BBQ Firewall – Fast & Powerful Firewall Security


¡Instalar, activar y listo!
Protección potente gracias al plugin cortafuegos más rápido de WP.

BBQ Firewall es un plugin ligero y muy rápido que protege tu sitio contra una amplia gama de amenazas. BBQ comprueba todo el tráfico entrante y bloquea sigilosamente las peticiones maliciosas que contienen cosas dañinas como eval(, base64_ y cadenas de peticiones excesivamente largas. Esta es una solución sencilla, pero sólida, para sitios que no pueden usar un cortafuegos Apache/.htaccess robusto.

Adds a strong firewall to ANY WordPress site
Works with all WordPress plugins and themes

Powerful Protection

BBQ protects your site against many threats:

  • SQL injection attacks
  • Executable file uploads
  • Directory traversal attacks
  • Unsafe character requests
  • Excessively long requests
  • PHP remote/file execution
  • XSS, XXE, and related attacks
  • Protects against bad bots
  • Protects against bad referrers
  • Protects against bad POST content
  • Protects against many other bad requests

Works great with Blackhole for Bad Bots

Características impresionantes

BBQ provides all the best firewall features:

  • Rated 5 stars at
  • 100% plug-&-play, zero configuration
  • Centrado al 100% en la seguridad y el rendimiento
  • Bloquea una amplia gama de peticiones de URL maliciosas
  • Fastest Web Application Firewall (WAF) for WordPress
  • Based on the 6G/7G Firewall
  • Analiza todo el tráfico entrante y bloquea las peticiones maliciosas
  • Escanea todo tipo de peticiones: GET, POST, PUT, DELETE, etc.
  • Protects against known bad bots and referrers
  • Funciona sigilosamente en segundo plano para proteger a tu sitio
  • Plugin de seguridad sin complicaciones y fácil de usar
  • Rendimiento sin errores probado a conciencia
  • Extremely low rate of false positives
  • Compatible con otros plugins de seguridad
  • Actualizado regularmente y con «garantía de futuro»
  • Firewall < 10 kilobytes in size
  • Lightweight, fast and flexible

For advanced protection and features, check out BBQ Pro »
BBQ = Block Bad Queries


Este plugin no recopila ni almacena ningún dato de usuario. No instala ninguna cookie, y no se conecta a ningún servidor de terceros. Por lo tanto, este plugin no afecta a la privacidad del usuario de ninguna manera.

BBQ Firewall is developed and maintained by Jeff Starr, 15-year WordPress developer and book author.

Support development

Desarrollo y mantengo este plugin gratuito por amor a la comunidad de WordPress. Para mostrar apoyo, puedes hacer una donación o comprar uno de mis libros:

Y/o comprar uno de mis plugins Premium de WordPress:

También se aprecian enlaces, tweets y likes. ¡Gracias! 🙂


Instalación de BBQ

  1. Instala, activa, listo.

Once active, BBQ automatically protects your site against threats. Quietly, behind the scenes. For more control and stronger protection, check out BBQ Pro »

More info on installing WP plugins


Note that the Pro version of BBQ makes it possible to customize patterns and everything else directly via the plugin settings, with a click. BBQ Pro also displays the current block count for each firewall rule, like this.


This plugin cleans up after itself. All plugin settings will be removed from your database when the plugin is uninstalled via the Plugins screen.

¿Te gusta el plugin?

Si te gusta BBQ, por favor dedica un momento para dejar una valoración de 5 estrellas. Ayuda a mantener activo el desarrollo y el soporte. ¡Gracias!


How to test that the plugin is working?

To test that the plugin is working, you can request any of the blocked patterns. For example, visit your site’s homepage and enter the following URL:

Replace with your site’s actual domain. If BBQ is active, the request for that URL will be blocked (with a «403 Forbidden» status). This means the plugin is working properly. You can test other patterns as well. To view all the patterns blocked by BBQ, look at the function bbq_core() located in block-bad-queries.php.

¿Ofreces otros plugins de seguridad?

Yes, three of them:

Pro versions with more features available at Plugin Planet.

¿Necesito hacer algo más para que BBQ funcione?

No, solo instala y relájate sabiendo que BBQ está protegiendo tu sitio de las peticiones URL maliciosas.

No veo ningún tipo de ajuste ¿Dónde está la configuración?

¡No hay que configurar nada en BBQ! Todo se hace automáticamente en segundo plano. Configuración cero. La versión gratuita de BBQ es estrictamente plug-n-play, set-it-and-forget-it, sin ningún ajuste a configurar. Simplemente instala, activa y disfruta de una seguridad mejorada y una protección robusta contra peticiones maliciosas. La versión Pro de BBQ es igual de rápida y fácil de usar, pero es mucho más potente e incluye ajustes robustos para personalizar y afinar tu cortafuegos.

Is BBQ free version compatible with Wordfence?

¿Tiene sentido usar ambos? Sí, BBQ free y BBQ Pro son compatibles con cualquier plugin escrito de acuerdo a la API WP. Y sí, hay beneficios al usar BBQ con cualquier otro plugin de seguridad, Wordfence incluido. Protegen contra diferentes amenazas, por lo que si usas los dos estarás más seguro.

¿BBQ hace cambios en mi archivo .htaccess?

Por supuesto que no. A diferencia de otros plugins de seguridad/cortafuegos, ni BBQ (versión gratuita) ni BBQ Pro hacen cambios en ningún archivo .htaccess.

¿BBQ hace cambios en mi base de datos de WP?

No, la versión gratuita de BBQ se ejecuta cuando se carga cada página; no hace ningún cambio en la base de datos de WP.

¿BBQ bloquea cadenas maliciosas incluidas en arrays?

Sí, BBQ analiza los arrays incluidos en las peticiones URI. Si se encuentran patrones coincidentes, se bloquea la petición.

¿Mi plugin escáner/comprobador PHP dice que hay un error?

For example, if your PHP/plugin scanner reports something like, «found 0x3c62723e which is bad.» Normally you would not want to find such bad strings of code, but there is an exception for security plugins. Think about it: in order to block some nasty string, BBQ must know about it. So each bad string that is blocked by BBQ is included in the plugin «blacklist». That means, when some PHP scanner looks at BBQ and finds some known bad strings, it just means that the scanner has discovered BBQ’s list of blocked terms. In other words, BBQ contains static strings of non-functional text, in order to match and block malicious requests to your site. I hope this makes sense, feel free to contact me if I may provide any further infos.

¿Necesito WordPress para usar BBQ?

¡No! BBQ está disponible en las siguientes modalidades:

Así que puedes echar un vistazo al script PHP autónomo para sitios que no están ejecutando WordPress.

¿Puedo usar BBQ y el cortafuegos 6G/7G al mismo tiempo?

Pregunta completa: «Exceptuando las reglas que puedan solaparse, es contraproducente (por ejemplo: ralentización del sitio, conflictos potenciales, errores) o hay algún riesgo si se usa 6G/7G Firewall + BBQ al mismo tiempo?»

Answer: It’s fine to run both BBQ and 6G/7G Firewall at the same time. Both firewalls are super fast, so they won’t slow things down. In other words the two firewalls play well together. The only downside is that some of the rules will be redundant, but there should be no negative impact on performance. The upside is that you get extra protection when using both, as there are variations in the firewall rules and patterns, etc.

My PHP checker found something?

If you are using some PHP checker that’s reporting an error or bad string in BBQ, it’s a false positive and safe to ignore. Why? Because the PHP checker is finding the static strings/patterns that BBQ uses to identify and block bad requests. In other words, your PHP checker is finding a static string thinking it is live code. It’s not. If possible, please take a moment to report this to the developers of your PHP checker. They should be happy to improve the accuracy and quality of their plugin. More info.

How to enable logging?

You can use a free addon to display the total number of blocked requests on the BBQ settings page. Here is a guide that explains how to set it up.

Alternately, BBQ can be configured to log the matching pattern for each blocked request. When match-logging is enabled, BBQ will add a log entry in the site’s default error log. To enable match logging, use the free customize plugin.

Note that the Pro version of BBQ displays the current block count for each firewall rule, like this. All automatic, fiddling with code NOT required 🙂

¿Tienes alguna pregunta?

Send any questions or feedback via my contact form.


26 de mayo de 2023
I have made a living as a WP developer for close to 20 years and have almost seen it all during that time. I manage a lot of sites for myself and for clients. This is one of the most useful plugins that I have come across in the security space. I liked it so much, I sprung for the Pro version which adds a few extra features. Certainly, you could get by with .htaccess rules (either yourself, or with what Jeff provides), but this makes it much easier to implement. I really have made use of the adding custom patterns feature, and the tracking of blocked attempts shows that this is very effective. It's a simple plugin, really, which is what I like most. As a WP developer, I could have written my own, but for what Jeff charges for the Pro version, it makes more sense to just buy his. For the clown who rated it 1 star - that guy didn't really have a clue what he was talking about, and appeared to be someone who thinks he knows what he's talking about but doesn't - that's the most dangerous kind of administrator. Seriously, this is exactly what a WAF is and is supposed to be, and it works great for what it is. Yes, there are other means of intrusion, and this plugin doesn't address those - it's not a "end-all-be-all" which is what I like about it. Those plugins that try to do it all usually end up being complex, bloated, intrusive, and an all-around a pain to work with. Instead, Jeff has produced a plugin that does one thing and does it perfectly with clean code and very light overhead.
17 de marzo de 2023
BBQ gives me peace of mind!And so compact... Thanks Jeff!
15 de marzo de 2023
This is the plugin I install on every WordPress installation. It protects site from SQL injection attacks and doesn't have any settings. Just install and activate, wonderful!
26 de mayo de 2022
There is a kind of collective misunderstanding regarding “security and protection” in the WordPress system, and the developer of this plugin understands the matter perfectly. This plugin, despite its apparent simplicity, is an important piece among other precautions that site administrators should take to protect their sites. Keep up the good work, Jeff!
Leer todas las 119 reseñas

Colaboradores y desarrolladores

«BBQ Firewall – Fast & Powerful Firewall Security» es un software de código abierto. Las siguientes personas han colaborado con este plugin.


«BBQ Firewall – Fast & Powerful Firewall Security» ha sido traducido a 14 idiomas locales. Gracias a los traductores por sus contribuciones.

Traduce «BBQ Firewall – Fast & Powerful Firewall Security» a tu idioma.

¿Interesado en el desarrollo?

Revisa el código , echa un vistazo al repositorio SVN o suscríbete al registro de desarrollo por RSS.

Registro de cambios

Si te gusta BBQ, por favor dedica un momento para dejar una valoración de 5 estrellas. Ayuda a mantener activo el desarrollo y el soporte. ¡Gracias!


  • Adds action hook bbq_response
  • Adds filter hook bbq_count_plugin_path
  • Adds button to test firewall active
  • Streamlines firewall functionality
  • Tweaks styles on plugin settings page
  • Appends version number to CSS/JS URLs
  • Improves logic when calling get_current_screen()
  • Adds rate and support links to plugin settings page
  • Adds bbq_long_req_length filter for long-request length
  • Displays blocked count on settings screen (when enabled)
  • Updates whitelist/blacklist addons
  • Updates customize addon
  • Adds plugin screenshots on settings page
  • Generates new translation template
  • Tests on WordPress 6.1 + 6.2 (beta)
  • Tests on PHP 8.1 and 8.2


  • Adds custom footer text to plugin settings
  • Improves plugin documentation
  • Updates translation template
  • Tests on WordPress 6.1


  • Removes .inc from firewall patterns
  • Tests on WordPress 6.0


  • Disables POST data scanning by default
  • Tests on WordPress 5.9


  • Refactors for improved performance
  • Improves checking of POST requests
  • Adds filter hook post_items
  • Adds filter hook bbq_post_scanning
  • Adds /.env to Request URI patterns
  • Adds c99.php to Request URI patterns
  • Updates blacklist and customize addons
  • Improves loading of translations
  • Updates some links to external resources
  • Changes minimum required WP version to 4.6
  • Tests on WordPress 5.9


  • Removes ambien from referrer patterns
  • Tests on WordPress 5.8


  • Removes zune pattern from user agents
  • Removes ninja pattern from user agents
  • Tests on WordPress 5.7


  • Tweaks query string pattern for optimal matching
  • Further tests on WordPress 5.6


  • Removes order pattern from Query String rules
  • Removes ahrefs pattern from User Agent rules


  • Removes python from the User Agent rules
  • Adds filter for URI long-request blocking
  • Adds filter for enabling logging of blocked requests
  • Releases customize plugin to change default functionality
  • Further tests on WordPress 5.6


  • Improves XSS protection
  • Improves logic of bbq_core()
  • Integrates 7G patterns to firewall rules
  • Removes some redundant firewall patterns
  • Adds protection against excessive characters
  • Adds logging functionality (disabled by default)
  • Adds filter hooks to customize blocked response
  • Replaces guangxiymcd with www\.(.*)\.cn
  • Changes plugin name to «BBQ Firewall»
  • Updates default translation template
  • Updates/refines readme.txt
  • Tests on PHP 7.4 and 8.0
  • Tests on WordPress 5.6


  • Replaces guangxiymcd with wildcard match www.(.*).cn
  • Refines readme/documentation
  • Tests on WordPress 5.5


  • Adds guangxiymcd to Request URI and Query String patterns
  • Tests on WordPress 5.4 + 5.5 (alpha)


  • Tests on WordPress 5.4


  • Changes to plugins_url() for BBQ_URL constant
  • Tests on WordPress 5.3


  • Updates some links to https
  • Tests on WordPress 5.3 (alpha)


  • Bumps minimum PHP version to 5.6.20
  • Adds activation check if BBQ Pro is active
  • Updates default translation template
  • Tests on WordPress 5.2


  • Improves function bbq_action_links()
  • Refines plugin settings screen UI
  • Generates new default translation template
  • Tests on WordPress 5.1 and 5.2 (alpha)


  • Tests on WordPress 5.1


  • Adds homepage link to Plugins screen
  • Updates default translation template
  • Tests on WordPress 5.0


  • Removes .tar from Request URI patterns
  • Adds rel="noopener noreferrer" to all blank-target links
  • Updates GDPR blurb and donate link
  • Regenerates default translation template
  • Further tests on WP 4.9 and 5.0 (alpha)


  • Adds xrumer to blocked query strings and request URIs
  • Adds indoxploi to blocked query strings and request URIs
  • Generates new translation template
  • Tests on WordPress 5.0


  • Updates readme.txt 🙂
  • Tests on WordPress 4.9


  • Changes \/\.tar to \.tar in Request patterns
  • Changes \/\.bash to \.bash in Request patterns
  • Adds new User Agent patterns: shellshock, md5sum, \/bin\/bash
  • Adds new Request patterns: @@, @eval, \/file\:, \/php\:, \.cmd, \.bat, \.htacc, \.htpas, \.pass, usr\/bin\/perl, var\/lib\/php, wp-config\.php
  • Adds new Query String patterns: @@, \(0x, 0x3c62723e, \(\)\}, \:\;\}\;, \;\!--\=, @eval, eval\(, base64_, UNION(.*)SELECT, \/config\., \/wwwroot, \/makefile, \$_session, \$_request, \$_env, \$_server, \$_post, \$_get, phpinfo\(, shell_exec\(, file_get_contents, allow_url_include, disable_functions, auto_prepend_file, open_basedir, (benchmark|sleep)(\s|%20)*\(
  • Tests on WordPress 4.9


  • Changed menu item name to «BBQ Firewall»
  • Tests on WordPress 4.9 (alpha)


  • Adds plugin settings page
  • Adds French translation (thanks to Bouzin)
  • Generates new default translation template
  • Tests on WordPress version 4.8


  • Replaces esc_html with esc_attr for link title attributes
  • Changes stable tag from trunk to latest version
  • Adds &raquo; to rate this plugin link
  • Updates URL for rate this plugin link
  • Moves «Go Pro» link to action links
  • Renames action/meta link functions
  • Updates default translation template
  • Tests on WordPress version 4.7 (beta)


  • Added translation support
  • Added plugin icons and larger banner
  • General fine-tuning and testing
  • Tested on WordPress 4.6


  • Removed \:\/\/ from Request URI and Query String patterns (see this thread)
  • Added (benchmark|sleep)(\s|%20)*\( to Request URI patterns (thanks to smitka)
  • Tested on WordPress 3.5 beta


  • Added \.php\([0-9]+\), __hdhdhd.php to URI patterns (Thanks to George Lerner)
  • Added acapbot, semalt to User Agent patterns (Thanks to George Lerner)
  • Replaced UNION.*SELECT with UNION(.*)SELECT in Request URI patterns
  • Added morfeus, snoopy to User Agent patterns
  • Refactored redirect/exit functionality
  • Renamed rate_bbq() to bbq_links()
  • Tested with WordPress 4.4 beta


  • Tested on WordPress 4.3
  • Updated minimum version requirement
  • Highlighted Pro link on Plugins screen


  • Added wp-config.php to query-string patterns
  • Added plugin link to BBQ Pro
  • Testing on WP 4.3 (alpha)


  • Tested with WP 4.2 and 4.3 (alpha)
  • Replaced some http with https in readme.txt


  • introduce bbq_core()
  • tested on latest WP
  • tightened up code


  • tested on latest version of WordPress (4.0)
  • retested on Multisite
  • increased minimum version requirement to WP 3.7


  • Bugfix: added conditional checks for empty variables


  • tested on latest version of WordPress (3.8)
  • added link to rate plugin


  • removed ?> from script
  • added optional line for blocking long URLs
  • added line to prevent direct access to BBQ script
  • added \;Nt\., \=Nt\., \,Nt\. to request URI items
  • tested on latest version of WordPress (3.7)


  • replaced Nt\. with \/Nt\. (resolves comment editing/approval issue)


  • removed https\: (from previous version)
  • replaced \/https\/ with \/https\:
  • replaced \/http\/ with \/http\:
  • replaced \/ftp\/ with \/ftp\:


  • removed block for jakarta in user-agents
  • removed union from query strings
  • added to request-URI: \%2Flocalhost, Nt\., https\:, \.exec\(, \)\.html\(, \{x\.html\(, \(function\(
  • resolved PHP Notice «Undefined Index» via isset()


  • removed block for CONCAT in request-URI
  • removed block for environ in query-string
  • removed block for %3C and %3E in query-string
  • removed block for %22 and %27 in query-string
  • removed block for [ and ] in query-string (to allow unsafe characters used in WordPress)
  • removed block for ? in query-string (to allow unsafe character used in WordPress)
  • removed block for : in query-string (to allow unsafe character used by Google)
  • removed block for libwww in user-agents (to allow access to Lynx browser)


  • Removed : match from query string (Google disregards encoding)
  • Removed scanner from query string from query string match
  • Streamlined source code for better performance (thanks to juliobox)

Older versions

  • 2012/10/27 – Disabled check for long strings, disabled check for scanner
  • 2012/10/26 – Rebuilt plugin using 5G/6G technology
  • 2011/02/21 – Updated readme.txt file
  • 2009/12/30 – Added check for admin users
  • 2009/12/30 – Additional request strings added