WordPress powers one out of every six websites on the Internet. A primary reason for its popularity is the ability to easily customize the design and extend the functionality of a WordPress website using community-developed themes and plugins. The immense popularity of WordPress makes it an automatic target for hackers. What makes it even more attractive is the potential that the themes and plugins developed by less experienced programmers will make a website easier to hack, and that those who host their own WordPress websites -- about one-half of all WordPress websites -- won't have adequate security on their Web servers to guard against hackers.
With only one small mistake in the code of a WordPress theme or plugin, a hacker can gain access to your website and deface it, steal information about your users or even delete the content from your website. Hackers are most successful with WordPress sites using a method called SQL injection, where the hacker tricks the WordPress program into running commands on the database server in its native structured query language. All SQL injection attacks can be prevented using a programming technique that's built into WordPress.
WordPress: A Hacker's Target
SQL Injection Attacks
The most common way a WordPress website is hacked is by using SQL injection, even though it's entirely preventable. With SQL injection, a hacker tricks the system into running SQL commands on the WordPress database by attaching them to user input data. Programmers create SQL injection risks by writing code that accepts input from a user and passes that input verbatim to the database in an SQL command. The risk can be eliminated by using the "prepare" function in WordPress whenever you mix SQL database commands with user input.
Automated Detection of Vulnerabilities
When you're just getting started with a security audit, you can use software that tests your WordPress site for SQL injection vulnerabilities to help you find and eliminate them. The Open Web Application Security Project recommends two tools: OWASP's own SQLiX and SQLMap, an open source penetration testing tool (links in Resources). After you download a tool, refer to OWASP's instructions for it. Both programs have many command-line parameter options that control how the software tests your WordPress site.
What to Audit
The only way to be certain that your WordPress site isn't vulnerable to a SQL injection attack is to audit the source code. Because of the vigilance with which WordPress developers monitor the core source code for vulnerabilities, it's probable any weaknesses are in code you've authored or in the source code for a theme or plugin you're using. Use the editor in the Themes module to review the source code for each program file in your theme. Pay particular attention to any customizations that you have written. Use the editor in the Plugins module to review the source code for each plugin you've activated.
How to Audit
Perform a case-insensitive search in the source code for each of the following SQL commands: "CREATE," "ALTER," "DROP," "SELECT," "UPDATE," "DELETE," "INSERT" and "TRUNCATE." If the command incorporates data from a variable containing data that could have come from user input, replace the command with a version that uses the "prepare" function provided by WordPress. The prepare function sanitizes data and prevents malicious SQL commands from being run on the database. For example, replace: "$wpdb->query("DELETE FROM $wpdb->postmeta WHERE post_id=$user_selected_post");" with "$wpdb->query($wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE post_id=%d", $user_selected_post));" (no quotes).
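The keyword search described above can be scripted as a first pass before reading the code by hand. The Python sketch below is an added example, not code from this article or from WordPress; the function name audit_php and the sample plugin lines are constructed for illustration. It goes one step past the manual search by also flagging a query that calls prepare but still embeds a variable in the SQL string, since prepare only protects values passed through placeholders such as %d.

```python
import re

# The eight SQL commands the audit step above says to search for, case-insensitively.
SQL_COMMAND = re.compile(
    r"\b(CREATE|ALTER|DROP|SELECT|UPDATE|DELETE|INSERT|TRUNCATE)\b", re.IGNORECASE)
# A PHP string literal, double- or single-quoted, with backslash escapes.
STRING = re.compile(r'"(?:[^"\\]|\\.)*"' r"|'(?:[^'\\]|\\.)*'")
# Any PHP variable except $wpdb itself: $wpdb->postmeta is a table name, not user input.
VARIABLE = re.compile(r"\$(?!wpdb\b)[A-Za-z_]\w*")
# A variable joined to a string literal with PHP's "." operator (literals become \0 first).
CONCAT = re.compile(r"\x00\s*\.\s*\$(?!wpdb\b)|\$(?!wpdb\b)[^\s.;,()]*\s*\.\s*\x00")

def audit_php(source):
    """Return (line_number, reason, line) for SQL strings built from variables.

    Line-based triage only: statements split across lines still need a manual read.
    """
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        literals = STRING.findall(line)
        if not any(SQL_COMMAND.search(lit) for lit in literals):
            continue
        # Only double-quoted PHP strings interpolate variables.
        if any(lit.startswith('"') and SQL_COMMAND.search(lit) and VARIABLE.search(lit)
               for lit in literals):
            findings.append((number, "interpolated", line.strip()))
        elif CONCAT.search(STRING.sub("\x00", line)):
            findings.append((number, "concatenated", line.strip()))
    return findings

# Constructed sample plugin code. Line 2 is the article's unsafe query and line 3 its
# prepared form, written with the $wpdb->prepare method; lines 4 to 6 are invented.
SAMPLE_PHP = r'''<?php
$wpdb->query("DELETE FROM $wpdb->postmeta WHERE post_id=$user_selected_post");
$wpdb->query($wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE post_id=%d", $user_selected_post));
$rows = $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE post_author=" . $_GET['author']);
$wpdb->query($wpdb->prepare("UPDATE $wpdb->posts SET post_title='$title' WHERE ID=%d", $id));
$label = "Select a post to delete";
'''

if __name__ == "__main__":
    for number, reason, line in audit_php(SAMPLE_PHP):
        print(f"line {number}: {reason}: {line}")
```

Each flagged line still needs a human decision about whether the variable can carry user input; the script only narrows down where to look.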
Staying Current on Releases
One of the most important tasks to guard against SQL injection and other types of attacks from hackers is to ensure that your system is up to date. If a security vulnerability is discovered in the core WordPress system or in a theme or plugin that's actively maintained, the author will release a new version. Whenever a new WordPress release becomes available, you should back up your database and install the new release. When the theme you use or the plugins you've activated issue updates, you should back up your database and install the updates. Your WordPress dashboard clearly indicates when WordPress, themes and plugins have new releases you haven't installed.
- Open Web Application Security Project: Testing for SQL Injection (OTG-INPVAL-005)
- Open Web Application Security Project: OWASP Top 10
- TroyHunt.com: OWASP and the Top 10
- Forbes: With 60 Million Websites, WordPress Rules The Web. So Where's The Money?
- eSecurity Planet: Top 5 WordPress Vulnerabilities and How to Fix Them