Hi, yes that is a bug that will be fixed in the next update. If you want to contact me directly, I can send a simple whitelist plugin that will resolve the issue in the current version. To get it, reach me via my contact form: https://perishablepress.com/contact/
This issue is resolved in the latest version of BBQ, v20160328. Thanks for reporting.
Explanation
It turns out that certain WordPress functions such as wp_lostpassword_url()
fail to encode URLs properly. Specifically, this function and possibly others include reserved characters, :
(colon) and /
(forward slash), in the query string, for example:
http://example.com/wp-login.php?action=lostpassword&redirect_to=http://example.com/
Because of this, security plugins and firewalls no longer can block a wide range of malicious requests without also interfering with WP’s unencoded URLs.
Thus the pattern \:\/\/
was removed in BBQ version 20160328.
Learn more about encoding characters in URLs