The BBQ Firewall Plugin for WordPress Isn’t a “Powerful WAF”
One of the most recent reviews for the BBQ firewall plugin for WordPress is titled “Not a real firewall..” and the author makes this claim:
I had the PRO version and it doesn’t stop the real hacks.
Part of the response from the developer was this:
It’s used by thousands of users for over 10 years, has an excellent rating, and tons of positive reviews. BBQ’s track record and effectiveness as a powerful WAF speak for itself.
None of that is actual evidence that the firewall is effective or powerful, despite the developer claiming that it speaks for itself. As most websites are not being hacked, it is easy to find people who believe a security product or service works, even if it does nothing. The developer also pushes for positive reviews with messages like this:
If you like BBQ, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!
The developer actually has been told in the past that the plugin isn’t powerful, but he has ignored reality. Specifically, we wrote a post last year mentioning that the plugin doesn’t provide much protection. We were contacted by someone who brought that to the developer’s attention. The developer’s response to that was forwarded to us. We won’t quote that response, but the summarized version is that they treated the examples mentioned in the post as if they were the only issues with the plugin. That is despite those being mentioned as only examples of the broader issue of limited protection.
We are sure that the forwarded email was legitimate, because the developer subsequently made a change related to it. In version 20220118, one of the changelog entries is “Improves checking of POST requests”, which relates to one of the examples we gave: that POST input wasn’t being checked. Just four days later version 20220122 was released, and its changelog indicated that the change had been turned off: “Disables POST data scanning by default”.
As the plugin touts that it is “100% plug-&-play, zero configuration”, you can’t actually enable the feature through the plugin. Instead, you would need to install another plugin and manually change a file in it to enable that feature.
Enabling the feature, though, doesn’t address the limited protection provided by the plugin. One way to see that is through the automated testing we do to check whether WordPress firewall plugins provide protection against the same threats that our firewall blocks. BBQ Firewall currently provides protection against only 3.92% of the malicious requests. By comparison, the best competing firewall plugin, NinjaFirewall, provides protection against 35.9%. Enabling BBQ’s “POST data scanning” doesn’t change the situation much, as it then protects against 5.23%.
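To make the POST gap concrete, here is an added illustration (not the plugin's code; the rule list, the sample requests and the field names are constructed for this example) of why a filter that only inspects the request line misses identical input when it arrives in a POST body, and why a coverage test has to send the same test string both ways:

```python
"""Added illustration, not BBQ's code: a toy request filter run with and
without POST body scanning. Rules and sample traffic are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed, deliberately tiny rule set; real WAF rule sets are far broader.
RULES = [re.compile(p, re.I) for p in (r"\.\./", r"<script", r"union\s+select")]


def matches(text: str) -> bool:
    """True if any rule fires on the (already percent-decoded) text."""
    return any(r.search(text) for r in RULES)


def _values(query: str) -> list:
    """Decode a query-string-shaped blob into its parameter values."""
    return [v for vs in parse_qs(query).values() for v in vs]


def inspect(request: dict, scan_post: bool) -> str:
    """Return 'blocked' or 'allowed'. With scan_post=False only the request
    line (path + query string) is examined, mirroring a firewall whose POST
    data scanning is disabled by default."""
    url = urlsplit(request["uri"])
    fields = [url.path] + _values(url.query)
    if scan_post and request["method"] == "POST":
        fields += _values(request.get("body", ""))
    return "blocked" if any(matches(f) for f in fields) else "allowed"


# Constructed sample traffic: the same test strings sent via GET and via POST.
# "bad" marks the requests a coverage test expects to be blocked.
SAMPLES = [
    {"method": "GET", "uri": "/?s=hello", "bad": False},
    {"method": "GET", "uri": "/?s=%3Cscript%3Ealert(1)", "bad": True},
    {"method": "POST", "uri": "/wp-comments-post.php",
     "body": "comment=%3Cscript%3Ealert(1)", "bad": True},
    {"method": "POST", "uri": "/wp-login.php",
     "body": "log=user&pwd=..%2F..%2Fetc%2Fpasswd", "bad": True},
]


def coverage(scan_post: bool) -> tuple:
    """(blocked, total) over the samples marked bad: the same kind of
    ratio the percentages in the text come from."""
    bad = [s for s in SAMPLES if s["bad"]]
    blocked = sum(inspect(s, scan_post) == "blocked" for s in bad)
    return blocked, len(bad)
```

With body scanning off, only the GET variant is caught (1 of 3); turning it on catches all three, which is exactly the difference a test suite that only sends GET requests would never measure.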
When looking at a WordPress firewall, or more broadly at security products and services, what you want to look for is evidence, preferably from independent testing, that it provides effective protection. Looking at reviews and install counts, as this plugin shows, isn’t going to give a good sense of the security provided.