When it comes to WordPress security, there are certain best practices you follow in order to keep your site, and everyone who comes in contact with it, safe. But do you know what kinds of threats are lurking out there and why it’s so important to have a well-developed security plan for your website?
In the following post, I’m going to zero in on SQL injections: what they are, why they happen, and what you can do specifically in terms of WordPress security to keep them out of your site.
SQL Injections Explained
There are many ways in which a hacker can breach a WordPress site. Although the name “SQL injection” might not ring a bell for many WordPress users, it’s actually a fairly simple concept.
How the WordPress Database Works
To understand how this works, let’s quickly break down what happens inside of the WordPress database:
- Each WordPress site has a database.
- WordPress installations use MySQL as the default database management system.
- WordPress uses SQL queries to retrieve data from a website’s database and generate content on the frontend.
- Developers use PHP and these queries to view, add, retrieve, change, or delete data inside the database.
But an attacker doesn’t always need access to the WordPress admin or the hosting control panel to make contact with the database.
How Hackers Breach the WordPress Database
A SQL injection can happen anywhere that your site has a form element:
- Generic contact forms
- Login portals
- Blog comment forms
- Subscription pop-ups
- eCommerce checkout pages
- Search bars
- And so on
Just one vulnerability in a form element can open a database up to outsiders. This is because whatever a visitor types into a form usually ends up inside an SQL query, whether it is being stored or used to look something up. And when hackers want to do serious harm to a website, all they have to do is enter malicious SQL commands instead of valid form entries.
Take, for instance, a field like a phone number.
Realistically, this field should be configured to accept only numerical entries that follow the structure of phone numbers in the country of your target user. However, if the field hasn’t been restricted to the expected format, or the plugin that validates it isn’t working correctly, a hacker can type anything they want into what is effectively a plain text field.
What Happens During a SQL Injection?
There are two ways in which we classify SQL injections:
Classic SQLi
These kinds of SQL injections will return data to the hacker’s browser. Basically, they use forms to query the website’s database, just as you or WordPress might.
These kinds of queries can reveal information about what’s inside the database for the purposes of stealing sensitive information. They can also reveal the structure of the database itself, which makes launching an attack against a website much easier.
Blind SQLi
These kinds of SQL injections don’t return any data at all, which is why they’re called “blind” attempts. Instead, the hacker uses the injection to execute actions within the database (such as deleting all of its data).
Needless to say, it’s important not only to maintain a strict WordPress security protocol but to ensure that your forms are properly secured, too.
Is There Anything WordPress Can Do About This?
Seeing as how SQL injections happen at the database level, you would think that WordPress would’ve developed a way to fight them. In fact, WordPress already has.
WordPress uses a system of validating, sanitizing, and escaping data:
- Validation ensures that the inputted data matches the criteria laid out for it. In the phone number example, this would mean that a ten-digit number would be the only entry accepted (for U.S. visitors, that is).
- Sanitization enables developers to use the sanitize_text_field() function to remove any excessive or disallowed characters from an entry before adding it to the database.
- Escaping is the process you use to secure any data you present to users on the front end of the site.
As effective as this system is, there are a couple of problems with it.
To start, WordPress itself is not 100% safe from SQL injections.
In October 2017, WordPress pushed out the 4.8.3 security release. It patched a SQLi vulnerability detected within WordPress. While the core was not affected, plugins or themes hooked into WordPress certainly could have been.
Then, there’s the general matter of WordPress plugins and themes. Developers of contact form plugins, or themes that utilize them, have to be very careful about how they’re coded. Just one mistake in a form element could introduce all their users to a SQL injection vulnerability.
But since we can’t control what WordPress does, or how developers code their products, we have to take matters into our own hands. This means including certain WordPress security measures to help stave off SQL injections on our websites.
How to Prevent SQL Injections for Better WordPress Security
Here is what you need to do to protect your site from SQL injections and to improve overall WordPress security:
1. Use Trusted WordPress Plugins and Themes
You have to start with the contact form elements that introduce the possibility of SQL injections in the first place. If you haven’t vetted the WordPress plugins or themes that your form functionality comes from, do so now.
2. Keep Everything Updated
WordPress was quick to resolve the SQL injection risk found within the CMS. However, users who had disabled automatic WordPress updates and weren’t diligent about applying them manually would still have had a site vulnerable to such an attack.
Whether it’s WordPress, your plugins, your theme, or even the version of PHP or MySQL you use, all software in your website’s ecosystem needs to be kept up to date. If a developer has taken the time to update it, then there’s good reason for you to do the same on your end. Now, if you are worried about spending too much time updating your websites daily, using a single dashboard from which you can update all your sites could be a solution.
WordPress plugins that offer security features like ManageWP, MalCare, and others enable you to update all your WordPress websites from the dashboard itself. This means you don’t have to log in to each one of your websites to monitor and update plugins, themes, or WordPress core. You can invest this saved time in growing your business while your site remains secure.
3. Restrict Field Entry Types
Review each form on your website. Is each field configured for a specific entry type? In other words, does the “Name” field only allow alphabetic entries? Do the phone number and credit card fields enforce a specific format? If your entries allow any plain text but could be further restricted, make those changes now.
4. Sanitize Form Fields
Use the sanitize_text_field() function to clean up form entries, removing disallowed or harmful characters before they reach the database. WordPress provides a number of ways to do this.
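Here is the validate / sanitize / escape system described earlier, together with steps 3 and 4, applied to the phone number field used as the running example. This is an added example, not code from the original post or from WordPress core; the subscribers table and its columns are assumptions, and the string-built query is included only to show the pattern the hardened handler replaces. One caveat worth stating: sanitize_text_field() strips tags, control characters and surplus whitespace, but it is not a SQL escaping function, so the query itself is protected by $wpdb->prepare().

```php
<?php
// Added example (not from the original post or WordPress core). Assumes a
// custom table "{$wpdb->prefix}subscribers" with columns id, email, phone.

// VULNERABLE PATTERN: the raw form value is pasted straight into the SQL
// string, so quote characters in the entry change the query that MySQL runs.
function lookup_subscriber_unsafe( $raw_phone ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    return $wpdb->get_row( "SELECT id, email FROM {$table} WHERE phone = '" . $raw_phone . "'" );
}

// Validation: accept only the exact shape the field is for. For the U.S.
// example in the post that is ten digits once separators are discarded.
function normalize_us_phone( $input ) {
    $digits = preg_replace( '/\D+/', '', (string) $input );
    return ( preg_match( '/^\d{10}$/', $digits ) === 1 ) ? $digits : null;
}

// Sanitization + prepared statement: sanitize_text_field() cleans the entry,
// normalize_us_phone() rejects anything that is not a phone number, and
// $wpdb->prepare() quotes the %s value so it can only ever be data.
function lookup_subscriber_safe( $raw_phone ) {
    global $wpdb;
    $phone = normalize_us_phone( sanitize_text_field( wp_unslash( $raw_phone ) ) );
    if ( null === $phone ) {
        return null; // invalid entry never reaches the database
    }
    $table = $wpdb->prefix . 'subscribers'; // honours a changed table prefix (step 5)
    $sql   = $wpdb->prepare( "SELECT id, email FROM {$table} WHERE phone = %s", $phone );
    return $wpdb->get_row( $sql );
}

// Escaping: whatever is echoed back to the visitor is escaped for the
// context it lands in, here HTML text.
function handle_phone_lookup_form() {
    $nonce = isset( $_POST['phone_lookup_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['phone_lookup_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'phone_lookup' ) ) {
        wp_die( 'Invalid form submission.' );
    }
    $row = lookup_subscriber_safe( isset( $_POST['phone'] ) ? $_POST['phone'] : '' );
    if ( null === $row ) {
        echo '<p>No subscriber found for that number.</p>';
        return;
    }
    echo '<p>Subscriber: ' . esc_html( $row->email ) . '</p>';
}
add_action( 'admin_post_phone_lookup', 'handle_phone_lookup_form' );
add_action( 'admin_post_nopriv_phone_lookup', 'handle_phone_lookup_form' );
```

The handler runs for a form that posts to admin-post.php with a hidden action field set to phone_lookup and a nonce emitted by wp_nonce_field( 'phone_lookup', 'phone_lookup_nonce' ). Using $wpdb->prefix rather than a hard-coded wp_ table name is also what makes step 5 (changing the database prefix) safe to do later.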
5. Change the Database Prefix
You could make it much harder on hackers if you were to change your database’s table prefix. If you change the default “wp_” naming convention, hackers who’ve obtained credentials to your database may struggle to execute SQL queries, because they can no longer rely on knowing your table names in advance.
6. Use a WAF
A web application firewall (WAF) blocks known malicious traffic before it ever reaches your site, so attackers never get into a position where they can launch SQL injections. GoDaddy’s Deluxe and Express Website Protection plans include a WAF if you don’t have one yet.
7. Log All Database Activity
Be very careful about who you give MySQL database access to, in general. This will cut down on the chances that human error or misplaced login credentials cause issues in your database.
That said, regardless of who has access, it’s a good idea to keep a log of all database activity. That way, any time an unwarranted change is made, you’ll know about it right away. A security check tool like the one from ManageWP can help with this.
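One lightweight way to get such a log from inside WordPress is to hook the query filter that $wpdb->query() applies to every statement. This is an added example, not code from the original post, ManageWP or WordPress core. It records only data-changing statements, along with who issued them, to the PHP error log (with WP_DEBUG and WP_DEBUG_LOG enabled that is wp-content/debug.log). The caveat a practitioner should keep in mind: it sees only queries that go through $wpdb, so a plugin opening its own MySQL connection, or anyone connecting directly with database credentials, bypasses it; for those cases the MySQL server’s own general or audit log is the right tool.

```php
<?php
// Added example (not from the original post or WordPress core): an audit trail
// for write queries issued through $wpdb, built on the 'query' filter.
function audit_log_write_queries( $query ) {
    // Guard against re-entry: looking up the current user may itself run
    // (read) queries, which come back through this same filter.
    static $busy = false;
    if ( $busy ) {
        return $query;
    }
    // Reads are noisy and rarely what an audit needs; log only changes.
    if ( ! preg_match( '/^\s*(INSERT|UPDATE|DELETE|REPLACE|ALTER|DROP|TRUNCATE)\b/i', $query ) ) {
        return $query;
    }
    $busy = true;

    // Pluggable functions are not available for the very first queries of a
    // request, so resolve the user only once WordPress has finished loading.
    $who = 'unknown';
    if ( function_exists( 'wp_get_current_user' ) && did_action( 'init' ) ) {
        $user = wp_get_current_user();
        $who  = $user->exists() ? $user->user_login : 'anonymous';
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli';

    error_log( sprintf(
        '[db-audit] %s user=%s ip=%s query=%s',
        gmdate( 'c' ),
        $who,
        $ip,
        preg_replace( '/\s+/', ' ', substr( $query, 0, 500 ) ) // one line, bounded length
    ) );

    $busy = false;
    return $query; // the filter must hand the statement back unchanged
}
add_filter( 'query', 'audit_log_write_queries' );
```

Drop this into a small must-use plugin (wp-content/mu-plugins/) so it loads before regular plugins and cannot be deactivated from the dashboard. Each logged line then tells you when a change happened, which account made it and from where, which is exactly the information you need when an unexpected change shows up.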
Wrapping Up
There’s a reason why SQL injections are one of the most common forms of attack on WordPress sites. However, because they’re mostly targeted at the WordPress forms and fields, there is a simple enough action plan to fend them off.
If you would like assistance in implementing these WordPress security tips or want general assistance developing a WordPress security plan, take a deeper dive at our ManageWP blog. We make managing, maintaining, and securing WordPress websites easy.
Shubham Saha
Amazing article written over there,
Didn’t know that there are types of SQL attacks,
I will definitely now keep these in mind to improve my website’s security.