BZU: Blokiraj zlonamjerne upite


Install, activate, and done!
Powerful protection from WP’s fastest firewall plugin.

Block Bad Queries (BBQ) is a simple, super-fast plugin that protects your site against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution for sites that are unable to use a strong .htaccess firewall.

Fantastične značajke

  • 100-postotna funkcionalnost temeljena na principu “uključi i radi”
  • No configuration required (it just works)
  • Born of speed and simplicity, no frills
  • 100% focused on security and performance
  • Blocks a wide range of malicious requests
  • Blocks directory traversal attacks
  • Blocks executable file uploads
  • Blocks SQL injection attacks
  • Based on the 5G/6G Firewall
  • Scans all incoming traffic and blocks bad requests
  • Scans all types of requests: GET, POST, PUT, DELETE, etc.
  • Works silently behind the scenes to protect your site
  • Hassle-free security plugin that’s easy to use
  • Thoroughly tested, error-free performance
  • Compatible with other security plugins
  • Redovite nadolazeće nadogradnje
  • Customize blocked strings via Whitelist/Blacklist plugins


This plugin does not collect or store any user data. It does not set any cookies, and it does not connect to any third-party locations. Thus, this plugin does not affect user privacy in any way.

Pro inačica

For advanced protection and awesome features, check out BBQ Pro.

Podržite razvoj ovog dodatka

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

Links, tweets and likes also appreciated. Thank you! 🙂


Instaliranje BBQ

  1. Instalirajte, aktivirajte, dovršeno.

Once active, BBQ automically blocks bad queries to protect your site against malicious URL requests. For more control and stronger protection, check out BBQ Pro »

Više informacija o instaliranju WordPress dodataka

Mogućnosti uređivanja

Note that the Pro version of BBQ makes it possible to customize patterns (add, edit, remove) directly via the plugin settings, with a click.

Sviša vam se ovaj dodatak?

If you like BBQ, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!


What other security plugins do you recommend?

I recently recorded a video tutorial series for on how to secure WordPress sites. That’s a good place to learn more about the best techniques and WP plugins for protecting your site against threats.

Do I need to do anything else for BBQ to work?

Nope, just install and relax knowing that BBQ is protecting your site from bad URL requests.

I don’t see any Settings whatsoever? Where is the settings?

No settings needed for BBQ! Everything is done automatically behind the scenes. Zero configuration required. The free version of BBQ is strictly plug-n-play, set-it-and-forget-it, with no settings to configure whatsoever. Just install, activate, and enjoy better security and robust protection against malicious requests. The Pro version of BBQ is just as fast and simple to use, but is much more powerful and includes robust settings to customize and fine-tune your firewall.

Je li BZU besplatna inačica kompatibilna s dodatkom Wordfence?

Does it makes sense to use both? Yes BBQ free and BBQ Pro are both compatible with any plugin written according to the WP API. And yes, there is benefit to using BBQ with any other security plugin, including Wordfence. They protect against different threats, so using both means you are extra secure.

Unosi li BBQ promjene u moju .htaccess datoteku?

Absolutely not. Unlike other security/firewall plugins, neither BBQ (free version) nor BBQ Pro make any changes to any .htaccess file.

Uvodi li BBQ promjene u bazu podataka WordPress-a?

No, the free version of BBQ operates as each page is loaded; it does not make any changes whatsoever to the WP database.

Does BBQ block malicious strings included in arrays?

Yes, BBQ scans any arrays that are included in the URI request. If any matching patterns are found, the request is blocked.

Moj dodatak za provjeru PHP ispitivač kazuje da postoji pogreška?

For example, if your PHP/plugin scanner reports something like, “found 0x3c62723e which is bad.” Normally you would not want to find such bad strings of code, but there is an exception for security plugins. Think about it: in order to block some nasty string, BBQ must know about it. So each bad string that is blocked by BBQ is included in the plugin “blacklist”. That means, when some PHP scanner looks at BBQ and finds some known bad strings, it just means that the scanner has discovered BBQ’s list of blocked terms. In other words, BBQ contains static strings of non-functional text, in order to match and block malicious requests to your site. I hope this makes sense, feel free to contact me if I may provide any further infos.

Trebam li WordPress kako bih koristio BBQ?

Nope! BBQ is available in the following flavors:

So you can check out the Standalone PHP Script for sites that are not running WordPress.

Mogu li istovremeno koristiti BBQ i 6G/7G vatrozid?

Full question: “Except most of the rules overlapping, is it counter productive (site slowing down for example, potential conflicts, bugs) or is there any risks using 6G/7G Firewall + BBQ at the same time?”

Answer: It’s fine to run both BBQ and 6G/7G Firewall at the same time. Both firewalls are super fast, so they won’t slow things down. In other words the two firewalls play well together. The only downside is that some of the rules will be redundant, but there should be no negative impact on performance. The upside is that you get extra protection when using both, as there are variations in the firewall rules and patterns, etc.

Do you offer any other security plugins?

Yes, check out Blackhole for Bad Bots to protect your site against bad bots. I also have a video course on WordPress security, for more plugin recommendations and lots of tips and tricks.

Moj PHP ispitivač je pronašao nešto?

If you are using some PHP checker that’s reporting an error or bad string in BBQ, it’s a false positive and safe to ignore. Why? Because the PHP checker is finding the static strings/patterns that BBQ uses to identify and block bad requests. In other words, your PHP checker is finding a static string thinking it is live code. It’s not. If possible, please take a moment to report this to the developers of your PHP checker. They should be happy to improve the accuracy and quality of their plugin.

Imate pitanje?

Send any questions or feedback via my contact form.


17. kolovoza 2020.
Using BBQ since 7 years on 50 websites and love it, simple, efficient, everything is fine and perfect, thanks a lot for your really good work 🙂
08. kolovoza 2020.
I've run four of Jeff Starr's security plugins on my website for many years now. I sleep better at night knowing I'm protected. Jeff's plugins, including BBQ, are single-purposed and focused in their features and scope. No Jetpack do-everything crap here. He consistently updates and improves all of his plugins. I trust Jeff's code, and I immediately review any new plugins he develops.
10. srpnja 2020.
In moving away from an all-encompassing WP security plugin, I did quite a bit of research into the available options regarding site security and came across BBQ Pro and the other premium and freemium plugins by Jeff Star. Aside from it being an excellent plugin that does exactly what is sets out to do, and well, Jeff Star is star (pun not intended) in his field and provides first-rate customer service. To clear up some issues I was having with his security plugins - they were related to my lack of understanding, not to the plugins themselves - Jeff called me and clarified all my doubts (this was an international call!). Moreover, the security-related articles on his site, as well as on other, have helped further secure our site and gain a greater understanding of WP security as a whole and on the "atomic" level. Thank you Jeff for the great plugins, articles, and support! Cheers!
Pročitajte sve 92 recenzije

Suradnici i Programeri

“BZU: Blokiraj zlonamjerne upite” is open source software. The following people have contributed to this plugin.


“BZU: Blokiraj zlonamjerne upite” je prijeveden na 10 dijalekata. Zahvala prevodiocima za njihov doprinos.

Prevedite “BZU: Blokiraj zlonamjerne upite” na svoj jezik.

Zainteresirani ste za razvoj?

Pregledajte kôd, pogledajte SVN spremišteili se pretplatite na dnevnik razvoja od RSS.

Dnevnik promjena

If you like BBQ, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!


  • Replaces guangxiymcd with wildcard match www.(.*).cn
  • Refines readme/documentation
  • Tests on WordPress 5.5


  • Adds guangxiymcd to Request URI and Query String patterns
  • Ispitivanje na WordPress inačici 5.4 + 5.5 (alfa)


  • Ispitivanja na WordPress inačici 5.4


  • Changes to plugins_url() for BBQ_URL constant
  • Ispitivanja na WordPress inačici 5.3


  • Nadograđene poveznice na sigurnosne (HTTPS) veze
  • Ispitivanja na WordPress inačici 5.3 (alfa)


  • Bumps minimum PHP version to 5.6.20
  • Adds activation check if BBQ Pro is active
  • Ažurira zadani predložak prijevoda
  • Ispitivanja na WordPress inačici 5.2


  • Improves function bbq_action_links()
  • Refines plugin settings screen UI
  • Stvara novi zadani predložak za prijevod
  • Ispitivanja na WordPress inačici 5.1 i 5.2 (alfa)


  • Ispitivanja na WordPress inačici 5.1


  • Adds homepage link to Plugins screen
  • Ažurira zadani predložak prijevoda
  • Ispitivanja na WordPress inačici 5.0


  • Removes .tar from Request URI patterns
  • Adds rel="noopener noreferrer" to all blank-target links
  • Updates GDPR blurb and donate link
  • Regenerates default translation template
  • Daljnja ispitivanja na WordPress inačici 4.9 i 5.0 (alfa)


  • Adds xrumer to blocked query strings and request URIs
  • Adds indoxploi to blocked query strings and request URIs
  • Generates new translation template
  • Ispitivanja na WordPress inačici 5.0


  • Nadograđena datoteka pročitajme.txt 🙂
  • Ispitivanja na WordPress inačici 4.9


  • Changes \/\.tar to \.tar in Request patterns
  • Changes \/\.bash to \.bash in Request patterns
  • Adds new User Agent patterns: shellshock, md5sum, \/bin\/bash
  • Adds new Request patterns: @@, @eval, \/file\:, \/php\:, \.cmd, \.bat, \.htacc, \.htpas, \.pass, usr\/bin\/perl, var\/lib\/php, wp-config\.php
  • Adds new Query String patterns: @@, \(0x, 0x3c62723e, \(\)\}, \:\;\}\;, \;\!--\=, @eval, eval\(, base64_, UNION(.*)SELECT, \/config\., \/wwwroot, \/makefile, \$_session, \$_request, \$_env, \$_server, \$_post, \$_get, phpinfo\(, shell_exec\(, file_get_contents, allow_url_include, disable_functions, auto_prepend_file, open_basedir, (benchmark|sleep)(\s|%20)*\(
  • Ispitivanja na WordPress inačici 4.9


  • Changed menu item name to “BBQ Firewall”
  • Ispitivanja na WordPress inačici 4.9 (alfa)


  • Dodaje stranicu za postavke dodataka
  • Dodaje francuski prijevod (hvala Bouzinu)
  • Stvara novi zadani predložak za prijevod
  • Ispitivanja na WordPress inačici 4.8


  • Replaces esc_html with esc_attr for link title attributes
  • Changes stable tag from trunk to latest version
  • Adds » to rate this plugin link
  • Ažuriranja URL-a poveznice za davanje ocjene ovog dodatka
  • Pomak “Idi na Pro inačicu” na akcijske veze
  • Renames action/meta link functions
  • Ažurira zadani predložak prijevoda
  • Ispitivanja na WordPress inačici 4.7 (beta)


  • Dodana podrška za prijevod
  • Dodane ikone dodataka i veći banner
  • General fine-tuning and testing
  • Ispitano na WordPress inačici 4.6


  • Removed \:\/\/ from Request URI and Query String patterns (see this thread)
  • Added (benchmark|sleep)(\s|%20)*\( to Request URI patterns (thanks to smitka)
  • Ispitano na WordPress inačici 3.5 (beta)


  • Added \.php\([0-9]+\), __hdhdhd.php to URI patterns (Thanks to George Lerner)
  • Added acapbot, semalt to User Agent patterns (Thanks to George Lerner)
  • Replaced UNION.*SELECT with UNION(.*)SELECT in Request URI patterns
  • Added morfeus, snoopy to User Agent patterns
  • Refactored redirect/exit functionality
  • Renamed rate_bbq() to bbq_links()
  • Ispitano na WordPress inačici 4.4 (beta)


  • Ispitivanja na WordPress inačici 4.3
  • Nadograđeni minimalni zahtjevi za inačicu
  • Istaknuta poveznica na Pro inačicu na zaslonu dodataka


  • Added wp-config.php to query-string patterns
  • Dodana je poveznica na dodatak BBQ Pro
  • Ispitivanja na WordPress inačici 4.3 (alfa)


  • Ispitano sa WordPress inačicom 4.2 i 4.3 (alfa)
  • Zamijenjene neke poveznice sa http na https u pročitajme.txt datoteci


  • introduce bbq_core()
  • Ispitano na posljednjoj dostupnoj inačici WordPress-a
  • tightened up code


  • tested on latest version of WordPress (4.0)
  • retested on Multisite
  • increased minimum version requirement to WP 3.7


  • Bugfix: added conditional checks for empty variables


  • tested on latest version of WordPress (3.8)
  • added link to rate plugin


  • removed ?> from script
  • added optional line for blocking long URLs
  • added line to prevent direct access to BBQ script
  • added \;Nt\., \=Nt\., \,Nt\. to request URI items
  • tested on latest version of WordPress (3.7)


  • replaced Nt\. with \/Nt\. (resolves comment editing/approval issue)


  • removed https\: (from previous version)
  • replaced \/https\/ with \/https\:
  • replaced \/http\/ with \/http\:
  • replaced \/ftp\/ with \/ftp\:


  • removed block for jakarta in user-agents
  • removed union from query strings
  • added to request-URI: \%2Flocalhost, Nt\., https\:, \.exec\(, \)\.html\(, \{x\.html\(, \(function\(
  • resolved PHP Notice “Undefined Index” via isset()


  • removed block for CONCAT in request-URI
  • removed block for environ in query-string
  • removed block for %3C and %3E in query-string
  • removed block for %22 and %27 in query-string
  • removed block for [ and ] in query-string (to allow unsafe characters used in WordPress)
  • removed block for ? in query-string (to allow unsafe character used in WordPress)
  • removed block for : in query-string (to allow unsafe character used by Google)
  • removed block for libwww in user-agents (to allow access to Lynx browser)


  • Removed : match from query string (Google disregards encoding)
  • Removed scanner from query string from query string match
  • Streamlined source code for better performance (thanks to juliobox)

Prethodne inačice

  • 2012/10/27 – Disabled check for long strings, disabled check for scanner
  • 2012/10/26 – Rebuilt plugin using 5G/6G technology
  • 2011/02/21 – Updated readme.txt file
  • 2009/12/30 – Added check for admin users
  • 2009/12/30 – Additional request strings added