Wordpress Vulnerability: The Sql Injection by todhost(m): 7:54am On Oct 07, 2015
A large number of websites run on WordPress. Estimates put WordPress ahead of Microsoft SharePoint, Blogger, Joomla and Drupal. It also means that WordPress is a large target for hackers. Half of the WordPress sites out there are self-hosted, which means that the WordPress administrator carries the lion's share of responsibility for a secure installation. Out of the box, there are several ways that WordPress security can be tightened down, but only a fraction of sites actually do so. This makes WordPress an even more popular target for hackers. In this post, we examine the issue of SQL injection in WordPress and how to cope with it.

SQL Injection & URL Hacking

WordPress is a database-backed platform that executes server-side scripts in PHP. Both of these characteristics can make WordPress vulnerable to malicious URL insertion attacks. Commands are sent to WordPress via URL parameters, which can be abused by hackers who know how to construct parameters that WordPress may misinterpret or act on without authorization. SQL injection describes a class of these attacks in which hackers embed commands in a URL that trigger behaviors from the database. (SQL is the command language used by the MySQL database.) These attacks can reveal sensitive information about the database, potentially giving hackers a way in to modify the actual content of your site. Many of today's web site defacement attacks are accomplished by some form of SQL Injection. Other versions of URL hacks can trigger unintended PHP commands which, again, can lead to injecting malware or revealing sensitive information.

The defense:

Most WordPress installations are hosted on the popular Apache web server. Apache uses a file named .htaccess to define the access rules for your web site. A thorough set of rules can prevent many types of SQL Injection and URL hacks from being interpreted.
The code below represents a strong set of rules that you can insert into your web site's .htaccess file that will strip URL requests of many dangerous attack injections:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

https://www.todhost.com/knowledgebase/10/WordPress
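Before dropping a regex blocklist like this into a live .htaccess, it is worth running the patterns against real traffic to see what they match. The harness below is an added example, not part of todhost's post or of the linked knowledgebase; the function names and the sample query strings are constructed for illustration. It compiles the QUERY_STRING conditions exactly as written in the snippet above (all carry [NC], so case-insensitive) and reproduces the OR chain plus the login-cookie exemption. Two things a defender should check surface immediately: substring rules hit ordinary WordPress requests (the public `tag=` query var, a search term that merely contains "select"), and the second quoted-character rule ends in `||`, an empty alternative, so it matches every query string including an empty one. With that rule in place the final RewriteRule fires for every request that lacks a wordpress_logged_in_ cookie.

```python
import re

# QUERY_STRING conditions copied from the .htaccess snippet above, in order.
# Apache tests %{QUERY_STRING} without URL-decoding it, so the harness does not decode either.
QUERY_STRING_RULES = [
    r"\.\.\/",                                            # 1
    r"boot\.ini",                                         # 2
    r"tag\=",                                             # 3  (also WordPress' own ?tag= archive)
    r"ftp\:",                                             # 4
    r"http\:",                                            # 5
    r"https\:",                                           # 6
    r"(\<|%3C).*script.*(\>|%3E)",                        # 7
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",                  # 8
    r"base64_encode.*\(.*\)",                             # 9
    r"^.*(\[|\]|\(|\)|<|>|ê|\"|;|\?|\*|=$).*",            # 10
    r"^.*(\"|'|<|>|\|{||).*",                             # 11 (trailing || is an empty alternative)
    r"^.*(%24&x).*",                                      # 12
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",                # 13
    r"^.*(globals|encode|localhost|loopback).*",          # 14
    r"^.*(request|select|insert|union|declare).*",        # 15
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_RULES]

BLOCKED_METHODS = re.compile(r"^(HEAD|TRACE|DELETE|TRACK)", re.IGNORECASE)
LOGGED_IN_COOKIE = re.compile(r"^.*wordpress_logged_in_.*$")


def matching_rules(query_string: str) -> list[int]:
    """1-based indices of the QUERY_STRING rules that match the raw query string."""
    return [i for i, rx in enumerate(COMPILED, start=1) if rx.search(query_string)]


def rules_matching_empty() -> list[int]:
    """Sanity check for any blocklist: rules that match an empty query string block everything."""
    return matching_rules("")


def is_forbidden(query_string: str, cookie: str = "", method: str = "GET") -> bool:
    """Mirror the snippet's logic: the method rule forbids outright; otherwise
    (any query rule matched) AND (no wordpress_logged_in_ cookie) -> 403."""
    if BLOCKED_METHODS.search(method):
        return True
    logged_in = LOGGED_IN_COOKIE.search(cookie) is not None
    return bool(matching_rules(query_string)) and not logged_in


if __name__ == "__main__":
    # Constructed sample query strings: one keyword probe and three ordinary WordPress requests.
    samples = [
        "id=1 union select 1",      # keyword probe: rule 15 (and the catch-all rule 11)
        "s=selection committee",    # visitor search: rule 15 matches the substring "select"
        "tag=security",             # tag archive with plain permalinks: rule 3
        "p=42",                     # plain post request: only the catch-all rule 11
        "",                         # no query string at all: still rule 11
    ]
    print("rules matching the empty string:", rules_matching_empty())
    for qs in samples:
        print(f"{qs!r:28} -> rules {matching_rules(qs)}, "
              f"forbidden for visitors: {is_forbidden(qs)}, "
              f"forbidden when logged in: {is_forbidden(qs, cookie='wordpress_logged_in_x=1')}")
```

Running it shows that only rule 11 matches the empty string, which is the single line to fix (or drop) before this ruleset can be deployed; the remaining false positives on `tag=` and on words containing "select", "insert" or "encode" are the usual cost of substring matching and need a decision per site.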
Re: Wordpress Vulnerability: The Sql Injection by ubiquitousade(m): 11:42pm On Oct 07, 2015

todhost:

Impressive

1 Like
Re: Wordpress Vulnerability: The Sql Injection by unphilaz(m): 8:26pm On Oct 15, 2015

todhost: