
17 Mar 2023

BBQ Firewall Also Fails to Prevent SQL Injection Attack

In November, we wrote about how reviews for a WordPress security plugin were claiming that it protected against SQL injection, but testing showed it didn’t. A new review for another plugin, BBQ Firewall, which we happened across, made the same claim:

This is the plugin I install on every WordPress installation. It protects the site from SQL injection attacks and doesn’t have any settings. Just install and activate, wonderful!

What might explain the reviewer believing that is that the developer claims the plugin does it:

BBQ protects your site against many threats:

  • SQL injection attacks

Yesterday, we discussed an unfixed SQL injection vulnerability in a WordPress plugin with 100,000+ installs. We discovered that it was not fully fixed because an in-development SQL injection protection in our own firewall plugin was still blocking attempts to exploit the supposedly fixed version of the plugin. Because of how that protection works, that shouldn’t have happened if the vulnerability had actually been fixed.

We tested that vulnerability against the latest version of BBQ Firewall and it didn’t stop exploitation, so it failed to protect against a fairly basic SQL injection attack.

That it didn’t provide protection isn’t all that surprising, based on our previous posts about this security plugin. That vulnerability, like many SQL injection vulnerabilities, involves the SQL injection code being included as POST input, which is additional data sent with a request. BBQ Firewall doesn’t protect against malicious POST input by itself, even though the developer claims that it does:

Protects against bad POST content

Scans all types of requests: GET, POST, PUT, DELETE, etc.
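To make the two points above concrete, here is an added example (our own constructed illustration, not code from BBQ Firewall or from the vulnerable plugin) written in Python rather than PHP. The first part models a request firewall that only inspects the query string next to one that also inspects the form-encoded body, and runs both over constructed sample requests. The second part shows why fixing the plugin itself matters more than any firewall: the same input is run through a concatenated SQL statement and through a parameterized one against a throwaway in-memory SQLite table. The signature pattern, request shapes and table are assumptions made for the demonstration.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Toy signature for a few classic SQL injection fragments. This is a constructed
# illustration of how a request firewall matches input, not a real rule set.
SQLI_PATTERN = re.compile(
    r"'\s*or\s*'?\d+'?\s*=\s*'?\d+"   # ' OR '1'='1
    r"|\bunion\s+select\b"            # UNION SELECT ...
    r"|;\s*drop\s+table\b",           # ; DROP TABLE ...
    re.IGNORECASE,
)


def looks_like_sqli(value: str) -> bool:
    return bool(SQLI_PATTERN.search(value))


def _any_match(encoded: str) -> bool:
    # parse_qs decodes application/x-www-form-urlencoded data into {name: [values]}
    params = parse_qs(encoded)
    return any(looks_like_sqli(v) for values in params.values() for v in values)


def inspect_get_only(request: dict) -> bool:
    """Model of a firewall that inspects only the query string (GET input)."""
    return _any_match(request.get("query", ""))


def inspect_all_inputs(request: dict) -> bool:
    """Model of a firewall that inspects the query string and the form-encoded body."""
    return _any_match(request.get("query", "")) or _any_match(request.get("body", ""))


# Constructed sample requests; the payload is the textbook tautology, nothing plugin-specific.
SAMPLE_REQUESTS = [
    {"name": "benign GET", "query": "post_id=42", "body": ""},
    {"name": "injection via GET", "query": "post_id=42' OR '1'='1", "body": ""},
    {"name": "injection via POST", "query": "", "body": "post_id=42' OR '1'='1"},
]


def compare_firewalls(requests=SAMPLE_REQUESTS) -> dict:
    """Return {name: (blocked_by_get_only_firewall, blocked_by_full_firewall)}."""
    return {r["name"]: (inspect_get_only(r), inspect_all_inputs(r)) for r in requests}


def rows_returned(payload: str) -> tuple:
    """Run one payload through a concatenated query and a parameterized one.

    Returns (rows_from_vulnerable_query, rows_from_parameterized_query) against a
    small in-memory SQLite table standing in for a plugin's database access.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plugin_items (post_id TEXT, title TEXT)")
    conn.executemany("INSERT INTO plugin_items VALUES (?, ?)",
                     [("1", "first"), ("2", "second"), ("3", "third")])
    # Vulnerable form: untrusted input concatenated into the statement text.
    vulnerable = conn.execute(
        "SELECT title FROM plugin_items WHERE post_id = '" + payload + "'"
    ).fetchall()
    # Fixed form: the value is bound as a parameter and never parsed as SQL.
    fixed = conn.execute(
        "SELECT title FROM plugin_items WHERE post_id = ?", (payload,)
    ).fetchall()
    conn.close()
    return len(vulnerable), len(fixed)


if __name__ == "__main__":
    for name, (get_only, full) in compare_firewalls().items():
        print(f"{name:20s} GET-only firewall blocked: {get_only!s:5s} full firewall blocked: {full}")
    print("rows returned (vulnerable, parameterized):", rows_returned("42' OR '1'='1"))
```

The GET-only model blocks the tautology when it arrives in the query string and misses the identical value in the POST body, which is the gap discussed above. The SQLite part shows that the parameterized statement returns no rows for that input while the concatenated one returns every row, regardless of whether any firewall sits in front of it; a firewall is a second layer, not a substitute for fixing the query.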

Settings Not Accessible

As of one of our previous posts, BBQ Firewall didn’t even have the possibility of protecting against malicious content in POST input. After that, someone contacted the developer about that post and a capability to do that was added, but it can’t be turned on from within the plugin. The review we quoted above was touting that the plugin doesn’t have any settings, which isn’t true. It also isn’t actually good that the settings can’t be accessed through the plugin, as it means that important protection can’t be turned on without an additional plugin.

While settings bloat is a real problem with WordPress security plugins, the solution isn’t to remove them entirely. A better approach is what we have done with our own firewall plugin, which is to provide an approachable way to configure important settings and provide advanced controls for those that need it.

Weak Firewall

As the above shows, the firewall provides rather limited protection. One way to measure its protection against other firewall plugins is to look at the most recent run of the automated testing software we use to compare the amount of protection WordPress firewall plugins provide. The plugin provided the 11th best protection. The best free option in that testing provided over nine times as much protection.

Look For Evidence of Effectiveness

When considering a security product or service, you should look for evidence of effectiveness, preferably from independent testing. If the developer doesn’t offer that, they likely don’t know if what they provide works. As this plugin shows, that doesn’t stop them from making claims about what they are offering. It also usually means that what they are providing doesn’t provide good protection.


Plugin Security Scorecard Grade for BBQ Firewall (checked on June 17, 2025): D+
