Top 3 Techniques to prevent SQL injection attacks in WordPress
WordPress is by far the most commonly used platform for all kinds of web sites, which also makes it one of the most frequently attacked. A hacked blog may not sound serious, but what is easy to overlook is that almost every WordPress plugin interacts with the database.
User input is sent to the database for storage or modification, and is often used as part of a SELECT statement. If that input is not validated and escaped properly, an attacker can replace it with SQL of their own choosing, which the database then executes directly, leaving your site compromised.
That is what an SQL injection does. There are two kinds, the "classic" and the "blind". In a classic SQL injection, unfiltered user input lets the attacker send commands to the database and read the output directly in the page response. In a blind SQL injection the attacker can still send commands, but never sees the database output and has to infer results from side effects such as a changed page or a slower response.
An SQL injection can enumerate the databases and tables that the application's database user can reach, and lets the attacker download a range of sensitive personally identifiable information from them.
Here are top 3 techniques to prevent SQL injection attacks in WordPress:
1. Sanitize and escape anything you send to the database: The easiest way to do this in WordPress is to build every query with $wpdb->prepare() and placeholders (%s, %d, %f) instead of concatenating user input into the SQL string. Note that placeholders bind values only; table and column names still have to be checked against a whitelist.
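The following is an added example, not code from the original article: a plugin search function written the vulnerable way beside the same function built with $wpdb->prepare(), plus the whitelist approach for an ORDER BY column that cannot be bound. The table name plugin_items and the function names are hypothetical; $wpdb is the WordPress database object.

```php
<?php
// Added example (not from the original article). Assumes the WordPress global
// $wpdb; the {prefix}plugin_items table and these function names are hypothetical.

// VULNERABLE: the search term is concatenated straight into the SQL text.
// A term such as   x%' OR 1=1 --    rewrites the WHERE clause and returns every row;
// a UNION SELECT in the same position reads other tables.
function plugin_search_vulnerable( $term ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}plugin_items WHERE title LIKE '%" . $term . "%'";
    return $wpdb->get_results( $sql );
}

// HARDENED: placeholders + $wpdb->prepare(). The term travels as a quoted value,
// so quotes and comment sequences inside it stay literal characters.
function plugin_search_safe( $term ) {
    global $wpdb;
    // esc_like() escapes % and _ so the user cannot widen the wildcard match;
    // the wildcards we want are added around the escaped value, and prepare()
    // quotes the whole thing for the %s placeholder.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}plugin_items WHERE title LIKE %s LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Identifiers (column names) cannot be bound with %s: a quoted column name is a
// string, not a column. Accept only names from a fixed whitelist instead.
function plugin_items_sorted( $order_by ) {
    global $wpdb;
    $allowed = array( 'id', 'title', 'created' );
    if ( ! in_array( $order_by, $allowed, true ) ) {
        $order_by = 'id'; // anything unexpected falls back to a safe default
    }
    // Only a whitelisted literal reaches the query; the LIMIT is still bound.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}plugin_items ORDER BY {$order_by} LIMIT %d",
            50
        )
    );
}
```

Two details matter in practice: a literal percent sign in a prepared query string must be written as %%, and because prepare() binds values rather than identifiers, table or column names that depend on user input always need the whitelist shown above (WordPress 6.2 added an %i placeholder for identifiers, which is the cleaner option where the minimum WordPress version allows it).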
2. Restrict the database user privileges: If you check the privileges of the MySQL user that WordPress connects with, you will usually find a long list. Not all of them are required for day-to-day WordPress activities such as:
1. Creating new WordPress users
2. Posting blog posts
3. Uploading media files
4. Posting comments
5. And installing WordPress plugins
For the above, the MySQL database user needs only read and write privileges on the WordPress tables, i.e. SELECT, INSERT, UPDATE and DELETE. Structural and administrative privileges such as DROP, ALTER and GRANT can be revoked. One caveat: WordPress core upgrades and plugins that create or change tables do need CREATE and ALTER, so grant those temporarily for the upgrade and revoke them afterwards. Least privilege does not stop an injection from occurring, but it contains what an injected query can do: an attacker who gains SQL execution can still read and modify table contents, but cannot drop tables, rewrite the schema or create new database users.
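As an added example (not from the original article), the script below audits the privileges a WordPress database user holds and emits the statements that trim them to the four listed above. The GRANT lines, the user name wpuser, host localhost and database name wordpress are constructed sample data standing in for the output of SHOW GRANTS in MySQL; the function names are hypothetical.

```php
<?php
// Added example (not from the original article): audit a WordPress database
// user's MySQL privileges against the SELECT/INSERT/UPDATE/DELETE minimum and
// produce the SQL that enforces it. All names and grant lines below are constructed.

const WP_REQUIRED_PRIVS = array( 'SELECT', 'INSERT', 'UPDATE', 'DELETE' );

// Constructed sample: what  SHOW GRANTS FOR 'wpuser'@'localhost';  might return
// for a user created with "GRANT ALL" during a hurried install.
$sample_grants = array(
    "GRANT USAGE ON *.* TO 'wpuser'@'localhost'",
    "GRANT ALL PRIVILEGES ON `wordpress`.* TO 'wpuser'@'localhost'",
);

// Expand one GRANT line into the list of privileges it carries.
function privileges_from_grant_line( $line ) {
    if ( ! preg_match( '/^GRANT (.+?) ON (.+?) TO /i', $line, $m ) ) {
        return array();
    }
    $privs = array_map( 'trim', explode( ',', strtoupper( $m[1] ) ) );
    // "USAGE" is MySQL's way of saying "no privileges"; it grants nothing.
    if ( $privs === array( 'USAGE' ) ) {
        return array();
    }
    if ( $privs === array( 'ALL PRIVILEGES' ) || $privs === array( 'ALL' ) ) {
        // Database-level privileges that ALL expands to in MySQL 8.
        $privs = array( 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'DROP',
                        'REFERENCES', 'INDEX', 'ALTER', 'CREATE TEMPORARY TABLES',
                        'LOCK TABLES', 'EXECUTE', 'CREATE VIEW', 'SHOW VIEW',
                        'CREATE ROUTINE', 'ALTER ROUTINE', 'EVENT', 'TRIGGER' );
    }
    return $privs;
}

// Privileges held beyond what WordPress needs for normal operation.
function excess_privileges( array $grant_lines ) {
    $held = array();
    foreach ( $grant_lines as $line ) {
        $held = array_merge( $held, privileges_from_grant_line( $line ) );
    }
    $held = array_unique( $held );
    return array_values( array_diff( $held, WP_REQUIRED_PRIVS ) );
}

// SQL that leaves the user with exactly the four required privileges on the
// WordPress database. Revoking everything and re-granting the minimum is easier
// to verify than a hand-written list of REVOKEs.
function least_privilege_sql( $user, $host, $db ) {
    return array(
        sprintf( "REVOKE ALL PRIVILEGES, GRANT OPTION FROM '%s'@'%s';", $user, $host ),
        sprintf( "GRANT %s ON `%s`.* TO '%s'@'%s';",
                 implode( ', ', WP_REQUIRED_PRIVS ), $db, $user, $host ),
        'FLUSH PRIVILEGES;',
    );
}

$excess = excess_privileges( $sample_grants );
echo 'Excess privileges: ' . ( $excess ? implode( ', ', $excess ) : 'none' ) . PHP_EOL;
if ( $excess ) {
    echo implode( PHP_EOL, least_privilege_sql( 'wpuser', 'localhost', 'wordpress' ) ) . PHP_EOL;
}
```

Run the emitted statements as a MySQL administrator, not as the WordPress user, and keep a second, more privileged account (or re-grant CREATE and ALTER temporarily) for core upgrades and plugins that change the schema. Rerunning the audit after an upgrade confirms the extra privileges were taken away again.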
3. Data backup and obscurity: Encrypt and back up are your two mantras for this move. This technique relies on the following steps:
1. Encrypt the backups
2. Keep an independent record of a hash of each backup, stored separately from the backups themselves, so that tampering can be detected; use SHA-256 rather than MD5, which is no longer considered collision resistant
3. Store the backups on read-only media, off the web server
4. Take a complete snapshot of the WordPress installation at regular intervals
5. Ensure the snapshots cover all WordPress core files, the wp-content directory (themes, plugins and uploads) and the database
So if the site suffered an SQL injection attack on April 5th, you would have backups and snapshots to restore from straight away, and the recorded hashes tell you which copies are still trustworthy.
Besides backups, it is a handy tip to obscure your administrative account by renaming the default "admin" user and changing the default wp_ table prefix. This blocks automated injection payloads that hard-code table names such as wp_users, but it is obscurity only: a hand-crafted attack can still discover the real prefix (from an error message or from information_schema, for example), so it complements prepared statements and least privilege rather than replacing them. Together, these 3 techniques make life easier for web developers and help you keep your WordPress plugin safer and better managed.