Secure Your WordPress Blog Against Malicious URL Requests


As I continue the series of techniques to secure and protect your WordPress blog, today I will be showing you how to protect your WordPress installation specifically against Malicious URL Requests that inject code to exploit your theme’s files and MySQL database.

If you missed my previous security articles, you may view: 5 Extreme Steps to Secure Your WordPress Blog and 10 Simple Steps to Secure & Protect your WordPress Blog.

Since last year, thousands of sites have been hit by SQL injection attacks in which malicious code is written into the site’s database. This type of attack completely disables the site’s permalink structure, making blog post URLs inactive.

The Awesome Solution

We all know that prevention is better than cure, so below you will find the code that will be used to secure your site and prevent the injection. If you are tech-savvy, you can create a new .php file, copy the code below into it, and save it under the file name block_injections.php.

The code:

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/

// Run on 'init', once the current user is known: at plugin-load time the
// user is not yet set up and current_user_can() is not available.
add_action( 'init', 'bbq_block_bad_queries' );

function bbq_block_bad_queries() {
    // Administrators (level_10) are exempt; everyone else, logged in or not,
    // is checked. (As originally posted the code tested if($user_ID) first,
    // which skipped the check for anonymous visitors entirely.)
    if ( current_user_can( 'level_10' ) ) {
        return;
    }
    $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';

    // strpos() returns 0 for a match at the very start of the string, so the
    // result must be compared against false rather than tested for truth.
    if ( strlen( $request_uri ) > 255
        || strpos( $request_uri, 'eval(' ) !== false
        || strpos( $request_uri, 'CONCAT' ) !== false
        || strpos( $request_uri, 'UNION SELECT' ) !== false
        || strpos( $request_uri, 'base64' ) !== false ) {
        // Answer with 414 and close the connection without rendering anything.
        @header( 'HTTP/1.1 414 Request-URI Too Long' );
        @header( 'Status: 414 Request-URI Too Long' );
        @header( 'Connection: Close' );
        exit;
    }
}

Source: Perishable Press

If you would prefer not to dabble in any code, you may download the plugin here: Block Bad Queries Plugin

Save the file above and upload it to your plugin directory, /wp-content/plugins/, or use the Add New feature in the plugin section of the WordPress dashboard. This plugin checks every request URI for excessive length (greater than 255 characters) and for the substrings eval(, CONCAT, UNION SELECT and base64, the last of which is commonly used to hide the malicious code.

Once the plugin is activated, it silently answers any matching request with an HTTP 414 status and closes the connection, so this type of injection attack never reaches your theme or database.
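As an added example (not part of the original post or of the Block Bad Queries plugin), the same matching rules written as a stand-alone PHP function and run over constructed request URIs, showing which requests are blocked and where a plain case-sensitive substring match produces false positives and misses:

```php
<?php
// Added example (not part of the original post or the Block Bad Queries plugin):
// the plugin's matching rules as a pure function, run over constructed request
// URIs to show what is blocked, what slips through, and where false positives arise.

declare(strict_types=1);

// The same rules the plugin applies: an over-long URI or one of four substrings.
function bbq_should_block(string $request_uri): bool
{
    if (strlen($request_uri) > 255) {
        return true;
    }
    // Comparing against false is required: a match at offset 0 returns 0,
    // which a bare truthiness test would treat as "no match".
    foreach (['eval(', 'CONCAT', 'UNION SELECT', 'base64'] as $needle) {
        if (strpos($request_uri, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed request URIs (not captured traffic). Each carries the decision an
// administrator would want, so the report flags where the rule disagrees.
$samples = [
    '/2010/04/secure-wordpress/'              => false,
    '/?p=1&q=eval(base64_decode(...))'        => true,
    '/?id=1 UNION SELECT 1,2,3'               => true,
    '/?id=1 union select 1,2,3'               => true,  // lowercase: the match is case-sensitive
    '/?s=how+to+base64+encode+an+image'       => false, // ordinary site search: false positive
    '/?s=CONCAT+function+in+mysql'            => false, // ordinary site search: false positive
    '/category/' . str_repeat('a', 260)       => false, // long but legitimate permalink
];

foreach ($samples as $uri => $expected) {
    $blocked = bbq_should_block($uri);
    $verdict = $blocked === $expected ? 'ok' : ($blocked ? 'FALSE POSITIVE' : 'MISSED');
    printf("%-14s %-5s %s\n", $verdict, $blocked ? 'block' : 'allow', substr($uri, 0, 60));
}
```

Running it prints one line per sample; the two search URIs and the long permalink come out as FALSE POSITIVE and the lowercase union select as MISSED, which is the trade-off to weigh before enabling the plugin on a site with user-generated content.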

Start Protecting Your Blog

This type of injection attack is extremely common in unprotected WordPress installations and the malicious code is often found hidden within free WordPress themes that are downloaded from questionable websites.

Always remember that prevention is better than cure and your site is your valuable investment.

Discussion

Please share your experiences with securing your blog and the problems that you have overcome. Also, if you require further assistance with implementing the code, please don’t hesitate to ask.


9 Responses

  1. Rob

    04/20/2010, 10:04 am

    Whilst I voted you up on BlogEngage for this post, I think the key thing people need to remember is keeping your WordPress installation and plugins up-to-date is the number one way by which you can keep your site secure.

    There are a number of plugins that can help secure your installation in a less aggressive manner. I covered some of these on a post I wrote recently (that I won’t link to right here since that would be blatant self promotion – if you are interested, then please let me know and I’ll forward over details).

    I personally would worry about false positives when using code such as that detailed above. Looking forward to seeing more content from you and great theme.
    • Sam

      04/21/2010, 01:44 pm

      Hey Rob,

      Thanks a lot for visiting and your awesome input.

      The script is really in direct response to many sites being exploited by malicious code injections last year. Though I do agree that the method is pretty aggressive, it is useful nonetheless. As for false positives, after doing some further investigation, there have been rare cases where the alarms went off but no true “threat” existed. I would love for you to share your knowledge on the subject and you are free to link as long as it is relevant. It’s all about sharing information that proves to be useful for all.

      Thanks again for commenting, hope to see you here again. :)

  2. Rob

    04/22/2010, 06:47 am

    Thanks for the warm welcome! In terms of the WordPress Plugins I wrote about, you can find the article here:
    http://lastplaceonthe.net/10-wordpress-plugins/

    (Specifically #4, #3 and #2 are security related.)

    I used to use the plugin Bad Behaviour; however I’ve since removed it since it was incorrectly shutting some users out. On one occasion it even locked me out!

    When I read your post it made me think about the necessity of such code. So much so that I had a DM conversation with one of the WordPress developers on Twitter. Their response reads, “It’ll protect from a narrow subset of attacks for sure but the best thing is to keep s/ware up to date!”.

    I’m no coder and I’m cautious at the best of times when adding additional code to my WordPress sites. I applaud your contribution and made my earlier comment to suggest that people should feel encouraged to use several solutions and not just one. Something you did in fact cover in your article which I missed originally, “Once the plugin is activated, it will silently and effectively close any connections for this type of injection attack.”
  3. Keith

    08/03/2010, 10:48 pm

    I’ve been using your site to configure my WordPress CMS (yeah I know, I’m asking for it) but can’t figure out why this code doesn’t work. I use .htaccess files in other directories just fine, but for some reason when I put this code in with my home IP address I always get a 500 error when attempting to access the admin side of things. Any ideas?
