Plugin / BBQ: Block Bad Queries

Changelog

If you like BBQ, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

2019/11/09

• Changes to plugins_url() for BBQ_URL constant
• Tests on WordPress 5.3

2019/09/02

• Updates some links to https
• Tests on WordPress 5.3 (alpha)

2019/05/01

• Bumps minimum PHP version to 5.6.20
• Adds activation check if BBQ Pro is active
• Updates default translation template
• Tests on WordPress 5.2

2019/03/11

• Improves function bbq_action_links()
• Refines plugin settings screen UI
• Generates new default translation template
• Tests on WordPress 5.1 and 5.2 (alpha)

2019/02/20

• Tests on WordPress 5.1

2018/11/17

• Adds homepage link to Plugins screen
• Updates default translation template
• Tests on WordPress 5.0

2018/08/21

• Removes .tar from Request URI patterns
• Adds rel="noopener noreferrer" to all blank-target links
• Updates GDPR blurb and donate link
• Regenerates default translation template
• Further tests on WP 4.9 and 5.0 (alpha)

2018/05/11

• Adds xrumer to blocked query strings and request URIs
• Adds indoxploi to blocked query strings and request URIs
• Generates new translation template
• Tests on WordPress 5.0

2017/11/01

• Updates readme.txt 🙂
• Tests on WordPress 4.9

2017/10/19

• Changes \/\.tar to \.tar in Request patterns
• Changes \/\.bash to \.bash in Request patterns
• Adds new User Agent patterns: shellshock, md5sum, \/bin\/bash
• Adds new Request patterns: @@, @eval, \/file\:, \/php\:, \.cmd, \.bat, \.htacc, \.htpas, \.pass, usr\/bin\/perl, var\/lib\/php, wp-config\.php
• Adds new Query String patterns: @@, \(0x, 0x3c62723e, \(\)\}, \:\;\}\;, \;\!--\=, @eval, eval\(, base64_, UNION(.*)SELECT, \/config\., \/wwwroot, \/makefile, \$_session, \$_request, \$_env, \$_server, \$_post, \$_get, phpinfo\(, shell_exec\(, file_get_contents, allow_url_include, disable_functions, auto_prepend_file, open_basedir, (benchmark|sleep)(\s|%20)*\(
• Tests on WordPress 4.9

2017/07/30

• Changed menu item name to “BBQ Firewall”
• Tests on WordPress 4.9 (alpha)

2017/03/22

• Adds plugin settings page
• Adds French translation (thanks to Bouzin)
• Generates new default translation template
• Tests on WordPress version 4.8

2016/11/14

• Replaces esc_html with esc_attr for link title attributes
• Changes stable tag from trunk to latest version
• Adds » to rate this plugin link
• Updates URL for rate this plugin link
• Moves “Go Pro” link to action links
• Renames action/meta link functions
• Updates default translation template
• Tests on WordPress version 4.7 (beta)

2016/08/10

• Added translation support
• Added plugin icons and larger banner
• General fine-tuning and testing
• Tested on WordPress 4.6

2016/03/28

• Removed \:\/\/ from Request URI and Query String patterns (see this thread)
• Added (benchmark|sleep)(\s|%20)*\( to Request URI patterns (thanks to smitka)
• Tested on WordPress 3.5 beta

2015/11/07

• Added \.php\([0-9]+\), __hdhdhd.php to URI patterns (Thanks to George Lerner)
• Added acapbot, semalt to User Agent patterns (Thanks to George Lerner)
• Replaced UNION.*SELECT with UNION(.*)SELECT in Request URI patterns
• Added morfeus, snoopy to User Agent patterns
• Refactored redirect/exit functionality
• Renamed rate_bbq() to bbq_links()
• Tested with WordPress 4.4 beta

2015/08/08

• Tested on WordPress 4.3
• Updated minimum version requirement
• Highlighted Pro link on Plugins screen

2015/06/24

• Replaced UNION\+SELECT with UNION.*SELECT
• Added wp-config.php to query-string patterns
• Added plugin link to BBQ Pro
• Testing on WP 4.3 (alpha)

2015/05/07

• Tested with WP 4.2 and 4.3 (alpha)
• Replaced some http with https in readme.txt

2015/03/14

• introduce bbq_core()
• tested on latest WP
• tightened up code

2014/09/22

• tested on latest version of WordPress (4.0)
• retested on Multisite
• increased minimum version requirement to WP 3.7

2014/03/05

• Bugfix: added conditional checks for empty variables

2014/01/23

• tested on latest version of WordPress (3.8)
• added link to rate plugin

2013/11/03

• removed ?> from script
• added optional line for blocking long URLs
• added line to prevent direct access to BBQ script
• added \;Nt\., \=Nt\., \,Nt\. to request URI items
• tested on latest version of WordPress (3.7)

2013/07/07

• replaced Nt\. with \/Nt\. (resolves comment editing/approval issue)

2013/07/05

• removed https\: (from previous version)
• replaced \/https\/ with \/https\:
• replaced \/http\/ with \/http\:
• replaced \/ftp\/ with \/ftp\:

2013/07/04

• removed block for jakarta in user-agents
• removed union from query strings
• added to request-URI: \%2Flocalhost, Nt\., https\:, \.exec\(, \)\.html\(, \{x\.html\(, \(function\(
• resolved PHP Notice “Undefined Index” via isset()

2013/01/03

• removed block for CONCAT in request-URI
• removed block for environ in query-string
• removed block for %3C and %3E in query-string
• removed block for %22 and %27 in query-string
• removed block for [ and ] in query-string (to allow unsafe characters used in WordPress)
• removed block for ? in query-string (to allow unsafe character used in WordPress)
• removed block for : in query-string (to allow unsafe character used by Google)
• removed block for libwww in user-agents (to allow access to Lynx browser)

2012/11/08

• Removed : match from query string (Google disregards encoding)
• Removed scanner from query string from query string match
• Streamlined source code for better performance (thanks to juliobox)

Older versions

• 2012/10/27 – Disabled check for long strings, disabled check for scanner
• 2012/10/26 – Rebuilt plugin using 5G/6G technology
• 2011/02/21 – Updated readme.txt file
• 2009/12/30 – Added check for admin users
• 2009/12/30 – Additional request strings added