswilkes, juliobox, lernerconsult
Donate link: https://monzillamedia.com/donate.html
Requires at least: 4.1
Tested up to: 5.3
Stable tag: 20191109
Version: 20191109
Requires PHP: 5.6.20
Text Domain: block-bad-queries
Domain Path: /languages
License: GPLv2 or later

The fastest firewall plugin for WordPress.

== Description ==

> Install, activate, and done!
> Powerful protection from WP's __fastest__ firewall plugin.

[Block Bad Queries](https://perishablepress.com/block-bad-queries/) (BBQ) is a simple, super-fast plugin that protects your site against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like `eval(`, `base64_`, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a [strong .htaccess firewall](https://perishablepress.com/6g/).

**Awesome Features**

* 100% Plug-n-play functionality
* No configuration required (it just works)
* Born of speed and simplicity, no frills
* 100% focused on security and performance
* Blocks a wide range of malicious requests
* Blocks directory traversal attacks
* Blocks executable file uploads
* Blocks SQL injection attacks
* Based on the [5G/6G Firewall](https://perishablepress.com/6g/)
* Scans all incoming traffic and blocks bad requests
* Scans all types of requests: GET, POST, PUT, DELETE, etc.
* Works silently behind the scenes to protect your site
* Hassle-free security plugin that's easy to use
* Thoroughly tested, error-free performance
* Compatible with other security plugins
* Regularly updated and "future proof"
* Customize blocked strings via [Whitelist/Blacklist plugins](https://perishablepress.com/bbq-whitelist-blacklist/)

**Privacy**

This plugin does not collect or store any user data. It does not set any cookies, and it does not connect to any third-party locations. Thus, this plugin does not affect user privacy in any way.

> Works perfectly with or without Gutenberg Block Editor

**Pro Version**

For advanced protection and awesome features, check out [BBQ Pro](https://plugin-planet.com/bbq-pro/).

== Installation ==

**Installing BBQ**

1. Install, activate, done.

Once active, BBQ automically blocks bad queries to protect your site against malicious URL requests. For more control and stronger protection, [check out BBQ Pro »](https://plugin-planet.com/bbq-pro/)

[More info on installing WP plugins](https://codex.wordpress.org/Managing_Plugins#Installing_Plugins)

**Customizing**

* To allow patterns otherwise blocked by BBQ, check out the [BBQ Whitelist plugin](https://perishablepress.com/bbq-whitelist-blacklist/)
* To block patterns otherwise allowed by BBQ, check out the [BBQ Blacklist plugin](https://perishablepress.com/bbq-whitelist-blacklist/)

Note that the [Pro version of BBQ](https://plugin-planet.com/bbq-pro/) makes it possible to customize patterns (add, edit, remove) directly via the plugin settings, with a click.

**Like the plugin?**

If you like BBQ, please take a moment to [give a 5-star rating](https://wordpress.org/support/plugin/block-bad-queries/reviews/?rate=5#new-post). It helps to keep development and support going strong. Thank you!

== Upgrade Notice ==

To upgrade BBQ, remove old version and replace with new version. Or just click "Update" from the Plugins screen and let WordPress do it for you automatically. Nothing else needs done.

== Screenshots ==

Sorry, there are no screenshots for BBQ! Everything is done behind the scenes.

The free version of BBQ is strictly plug-n-play, set-it-and-forget-it, with no settings to configure whatsoever. Just install, activate, and enjoy better security and robust protection against malicious requests.

The Pro version of BBQ is just as fast and simple to use, but is much more powerful and includes settings to customize and fine-tune your firewall. [Check out screenshots of BBQ Pro](https://plugin-planet.com/bbq-pro/#screenshots) (click the three grey buttons near the top of the page).

== Frequently Asked Questions ==

**What other security plugins do you recommend?**

I recently recorded a video tutorial series for Lynda.com on [how to secure WordPress sites](https://m0n.co/securewp). That's a good place to learn more about the best techniques and WP plugins for protecting your site against threats.

**Do I need to do anything else for BBQ to work?**

Nope, just install and relax knowing that BBQ is protecting your site from bad URL requests.

**I don't see any Settings whatsoever? Where is the settings?**

No settings needed for BBQ! Everything is done automatically behind the scenes. Zero configuration required. The free version of BBQ is strictly plug-n-play, set-it-and-forget-it, with no settings to configure whatsoever. Just install, activate, and enjoy better security and robust protection against malicious requests. The Pro version of BBQ is just as fast and simple to use, but is much more powerful and includes robust settings to customize and fine-tune your firewall.

**Is BBQ free version compatible with Wordfence? Does it makes sense to use both?**

Yes BBQ free and BBQ Pro are both compatible with any plugin written according to the WP API. And yes, there is benefit to using BBQ with any other security plugin, including Wordfence. They protect against different threats, so using both means you are extra secure.

**Does BBQ make changes to my .htaccess file?**

Absolutely not. Unlike other security/firewall plugins, neither BBQ (free version) nor BBQ Pro make any changes to any .htaccess file.

**Does BBQ make any changes to my WP database?**

No, the free version of BBQ operates as each page is loaded; it does not make any changes whatsoever to the WP database.

**Does BBQ block malicious strings included in arrays?**

Yes, BBQ scans any arrays that are included in the URI request. If any matching patterns are found, the request is blocked.

**My PHP scanner/checker plugin says there is an error?**

For example, if your PHP/plugin scanner reports something like, "found `0x3c62723e` which is bad." Normally you would not want to find such bad strings of code, but there is an exception for security plugins. Think about it: in order to block some nasty string, BBQ must _know_ about it. So each bad string that is blocked by BBQ is included in the plugin "blacklist". That means, when some PHP scanner looks at BBQ and finds some known bad strings, it just means that the scanner has discovered BBQ's list of blocked terms. In other words, BBQ contains static strings of non-functional text, in order to match and block malicious requests to your site. I hope this makes sense, feel free to [contact me](https://perishablepress.com/contact/) if I may provide any further infos.

**Do I need WordPress to run BBQ?**

Nope! BBQ is available in the following flavors:

* [BBQ Free - WordPress Plugin](https://wordpress.org/plugins/block-bad-queries/)
* [BBQ Pro - WordPress Plugin](https://plugin-planet.com/bbq-pro/)
* [BBQ Standalone PHP Script](https://perishablepress.com/block-bad-queries/#bbq-php-script)

So you can check out the Standalone PHP Script for sites that are not running WordPress.

**Can I use BBQ and 6G/7G Firewall at the same time?**

__Full question:__ "Except most of the rules overlapping, is it counter productive (site slowing down for example, potential conflicts, bugs) or is there any risks using 6G/7G Firewall + BBQ at the same time?"

__Answer:__ It's fine to run both BBQ and 6G/7G Firewall at the same time. Both firewalls are super fast, so they won't slow things down. In other words the two firewalls play well together. The only downside is that some of the rules will be redundant, but there should be no negative impact on performance. The upside is that you get extra protection when using both, as there are variations in the firewall rules and patterns, etc.

**Do you offer any other security plugins?**

Yes, check out [Blackhole for Bad Bots](https://wordpress.org/plugins/blackhole-bad-bots/) to protect your site against bad bots. I also have a [video course on WordPress security](https://m0n.co/securewp), for more plugin recommendations and lots of tips and tricks.

**Got a question?**

Send any questions or feedback via my [contact form](https://perishablepress.com/contact/).

== Support development of this plugin ==

I develop and maintain this free plugin with love for the WordPress community. To show support, you can [make a donation](https://monzillamedia.com/donate.html) or purchase one of my books:

* [The Tao of WordPress](https://wp-tao.com/)
* [Digging into WordPress](https://digwp.com/)
* [.htaccess made easy](https://htaccessbook.com/)
* [WordPress Themes In Depth](https://wp-tao.com/wordpress-themes-book/)

And/or purchase one of my premium WordPress plugins:

* [BBQ Pro](https://plugin-planet.com/bbq-pro/) - Super fast WordPress firewall
* [Blackhole Pro](https://plugin-planet.com/blackhole-pro/) - Automatically block bad bots
* [Banhammer Pro](https://plugin-planet.com/banhammer-pro/) - Monitor traffic and ban the bad guys
* [GA Google Analytics Pro](https://plugin-planet.com/ga-google-analytics-pro/) - Connect your WordPress to Google Analytics
* [USP Pro](https://plugin-planet.com/usp-pro/) - Unlimited front-end forms

Links, tweets and likes also appreciated. Thank you! :)

== Changelog ==

If you like BBQ, please take a moment to [give a 5-star rating](https://wordpress.org/support/plugin/block-bad-queries/reviews/?rate=5#new-post). It helps to keep development and support going strong. Thank you!

**2019/11/09**

* Changes to `plugins_url()` for `BBQ_URL` constant
* Tests on WordPress 5.3

**2019/09/02**

* Updates some links to https
* Tests on WordPress 5.3 (alpha)

**2019/05/01**

* Bumps [minimum PHP version](https://codex.wordpress.org/Template:Server_requirements) to 5.6.20
* Adds activation check if BBQ Pro is active
* Updates default translation template
* Tests on WordPress 5.2

**2019/03/11**

* Improves function `bbq_action_links()`
* Refines plugin settings screen UI
* Generates new default translation template
* Tests on WordPress 5.1 and 5.2 (alpha)

**2019/02/20**

* Tests on WordPress 5.1

**2018/11/17**

* Adds homepage link to Plugins screen
* Updates default translation template
* Tests on WordPress 5.0

**2018/08/21**

* Removes `.tar` from Request URI patterns
* Adds `rel="noopener noreferrer"` to all [blank-target links](https://perishablepress.com/wordpress-blank-target-vulnerability/)
* Updates GDPR blurb and donate link
* Regenerates default translation template
* Further tests on WP 4.9 and 5.0 (alpha)

**2018/05/11**

* Adds `xrumer` to blocked query strings and request URIs
* Adds `indoxploi` to blocked query strings and request URIs
* Generates new translation template
* Tests on WordPress 5.0

**2017/11/01**

* Updates readme.txt :)
* Tests on WordPress 4.9

**2017/10/19**

* Changes `\/\.tar` to `\.tar` in Request patterns
* Changes `\/\.bash` to `\.bash` in Request patterns
* Adds new User Agent patterns: `shellshock`, `md5sum`, `\/bin\/bash`
* Adds new Request patterns: `@@`, `@eval`, `\/file\:`, `\/php\:`, `\.cmd`, `\.bat`, `\.htacc`, `\.htpas`, `\.pass`, `usr\/bin\/perl`, `var\/lib\/php`, `wp-config\.php`
* Adds new Query String patterns: `@@`, `\(0x`, `0x3c62723e`, `\(\)\}`, `\:\;\}\;`, `\;\!--\=`, `@eval`, `eval\(`, `base64_`, `UNION(.*)SELECT`, `\/config\.`, `\/wwwroot`, `\/makefile`, `\$_session`, `\$_request`, `\$_env`, `\$_server`, `\$_post`, `\$_get`, `phpinfo\(`, `shell_exec\(`, `file_get_contents`, `allow_url_include`, `disable_functions`, `auto_prepend_file`, `open_basedir`, `(benchmark|sleep)(\s|%20)*\(`
* Tests on WordPress 4.9

**2017/07/30**

* Changed menu item name to "BBQ Firewall"
* Tests on WordPress 4.9 (alpha)

**2017/03/22**

* Adds plugin settings page
* Adds French translation (thanks to Bouzin)
* Generates new default translation template
* Tests on WordPress version 4.8

**2016/11/14**

* Replaces `esc_html` with `esc_attr` for link title attributes
* Changes stable tag from trunk to latest version
* Adds `»` to rate this plugin link
* Updates URL for rate this plugin link
* Moves "Go Pro" link to action links
* Renames action/meta link functions
* Updates default translation template
* Tests on WordPress version 4.7 (beta)

**2016/08/10**

* Added translation support
* Added plugin icons and larger banner
* General fine-tuning and testing
* Tested on WordPress 4.6

**2016/03/28**

* Removed `\:\/\/` from Request URI and Query String patterns (see [this thread](https://wordpress.org/support/topic/redirection-blocked))
* Added `(benchmark|sleep)(\s|%20)*\(` to Request URI patterns (thanks to [smitka](https://wordpress.org/support/topic/idea-better-sqli-filter))
* Tested on WordPress 3.5 beta

**2015/11/07**

* Added `\.php\([0-9]+\)`, `__hdhdhd.php` to URI patterns (Thanks to [George Lerner](https://www.glerner.com/))
* Added `acapbot`, `semalt` to User Agent patterns (Thanks to [George Lerner](https://www.glerner.com/))
* Replaced `UNION.*SELECT` with `UNION(.*)SELECT` in Request URI patterns
* Added `morfeus`, `snoopy` to User Agent patterns
* Refactored redirect/exit functionality
* Renamed `rate_bbq()` to `bbq_links()`
* Tested with WordPress 4.4 beta

**2015/08/08**

* Tested on WordPress 4.3
* Updated minimum version requirement
* Highlighted Pro link on Plugins screen

**2015/06/24**

* Replaced `UNION\+SELECT` with `UNION.*SELECT`
* Added `wp-config.php` to query-string patterns
* Added plugin link to [BBQ Pro](https://plugin-planet.com/bbq-pro/)
* Testing on WP 4.3 (alpha)

**2015/05/07**

* Tested with WP 4.2 and 4.3 (alpha)
* Replaced some `http` with `https` in readme.txt

**2015/03/14**

* introduce `bbq_core()`
* tested on latest WP
* tightened up code

**2014/09/22**

* tested on latest version of WordPress (4.0)
* retested on Multisite
* increased minimum version requirement to WP 3.7

**2014/03/05**

* Bugfix: added conditional checks for empty variables

**2014/01/23**

* tested on latest version of WordPress (3.8)
* added link to rate plugin

**2013/11/03**

* removed `?>` from script
* added optional line for blocking long URLs
* added line to prevent direct access to BBQ script
* added `\;Nt\.`, `\=Nt\.`, `\,Nt\.` to request URI items
* tested on latest version of WordPress (3.7)

**2013/07/07**

* replaced `Nt\.` with `\/Nt\.` (resolves comment editing/approval issue)

**2013/07/05**

* removed `https\:` (from previous version)
* replaced `\/https\/` with `\/https\:`
* replaced `\/http\/` with `\/http\:`
* replaced `\/ftp\/` with `\/ftp\:`

**2013/07/04**

* removed block for `jakarta` in user-agents
* removed `union` from query strings
* added to request-URI: `\%2Flocalhost`, `Nt\.`, `https\:`, `\.exec\(`, `\)\.html\(`, `\{x\.html\(`, `\(function\(`
* resolved PHP Notice "Undefined Index" via `isset()`

**2013/01/03**

* removed block for `CONCAT` in request-URI
* removed block for `environ` in query-string
* removed block for `%3C` and `%3E` in query-string
* removed block for `%22` and `%27` in query-string
* removed block for `[` and `]` in query-string (to allow unsafe characters used in WordPress)
* removed block for `?` in query-string (to allow unsafe character used in WordPress)
* removed block for `:` in query-string (to allow unsafe character used by Google)
* removed block for `libwww` in user-agents (to allow access to Lynx browser)

**2012/11/08**

* Removed `:` match from query string (Google disregards encoding)
* Removed `scanner` from query string from query string match
* Streamlined source code for better performance (thanks to juliobox)

**Older versions**

* 2012/10/27 - Disabled check for long strings, disabled check for scanner
* 2012/10/26 - Rebuilt plugin using 5G/6G technology
* 2011/02/21 - Updated readme.txt file
* 2009/12/30 - Added check for admin users
* 2009/12/30 - Additional request strings added

BBQ Block Bad Queries Plugin
Price: FREE

> Install, activate, and done! > Powerful protection from WP's __fastest__ firewall plugin.

View Cart