A WordPress firewall is a security measure used to protect WordPress websites from various online threats, such as hacking attempts, malware injections, brute force attacks, and other malicious activities.
BBQ Firewall and BBQ Firewall Pro secure your WordPress sites by blocking referrers, query strings, user agents, URI paths and IP addresses.
BBQ Firewall is available for free in the WordPress repository as a plug-and-play plugin.
If you want to take the more advanced approach to WordPress security, you should consider getting yourself a copy of BBQ Firewall Pro.
BBQ Firewall Pro gives you the option to expand and customize the firewall so you can have an even more secure WordPress site.
This is my honest review of the plugin in case you are considering using its free or premium version to harden the security of your WordPress site.
Why Did I Buy BBQ Firewall Pro?
I didn’t want to buy BBQ Firewall Pro because I felt that Cloudflare Firewall Rules do a better job than BBQ.
Cloudflare is a cloud-based firewall and BBQ is an application-level firewall.
The problem with Firewall Rules is that they are limited to 5 if you are a Cloudflare Free plan user.
BBQ Firewall Pro is only $20 and you get lifetime updates so you don’t have to worry about one more subscription.
I didn’t think much about those $20 because Jeff Starr, the creator of the plugin, has made great contributions to WordPress security with his plugins.
His blog helped me a lot to create my custom Cloudflare Firewall.
I bought BBQ Firewall Pro because I thought it could help me deal with a bunch of sh*tty referrers I have been dealing with lately.
The plugin did what it promises, but the referrer part didn’t help block those referrers because I am using Cloudflare full-page caching, and that prevents the referrer blocking from working as expected.
So in the end, I didn’t end up using BBQ Firewall Pro to help me with the problem I am trying to solve.
That doesn’t mean the plugin doesn’t deliver what it promises.
BBQ Firewall Pro: Custom Firewall
I think that BBQ Firewall by default can secure your WordPress up to a certain point.
If I interpret what I have been reading in Jeff’s blogs, BBQ Firewall blocks certain query strings, user agents and requests that could be a focus of problems for most WordPress users out there.
The default firewall has been built from the problems that Jeff has dealt with in the past.
The magic of the Pro version of the plugin comes from the fact that you can build a custom firewall on top of what Jeff already built.
This is what the custom tab of the plugin looks like:
You can add as many patterns as you want to secure your WordPress site even more.
This could also be the problem for many WordPress users since they wouldn’t know what else to add there.
If you don’t know what to add there, you have to make a choice between these three:
- Learn more about what hackers and bots are looking for on WordPress sites.
- Stick to the free version of the plugin.
- Use a different plugin to handle WordPress security.
Having said that, you don’t need to turn into a WordPress security expert overnight. You can monitor your site’s 404 errors and try to find the patterns that you need to build your custom firewall.
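One way to mine 404 errors for candidate patterns, as an added example that is not part of the original review or the plugin's code. It assumes an access log in the Apache/Nginx combined format; the sample lines, the `candidate_patterns` name and the `min_hits` threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format:
# ip - user [time] "METHOD target PROTO" status size "referrer" "user-agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "example-scanner/1.0"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "example-scanner/1.0"
198.51.100.9 - - [10/May/2024:10:03:10 +0000] "GET /page.php?probe=constructed HTTP/1.1" 404 512 "http://spam-referrer.example/" "example-scanner/1.0"
198.51.100.9 - - [10/May/2024:10:03:11 +0000] "GET /other.php?probe=constructed HTTP/1.1" 404 512 "http://spam-referrer.example/" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:10:05:00 +0000] "GET /about-us/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:10:06:00 +0000] "GET /old-post/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

def candidate_patterns(log_text, min_hits=2):
    """Count 404 requests per URI path, query string, user agent and referrer.

    Returns, for each kind, the values seen at least min_hits times,
    most frequent first."""
    counts = {k: Counter() for k in ("path", "query", "agent", "referrer")}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # skip malformed lines and anything that was not a 404
        url = urlsplit(m["target"])
        counts["path"][url.path] += 1
        if url.query:
            counts["query"][url.query] += 1
        for kind in ("agent", "referrer"):
            if m[kind] not in ("", "-"):  # "-" means the header was absent
                counts[kind][m[kind]] += 1
    return {
        kind: [(value, n) for value, n in c.most_common() if n >= min_hits]
        for kind, c in counts.items()
    }

if __name__ == "__main__":
    for kind, hits in candidate_patterns(SAMPLE_LOG).items():
        print(kind, hits)
```

The counts are only candidates: the constructed sample also surfaces a plain browser user agent, so each value needs a review before it goes into the custom tab.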
Honest WordPress Security
I know that creating a custom firewall can be a difficult thing to do if you don’t know the basics.
That’s why some try to sell you $100 subscriptions to protect your WordPress.
Sometimes you just need to block a certain pattern and you can sleep better at night.
For example:
- I block my login pages using Cloudflare Firewall rules so I don’t have to worry about brute force attacks and the many security measures available to counter those attacks.
- You can do the same with .php files. If you have a 100% content website that doesn’t require logging in, you could block access to those files.
The Problem with Application Level Firewall
The problem with application firewalls is that if you lock yourself out, you have to install tools such as FileZilla or Cyberduck, go to your WordPress installation and disable the plugin.
When can that happen?
If you whitelist your home or office IP addresses but they are eventually changed, you won’t be able to log in to your site unless you disable the plugin.
If you use a cloud-based firewall like the one provided by Cloudflare, you go to your Cloudflare account and update the IP address or add a new one in case you are trying to access your WordPress dashboard from a different location.