In the last few years, WordPress has become the largest Content Management System, powering 33% of the entire web. WordPress popularity is based on it’s ease of use, flexibility and scalability. On the other hand, the platform plugins and themes are vulnerable to one of the easiest forms of attack, an SQL injection (SQLi).
In an SQLi, attackers exploit vulnerabilities in web applications, stealing, deleting or modifying data. Several large companies have become victims of these attacks, including Equifax, Epic Games, LinkedIn and Sony Pictures, to name a few.
What Is SQL Injection?
An SQL injection is a code injection method to attack data-driven applications such as databases. Put simply, an attacker submits a modified input code to obstruct the application’s interaction with back-end databases. Using this code, an attacker can retrieve data or execute commands on the database server itself.
There are Three Types of SQL Injection Attacks:
- Union-Based SQL Injection—the most popular type of SQL injection. This attack integrates two select statements via the UNION statement to retrieve data from the database.
- Error-Based SQL Injection—causes an application to show an error when trying to extract from the database. This method runs only with MS-SQL Server.
- Blind SQL Injection—this is the hardest type of attack to execute (and detect). No error messages are received from the database, obtaining the data in the database by asking a question (Boolean-based SQL injection), or provoking a time delay (Time-based SQL injection). The attacker aims to run code on your database, manipulating and even deleting data.
How Attackers Use SQL Injections in WordPress Websites?
The attacker usually enters the malicious code into the web forms of a vulnerable website. Thus, your website forms are a weak spot through which attackers can inject malicious code into your WordPress SQL database. Every WordPress site has a dedicated MySQL database.
When a user requests a page, WordPress generates a SQL query that search the database for the requested content, plugin the content into a page theme to deliver a user-friendly interface. Thus, queries can be used to make changes to the WordPress database.
Anything like a contact or sign-up box can be used by an attacker to inject the modified code, since the submission is stored in the database. Therefore, all an attacker needs to do is enter this modified SQL code into a form instead of form responses.
SQL injections are the most common type of attack since they are so easy to execute. You only need to leave a form cell in free-form format to leave a gate open for malicious code injection. Most WordPress users are not so tech-savvy enough to protect themselves without a security solution. Thus, it is important to have an incident response plan and solution in place. You can learn more about the core elements of an effective incident response plan here.
How to Protect WordPress from SQL Injections
SQL injection is a common threat, as SQL is the most popular language for web databases. Since WordPress database is based on SQL, that makes the CMS so attractive a target for attackers. There are ways to reduce the threat of SQL injections in WordPress—some of them are listed below.
#1. Scan for Vulnerabilities and Malware
There are a number of tools to scan your WordPress website for malware and SQL injection threats, such as WP Antivirus Site and Wordfence. These plugins highlight the areas with security gaps and allow you to tighten security settings according to your needs.
#2. Update
This is probably the most important tip to enhance the protection of your WordPress site from SQL injections. Running older versions of PHP than 5.6 can be a factor of vulnerability for SQL injection and DNS hijacking. While it can be difficult to manage updates when you run multiple sites, there are tools that automate the updates via a dashboard interface.
#3. Don’t Use the Default Database Prefix
WordPress assigns your database a default prefix “wp-”, therefore, making easier for an attacker to steal your database credentials. Changing the name when you install WordPress is the best, to prevent vulnerabilities.
#4. Keep Your WordPress Version a Secret
If your WP version is hidden, the attackers cannot easily discover the vulnerabilities and exploit them. You can use this code to hide your WordPress version:
remove_action(‘wp_head’, ‘wp_generator’);
Into the function.php file of the active theme.
#5. Separate Your Backups
Do not store your database backup with the rest of the data. Instead, use third-party tools to store the backups separately to ensure you can recover the website data easily in the case of an attack.
#6. Check Plugins and Themes
Plugins and themes are two of the most vulnerable components in a website,because there are very easy to alter and use them as hidden vehicles to insert malicious code. Thus, it is a good rule of thumb to only use plugins and themes coming from trusted and qualified developers.
#7. Control Data Submissions
A simple tip for more severe SQL injections is to simply limit the type of data that can be entered on a form field. For example, a name field shouldn’t allow numeric characters, a phone field should only allow numbers.
#8. Control Access to the Database
Limit the access to the MySQL credentials on a least privilege principle basis. You should log the overall SQL activity as every time the database is changed. This can help you detect unauthorized changes attempts.
#9. Use a Website Firewall
Although not that common, a website application firewall can analyze form inputs, thus detecting SQL injection attempts. In addition, it can block known malicious IPs from accessing your website.
Wrap Up
Database or SQL injections are an increasingly common way to attack a website. The large attacks of recent years have shown that no website is invulnerable to this apparently simple to block an attack. Moreover, WordPress is becoming more attractive to attackers because of the combination of vulnerabilities and lack of expertise of many WordPress website owners. Implementing good WordPress security practices can effectively obstruct attackers attempts to inject code into your database.