29 Sep 2021

The BBQ Firewall Plugin for WordPress Isn’t a “Strong Firewall”

A clear takeaway of our testing of whether WordPress security plugins can protect against vulnerabilities in other plugins is that the developers of these plugins are making inaccurate, to highly inaccurate, claims about the protection they provide. One of those plugins, which we took a closer look at while addressing a question from someone, is BBQ Firewall. That plugin has 100,000+ installs, according to the wordpress.org stats.

In one of the most recent topics on the support forum for it, the developer claimed it is a “strong firewall”:

In general, I can tell you that BBQ adds a strong firewall that is super fast.

In our testing so far, the plugin has only provided protection once, and that protection was easily bypassed. Looking at the underlying code, you get a good understanding of why that is, since the plugin doesn’t even check much of the input coming into the website. Even the input it does check, it checks in a fairly limited way.

What it checks are the URL (in two different ways), the user agent of the request, and the referer for the request:

// Only these four request values are ever assigned for inspection;
// nothing from the request body ($_POST) is read.
if (isset($_SERVER['REQUEST_URI'])     && !empty($_SERVER['REQUEST_URI']))     $request_uri_string  = $_SERVER['REQUEST_URI'];
if (isset($_SERVER['QUERY_STRING'])    && !empty($_SERVER['QUERY_STRING']))    $query_string_string = $_SERVER['QUERY_STRING'];
if (isset($_SERVER['HTTP_USER_AGENT']) && !empty($_SERVER['HTTP_USER_AGENT'])) $user_agent_string   = $_SERVER['HTTP_USER_AGENT'];
if (isset($_SERVER['HTTP_REFERER'])    && !empty($_SERVER['HTTP_REFERER']))    $referrer_string     = $_SERVER['HTTP_REFERER'];

So, for example, anything sent as POST data won’t be checked at all. That is not what someone reading the plugin’s marketing material would be led to believe, as this is one of the claims made about it:

Scans all types of requests: GET, POST, PUT, DELETE, etc.

While it does scan POST requests, it doesn’t actually scan the POST data in them, which makes the claim rather meaningless.

But even for the inputs it does check, it doesn’t check for much. Here are the things it claims to protect against:

  • SQL injection attacks
  • Executable file uploads
  • Directory traversal attacks
  • Unsafe character requests
  • Excessively long requests
  • PHP remote/file execution
  • XSS, XXE, and related attacks
  • Protects against bad bots
  • Protects against bad referrers
  • Plus many other bad requests

But say a hacker includes JavaScript code intended to cause cross-site scripting (XSS) in either the user agent or the referer (something that would be done when exploiting certain vulnerabilities). The plugin doesn’t check for XSS in either of those inputs, only in the URL. Here, for example, are the things the referer is checked for:

// The entire referer check: a list of spam keywords, nothing related to XSS or injection.
$referrer_array     = apply_filters('referrer_items', array('blue\s?pill', 'ejaculat', 'erectile', 'erections', 'hoodia', 'huronriver', 'impotence', 'levitra', 'libido', 'lipitor', 'phentermin', 'pro[sz]ac', 'sandyauer', 'semalt\.com', 'todaperfeita', 'tramadol', 'ultram', 'unicauca', 'valium', 'viagra', 'vicodin', 'xanax', 'ypxaieo'));

It isn’t clear what purpose checking for spam keywords serves from a security perspective.
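To make the coverage gap described in the two passages above concrete (POST data never inspected; headers checked only against a keyword list), here is an added illustration. It is not BBQ Firewall’s code: it contrasts a check limited to the same four inputs the plugin reads with one that also walks the POST body. The deny-list patterns, the function names and the sample requests are all constructed for the demonstration.

```php
<?php
// Added illustration for this post; it is not BBQ Firewall's code.
// The pattern list and the sample requests below are constructed for the demo.

$demo_patterns = array(
    '/\.\.\//',          // directory traversal
    '/<script\b/i',      // script tag, the usual XSS marker
    '/union\s+select/i', // crude SQL injection marker
);

// Return array(source, pattern) for the first hit, or null if nothing matched.
function first_match(array $inputs, array $patterns) {
    foreach ($inputs as $source => $value) {
        if (!is_string($value) || $value === '') {
            continue;
        }
        foreach ($patterns as $pattern) {
            if (preg_match($pattern, $value)) {
                return array($source, $pattern);
            }
        }
    }
    return null;
}

// The same four $_SERVER values the post quotes, keyed by their names.
function uri_and_header_inputs(array $server) {
    $keys   = array('REQUEST_URI', 'QUERY_STRING', 'HTTP_USER_AGENT', 'HTTP_REFERER');
    $inputs = array();
    foreach ($keys as $key) {
        $inputs[$key] = isset($server[$key]) ? $server[$key] : '';
    }
    return $inputs;
}

// Narrow check: $post is accepted but never read, which is the gap being shown.
function inspect_uri_and_headers_only(array $server, array $post, array $patterns) {
    return first_match(uri_and_header_inputs($server), $patterns);
}

// Flatten nested request arrays so fields like comment[body] are reached.
function flatten_fields($value, $prefix, array &$out) {
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            flatten_fields($v, $prefix . '[' . $k . ']', $out);
        }
    } else {
        $out[$prefix] = (string) $value;
    }
}

// Fuller check: the same four inputs plus every POST field.
function inspect_all_inputs(array $server, array $post, array $patterns) {
    $inputs = uri_and_header_inputs($server);
    flatten_fields($post, 'POST', $inputs);
    return first_match($inputs, $patterns);
}

// Constructed sample requests: one with traversal in the URL, one with a
// script tag that appears only in the POST body.
$requests = array(
    'traversal in query string' => array(
        'server' => array('REQUEST_URI' => '/?file=../../secret.txt',
                          'QUERY_STRING' => 'file=../../secret.txt',
                          'HTTP_USER_AGENT' => 'Mozilla/5.0', 'HTTP_REFERER' => ''),
        'post'   => array(),
    ),
    'script tag in POST body only' => array(
        'server' => array('REQUEST_URI' => '/wp-comments-post.php',
                          'QUERY_STRING' => '',
                          'HTTP_USER_AGENT' => 'Mozilla/5.0',
                          'HTTP_REFERER' => 'https://example.test/'),
        'post'   => array('comment' => array('body' => 'hi <script>alert(1)</script>')),
    ),
);

foreach ($requests as $label => $r) {
    $narrow = inspect_uri_and_headers_only($r['server'], $r['post'], $demo_patterns);
    $full   = inspect_all_inputs($r['server'], $r['post'], $demo_patterns);
    printf("%-30s uri/header-only: %-24s all inputs: %s\n",
        $label,
        $narrow ? 'hit in ' . $narrow[0] : 'clean',
        $full   ? 'hit in ' . $full[0]   : 'clean');
}
```

Run it with the PHP CLI (`php request_coverage.php`). The first sample is flagged by both functions because the traversal sequence sits in the request URI; the second is reported clean by the narrow check and flagged in `POST[comment][body]` only by the fuller one, which is exactly the distinction between “scanning POST requests” and scanning the data they carry.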

Making things more problematic is when the plugin runs. Another recent support request asked about running the plugin as a Must-Use plugin, and the developer’s response was that they hadn’t tried it. That is an important detail: early in the development of our plugin, we found that running that way was important, as otherwise other plugins can run before the firewall plugin, meaning the protection can come into play too late. We switched over to running as a Must-Use plugin by default after seeing that NinjaFirewall does that (for some reason the Wordfence Security plugin doesn’t).

When landing on the plugin’s page on the WordPress Plugin Directory, the first thing stated is this:

Install, activate, and done!
Powerful protection from WP’s fastest firewall plugin.

The plugin is likely fast, but that is because it doesn’t even attempt to provide powerful protection. If you are looking for at least a reasonable amount of protection without an unnecessary performance penalty, our testing has shown that the options available are either our upcoming WordPress firewall plugin or NinjaFirewall.
