09 Nov
Posted by SE as Security
I found out the hard way that some customer sites were attacked using "SQL Injection".
This left me feeling disheartened, depressed, and extremely disappointed by what happened.
I recently went ahead and set up a test WordPress site with the default installation from Fantastico, and sure enough the site was hacked.
Unfortunately, a default install of WordPress is not as secure as one would wish, so extra preventive measures are essential.
What happened here is that the attackers updated 2 records in the options table: the blog name and the site's URL.
To fix the issue, I just updated these 2 records and sure enough the site was back to normal.
To avoid this you need to make sure that no one but you has access to the wp-admin directory.
Here is how you can do it:
Create a new file, call it .htaccess (hypertext access), and store it in the wp-admin folder under your main WordPress installation.
.htaccess files control access on a per-folder basis, so you can place a copy in every folder whose access you want to control and secure.
Add the following and save the file:
# allow requests for images, CSS and some JavaScript files only
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
# allow only from your ISP: 00.000.00.000 is your static IP
# (Apache does not accept a comment at the end of a directive line, so it goes here)
Order deny,allow
Allow from 00.000.00.000
Deny from all
Substitute 00.000.00.000 with your IP address. You can easily find it by going to http://showip.net.
This allows access only from your browsing location. If you want the flexibility of widening the range that can reach the admin area, enter 00.000.00. instead of 00.000.00.000; Apache treats a partial address with a trailing dot as a prefix, so that entry admits every address in the 00.000.00.x block, not only yours.
Test by going to Site Admin and logging into your admin area.
You should get in with no issues.
Log out, then try logging in again through a proxy site. You should be sent to a file not found error page instead of the login screen.
Please do yourself a favor and do it. If you need any help, let me know.
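To see what these rules actually permit before relying on them, here is an added example (my own code, not from the original post and not Apache's implementation) that models Apache 2.2's Order/Allow/Deny evaluation in Python 3 and runs the post's test plan offline. The 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are constructed placeholders from the documentation ranges; the parser covers only the directives the post uses, and the way a matching <Files> section replaces the directory-level rules reflects Apache 2.2's mod_authz_host, which has no merge step between the two scopes.

```python
import ipaddress
import re

# Constructed sample .htaccess; 192.0.2.10 (documentation range) stands in
# for the reader's own static IP, the post's 00.000.00.000.
SAMPLE_HTACCESS = """\
<Files ~ "\\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Order deny,allow
Allow from 192.0.2.10
Deny from all
"""


def parse_htaccess(text):
    """Parse the subset the post uses: Order, Allow/Deny from, <Files ~ "re">.
    Returns {"global": section, "files": [(regex, section), ...]}, where a
    section is {"order", "allow", "deny"}; Apache's default Order is deny,allow."""
    def section():
        return {"order": "deny,allow", "allow": [], "deny": []}
    config = {"global": section(), "files": []}
    current = config["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opener = re.match(r'<Files\s+~\s+"(.*)">$', line, re.IGNORECASE)
        name, _, args = line.partition(" ")
        words = args.split()
        if opener:
            current = section()
            config["files"].append((re.compile(opener.group(1)), current))
        elif line.lower() == "</files>":
            current = config["global"]
        elif name.lower() == "order":
            current["order"] = words[0].lower()
        elif name.lower() in ("allow", "deny") and words[:1] == ["from"]:
            current[name.lower()].extend(words[1:])
        else:
            raise ValueError("directive not modelled: %r" % line)
    return config


def host_matches(pattern, client_ip):
    """Apache 'from' forms modelled: all, full IP, partial IP (1-3 octets,
    optional trailing dot, compared octet by octet) and CIDR. Hostname
    patterns need reverse DNS and are rejected here."""
    if pattern.lower() == "all":
        return True
    if not re.fullmatch(r"[0-9./]+", pattern):
        raise ValueError("hostname patterns not modelled: %r" % pattern)
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.rstrip(".").split(".")
    if len(octets) == 4:
        return addr == ipaddress.ip_address(".".join(octets))
    # "192.0.2." admits 192.0.2.77 but not 192.0.20.1, which a naive
    # string-prefix test would wrongly accept.
    return str(addr).split(".")[:len(octets)] == octets


def section_allows(section, client_ip):
    """Apply Apache's Order semantics to one section's Allow/Deny lists."""
    on_allow = any(host_matches(p, client_ip) for p in section["allow"])
    on_deny = any(host_matches(p, client_ip) for p in section["deny"])
    if section["order"] == "deny,allow":
        return on_allow or not on_deny     # default permit; Allow overrides Deny
    if section["order"] in ("allow,deny", "mutual-failure"):
        return on_allow and not on_deny    # default refuse; Deny overrides Allow
    raise ValueError("unknown Order: %r" % section["order"])


def is_request_allowed(config, client_ip, filename):
    """Decide one request. mod_authz_host in Apache 2.2 has no merge step, so
    a matching <Files> section replaces the directory-level rules outright;
    that is why the post's Files block opens images/CSS/JS to every address."""
    for regex, section in config["files"]:
        if regex.search(filename):
            return section_allows(section, client_ip)
    return section_allows(config["global"], client_ip)


def check_lockdown(htaccess_text, own_ip, other_ip="198.51.100.7"):
    """The post's test plan run offline: own address and a second one (the
    'proxy site' case) against the admin page, plus a stylesheet from the second."""
    config = parse_htaccess(htaccess_text)
    return {
        "admin_from_own_ip": is_request_allowed(config, own_ip, "index.php"),
        "admin_from_other_ip": is_request_allowed(config, other_ip, "index.php"),
        "css_from_other_ip": is_request_allowed(config, other_ip, "login.css"),
    }


if __name__ == "__main__":
    print(check_lockdown(SAMPLE_HTACCESS, "192.0.2.10"))
```

Running it shows the admin page open only from your own address while the stylesheet stays reachable from anywhere, and swapping the Allow line for a partial address such as 192.0.2. shows how far the widened range reaches. Two points worth knowing when you test on a live server: Apache answers a refused request with a 403 Forbidden response, and the Order/Allow/Deny syntax is the Apache 2.2 form; Apache 2.4 uses Require ip and only honours these directives when mod_access_compat is loaded.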
9 Responses
Alex Yeo
November 10th, 2007 at 4:01 am
Hi Sherif,
You mean you set up a new WP blog recently and got hacked? That's fast! There are millions of blogs, so why did the hackers target you?
I have got 2 IP addresses. One is my ISP host IP and one is for me. I don't really know how to explain. Because showip.net and checkip.org show 2 different results and my IP seems to keep changing. How should I adjust the htaccess file?
Thank you
Sherif Elsisi
November 10th, 2007 at 11:21 am
Thanks for writing.
Yes, it got hacked by the same loser Cybr3king.
I would add both IP addresses, each one on a separate line:
Allow from IP address 1
Allow from IP address 2
You can also enter a domain instead of an ip address.
alex lee
November 14th, 2007 at 8:44 pm
Hi Sherif,
Great work!
I really appreciate what you have done.
TdotHost is definitely a great web hosting company. No other web hosting provides such dedicated personalized service.
Kudos to you. If you need testimonials, I'm more than happy to give them.
My WP blog was also hacked by the same guy. Anyway, not so much harm, as I had backed it up. Those hackers are wasting their own time; instead maybe they should try internet marketing. Maybe they will make lots of money instead. Then again, maybe they are too lazy, looking for quick get-rich hacked accounts.
Sherif Elsisi
November 14th, 2007 at 11:06 pm
Alex, thank you so much for writing, your kind words mean the world to me.
You are right, hackers should be trying internet marketing or maybe anything productive that will be rewarding and fulfilling.
eggie
December 1st, 2007 at 1:31 pm
Sherif,
Please tell me how to make htpasswd in my WP blog, so that everyone who tries to access the /wp-admin/ folder directly through the browser URL address bar will be prompted with a password box. I've tried some ways (read from articles) that I found on Google, but still can't do it.
Sherif
December 1st, 2007 at 11:12 pm
eggie,
Thanks for writing. The simplest way to do it is using cpanel’s “Password Protect Directories” option. Use this option to place a password on any one of your site’s folders.
nuip
December 6th, 2007 at 12:54 pm
Hello, I've read about the Mod Security conf in the blogsecurity.net paper. My WP blog is hosted on a hosting provider. My question: can I use that Mod Security conf on my blog? Please tell me how to do that.
Sherif
December 6th, 2007 at 11:59 pm
Mod Security configuration is a server-wide configuration, meaning if you have a dedicated server you can make the change anytime. However, if you just have a shared account, then you have to check with your provider and see if he can do it for you.
ahmad el sherif
January 6th, 2008 at 5:32 am
Man, I love reading your blog, interesting posts!…
My name is Sherif Elsisi and on this blog I share my knowledge, discovery and experience with hosting issues, Webmaster tools, security and usability.