I've been looking to sure up my defences on my Wordpress site. Unsurprisingly there is a huge amount of documentation on this subject. Two of the better guides seem to be here:
http://moz.com/blog/the-definitive-guide-to-wordpress-security
and obviously: http://codex.wordpress.org/Hardening_WordPress
I'd like to harden up my defences to SQL injection, as my previous site fell victim to such an attack and proved nearly impossible to clean again.
Judging by the comments posted on many other sites and similar guides there seems to be as many people disagreeing about every which way to achieve this as there are swearing by it.
I was thinking about adding the below (found on the first mentioned site) to my site but nowhere seems to talk about the dangers of doing such an action beyond the obvious dangers of editing your .htaccess file.
What functionality could I expect to loose or compromise by adding this, and, if none why isn't this kind of code included in a basic Wordpress Install? If there is no harm by adding this kind of thing why doesn't every install include it and allow developers who know what they're doing to remove it if necessary??
## SQL Injection Block ##
<IfModule mod_rewrite.c>
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>
Given my limited SQL knowledge I'm worried about breaking database search functions such as URL based queries
(for example in wp-admin like users.php?s=rachel&action=-1&new_role&paged=1&action2=-1
In a nutshell:
.htaccess ie does wordpress, functions or plugins rely on being able to change the database through such actions. I have a custom theme and use custom php on quite a few pages but always use known wordpress functions to add data and never write as direct SQL queries or edits.and
Will it stop attacks used in this kind of instance "How can I prevent SQL injection in PHP?" (ie. to save reading -- modifying a form to inject SQL into the database, when you have coded this kind of POST.)
if (isset($_POST['Dropdownmenu'])) {
update_post_meta($postID , 'meta_value' , $thedropdownvalue );
This is not useful, for the following reasons:
It will be impossible to define rules to catch every possible injection. You will still need proper defenses in the application code (i.e. bound parameters) in order to be secure. If your code is properly secured, this URL filtering is unnecessary.
This only filters the URL. SQL injections are also likely to come through POST variables. As above, you need defenses in the application code to defend against that.
There is a significant probability that the rules will be so broad as to block legitimate traffic (for example, /article.php?title=us-declares-war would be blocked by one of the given rules).