Not a real firewall..
This is not a real firewall.. This is to pretend to yourself that you have a firewall. I had the PRO version and it doesn’t stop the real hacks. Only until I got a real firewall and ran scans did I notice there were some files compromised.
Hi @fmh999,
BBQ absolutely is a firewall, a Web Application Firewall (WAF) to be precise. It’s used by thousands of users for over 10 years, has an excellent rating, and tons of positive reviews. BBQ’s track record and effectiveness as a powerful WAF speak for itself.
Can you provide any further details about what happened to your site? Without more information about what you found, it’s difficult to say for sure what actually happened. Please be more specific about the details, thank you.
All this “firewall” does is have some basic rules in the htaccess that anyone can add themselves and nothing more. It blocks some “bad” queries that every hacker probably knows about and not much more than that.
After running a scan with REAL firewall I noticed some files were compromised with back door trojans while having the PRO version of this “firewall” for 8-9 months. The block bad queries feature did not block anything.
Don’t advertise this as a firewall.. it’s false advertisement, you’re giving people a false sense of hope.
Yeah yeah, you’ve said that already, “not a real firewall”, “site got hacked”, “you suck”, etc. Got it.
What would be useful are more details about what actually happened. For example, what were the file names included with the payload? How were they added? How did they get in? Etc. That sort of specific info would give you some credibility and be much more useful to the community than some baseless, anonymous claim.
You see, part of my job as developer is to learn from user feedback, gather information, and improve the plugin however possible. But that’s not possible when the user only wants to bash and blame the plugin, without providing any actual information or willingness to help.
So come on, @fmh999, let’s get to the bottom of this. Help the WordPress community by providing some actual details about what happened.
Hey Jeff,
I found the following malicious code with backdoor trojans in the following files while running this “firewall”.
/plugins/wordpress-seo/src/schema-templates/wp-signup.php
/plugins/nextend-social-login-pro/providers/github/atomlib.php
How did they get there? Certainly on the web side and BBQ Pro Version did not stop it.
WordPress is a very complicated/delicate CMS and I recommend everyone who uses this plugin to get a real firewall to run scans because they could have viruses too.
This firewall, with a bunch of htaccess rules that every hacker is familiar with, is not capable of real protection.
Lastly, you should learn how to control your emotions and learn how to talk to a real customer. My ID receipt is #74088 in case you want to look it up.
Hi @fmh999,
Thanks for sharing further information, it is useful. Allow me to respond to some of your points:
1) For this: “found the following malicious code with backdoor trojans in the following files …”
The first file you mention is from Yoast SEO plugin. The second file is from a plugin named “nextend-social-login-pro” (which seems to have been removed or does not exist in the Plugin Directory).
The Yoast plugin has suffered from various attacks and vulnerabilities in the past, here are some examples. There are others, but you get the idea.
Not sure about the second file (because the plugin is outside of www.ads-software.com), but the same principle holds true: it is possible for plugins to have vulnerabilities that may be exploited outside of HTTP request methods.
2) “How did they get there? Certainly on the web side”
That is what we’re trying to figure out. Currently it is not known how the files were added, but it could very well be from a vulnerability that is accessible via some non-HTTP route. Unless you have some evidence to support your claim that it happened “on the web side”..? How do you know for sure how the files were added?
3) “This firewall, with a bunch of htaccess rules that every hacker is familiar with”
This again demonstrates your lack of understanding and/or confusion. BBQ is a firewall that does not require or make use of any .htaccess whatsoever. BBQ works on any site/server that can run WordPress. Apache server is not required, neither is .htaccess.
4) “not capable of real protection”
I’ve already provided evidence that BBQ effectively protects WordPress sites. Here it is again in case you missed it in my first reply:
[BBQ] is used by thousands of users for over 10 years, has an excellent rating, and tons of positive reviews. BBQ’s track record and effectiveness as a powerful WAF speak for itself.
That’s a pretty amazing track record, right? Tens of thousands of active installs over a 10 year period with a near perfect 5-star rating.. pretty much confirms that BBQ provides real firewall protection. And it does so without slowing down your site with lots of needless heavy features.
So when you make wild claims like “not capable of real protection”, it’s just hard to take seriously, because literally every other indicator says the opposite is true: BBQ provides powerful protection against threats.
Does it block every threat and malicious request? No. There is no plugin that can do that. On the Web, 100% perfect security is a great goal to pursue, but impossible to achieve in reality.
Security is not a one-dimensional issue
Dear friend @fmh999! Before you say what this program is, let me explain about security.
Security – no matter the phone or the system or the server – is a general issue. As a result, you can see that, for example, Total Security offers a variety of other services in addition to the firewall. Basically, the firewall is not anti-spyware or anti-malware! And basically this is a security dimension and there are many other dimensions.
Dear friend! The plugin in front of you is a firewall, not an antivirus or anything else; this plugin works great. You must use antivirus and scanners to detect backdoor files and spyware! As the update of the web server version, SSL, PHP and WordPress each have a unique place in maintaining the security of your site.
Just as a malware scanner cannot protect against malicious code in user queries, so a firewall cannot scan your files! No firewalls!
Finally, here are a few things to keep in mind for your own safety:
1. Hardware and software updates
2. Manage access and users
3. Use multi-layer security
4. This plugin is only for user-side requests (HTTP) and no more! This plugin is not anti-malware, anti-DDoS, anti-Spam, etc.
Thanks dear @specialk.
This reply was modified 2 years, 12 months ago by Farhad.
- The topic ‘Not a real firewall..’ is closed to new replies.