Previously, SQL Injection was the most basic and widely used hacking technique to manipulate the WordPress database. Nowadays, Cross Site Scripting (XSS) is popular and become the number one method to hack a WordPress site.
In this guide, I will be covering the basics of WordPress SQL Injection and how one can get rid of it. In the next part, I will be covering Cross Site Scripting. Let’s get started!
- What Is SQL Injection?
- Entry Points for SQL Injection Attacks
- Why Are SQL Injection Attacks Common?
- How SQL Injection Works?
- Ways to Prevent SQL Injection in WordPress
What Is SQL Injection?
SQL Injection is the result of loopholes in the backend coding. An attacker can easily abuse the input fields by inserting malicious code that could execute SQL commands and can Create, Retrieve, Update, and even Delete the data in the database.
SQL is the short-form for Structured Query Language — the most widely used language for the database in the web development. Here are the few most popular database engines that use SQL.
Databases Using SQL
- MS SQL Server
As you can see, MySQL is at the top of the list because it powers more than 70% of the World Wide Web (WWW). WordPress that uses SQL alone has contributed to more than 29% of WWW and has become the most attractive target for attackers.
Entry Points for SQL Injection Attacks
All input fields are considered as the most common entry points for SQL Injection attacks. In the Layman’s term, we can say:
- Sign up forms
- Login forms
- Contact forms
- Site searches
- Feedback fields
- Shopping carts
Why Are SQL Injection Attacks Common?
There can be the multiple reasons for this, but, here are the most common that I recall while writing the guide.
- Most of websites database are based on SQL
- WordPress – the most widely used CMS uses SQL for database
- Nearly all websites have input fields to collect information from their visitors
- All websites have at least one of the SQL Injection entry points
- SQL Injection scanning tools are readily available online
- It does not require any technical complexity to exploit
How SQL Injection Works?
For instance, you have a contact us form where one needs to enter a phone number. There should be certain criteria like one should enter the limited numbers only with a proper format.
Most of the developers that do not know the input validations might set this field as the plain text meaning one can enter any string that can be the malicious code too. By using some altered SQL queries, one can request the admin username and password.
Few Examples of WordPress SQL Injection
You can find a lot of SQL Injection vulnerabilities with a simple Google search. But, today, let me share the recent vulnerability in the WordPress reported back in Sep 2017. WordPress Core was not directly affected by this vulnerability, however, a patch (WordPress 4.8.3) was released to prevent from affecting WordPress plugins and themes.
Anthony Ferrara – the man behind above vulnerability wrote an extensive guide on WPBD SQL Injection, how it can affect a WordPress site and the precautions to every WordPress user.
There is no foolproof way to secure a WordPress site. In fact, even WordPress security plugin was affected in the past. In 2014, one of the most popular security plugins demonstrated TWO vulnerabilities that allowed for SQL injection.
Ways to Prevent SQL Injection in WordPress
As said earlier, there is no way to completely get rid of hacking attempts. However, one can minimize the risk of getting hacked. Here are some of the most common practices that can help to prevent such attacks.
– Scan for SQL Injection Vulnerabilities
You can find a number of online tools to scan your WordPress site. I have shortlisted the top rated, all you need to do is just enter the WordPress site URL and start scanning for discovered vulnerabilities.
- WordPress Security Scan – Checks for basic vulnerabilities on your WordPress site. Advanced scans are available with a premium upgrade.
- Sucuri SiteCheck – Your WordPress site can be checked for known malware, blacklisting status, errors and if your site is out-of-date.
- WPScan – A self-hosted vulnerability scanner that is free for personal use. You can also get a paid license for commercial use.
By running a scan report, you can see exactly which areas need to be focused to improve WordPress security.
Update, Update, Update!
The most important for every WordPress user! Keep everything updated including WordPress core, theme, and plugins.
– WordPress Core
According to the official WordPress stats, only 42.3% of WordPress sites are using the latest version (4.9.x). All previous versions can be vulnerable and might result in getting hacked. In the above example of SQL Injection vulnerability, you see, all the sites that are below the latest version are vulnerable to the discovered vulnerability. If your site got hacked, I hope, you know who will be the responsible!
– PHP Versions
PHP, the backend of WordPress has been improved a lot over the last few years. A lot of patches and performance oriented changes have been made. But still, more than 40% of WordPress users are using PHP 5.6 that can be one of the factors for SQL Injection in WordPress.
Note: If your WordPress hosting does not support the latest versions of PHP, it’s time to switch the host immediately to a managed WordPress hosting that supports latest versions of PHP like Cloudways.
– WordPress Theme & Plugins
Most of the vulnerabilities including SQL Injection in WordPress were discovered in the plugins and themes, not the WordPress core. Keep an eye on the updates, fixes and adapt accordingly.
If a theme and plugin are not updated regularly, that can be a question mark on your WordPress site. Always use a theme/plugin that updates frequently.
Note: Before performing an update, check the compatibility between the WordPress core, themes, and plugins to make sure your site is working as it should be. To test, you can make a copy of your live website, and then check the compatibilities in WordPress staging environment.
– Use Trusted Form Plugins
If you run a business or even a simple blog, you must know the importance of forms like Registration Forms, Login Forms, Contact Forms etc. With a number of plugins available in the WordPress repository, it’s hard to find the best one. Therefore, to narrow down your search, we have compiled a list of best WordPress Form plugins.
Note: Don’t forget to check out the previously discovered vulnerabilities and its resolution before choosing any plugin.
– Hide WordPress Version
It is always suggested not to display the WordPress version publicly. Having this information publicly available can make the way easier for attackers to exploit known vulnerabilities on a particular version.
To hide WordPress version, just copy and paste below the line of code into the functions.php file of your active theme.
– Change Database Prefix
When you install WordPress, by default, the database prefix sets to “wp_”. Most of the WordPress users ignore and just install with the default settings. Guessing the database tables become easier to exploit using SQL Injection techniques.
Do not worry, if you already have WordPress installed. There is an excellent guide on how you can change database prefix in WordPress.
Backups may not be directly related to SQL Injection. But, it can help you to recover a hacked site. WordPress backups can be stored in two ways:
- Local Backup: The backup that is generated automatically and/or manually and is located on your hosting provider. It is not suggested to keep a local backup if you are with a shared hosting, once a server is compromised you may also lose the backups. However, if your server is in good hands like Cloudways, then you can keep local backups for WordPress.
- Offsite Backup: Automated and/or manual backups will be generated and sent to the desired off-site storage location like Google Drive, Dropbox, Amazon S3 etc. We have written an extensive guide to back up WordPress site.
– Keep Logs
Dre Armeda, the co-founder of Sucuri once said:
People Are And Will Continue To Be The Biggest Security Issue With WordPress.
Meaning, you have to do your share. Keep an eye on the changes and you should keep a log of everything that is happening on your WordPress site. It will help you to track the changes done by You and/or an attacker so that you can act accordingly.
There is an excellent WordPress security audit log plugin that will surely help you out! Additionally, your hosting provider also keeps logs of everything. Keep reading the logs occasionally.
As said earlier, there is no foolproof way to protect a WordPress site. There is always a possibility to get hacked, this can be because of the vulnerability in the core, theme, and plugins. That’s why it is always suggested to be UPDATED! SQL Injection has been controlled a lot in the last few years.
If you ever faced any kind of WordPress SQL Injection attack, share your experience and also how you get rid of it. I’m sure, it would help other WordPress users.