Ultimate Security Checker
2.7.8 fails to recognize Block Bad Queries (5 posts)

  1. fwchapman
    Posted 2 years ago

    I love this plugin! It's a great way to check that a site upholds fundamental best practices for securing WordPress.

    Unfortunately, there's a small problem with the Code Check section. I get this warning message even after installing the Block Bad Queries (BBQ) plugin:

    Your blog can be hacked with malicious URL requests.

    The BBQ 1.0 plugin is slightly more elaborate than the plugin recommended in the How to Fix tab. If I replace the BBQ 1.0 plugin code with the exact code in the recommended fix, the warning message goes away, but this results in weaker protection (it does not check for long queries).

    Can you please fix the bug that generates this false positive?

    Thank you,

    Fred Chapman


  2. fwchapman
    Posted 2 years ago


    I've looked at the plugin code for both Ultimate Security Checker (USC) and Block Bad Queries (BBQ), and I've discovered the problem: BBQ does nothing if the user is logged in as an administrator, which happens to be the only way that a user can run the USC tests! That means BBQ is providing protection against malicious URL requests for users with lesser capabilities and for guests, but this is not being detected by USC.

    I would classify this as a problem with BBQ, not USC. Do you agree?

    I've started a new thread to address this on the BBQ support page.

  3. spaciousmind
    Posted 2 years ago

    I wish they'd fix this also... I create the BBQ plugin the way they tell you in the "How To Fix" tab, run the tests, and that item is ok -- until I update BBQ, then it shows up in USC as a problem. I saw a new version of USC just came out, was hoping this would be fixed, but it wasn't -- can the plugin author address this?

  4. fwchapman
    Posted 2 years ago

    Update: 2013-06-08

    SpaciousMind, there is actually a BBQ plugin in the WordPress repository. After the BBQ plugin was totally rewritten, I revisited this issue and concluded that the problem now lies with USC. I reported the problem and provided a workaround.

    It would be great if the author of USC could address this issue, which is very easy to fix.


  5. spaciousmind
    Posted 2 years ago

    Thanks Fred, I'll try the workaround. I know about the BBQ in the repository, but the problem, as you know, is USC doesn't recognize it.

Topic Closed

This topic has been closed to new replies.
