Protect WordPress against SQL Injections

This is a guest article by Melissa Dean. You too can be part of this great knowledge sharing community. Take a look at our guest blogging guidelines.

SQL injections are far more frequent than you would believe. An attack that starts with several thousand web sites has the potential to reach more than a million within days. The mechanism of infection itself remains unchanged; only the scope of the damage changes, and it is growing at an exponential rate, even though modern frameworks have built-in protection systems that frequently manage to thwart SQL injections. The injection inserts a random bit of HTML that redirects the user to a sham anti-virus site, where they are told they have been infected.

How do you know you are at risk?

It takes a while to prepare SQL injection attacks. One was registered in October, but it took until December to show up on the radar. However, most infections have occurred recently. The sites that become infected generally share the same structure, with .php files. Only sites built on Microsoft SQL Server 2003/2005 are affected. The affected sites are quite heterogeneous, and include a large number of university and international government sites.

Know the enemy

To protect your site, you should know how the malicious script gets into a database. The injected SQL runs a loop over the database: it finds every ordinary table by searching the system objects catalogue, then embeds the harmful script into every column of each table. Because the technique relies entirely on that system objects table, it is usually only Microsoft SQL Server databases that are hacked.

Protect your site

So how do you protect yourself against these vicious attacks? The standard protection measures apply: use prepared statements, filter input, and use whitelisting where it is possible to filter for control characters and blacklisting where it is not. Server admins should watch for files that materialize as if out of thin air in the httpdocs directory; that is how malware gets embedded in your system. The attack is major and vast in scope, and the script is very hard to get rid of. Users of security software firm CA, whose site was hacked, are being redirected to a Chinese-hosted malware site.

Urgent measures

How do you deal with a SQL injection? First, take every infected page on your web site offline at once. If you can, find out where, how, and when the system was hacked. Talk to (and by all means hire!) a professional who can detect every page that is vulnerable to SQL injection, and get them fixed. Every single page must be fixed, because even one vulnerable page is enough to corrupt all your data. Then roll your database back to a state from before it was hacked. If your RealPlayer is vulnerable, install the RealPlayer patch so that it cannot be exploited. Get a reliable AV system, such as AVG. Keep in mind that even if you manage to contain the damage to your own system, your clients will spread it, because they download the script as they browse your site; that could be damaging if their RealPlayer is vulnerable. Meanwhile your site is not working properly, and you are embarrassing yourself in front of your clients. Think about it and do not dawdle, waiting for things to fix themselves!

  • My site got hacked once by XSS injection in my contact form. It is very hard to remove.

  • Sue

    Well, I sure didn’t know about this exploit. I just finished checking all the directories and DB tables, updated my DirectAdmin and WP installation to the latest version, and checked with a few security plugins; all seem to be okay so far. Thank you for the warning.

  • I heard about SQL injection and XSS, but I never knew it could be so dangerous. So far I haven’t had problems. I always updated my WordPress as soon as I could. Maybe that helped too.

  • I heard about SQL injection attacks several years ago, ever since I started developing applications that consisted of a backend database. Such attacks are definitely dangerous, especially if sensitive data is stored in the database.

    As for XSS injection, that one is fairly new to me, and while I have heard of it, I haven’t done much research on it.

  • Thanks for enlightening us on this subject, Melissa.

    On the area of prevention, which you also touched on, I was wondering if you’ve used the “WordPress Firewall Plugin” and what your view is on how good it is. I am using it, and it regularly sends emails about attempted SQL injections it has blocked.

  • Thank you, Melissa. Really, it’s too important to know about SQL injection. I appreciate your guidelines. You can also apply these steps to protect your application from SQL injection:

    1. Constrain input.
    2. Use parameters with stored procedures.
    3. Use parameters with dynamic SQL.
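
The article's advice above (prepared statements, input filtering, whitelisting) and the three steps in this comment come together in the following script. It is an added example, not code from the article or from WordPress: it runs the same post lookup against an in-memory SQLite database through PHP's PDO, so it needs only PHP with the pdo_sqlite extension, and the table and rows are constructed here for the demonstration. In WordPress the equivalent of the prepared statement is `$wpdb->prepare()` with `%s` and `%d` placeholders; the shape of the fix is the same.

```php
<?php
// Added example, not part of the original article: one lookup written
// the vulnerable way and the hardened way, plus whitelisting for the
// parts of a query that cannot be bound as parameters.
// Table and rows are constructed for the demo (in-memory SQLite via PDO).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, status TEXT)');
$db->exec("INSERT INTO posts (slug, title, status) VALUES
    ('hello-world', 'Hello world', 'publish'),
    ('draft-notes', 'Private notes', 'draft')");

// 1. Vulnerable: untrusted input is concatenated into the SQL text, so a
//    quote in the input ends the literal and the rest is parsed as SQL.
function find_post_unsafe(PDO $db, string $slug): array
{
    $sql = "SELECT title FROM posts WHERE status = 'publish' AND slug = '" . $slug . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Hardened: the value travels as a bound parameter ("use parameters with
//    dynamic SQL"); the database never sees it as part of the statement.
function find_post_safe(PDO $db, string $slug): array
{
    $stmt = $db->prepare('SELECT title FROM posts WHERE status = :status AND slug = :slug');
    $stmt->execute([':status' => 'publish', ':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Constrained input: identifiers such as an ORDER BY column or the sort
//    direction cannot be bound as parameters, so they are checked against a
//    fixed whitelist before being placed into the statement.
function list_posts_sorted(PDO $db, string $column, string $direction): array
{
    $allowedColumns    = ['id', 'slug', 'title'];
    $allowedDirections = ['ASC', 'DESC'];
    $direction = strtoupper($direction);
    if (!in_array($column, $allowedColumns, true)
        || !in_array($direction, $allowedDirections, true)) {
        throw new InvalidArgumentException('Sort column or direction not permitted');
    }
    $sql = sprintf('SELECT slug FROM posts ORDER BY %s %s', $column, $direction);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// A slug containing a quote and a tautology (constructed probe input).
// The unsafe lookup turns it into "... AND slug = '' OR '1'='1'", which
// matches every row including the unpublished draft; the safe lookup
// compares the whole string literally and matches nothing.
$probe = "' OR '1'='1";
var_dump(find_post_unsafe($db, $probe));
var_dump(find_post_safe($db, $probe));
var_dump(find_post_safe($db, 'hello-world'));
var_dump(list_posts_sorted($db, 'slug', 'desc'));

// Whitelisting rejects anything that is not a known column or direction.
try {
    list_posts_sorted($db, 'slug; DROP TABLE posts', 'asc');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

The point of the third function is the one the comment's "constrain input" step is really about: parameters protect values, but table and column names, sort directions and LIMIT clauses built from user input still need a whitelist, because there is no placeholder for them.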

  • This article is awful. Really, the no# returned article for ‘protect wordpress against sql injection’?? It has no detail, no substance; bits of it appear to be talking about one single infection, whilst other bits are trying to talk about infections in general. It offers no WP-specific detail about how to protect WP installations or clean them, just generic, very vague DB protection hints. Seriously, what was the point in Google returning this to me when it provides no information whatsoever? Just a waste of my time reading it.

  • rnd technologies

    Good think.