Plugins DatabasePlugins Database logo
Back to plugins
Homepage WordPress

Actions

DownloadAuthor pageSee on WordPress

Plugin info

Total downloads: 3,136,960
Active installs: 100,000
Total reviews: 154
Average rating: 4.9
Support threads opened: 2
Support threads resolved: 2 (100%)
Available in: 19 language(s)
Contributors: 7
Last updated: 11/20/2025 (40 days ago)
Added to WordPress: 3/5/2010 (15 years old)
Minimum WordPress version: 4.7
Tested up to WordPress version: 6.9
Minimum PHP version: 7.1

Maintenance & Compatibility

Maintenance score

Actively maintained • Last updated 40 days ago • Support resolved 100% • 154 reviews

78/100

Is BBQ Firewall – Fast & Powerful Firewall Security abandoned?

Likely maintained (last update 40 days ago).

Compatibility

Requires WordPress: 4.7
Tested up to: 6.9
Requires PHP: 7.1

Ratings

151
1
0
0
2See all reviews

Developers

Julio Potier (Owner)26Jeff Starr (Owner)31Julio Potier81wp-website-mastery1John H1Aldo Latino1

Languages

Spanish (Spain)32,360Dutch30,206Russian27,196French (France)20,849German19,853Spanish (Venezuela)17,048Italian15,565Swedish14,890Dutch (Formal)11,736Dutch (Belgium)10,363German (Formal)9,953Persian8,053Spanish (Chile)8,024Greek5,862Korean5,844Slovak5,058Croatian4,253Galician4,008

Similar & Alternatives

Explore plugins with similar tags, and compare key metrics like downloads, ratings, updates, support, and WP/PHP compatibility.

Wordfence Security – Firewall, Malware Scan, and Login Security
Rating 4.7/5 (4,733 reviews)Active installs 5,000,000
Compare
Security Optimizer – The All-In-One Protection Plugin
Rating 4.6/5 (149 reviews)Active installs 900,000
Compare
RSFirewall!
Rating 5.0/5 (5 reviews)Active installs 4,000
Compare
SiteLock Security – WP Hardening, Login Security & Malware Scans
Rating 3.2/5 (13 reviews)Active installs 1,000
Compare
IP Threat Blocker
Rating 5.0/5 (7 reviews)Active installs 70
Compare
Sabres Security Website Protection
Rating 0.0/5 (0 reviews)Active installs 10
Compare
See more alternatives to BBQ Firewall – Fast & Powerful Firewall Security

Description

🔥 Install, activate, and done!
🔥 Powerful protection from WP’s fastest firewall plugin.

BBQ Firewall is a lightweight, blazing-fast firewall plugin that protects your site against a wide range of threats. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong Apache/.htaccess firewall.

🔥 Adds a strong firewall to ANY WordPress site
🔥 Works with all WordPress plugins and themes

Powerful Protection

BBQ protects your site against many threats:

  • SQL injection attacks
  • Executable file uploads
  • Directory traversal attacks
  • Unsafe character requests
  • Excessively long requests
  • PHP remote/file execution
  • XSS, XXE, and related attacks
  • Protects against bad bots
  • Protects against bad referrers
  • Protects against bad POST content
  • Protects against many other bad requests

🔥 Works great with Blackhole for Bad Bots and Banhammer

Awesome Features

BBQ provides all the best firewall features:

  • Rated 5 stars at WordPress.org
  • 100% plug-&-play, zero configuration
  • 100% focused on security and performance
  • Blocks a wide range of malicious URL requests
  • Fastest Web Application Firewall (WAF) for WordPress
  • Based on the 7G/8G Firewall
  • Scans all incoming traffic and blocks bad requests
  • Scans all types of requests: GET, POST, PUT, DELETE, etc.
  • Protects against known bad bots and referrers
  • Works silently behind the scenes to protect your site
  • Hassle-free security plugin that’s easy to use
  • Thoroughly tested, error-free performance
  • Extremely low rate of false positives
  • Compatible with other security plugins
  • Regularly updated and “future proof”
  • Firewall < 10 kilobytes in size
  • Lightweight, fast and flexible

🔥 For advanced protection and features, check out BBQ Pro »

Exclusive Pro Version Features

  • Customize firewall via plugin settings
  • Easily add or remove firewall patterns
  • Easily add Jeff Starr’s AI Block List
  • Send Email Alerts for blocked requests
  • Quickly enable/disable firewall rules
  • Disable firewall for logged-in users
  • Block excessively long URI requests
  • Protect against XML-RPC exploits
  • Block any individual IP address
  • Block entire ranges of IP addresses
  • Protect against user-ID phishing
  • Redirect all blocked requests
  • Display a custom “blocked” message
  • Set your own response status code
  • Complete inline documentation
  • Statistics for blocked requests
  • Tools to reset options and patterns
  • Import and Export firewall patterns
  • One-click pattern testing
  • Whitelist IP addresses

..plus everything the free version can do and more.

🔥 Learn more and get BBQ Pro »

Privacy

This plugin does not collect or store any user data. It does not set any cookies, and it does not connect to any third-party locations. Thus, this plugin does not affect user privacy in any way.

BBQ Firewall is developed and maintained by Jeff Starr, 15-year WordPress developer and book author.

🔥 BBQ = Block Bad Queries

Support development

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

Links, tweets and likes also appreciated. Thank you! 🙂

Installation

Installing BBQ

  1. Install, activate, done.

Once active, BBQ automatically protects your site against threats. Quietly, behind the scenes. For more control and stronger protection, check out BBQ Pro »

More info on installing WP plugins

Customizing

Note that the Pro version of BBQ makes it possible to customize patterns and everything else directly via the plugin settings, with a click. BBQ Pro also displays the current block count for each firewall rule, like this.

Uninstalling

This plugin cleans up after itself. All plugin settings will be removed from the WordPress database when the plugin is uninstalled via the Plugins screen.

Like the plugin?

If you like BBQ, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

Frequently Asked Questions

How to test that the plugin is working?

To test that the plugin is working, you can request any of the blocked patterns. For example, visit your site’s homepage and enter the following URL:

https://example.com/eval(

Replace example.com with your site’s actual domain. If BBQ is active, the request for that URL will be blocked (with a “403 Forbidden” status). This means the plugin is working properly. You can test other patterns as well. To view all the patterns blocked by BBQ, look at the function bbq_core() located in block-bad-queries.php.

Do you offer any other security plugins?

Yes, three of them:

Pro versions with more features available at Plugin Planet.

Do I need to do anything else for BBQ to work?

Nope, just install and relax knowing that BBQ is protecting your site from bad URL requests.

Where are the plugin settings?

No settings needed for BBQ! Everything is done automatically behind the scenes. Zero configuration required. The free version of BBQ is strictly plug-n-play, set-it-and-forget-it, with no settings to configure whatsoever. Just install, activate, and enjoy better security and robust protection against malicious requests. The Pro version of BBQ is just as fast and simple to use, but is much more powerful and includes robust settings to customize and fine-tune your firewall.

Is BBQ free version compatible with Wordfence?

Does it makes sense to use both? Yes BBQ free and BBQ Pro are both compatible with any plugin written according to the WP API. And yes, there is benefit to using BBQ with any other security plugin, including Wordfence. They protect against different threats, so using both means you are extra secure.

Does BBQ make changes to my .htaccess file?

Absolutely not. Unlike other security/firewall plugins, neither BBQ (free version) nor BBQ Pro make any changes to any .htaccess file.

Does BBQ make any changes to my WP database?

No, the free version of BBQ operates as each page is loaded; it does not make any changes whatsoever to the WP database.

Does BBQ block malicious strings included in arrays?

Yes, BBQ scans any arrays that are included in the URI request. If any matching patterns are found, the request is blocked.

My PHP scanner/checker plugin says there is an error?

For example, if your PHP/plugin scanner reports something like, “found 0x3c62723e which is bad.” Normally you would not want to find such bad strings of code, but there is an exception for security plugins. Think about it: in order to block some nasty string, BBQ must know about it. So each bad string that is blocked by BBQ is included in the plugin “blacklist”. That means, when some PHP scanner looks at BBQ and finds some known bad strings, it just means that the scanner has discovered BBQ’s list of blocked terms. In other words, BBQ contains static strings of non-functional text, in order to match and block malicious requests to your site. I hope this makes sense, feel free to contact me if I may provide any further infos.

Do I need WordPress to run BBQ?

Nope! BBQ is available in the following flavors:

So you can check out the Standalone PHP Script for sites that are not running WordPress.

Can I use BBQ and 7G/8G Firewall at the same time?

Full question: “Except most of the rules overlapping, is it counter productive (site slowing down for example, potential conflicts, bugs) or is there any risks using 7G/8G Firewall + BBQ at the same time?”

Answer: It’s fine to run both BBQ and 7G/8G Firewall at the same time. Both firewalls are super fast, so they won’t slow things down. In other words the two firewalls play well together. The only downside is that some of the rules will be redundant, but there should be no negative impact on performance. The upside is that you get extra protection when using both, as there are variations in the firewall rules and patterns, etc.

My PHP checker found something?

If you are using some PHP checker that’s reporting an error or bad string in BBQ, it’s a false positive and safe to ignore. Why? Because the PHP checker is finding the static strings/patterns that BBQ uses to identify and block bad requests. In other words, your PHP checker is finding a static string thinking it is live code. It’s not. If possible, please take a moment to report this to the developers of your PHP checker. They should be happy to improve the accuracy and quality of their plugin. More info.

How to enable logging?

You can use a free addon to display the total number of blocked requests on the BBQ settings page. Here is a guide that explains how to set it up.

Alternately, BBQ can be configured to log the matching pattern for each blocked request. When match-logging is enabled, BBQ will add a log entry in the site’s default error log. To enable match logging, use the free customize plugin.

Note that the Pro version of BBQ displays the current block count for each firewall rule, like this. All automatic, fiddling with code NOT required 🙂

Got a question?

Send any questions or feedback via my contact form.

Review feed

Chad Butler
5/26/2023

Great lightweight security

I have made a living as a WP developer for close to 20 years and have almost seen it all during that time. I manage a lot of sites for myself and for clients. This is one of the most useful plugins that I have come across in the security space. I liked it so much, I sprung for the Pro version which adds a few extra features. Certainly, you could get by with .htaccess rules (either yourself, or with what Jeff provides), but this makes it much easier to implement. I really have made use of the adding custom patterns feature, and the tracking of blocked attempts shows that this is very effective. It's a simple plugin, really, which is what I like most. As a WP developer, I could have written my own, but for what Jeff charges for the Pro version, it makes more sense to just buy his. For the clown who rated it 1 star - that guy didn't really have a clue what he was talking about, and appeared to be someone who thinks he knows what he's talking about but doesn't - that's the most dangerous kind of administrator. Seriously, this is exactly what a WAF is and is supposed to be, and it works great for what it is. Yes, there are other means of intrusion, and this plugin doesn't address those - it's not a "end-all-be-all" which is what I like about it. Those plugins that try to do it all usually end up being complex, bloated, intrusive, and an all-around a pain to work with. Instead, Jeff has produced a plugin that does one thing and does it perfectly with clean code and very light overhead.
defmans7
8/7/2023

Great plugin - very handy.

After discovering this plugin, I use it all the time for smaller projects and sometimes for larger projects - doesn't seem to add too much overhead but gives great piece of mind.
Aurélien Denis
5/6/2025

Great plugin and fast support

BBQ is a lightweight plugin, install it and forget it!

Screenshots

No screenshots available

Changelog

If you like BBQ, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

2025/11/20

  • Restores bbq_languages() function
  • Renames expiration function bbq_check_date_expired
  • Updates plugin settings page
  • Improves readme.txt documentation
  • Generates new language template
  • Tests on WordPress 6.9 (beta)

Full changelog @ https://plugin-planet.com/wp/changelog/block-bad-queries.txt

Back to plugins