WAFPlanet

BBQ Firewall

by Plugin Planet / Monzilla Media

Free tier available
WAFPlanet Rating: 4.0/5

The lightest WordPress firewall plugin. Under 10KB, zero configuration, based on Jeff Starr's battle-tested 7G/8G ruleset. 100,000+ active installs. Free version covers most sites. Pro adds customizable rules and statistics.

Company: Plugin Planet / Monzilla Media
Pricing: Freemium (Free tier + paid licenses with lifetime option)
Founded: 2010

Overview

BBQ Firewall stands for Block Bad Queries, and that is exactly what it does. Built by Jeff Starr of Perishable Press, it is a PHP port of his 7G/8G Firewall rulesets that have been refined over more than a decade of real-world use on Apache/.htaccess servers. The plugin is under 10 kilobytes. That is not a typo.

The concept is dead simple: BBQ scans every incoming request (URI, query string, user agent, referrer) against a set of regex patterns that match known attack signatures. SQL injection attempts, directory traversal, base64-encoded payloads, eval() calls, executable file uploads, and various bot/spam patterns all get caught and rejected with a 403 response. No settings page in the free version. No configuration options. No database writes on every request. Install, activate, done.

That extreme minimalism is both the strength and the limitation. BBQ does not understand WordPress internals. It does not know about user sessions, plugin states, or authentication contexts like Wordfence does. It does not hook into PHP before WordPress loads like NinjaFirewall. It simply pattern-matches incoming requests against known bad strings. But those patterns have been battle-tested across hundreds of thousands of sites with near-zero false positive rates, which is more than many fancier solutions can claim.
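The two paragraphs above describe the whole mechanism: take the URI, query string, user agent and referrer, test each against a handful of regexes, and answer a bare 403 on the first hit. The following is an added example written for this page, not BBQ Firewall's or the 7G/8G ruleset's own code; the rule names, patterns, function names and the six sample requests are all constructed for the illustration. It shows the part that keeps the false-positive rate low in practice: each pattern is scoped to one request component, so a SQL keyword inside a post slug is not treated like a SQL keyword inside a query string, and each component is URL-decoded once so `%2e%2e%2f` and `UNION%20SELECT` cannot slip past literal patterns.

```php
<?php
// Added example, not BBQ Firewall's or the 7G/8G ruleset's own code: a
// stripped-down request filter in the same style. The rules below were
// written for this illustration and are deliberately small.

// Rules keyed by the request component they are checked against. Scope is
// the main false-positive control: SQL keywords are matched only in the
// query string, so a post slug such as /select-a-firewall-from-the-options/
// is left alone, while traversal markers are checked against the whole URI.
const EXAMPLE_RULES = [
    'uri' => [
        'traversal'   => '#(?:\.\./|%2e%2e%2f)#i',
        'sensitive'   => '#(?:/etc/passwd|wp-config\.php|/\.git/)#i',
        'null_byte'   => '#(?:%00|\x00)#',
    ],
    'query' => [
        'sqli'        => '#(?:union[\s/*]+select|\bselect\b.+\bfrom\b|\bsleep\s*\()#i',
        'code_exec'   => '#(?:\beval\s*\(|base64_decode\s*\(|\bsystem\s*\()#i',
        'base64_eval' => '#ZXZhbC#',   // base64 prefix of "eval(" (ZXZhbCg=)
    ],
    'user_agent' => [
        'bad_bot'     => '#(?:sqlmap|nikto|masscan|zgrab)#i',
    ],
    'referrer' => [
        'ref_spam'    => '#(?:semalt\.com|buttons-for-website\.com)#i',
    ],
];

/**
 * Returns "component:rule" for the first rule that matches, or null when the
 * request is clean. Each component is tested raw and URL-decoded once, so
 * %2e%2e%2f and UNION%20SELECT are caught without decoding recursively.
 */
function example_scan_request(array $request): ?string
{
    foreach (EXAMPLE_RULES as $component => $rules) {
        $raw = (string) ($request[$component] ?? '');
        if ($raw === '') {
            continue;
        }
        $candidates = array_unique([$raw, rawurldecode($raw)]);
        foreach ($rules as $name => $pattern) {
            foreach ($candidates as $value) {
                if (preg_match($pattern, $value) === 1) {
                    return $component . ':' . $name;
                }
            }
        }
    }
    return null;
}

/** Map PHP's superglobal to the four components; $server is $_SERVER or a stand-in. */
function example_request_from_server(array $server): array
{
    return [
        'uri'        => $server['REQUEST_URI'] ?? '',
        'query'      => $server['QUERY_STRING'] ?? '',
        'user_agent' => $server['HTTP_USER_AGENT'] ?? '',
        'referrer'   => $server['HTTP_REFERER'] ?? '',
    ];
}

/** Reject the way BBQ does: a bare 403 and exit before WordPress does any work. */
function example_block(string $reason): void
{
    if (!headers_sent()) {
        header('HTTP/1.1 403 Forbidden');
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo 'Forbidden (', $reason, ")\n";
    exit;
}

if (PHP_SAPI === 'cli') {
    // Dry run over constructed sample requests (not captured traffic).
    $ua = 'Mozilla/5.0 (X11; Linux x86_64)';
    $samples = [
        'traversal'     => ['REQUEST_URI' => '/dl.php?f=../../../etc/passwd', 'QUERY_STRING' => 'f=../../../etc/passwd', 'HTTP_USER_AGENT' => $ua],
        'traversal-enc' => ['REQUEST_URI' => '/dl.php?f=%2e%2e%2f%2e%2e%2fetc%2fpasswd', 'QUERY_STRING' => 'f=%2e%2e%2f%2e%2e%2fetc%2fpasswd', 'HTTP_USER_AGENT' => $ua],
        'sqli-encoded'  => ['REQUEST_URI' => '/?id=1%20UNION%20SELECT%20user_pass%20FROM%20wp_users', 'QUERY_STRING' => 'id=1%20UNION%20SELECT%20user_pass%20FROM%20wp_users', 'HTTP_USER_AGENT' => $ua],
        'base64-eval'   => ['REQUEST_URI' => '/?cmd=ZXZhbCgkX1BPU1RbJ3gnXSk7', 'QUERY_STRING' => 'cmd=ZXZhbCgkX1BPU1RbJ3gnXSk7', 'HTTP_USER_AGENT' => $ua],
        'sqlmap'        => ['REQUEST_URI' => '/?p=1', 'QUERY_STRING' => 'p=1', 'HTTP_USER_AGENT' => 'sqlmap/1.7 (https://sqlmap.org)'],
        'benign-slug'   => ['REQUEST_URI' => '/blog/select-a-firewall-from-the-options/?utm_source=newsletter', 'QUERY_STRING' => 'utm_source=newsletter', 'HTTP_USER_AGENT' => $ua, 'HTTP_REFERER' => 'https://www.example.com/'],
    ];
    foreach ($samples as $label => $server) {
        $hit = example_scan_request(example_request_from_server($server));
        printf("%-14s %s\n", $label, $hit === null ? 'pass' : "403 ($hit)");
    }
} else {
    // As an mu-plugin: scan the live request and reject before anything else runs.
    $hit = example_scan_request(example_request_from_server($_SERVER));
    if ($hit !== null) {
        example_block($hit);
    }
}
```

Run it from the command line (`php example.php`) and the first five samples are rejected with the rule that caught them, while the benign slug passes even though it contains both "select" and "from", because that rule is scoped to the query string. The `base64-eval` payload is the base64 encoding of `eval($_POST['x']);`, which is why a literal prefix match on `ZXZhbC` catches it; that kind of rule is cheap but brittle, since a payload padded with one leading byte encodes differently, so treat it as one signal among several rather than a guarantee.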

BBQ Pro ($30/year or $50 lifetime for a single site) adds a settings page where you can customize patterns, add your own rules, whitelist IPs, view block statistics, send email alerts on blocked requests, and disable the firewall for logged-in users. The lifetime licensing model is a standout: pay once and you own it forever with updates and support included. For agencies, 300 sites at $440 lifetime is hard to beat anywhere in the WordPress security space.

If you want the absolute lightest-touch WordPress firewall that adds negligible overhead and just quietly blocks the obvious garbage, BBQ is it. Pair it with a cloud WAF like Cloudflare for edge protection, or use it alongside a more comprehensive security suite like Security Ninja or Solid Security for their non-WAF features (vulnerability scanning, hardening) while BBQ handles the request filtering.

Ratings Breakdown

Ease of Use 5.0/5
Value for Money 4.6/5
Customer Support 3.7/5
Features 3.3/5

Key Features

7G/8G Request Filtering

Regex-based pattern matching against incoming URIs, query strings, user agents, and referrers. Based on over a decade of refinement by Jeff Starr.

SQL Injection Protection

Blocks common SQL injection markers such as UNION and SELECT, along with the code-injection payloads that usually travel with them: eval() calls and base64-encoded strings.

Directory Traversal Protection

Catches path traversal attempts, null byte injection, and requests for sensitive system files.

Bad Bot Blocking

Filters known malicious user agents and referrer spam patterns.

Request Method Scanning

Checks all HTTP methods (GET, POST, PUT, DELETE, etc.) against firewall rules.

Customizable Patterns

Add, edit, or remove firewall patterns to fine-tune protection for your specific site (Pro feature).

Block Statistics

Visual bar graphs showing hit counts per pattern to measure firewall effectiveness (Pro feature).

Email Alerts

Receive notifications when requests are blocked (Pro feature).

Pros & Cons

Pros

  • Absolute lightest footprint

    Under 10KB total plugin size. No database queries on requests, no external API calls, no JavaScript, no CSS. Arguably the lowest-overhead WordPress firewall in existence.

  • Zero configuration

    Install and activate. That is the entire setup process. The free version has no settings page because it does not need one.

  • Battle-tested ruleset

    The 7G/8G patterns have been refined over 15+ years across hundreds of thousands of sites with near-zero false positive rates.

  • Lifetime licensing

    Pro offers pay-once-own-forever pricing. $50 for one site or $440 for 300 sites with lifetime updates is unmatched value.

Cons

  • No WordPress awareness

    Pure regex pattern matching on raw requests. Cannot see user sessions, plugin states, or WordPress-specific context like Wordfence can.

  • Free version has no settings

    You cannot customize rules, whitelist IPs, or view statistics without upgrading to Pro. It is truly fire-and-forget.

  • No malware scanning

    BBQ only filters incoming requests. It does not scan files, check for backdoors, or detect existing malware on your site.

  • No login security features

    No 2FA, no login attempt limiting, no login URL rename. Pair with another plugin if you need these.

Pricing

Pricing model: Freemium (Free tier + paid licenses with lifetime option)

Free

$0

Full 7G/8G firewall protection with zero configuration. Blocks SQL injection, XSS, directory traversal, bad bots, and more.

  • 7G/8G-based request filtering
  • Scans URI, query string, user agent, and referrer
  • Inspects all HTTP methods (GET, POST, PUT, DELETE, etc.)
  • Near-zero false positive rate
  • Under 10KB total plugin size
  • Zero configuration required

Pro (1 site, yearly)

$30/year

Customizable firewall with settings page, statistics, alerts, and IP management

  • Everything in Free
  • Customizable firewall patterns
  • Add/edit/remove rules
  • Email alerts on blocked requests
  • Block statistics with bar graphs
  • IP whitelist and blacklist
  • Disable firewall for logged-in users
  • Custom blocked message
  • Custom response status code
  • Pattern import/export
  • One-click pattern testing

Pro (1 site, lifetime)

$50 one-time

Same as Pro yearly but pay once, own forever with lifetime updates and support

  • Everything in Pro
  • Pay once, own forever
  • Lifetime auto updates
  • Lifetime pro support

Pro (3 sites, lifetime)

$100 one-time

Pro for up to 3 sites with lifetime license

  • Everything in Pro
  • Covers 3 websites
  • Lifetime license

Pro (10 sites, lifetime)

$200 one-time

Pro for up to 10 sites with lifetime license

  • Everything in Pro
  • Covers 10 websites
  • Lifetime license

Pro (300 sites, lifetime)

$440 one-time

Pro for up to 300 sites with lifetime license and white-label potential

  • Everything in Pro
  • Covers 300 websites
  • Lifetime license

Our Verdict

BBQ Firewall is the purist's WordPress WAF. Jeff Starr took his Apache/.htaccess firewall rules, ported them to PHP, wrapped them in a plugin under 10KB, and shipped it with zero configuration. The result is probably the fastest WordPress firewall available, one that adds effectively zero overhead to your page loads.

The free version is remarkably capable for what it is. The 7G/8G patterns catch the standard attack patterns that automated bots spray at every WordPress site on the internet: SQL injection, directory traversal, base64 payloads, and known bad user agents. With 100,000+ active installs and near-zero false positive rates, the patterns are proven. But BBQ does not try to be a comprehensive security solution. There is no malware scanner, no vulnerability detection, no login hardening, no 2FA.

Pro at $50 lifetime for a single site is a great deal. The ability to customize patterns, view statistics, and get email alerts transforms it from a set-and-forget tool into an actively managed firewall. The 300-site lifetime license at $440 is possibly the best value proposition in WordPress security for agencies.

Our verdict: The best WordPress firewall for people who want protection without complexity. If you need just a firewall and nothing else, BBQ is the cleanest option. For more comprehensive protection, combine it with Security Ninja (security tests + vulnerability scanner) or Solid Security (virtual patching + login hardening), and add Cloudflare at the edge for DDoS and caching. For the full WordPress WAF landscape, see our best WAF for WordPress guide.

CVE Coverage

BBQ Firewall can detect and block attacks matching 82K+ known CVEs based on its supported rule sets.

By severity: 13K+ critical, 17K+ high, 33K+ medium, 423 low.

Coverage by Attack Type

(Chart of CVE counts per attack type, from 14K+ down to 1.2K+ CVEs; only the Open Redirect category label (medium severity) survived extraction.)

Latest Blockable CVEs

CVE (severity):

  • CVE-2026-34887 (unknown)
  • CVE-2026-5197 (medium)
  • CVE-2026-4317 (unknown)
  • CVE-2026-5196 (medium)
  • CVE-2026-5195 (high)
  • CVE-2026-3107 (unknown)
  • CVE-2026-3106 (unknown)
  • CVE-2025-41357 (unknown)
  • CVE-2025-41356 (unknown)
  • CVE-2025-41355 (unknown)

Frequently Asked Questions

Is BBQ Firewall enough to protect my WordPress site on its own?

It depends on your threat model. BBQ blocks the most common automated attacks: SQL injection, directory traversal, XSS payloads, and known malicious bots. For a blog or portfolio site, that covers the majority of threats you will actually face. The patterns have near-zero false positives after 15+ years of refinement.

Where BBQ falls short on its own is everything beyond request filtering. It does not scan for malware already on your site, does not check for vulnerable plugins, does not offer login protection or 2FA, and does not monitor file integrity. If you want a single-plugin security solution, Wordfence or Security Ninja are better all-in-one picks. But BBQ pairs well with non-WAF security plugins since it focuses purely on request filtering without overlap.

How does BBQ compare to Wordfence?

They are fundamentally different tools. Wordfence is a full security suite with a WordPress-aware WAF, malware scanner, 2FA, live traffic monitoring, and vulnerability detection. BBQ is a focused request filter with zero bloat. Wordfence understands WordPress sessions, user roles, and plugin states. BBQ just pattern-matches against known bad strings.

On performance, BBQ wins decisively. Under 10KB, no database writes, no learning mode, no external API calls. Wordfence is heavier, especially with Live Traffic enabled. On protection depth, Wordfence wins. It catches WordPress-specific exploits that BBQ's generic patterns will miss. You can actually run both together without conflict since BBQ adds negligible overhead, but most people are better off choosing one firewall and supplementing with other tools for non-WAF features.

BBQ vs Security Ninja, which should I use?

They are more complementary than competing. BBQ is a pure firewall: just request filtering, nothing else. Security Ninja is a broader security toolkit with its own 8G-based firewall plus 50+ security tests, a vulnerability scanner, and core file integrity checking.

If you want the lightest possible firewall with zero overhead, BBQ is smaller and leaner. If you want a firewall plus security auditing in one plugin, Security Ninja gives you more. Both use 8G-derived rules for request filtering, so the core WAF protection is similar. Running both would be redundant on the firewall side. Pick BBQ if you want pure minimalism, Security Ninja if you want the extra security tooling bundled in.

Why does the free version have no settings page?

By design. Jeff Starr built BBQ to be a zero-configuration firewall. The free version is meant to be installed, activated, and forgotten. No decisions to make, no settings to misconfigure, no dashboard to check. The patterns are battle-tested defaults that work for the vast majority of WordPress sites without tuning.

If you need to customize rules, whitelist IPs, or see block statistics, that is what BBQ Pro is for. The $50 lifetime license adds a full settings page with pattern editing, import/export, email alerts, and visual statistics. But plenty of sites run the free version indefinitely without ever needing those features.

Can I use BBQ alongside Cloudflare or another cloud WAF?

Absolutely, and it is a smart combination. Cloudflare (or Sucuri) filters traffic at the edge before it reaches your server. BBQ filters traffic at the application layer inside WordPress. They operate at different levels and do not conflict.

The edge WAF handles DDoS, bot management, and caching. BBQ catches anything that slips through to your application layer. Since BBQ adds negligible overhead, there is no meaningful performance penalty for running it as a second layer. Two things to get right on the origin: configure the web server (or a small mu-plugin) to take the visitor address from Cloudflare's CF-Connecting-IP header, and to trust that header only when the connection actually arrives from a Cloudflare IP range, so that IP whitelists and blacklists in BBQ Pro act on the real client instead of Cloudflare's proxies and cannot be fooled by a forged header; and restrict the origin to accept traffic only from Cloudflare, since an attacker who finds the origin address otherwise skips the edge WAF entirely.
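The real-IP step described above, as an added example that is not part of the original page and is not Cloudflare's, BBQ's or WordPress core code. It assumes BBQ Pro's IP features read the address from `$_SERVER['REMOTE_ADDR']` (an assumption; check the plugin's own documentation) and that the file is installed as an mu-plugin so it runs before regular plugins. The two Cloudflare ranges in `EXAMPLE_TRUSTED_PROXIES` come from Cloudflare's published IPv4 list but are only an illustration; the full, current lists must be loaded from Cloudflare. The function, constant and scenario names are constructed for this example.

```php
<?php
// Added example, not Cloudflare's, BBQ's or WordPress core code: an mu-plugin
// that restores the real visitor address behind Cloudflare so IP-based
// firewall rules act on the client rather than on Cloudflare's own addresses.
// CF-Connecting-IP is honoured only when the TCP peer is a trusted proxy;
// otherwise a direct client could set the header and step around an IP
// blacklist (or forge a whitelisted address).

// Two Cloudflare IPv4 ranges from its published list, used here only as an
// illustration. Load the complete, current lists from
// https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
const EXAMPLE_TRUSTED_PROXIES = ['173.245.48.0/20', '103.21.244.0/22'];

/** True when $ip falls inside $cidr. Works for IPv4 and IPv6 via inet_pton(). */
function example_ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return false;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed, or an IPv4 address tested against an IPv6 range
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $remaining = $bits % 8;
    if ($remaining === 0) {
        return true;
    }
    // Compare only the leading $remaining bits of the next byte.
    $mask = (0xFF << (8 - $remaining)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/**
 * The address IP-based rules should see. $server is $_SERVER or a constructed
 * copy; the header is trusted only if REMOTE_ADDR is one of the proxies.
 */
function example_client_ip(array $server, array $trusted = EXAMPLE_TRUSTED_PROXIES): string
{
    $peer    = (string) ($server['REMOTE_ADDR'] ?? '');
    $claimed = (string) ($server['HTTP_CF_CONNECTING_IP'] ?? '');
    if ($claimed === '' || filter_var($claimed, FILTER_VALIDATE_IP) === false) {
        return $peer;
    }
    foreach ($trusted as $cidr) {
        if (example_ip_in_cidr($peer, $cidr)) {
            return $claimed; // peer really is Cloudflare: the header is authoritative
        }
    }
    return $peer; // header present but the peer is not a proxy: ignore it
}

if (PHP_SAPI === 'cli') {
    // Constructed scenarios using documentation-range addresses, not real traffic.
    $cases = [
        'via cloudflare'     => ['REMOTE_ADDR' => '173.245.48.10', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'],
        'spoofed header'     => ['REMOTE_ADDR' => '198.51.100.5',  'HTTP_CF_CONNECTING_IP' => '203.0.113.7'],
        'direct, no header'  => ['REMOTE_ADDR' => '198.51.100.5'],
    ];
    foreach ($cases as $label => $server) {
        printf("%-18s -> %s\n", $label, example_client_ip($server));
    }
} else {
    // Drop this file in wp-content/mu-plugins/ so it runs before regular plugins.
    $_SERVER['REMOTE_ADDR'] = example_client_ip($_SERVER);
}
```

Run from the command line, the first case yields the client address 203.0.113.7, while the spoofed-header and direct cases both yield the peer address 198.51.100.5, because the header is only believed when the peer is inside a trusted range. The same trust rule applies if you do this at the web server instead (Apache's mod_remoteip or nginx's real_ip module with the Cloudflare ranges listed as trusted proxies), which is the more common setup; either way, the list of trusted ranges has to be kept current or legitimate Cloudflare traffic will start being attributed to the proxy.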

Is BBQ Pro worth it over the free version?

For most personal sites and blogs, the free version is fine. The patterns are the same, the protection is the same, you just cannot see what is being blocked or customize anything.

Pro becomes worth it when you want visibility or control. The block statistics show you exactly what patterns are catching traffic, which helps you understand your threat landscape. Custom patterns let you add site-specific rules. IP whitelisting prevents false positives on specific services or partners. Email alerts give you awareness of attack spikes. At $50 lifetime for a single site, the price is low enough that most people running a business site should just get it. For agencies, the 300-site lifetime license at $440 ($1.47/site) is a no-brainer.

Ready to try BBQ Firewall?

Start with the free tier and upgrade as you grow.