- ⚙ What is SQLi?
- ⚙ How it Works?
- ⚙ Examples
- ⚙ Types
- ⚙ SQL Injection in WordPress
- ⚙ Detect & Fix Sql Injection WordPress
- ⚙ WordPress SQL Injection Protection
- ⚙ Prevent SQL Injection WordPress
To start with, WordPress is not 100% safe. ⚠️
SQL injection is one of the most devastating hack which can impact your business site and lead to leakage of sensitive information from your database to the hacker. Have following questions in mind, then this article is a must read for you.
- What is SQL injection & How does it work?
- Is my WordPress vulnerable to SQL Injection?
- wp login php sql injection?
- How to prevent SQL injection in WordPress?
In this detailed guide, we will provide 🔎 in-depth information on SQL injection attack, examples, consequences, how to detect & clean SQL injection in WordPress site & most importantly how to prevent WordPress Sql Injection. Read on to discover more and take steps to ensure your site isn’t a victim of an injection attack in 2020.
WordPress SQL injection vulnerability is ranked as the second most critical security vulnerabilities in WordPress. We can say that almost 39% of WordPress vulnerabilities is related to cross-site scripting issues (SEE STATS BELOW). One is shielded from SQL injection vulnerabilities once the latest WordPress core files are deployed. On the contrary, you risk the whole application by using third-party themes and plugins.
We have already known the danger of SQL injection for 14 years. However, this remains one of the worst hazards to which dynamic websites are exposed. This attack method can indeed cause significant damage to your site database as well as impact your SEO rankings too. When it comes to WordPress security, there are certain best practices you follow in order to keep your site safe. You can also follow our WordPres security checklist 2020 to keep SQL injections at bay.
Under the term SQL injection, we understand the exploitation of a security flaw in relational database systems which refers to the SQL language. WordPress is a platform including a database that runs server-side scripts, in PHP. These two characteristics can make WordPress vulnerable to attack by inserting malicious URLs. SQL injection and XSS describes a class of these attacks in which hackers embed commands in a URL that will trigger behaviors from the database.
These attacks can reveal sensitive information about the database, which can give hackers access to make changes to your content and the entire website. Many attacks are accomplished today by some forms of SQL injections.
WordPress SQL injection can destroy the entire database of your site. According to various studies, SQL Injection vulnerability is the 2nd most common exploit among various WordPress security vulnerabilities after Cross site scripting XSS attack WordPress.
- While most web applications receive at least 4 web attack campaigns per month, some sites are still under attack.
- Each website receives 94,057 SQL injection attack requests in one day.
- E-commerce experiences twice as many SQL injection attacks as other industries.
- An observed website was attacked 176 days out of 180, 98% of the time.
- 94,057 is equivalent to 1,567 SQLi attacks per hour or 26 attack requests per minute, on average.
- “How to hack wordpress site using sql injection” – This is a widely searched query and its volume has increased by 200% in 2020. Means more people are interested in finding more out about it. Their intention can be negative as well as for knowledge purposes.
⚠️ What is SQL injection?
A SQL injection is, as the name suggests, injection or insertion of SQL code via data transmitted from a website. A successful and correctly exploited injection makes it possible to recover sensitive information from a database or even to modify/delete/add data. In general, all actions linked to a database are possible. Usually, this type of injection concerns PHP with an SQL database but other languages like ASP can also be concerned.It poses a big security risk to WordPress.
The attacker uses data entered by the user on the database interface that is not sufficiently masked and that contains meta characters (such as the double hyphen, quotation marks, semicolon, etc.). These signs have specific functions for the SQL interpreter and allow external commands to be executed. Often, SQL injection occurs with PHP and ASP programs that rely on older interfaces. The data does not always include the necessary masks and therefore constitutes a perfect target for an attack.
By using function characters in a targeted manner, an unauthorized user can infiltrate SQL commands and manipulate the entries so as to change the data, delete them or read them. In the most serious cases, it is even possible that the attacker, using this way, succeeds in accessing the instruction lines of the command execution systems and thus in the whole of the database server.
Your WordPress application may not be able to withstand even a small vulnerability. Here, we would like to consider the measures that will ensure to reduce or stop SQL injection in WordPress and also evaluate the methods to curb vulnerabilities in your WordPress application.
Find list of SQLi exploits which are freely available on Exploit DB.
Are You a Victim of WordPress SQL injection? Contact Us
Identify SQL Injection Attack
There are many ways to perform an attack with a SQL injection but in this article, we bring you the easiest ways to detect it. For instance, let us assume that we have a typical login form in which we request an email and a password to validate the user and have access to new functions on the web.
If we wish to perform an injection of SQL code, we could fill in the first field with an email, for example, XYZ@myemail.com and in the second field you need to enter a the password, we would complete it with this value: ‘or 1 = 1-
By checking with an SQL query if that user exists, we would get this:
SELECT * FROM users WHERE email = 'XYZ@myemail.com' and password = ' ' or 1 = 1 -
In the previous query, we indicated in bold the SQL injection that we just processed. This injection would deactivate the statement by adding a logical or operator plus an equality comparison that is true 1 = 1.
This comparison would disable the rest of the query on the left and would provide a true logical operation that, as a result, would bring us the values of the database, giving final access to the application.
⚠️ How Does SQL Injection Attack Works?
SQL injection attacks are well known and feared for having a tremendous impact on the security of an application, as well as being the most common vulnerability, according to the OWASP Top Ten.
Hacks occur when hackers discover a vulnerability by which they enter your website. In SQL injection attacks, hackers use vulnerabilities login forms to access the database.
They can use anything from contact forms to registration forms, login forms or even the search bar.
Depending on the purpose of the attacks, there are two types of SQL injection attacks –
- In-band SQL injection attacks – This is where hackers attempt to steal information from the database, such as user credentials.
- Blind SQL injection attacks – In this type of attack, the hacker prefers to exploit your website to carry out malicious activities such as sending spam, redirecting visitors to different websites.
When we think of a SQL injection, we immediately relate it to information leakage or theft of credentials, because the most common attack is to dump tables from the database used by the vulnerable application.
A method to exploit an SQL injection vulnerability: skip a login form, being able to authenticate without knowing credentials.
Let us start with a typical example: a form with a user field and a password field. The application will make a query to the database very similar to the code below:
[...] $ user = $ _ POST ['user']; $ pass = $ _ POST ['password']; $ query = "SELECT * FROM users WHERE user = '$ user' AND password = '$ pass'"; [...] If you enter as a pepe user and password potato1, the resulting query would be: SELECT * FROM users WHERE user = 'pepe' AND password = 'potato1' The initial way to know if a form is vulnerable to SQL injection is to add a quotation mark in some field, so that the resulting statement is badly formed. So, if the user is pep'e, the query would be: SELECT * FROM users WHERE user = 'pep' e' AND password ='potato1'
The highlighted text stays outside the user field, and would be part of the logic of the SQL statement. Since what has been left out makes no sense, the application will most likely show a badly formed SQL statement error.
In short, SQL injection attack is a powerful weapon to skip a form of authentication in a web application, without having to launch brute force attacks, as long as the developer has not filtered the input parameters.
Some of the most parts of the WP installations which are prone to sql hacking are:
- Login/Signup forms.
- Contact forms.
- Feedback forms.
- Search parameters.
- Generic contact forms
- Login portals
- Blog comment forms
- Subscription pop-ups
- eCommerce checkout pages
- Search bars
Instances Of SQL Hack
Over the past twenty years, numerous SQL injection attacks have targeted large websites, companies and social networks. Several of them resulted in significant data leaks. Here we present some of the most remarkable examples:
- In 2008, two Russian hackers used SQL injection techniques to attack Heartland Payment Systems, a leading provider of payment processing solutions at that time. Considered the biggest credit card breach at that time, this attack had allowed hackers to obtain details of more than 150 million credit cards and cost companies more than $300 million. The two attacking pirates were sentenced to a combined sentence of 16 years in 2018.
- In 2016, a group of hackers took advantage of flaws in vBulletin, a popular online messaging software, to attack 11 gaming messaging platforms, most of them in Russian. During this attack, hackers successfully stole the credentials of more than 27 million accounts.
- Also in 2016, hackers used SQL injection methods to launch a cyberattack against the Qatar National Bank and stole more than 1.4 GB of data, which they immediately released to the public. The data contained details of the accounts of thousands of customers, including members of the Qatari royal family, intelligence agents, religious leaders and several British, and American citizens who were marked as spies in the bank’s database.
⚠️ Exploiting SQL Injection: Examples
Because fragile database servers are easy to spot and SQL injection attacks are just as simple, attackers around the world often use this method. The attackers thus act according to different models and exploit new flaws in the data management processes of the applications but especially those which are more familiar to them.
To explain how SQL injection works, we have listed the most common methods as an example.
Example 1: Access through insufficiently masked user input
To access a database, a user must first authenticate himself. To authenticate, existing scripts which present in a login form with username and password. The user fills in the form and the script checks whether a corresponding entry exists in the database. Typically, databases are tabulated with “user” columns as well as “username” and “password”. For importing the Web application, the script lines (pseudo-code) for accessing the Web server can be as follows:
uname = request.POST['username'] passwd = request.POST['password'] sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'" database.execute(SQL)
An attacker can now manipulate the password field using SQL injection, for example by entering password ‘OR 1 =’ 1, which leads to the following SQL request:
sql = "SELECT id FROM users WHERE username='' AND password='password' OR 1='1'
By doing so, he can access all the user tables in the database, the password is always valid (1 = ‘1’). If he logs in as an administrator, he can make any changes he wants. Otherwise, it is the “username” field which can also be handled in this way.
Example 2: Computer spying by ID manipulation
Soliciting information from a database by ID authentication is a common method. However, this is a gateway for SQL injections. A web server then knows, by means of the ID data transmitted by the URL, which information from the database it must call. The corresponding PHP script looks like the following:
<? php #Request on database using an ID $ id = $ _REQUEST ['id']; $ result = mysql_query ("SELECT * from tab WHERE id = $ id"); # Result display... ?>
The expected URL has the form… / script.php? Id = 22 . In this case, the array entry is called with the ID 22. If an external user has the opportunity to manipulate the requested URL and instead sends the request to the web server… / script.php? Id = 22 + or + 1 = 1, the called mysql_query result will not only read the entry with ID 22, but all the data as well.
SELECT * FROM table WHERE id=22 or 1=1
⚠️ Types of SQL Injection Attack
SQL injection involves inserting malicious code into websites and web applications in order to compromise the targeted site and collect user data. As the name suggests, SQL injection attacks SQL databases (Structured Query Language), the backbone of a website. Read on to learn more about the top five types of SQL injection attacks.
SQL injection attacks are classified into five types depending on their technique.
Boolean Blind SQL Injection
Boolean Blind SQL Injection is an inferential injection technique very similar to the Time-based SQL Injection. Specifically, hackers will send an SQL request each time, with the intent of listing the database. Based on the response you get, it will evaluate if your cargo has been sent correctly. However, instead of measuring their requests, they will combine the expressions TRUE and FALSE. As with the Time-based SQL Injection, these attacks can be very slow, especially when a hacker is attacking a large database.
Error-Based SQL Injection
Another type of SQL injection attack within the band, Error-Based SQL Injection is a technique that allows hackers to take advantage of error messages returned by the server to get information about the structure of the attacked server. Hackers make invalid requests on purpose to trigger error messages.
SQL injection based on union
In this technique, the user combines requests using the SQL UNION command and retrieves the result as a partial HTTP response. The binding SQL injection is a type of SQL injection attack within the band that a UNION SQL operator uses to easily extract the requested information from the attached database. The UNION operator allows the user to simultaneously extract data from multiple tables consisting of the same number of columns and the same type of data. Hackers can collect the information they need if they inject the SELECT statement, but for the attack to be successful, they have to know the exact number of the table, the number of columns and the type of data.
Time-Based Blind SQL Injection
Blind SQL Time Injection is a technique that involves the measured sending of SQL requests to the database to evaluate the result of the request. The query in question will force the database to wait before returning a result, which will be TRUE or FALSE. Based on the waiting time as well as on the response itself, the hacker can evaluate if his load has been sent correctly. The biggest drawback of this SQL injection is its duration since the hacker has to list one character in the database each time.
Out of band SQL injection
When an attacker exploits the SQL injection, the Web application sometimes displays error messages from the database, showing that the syntax of the SQL query is incorrect. The blind SQL injection is almost identical to normal SQL injection, the only difference being how the data is retrieved from the database.
When the database does not return data to the web page, an attacker is forced to steal data by asking it a series of true or false questions. This makes it more difficult, but not impossible, to exploit the SQL injection vulnerability.
Notice that the example has been simple but devastating. There are more complex SQL injections, but with the following advice you can knock them out in a simple way.
⚠️ SQL Injection Vulnerability in WordPress
To reduce the vulnerability of SQL injection in your WordPress application, the foremost condition is that you must use existing WordPress functions while accessing your database. These functions are subjected to comprehensive tests for the mitigation of SQL injection vulnerabilities during the development of WordPress application. To highlight an example, you should use the existing function wp_insert_comment() while adding a comment to a post and not add data directly into the wp_comments table.
Though most of the functions are flexible, there may be a requirement to perform an unusual query, so in that case, you should use the $wp_db set of functions. You can use $wpdb->prepare() function to avoid user input until the query is created.
Although WordPress itself is secure, issues such as outdated core software and nulled plugins can lead to vulnerabilities. While there is no alternative but to carefully check the SQL injection vulnerability of your WordPress site, the complexity of a website can make this task difficult.
Handling SQL Attacks in WordPress
WordPress have measures in place to protect wordpress site from SQL attacks.
These mainly comprises of two steps:
- Data validation: It ensures that the data is received in a specific format
- Data sanitization: It ensures that you are not entering more than what is required. For instance, in the phone number field, WordPress will prevent you from entering over say 10 digits.
Still website can easily be hacked. Since WordPress website consists of plugins and themes, these plugins may contain SQL vulnerabilities. Below we will talk more about WordPress plugin SQL vulnerabilities in detail.
Consequences: SQL Injection Attack in WordPress
Even if you don’t see anything weird, your website may be infected. One of the big problems of SQL injection infected pages is that this infection goes unnoticed by the webmaster. Although many times it is very difficult to realize that your website has been hacked, it is important to know how to read between the lines. An infected web page can give us some clue –
- The browser warns you of the danger of visiting your website. Normally, browsers will display a message similar to this: “Attention: this page may damage your device”
- Your antivirus detects that your page is not secure
- Files are downloaded automatically
- Some link to your page redirects to a website you don’t know
- When you search your website, strange sites appear as offers of products that are not your own
The consequences of SQLi vulnerabilities are severe. These are just some of the basic consequences you’d have to face once your site is hacked –
- The exploitation of Sensitive Data: Sensitive information stored in databases like user credentials, medical records, transaction records can be stolen. [🔥Related Read – Prestashop Hacked, WooCommerce Hacked]
- Loss of Data: The hacker ends up deleting a critical piece of information.
- Declining Performance: Malicious activities carried out by hackers tend to make your site slow and unpopular. You are likely to experience a decline in traffic too.
- Falling SEO Rankings: The search engine detests slow WordPress websites and ranks them low if they are infected with Japanese Keywords hack.
- Tainted Reputation: Hacked WordPress sites could be used to redirect visitors to a different website using WordPress malware redirect . Often the second website is found pulling off malicious activities riding on your reputation.
- Being Blacklisted and Suspended: Google wants to ensure a safe browsing experience for its users, therefore, the search engine giant blacklists hacked wordpress site. (🔥 See – Remove Google blacklist warning message)
SQL injection attacks will have a negative impact on your business, especially if you rely on your website for earnings. Indeed its impact on your website is frightening, but don’t worry, if your site has been hacked it can be cleaned with the help of WPHH experts.
⚠️ WordPress Plugin SQL Injection Vulnerabilities
WordPress is the most preferred Content Management System (CMS), and is considered to hold close to 61% market share, which fairly indicates that it is being used in about 34% of all the websites.
52% of associated vulnerabilities highlighted relates to WordPress plugins. Such a whopping number signifies that targeting WordPress plugins is one of the preferred territories for cyber criminals. The SQL injection method is being used by cyber criminals for quite some time now, and it casts grave security threats to web applications and web servers. Below we have listed some of the discovered sql vulnerabilities found in plugins.
SQL Injection in AdRotate Plugin through 5.2 for WordPress
[CVE ID: FG-VD-19-092]
This vulnerability is a typical SQL injection which is found in the AdRotate plugin through v5.2, and can be traced in both the FREE and PRO versions. The effect of this vulnerability can be exposed in dashboard/publisher/adverts-edit.php, at line 25.
Above image indicates that the SELECT statement in adverts-edit.php is used to fetch advertisements from the DB.
The SELECT statement in adverts-edit.php is used for getting advertisements from the DB.
The variable $ad_edit_id is used to create a SQL query. This variable is retrieved from $_GET, in the adrotate_manage function:
In this image, $ad_edit_id is controllable by users.
Since esc_attr only escapes HTML attributes and $ad_edit_id is not escaped with double quotes in the SQL query, we can execute an arbitrary SQL statement by injecting payloads into $ad_edit_id.
Even though only Administrators are authorized to access the management interface, an absence of CSRF token facilitates unauthenticated attackers to hijack information remotely, (this includes session tokens), with bare user involvement by deploying this SQL injection vulnerability to cause an XSS:
Above image shows XSS caused by SQL Injection.
The patch created by the developers is simply adding quotes to $ad_edit_id in the query.
See above image with AdRotate SQL injection vulnerability patch in version 5.3.
SQL Injection in Impress Give Plugin through 2.5.0 for WordPress
This vulnerability can be found in the get_order_query function in includes/donors/class-give-donors-query.php.
As highlighted in the comment, the get_order_query attempts to eliminate non-existing columns for the ORDER BY clause, and arrange values by applying the esc_sql helper function.
The removal does not happen as desired because once a non-existing column is unset in line 467, an escaped value is reinserted in line 470. It’s a common notion that esc_sql is not effective in preventing a SQL injection attack within the ORDER BY clause.
So, the constructed query still remains vulnerable. The similar Blind-SQL injection technique can be deployed to exploit this vulnerability.
A plain single line patch from Impress team facilitates the filter to work as desired, making the query absolutely safe.
Above figure shows the patch from the Impress team for Give Plugin.
Other vulnerabilities demonstrated the same vulnerable code pattern, and the corresponding patches are fairly similar.
SQL Injection in NextGEN Gallery Plugin through 3.2.10 for WordPress
The downside happens in an AJAX API, which enables users to attach or upload photos from galleries at the time of writing posts.
Above image indicates, user-supplied input being processed in get_displayed_gallery_entities_action.
The function get_displayed_gallery_entities_action in modules/attach_to_post/package.module.attach_to_post.php is responsible for displaying photos in selected galleries. A keyed array param displayed_gallery is retrieved via the POST method to create a gallery object in line 119. Attributes of the object are escaped by the esc_sql helper function. Then get_entities is called in line 130, which leads us to the get_entities function in modules/nextgen_gallery_display/package.module.nextgen_gallery_display.php.
get_entities call a corresponding function based on a return request.
In this figure, get_entities call a corresponding function based on a return request.
Since the return request has a value of both, the _get_image_entities in line 832 is called.
In the above image, _get_image_entities gets all images in the displayed gallery.
This function simply constructs a query that fetches all images in the displayed gallery. As evident in line 1041, it applies a sorting order procedure constructed on $sort_by and $sort_direction, which are extracted from the created gallery object.
An authorized user with requisite permission to access NextGen Gallery can alter the params to create this gallery object.
Even though all attributes of the object are escaped with esc_sql, the attackers actually do not have to escape quotes to perform an SQL injection attach within the ORDER BY clause. As a result, esc_sql is not able to avoid the NextGEN Gallery from being exploited.
It shows , Blind-SQL injection in NextGEN Gallery.
- A true case returns all images in a selected gallery.
- A false case will return an empty result.
Resembling the same pattern, the security experts were able to identify seven additional plugins that were also vulnerable to SQL injection attack. One such plugin, in fact, attempted to whitelist the sort values but was unsuccessful because of a small coding error.
How To Detect & Fix WordPress SQL Injection Attack?
One can take the help of WordPress Vulnerability Scanners like WPScan or ThreatPass . Existing plugins should be periodically checked for their performance and functionality, more so where their development is suspected to be sluggish or stopped. For plugins whose development and support are not happening, they should not be deployed on your WordPress application.
Apart from that, be sure to follow these checks:
- Avoid using the root user to connect the SQL database
- Limit accesses of the SQL user to sensitive directories
- Update PHP, WordPress core, and MySQL
- Block SQL keywords using your server
- Keep backups of your site off-site in case of irreversible damage
- Update third-party plugins and themes
However, if there is still a necessity to use such plugins, their syntax and performance should be thoroughly tested. Here is a detailed post on WordPress Security and an exhaustive list of checks. Besides, one should take care of the below mentioned checks to augment WordPress Security. Also, you may take advantage of these top security plugins for WordPress. Here’s what you should do if your WordPress site is compromised despite following all the safety measures.
Another of the options that we can use to perform an analysis of our code is the use of tools that our applications test in search of vulnerabilities by SQL injection. Some of these tools are:
SQLI Hunter v1.2: This is an application whose objective is to facilitate the extraction of information from databases using SQL injection techniques. Once the URL that we want to analyze is indicated, the application will make requests by injecting SQL code in order to check if it is really vulnerable.
Pangolin: This is a payment tool that offers more possibilities than the one seen in the previous point and is designed to discover vulnerabilities of both SQL injection and blind SQL injection.
SQLMap: This is an open-source testing tool that automates the process of detecting and exploring SQL injection errors
WP Hacked Help: It has one of the most powerful scanners to detect suspicious codes available today for WordPress. It will allow you to monitor your blog in real-time, it will notify you of any changes to your administration files, it will detect suspicious codes and SQL injections, will automatically block repeated connection attempts or spammers.
WP Hacked Help also allows you to perform a complete scan of your blog in order to detect a possible hacking. It will detect intrusions, be able to quarantine them and even perform a backup and restore your database. The detection system works in real-time.
After you have detected SQLi, proceed with further steps given below:
- Disable admin privileges to the database.
- Clean the UDF files used by the attacker to obtain OS shell.
- Change the encrypted passwords to strong values.
- Check for port 3306.
Perform DB cleanup:
show tables;. Check for a table titled Sqlmap.
Step2: If present, Delete the table using
Drop table Sqlmap;.
Step3: Now, look out for new users using the following code.
Select * from users as u
AND u.created > UNIX_TIMESTAMP(STR_TO_DATE('Oct 15 2018', '%M %d %Y '));.
Step4: Delete the rogue user using the following command.
DROP USER 'malicious'@'localhost';.
Step5: Change your passwords to a secure one. Use the following code for it.
WordPress SQL Injection Protection
Proper WordPress site maintenance makes it easy to avoid SQL injection attacks. Such maintenance includes continuous monitoring of SQL commands for all applications related to the database, regular updating of databases and patches, as well as the purchase of reliable firewall software to protect the database.
As these attacks target websites using dynamic SQL, you must take the necessary measures to minimize user action in the construction of your orders. Where possible, provide users with ready-made commands and a list of options from which to choose rather than the ability to enter their own command. It is also important to use input validation to avoid problems with escape characters. Also, don’t forget to enable context data filtering. For example, only allow digits for phone numbers.
In a few rare cases, hackers can also use SQL injection attacks to compromise trusted sites with malware & ransomware. As soon as you visit an infected site, the malware downloads without your consent. Once installed, hackers can access your browsing history, personal information and even your keystrokes. To avoid such a situation, be sure to use the best antivirus software that will protect your data from viruses, malware, and other possible threats.
SQL injection attacks account for more than a quarter of the hacks recorded on the Web. Find out how to avoid this type of attack.
🛡️Don’t use cracked WordPress extensions:
There are thousands of pirate plugins and themes on the Internet. Users can download them for free from various Warez or torrent sites. Unfortunately, most of them are infected with malicious codes.
If you want a healthy site, stop downloading cracked extensions as you will end up paying more for a seasoned developer to clean up your website! Official sites offer you forums where you post queries on the plugin or the theme you have purchased. And queries are usually resolved by software developers.
🛡️ Clean requests for special characters:
As you have seen before, the injection has canceled the query of the password field by adding a single quote, although we could also have used a double quote. There are several ways to escape these special characters, for example, in PHP we have the mysql_real_scape_string () function that enables these types of characters not to interfere with the purpose of the query itself.
🛡️Always verify the data sent:
Check that there are no strange characters. If the field is an email, check that the sent one has the same format as an email. If it is a phone number, check its length and format as well. If what the user has to enter is an integer, validate that this is so. That is, verify that the data received is of the correct type and you will save yourself a lot of trouble.
Be very vigilant at all levels of your website, never trust the data entered by the user. Each connection form, search form, URL parameters (for pagination in particular) are all risks of attack by SQL injection.
🛡️ Check all your variables:
With PHP in particular, it is now possible to use libraries that will “prepare” your requests before their execution. The “preparation” of the requests consists in particular in the validation of the data and the escape of the special characters which can compromise the request.
The best known of these libraries is called PDO, but recently with PHP, this function is included as a base in the new MySQLi class.
🛡️ Install WordPress updates
Since a large part of the web is managed by WordPress, it is a lucrative target for hackers and they constantly find and exploit vulnerabilities either in the main code or in the code of plugins and themes. Fortunately, the entire WordPress developer community is actively updating its code, closing any holes found by hackers, often within hours.
But if you don’t run the updates, you won’t get the benefit of these fixes. There is no excuse for not keeping your site up to date. WordPress has automatic and one-click update features that allow you to update all plugins, themes, and main code for your site in one go.
🛡️ Perform regular backups
Of course, it’s a good idea to make a backup first, just in case something unfortunate happens during the update.
It is not difficult to make a backup of your WordPress site. There are a bunch of free plugins out there, and you can even do that by just copying files and backing up your database. There are also many excellent plugins and services that automate the process for you.
🛡️ Hide error messages:
Error messages can give valuable information to hackers on your database, in particular: Name of the database, table name, etc. It is important not to make this information accessible, so it is advisable to hide the error messages. likely to appear on your site. On our shared hosting, you can manage this directly from your customer area in the PHP configuration by setting the configuration variable display_errors to Off.
🛡️ At the database level:
Whenever possible, your site or application should not connect with root rights to the database server, otherwise, a hacker could take control of the entire database server. To create a specific user for your site.
Encrypt sensitive data in your database such as user passwords. This will not protect you directly against SQL injection but it will limit the damage in the event of attacks. Even today, many attacks reveal systems where passwords are stored in the clear in the database.
How To Prevent SQL Injection Attack In WordPress?
When developing an application, it is very complicated to create a completely safe tool at the first change. The lack of time and the intervention of several programmers for their development are factors that play against security. Despite these inconveniences, security measures can always be taken to help us develop more robust applications, outside these types of problems.
Here are some tips to avoid suffering the attack by injection of SQL code in our developments:
🚧 Escape the special characters used in SQL queries
When talking about “escape characters” we are referring to adding the backslash “\” in front of the strings used in SQL queries to prevent them from corrupting the query. Some of these special characters that are advisable to escape are double quotes (“), single quotes (‘) or characters \x00 or \x1a as they are considered dangerous as they can be used during attacks.
Different programming languages offer mechanisms to escape these characters. In the case of PHP, we can opt for the mysql_real_scape_string () function, which takes as a parameter a string and modifies it avoiding all special characters, making it completely safe to be executed within the SQL statement.
🚧 Delimit the values of the queries
Although the value of the query is an integer, it is advisable to always enclose it in single quotes. An SQL statement of the type:
SELECT name FROM users WHERE id_user = $ id It will be much more easily injectable than: SELECT name FROM users WHERE id_user = '$ id' Where $ id is an integer.
🚧 Always verify the data entered by the user
If in a query we are waiting to receive an integer, do not trust it to be so, but it is advisable to take security measures and make the verification that it is really the type of data we are waiting for. To do this, the programming languages offer functions that perform this action, such as ctype_digit () to know if it is a number or ctype_alpha () to know if it is a text string in the case of the PHP language.
It is also advisable to check the length of the data to rule out possible SQL injection techniques since if for example, we are waiting for a name, an extremely long string can assume that they are trying to attack us by this method. In the case of PHP, we can use the strlen () function to see the size of the string.
🚧 Assign minimum privileges to the user who will connect to the database
The user we use to connect to the database from our code must have the right privileges to perform the actions we need. Never use a root user with access to all databases because in this way we will be giving hackers facilities so they can access all the information.
🚧 Use Secure WordPress Theme & Plugins
Always use a theme/plugin that updates frequently. Most of the vulnerabilities including SQL Injection in WordPress were discovered in the plugins and themes. Keep an eye on the updates, fixes and adapt accordingly. If you are using nulled themes, make sure to scan wordpress theme for malware. WordPress theme security is an importent step in preventing sql injection in wordpress. To narrow down your search, we have compiled a list of Secure Multipurpose WordPress Themes in 2020
Same goes for plugins as well. Make sure to download plugins which are secure and trusted especially contact form plugins and subscription boxes plugins. Make sure to install WordPress security plugin. We have compiled a list of best wordpress security plugins for 2020 here.
🚧 Hide WordPress Version
To hide Wothe rdPress version, just copy and paste below the line of code into the functions.php file of your active theme.
- remove_action(‘wp_head’, ‘wp_generator’);
🚧 Schedule well
Although it may seem silly, there is no better measure to avoid these types of attacks than to make good programming, putting into practice the basic needs and interest to develop a totally secure application.
In addition to the measures we can take when implementing the code, we can always go to code audits to ensure that we have not left any type of doors open, although they are usually expensive processes carried out by third parties.
Sql Injection WordPress Exploits are very powerful attacks and knowing how to protect them has become essential. With what is explained in this article you will be able to face the vulnerabilities of the web projects that you develop in the future against SQL injections. We hope it has helped you. Have you ever had a problem with SQL injection? If you ever faced any kind of WordPress SQL Injection attack, Get in touch with us HERE.
Useful Resources for developers – SQL injection cheat sheets