09 Nov
Posted by Sherif as Security
I found out the hard way that some customer sites were attacked by “SQL Injection”.
This left me feeling disheartened, depressed, and extremely disappointed by what happened.
I recently went ahead and set up a test WordPress site with the default installation from Fantastico, and sure enough the site was hacked.
Unfortunately, a default install of WordPress is not as secure as anyone would wish, so extra preventive measures are essential.
What happened here is that the hackers updated 2 records in the options table. These records contain the blog name and the site’s URL.
To fix the issue, I just updated these 2 records, and sure enough the site was back to normal.
To avoid this, you need to make sure that no one but you has access to the wp-admin directory.
Here is how you can do it:
Create a new file called .htaccess (hypertext access) and store it in the wp-admin folder under your main WordPress installation.
.htaccess files control access on a per-folder basis, so you can place a copy in every folder whose access you want to restrict.
Add the following and save the file:
# allow requests for images, CSS and some JavaScript files only
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
# allow only from your ISP
Order deny,allow
# substitute your static IP address for 00.000.00.000 (Apache comments must be on their own line)
Allow from 00.000.00.000
Deny from all
Substitute 00.000.00.000 with your IP address. You can easily find it by going to http://showip.net.
This will allow access only from your browsing location. If you want the flexibility of a wider range for reaching the admin area, enter 00.000.00. instead of 00.000.00.000; note that a partial address like this admits every host whose address starts with those octets, not just your own machine.
Test by going to the Site Admin link and logging into your admin area.
You should get in with no issues.
Log out, then log in again from a proxy site. Instead of the login screen you should get an error page, because Apache refuses the request from that address.
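As an added example (not code from the post), here is a small Python model of how Apache 2.2 evaluates the rules above, so you can check what a given visitor address would get before you lock yourself out. It goes a little beyond the post: it also handles Order allow,deny and the partial-address prefix from the widening tip. The address 203.0.113.7 is a hypothetical stand-in for your static IP.

```python
import re

# Constructed copy of the post's wp-admin/.htaccess; 203.0.113.7 is a hypothetical stand-in for your static IP
HTACCESS = """<Files ~ "\\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Order deny,allow
Allow from 203.0.113.7
Deny from all"""

new_scope = lambda: {"order": "deny,allow", "allow": [], "deny": []}  # mod_access defaults

def parse(text):
    dir_rules = cur = new_scope()
    files_rules, pattern = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):  # comments occupy whole lines in Apache
            continue
        m = re.match(r'<Files\s+~\s+"(.+)">$', line)
        if m:                                  # open a <Files ~ "regex"> scope
            pattern, cur = re.compile(m.group(1)), new_scope()
        elif line == "</Files>":
            files_rules.append((pattern, cur))
            cur = dir_rules
        else:
            key, _, val = line.partition(" ")
            if key == "Order":
                cur["order"] = val.strip().lower()
            elif key in ("Allow", "Deny"):
                cur[key.lower()].append(val.partition("from")[2].strip().lower())
    return dir_rules, files_rules

def host_matches(spec, ip):
    # 'from' argument: all, full IP, or partial IP by leading octets (trailing dot optional); no hostnames/CIDR
    if spec == "all":
        return True
    want = spec.rstrip(".").split(".")
    return ip.split(".")[:len(want)] == want

def decide(rules, ip):
    hit = lambda key: any(host_matches(s, ip) for s in rules[key])
    if rules["order"] == "allow,deny":          # default deny; Deny wins conflicts
        return hit("allow") and not hit("deny")
    return hit("allow") or not hit("deny")      # deny,allow: default allow; Allow wins

def is_allowed(htaccess, path, ip):
    dir_rules, files_rules = parse(htaccess)
    hits = [r for p, r in files_rules if p.search(path.rsplit("/", 1)[-1])]
    # a matching <Files> section replaces the directory-level rules rather than merging with them
    return decide(hits[-1] if hits else dir_rules, ip)
```

Call is_allowed(HTACCESS, "index.php", "<visitor ip>") for the addresses you care about; the static-file exception and the widened prefix can be checked the same way.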
Please do yourself a favor and do it. If you need any help, let me know.
12 Responses
Alex Yeo
November 10th, 2007 at 4:01 am
Hi Sherif,
You mean you set up a new WP blog recently and got hacked? That’s fast! There are millions of blogs and why did the hackers target you?
I have got 2 IP addresses. One is my ISP host IP and one is for me. I don’t really know how to explain. Cos’ showip.net and checkip.org show 2 different results and my IP seems to keep changing. How should I adjust the htaccess file?
Thank you
Sherif Elsisi
November 10th, 2007 at 11:21 am
Thanks for writing.
Yes, it got hacked by the same loser Cybr3king.
I would add both IP addresses, each one on a separate line.
Allow from ip address 1
Allow from IP address 2
You can also enter a domain instead of an IP address.
alex lee
November 14th, 2007 at 8:44 pm
Hi Sherif,
great work!
I really appreciate what you have done.
TdotHost is definitely a great web hosting company. No other web hosting company provides such dedicated, personalized service.
Kudos to you. If you need testimonials, I’m more than happy to give one.
My WP blog was also hacked by the same guy. Anyway, not so much harm, as I have backed it up. Those hackers are wasting their own time; instead maybe they should try internet marketing. Maybe they will make lots of money instead. Then again, maybe they are too lazy and are looking for quick get-rich hacked accounts.
Sherif Elsisi
November 14th, 2007 at 11:06 pm
Alex, thank you so much for writing, your kind words mean the world to me.
You are right, hackers should be trying internet marketing or maybe anything productive that will be rewarding and fulfilling.
eggie
December 1st, 2007 at 1:31 pm
Sherif,
please tell me how to set up htpasswd on my WP blog, so that everyone who tries to access the /wp-admin/ folder directly through the browser URL bar will be prompted with a password box. I’ve tried some ways (read from articles) that I found on Google, but still can’t do it.
Sherif
December 1st, 2007 at 11:12 pm
eggie,
Thanks for writing. The simplest way to do it is using cPanel’s “Password Protect Directories” option. Use this option to place a password on any one of your site’s folders.
nuip
December 6th, 2007 at 12:54 pm
Hello, I’ve read about the Mod Security conf in the blogsecurity.net paper. My WP blog is hosted on a hosting provider. My question: can I use that Mod Security conf on my blog? Please tell me how to do that.
Sherif
December 6th, 2007 at 11:59 pm
Mod Security configuration is a server-wide configuration, meaning if you have a dedicated server you can make the change any time. However, if you just have a shared account, then you have to check with your provider and see if they can do it for you.
ahmad el sherif
January 6th, 2008 at 5:32 am
Man, I love reading your blog, interesting posts!
avi
March 23rd, 2012 at 6:29 am
Thanks for this information…
avi
March 23rd, 2012 at 6:58 am
How do I store this code?
I have no idea… in WordPress or in cPanel? Please help, sir. I want to save my site. My site has been hacked 3 or more times… :’(
Sherif
March 23rd, 2012 at 8:40 am
Hi Avi, to access the file mentioned, you need to go to cPanel and then File Manager. I think you should try to re-install WordPress and make sure you are using the latest version. Also check all your plugins, as some plugins may not be safe. Read about the plugins to make sure they applied security measures. Find out if someone has complained about them, and if so, then don’t use them.
Thanks for reading my post.