WordPress Security: How to stop SQL injections – Plesk Tips

Elvis Plesky

5-min read

We all know that WordPress has historically been very vulnerable to hacks of all sorts. So most good web hosts will practice good WordPress security measures to avoid falling  victim to hacking. However, it can be hard to keep track of all the risks and develop a security solution that really protects your website.

Here, we’ll discuss how one of the most dangerous intrusions may occur. Code injections via SQL. Read on to discover what a SQL injection is, how it happens and what actions you can take to ensure your WordPress site isn’t a victim of an injection attack.

Understanding database injections

Hacks that occur with a hacker injecting code into a database is not uncommon. In fact, pushing rogue code into a WordPress SQL database is a frequently-used method for gaining unauthorised access to a site. It all comes down to WordPress’ reliance on SQL databases, and this has a big effect on WordPress security.

How WordPress stores content

It is really easy to understand how WordPress uses databases to store content. Every single WordPress site has a dedicated MySQL database, which is the standard DBMS used by WordPress websites. Whenever a page is requested, WordPress generates a SQL query, consulting the database for the content and plugging the database content into a page theme to render a user-friendly version of the content.

With the help of PHP SQL queries are served to the system in order to make changes to the WordPress database, including adding, deleting or changing the database itself. However, hackers do not necessarily connect with a database via WordPress or a control panel. In fact, code can be inserted into a WordPress database in a lot of different ways.

What hackers do to inject code into a WordPress SQL database

Forms. Yes, hackers utilize your website forms to inject code into your WordPress SQL database. Anything that receives user input such as a contact form, login box, sign-up box or even the search bar can be the gateway to a WordPress security issue in its worst form: an SQL injection.

The problem with forms is that in many instances the form submission is captured in the database. Include rogue code in the submission and the code is stored in the SQL database. So, all a hacker needs to do is to enter this rogue SQL code into a form instead of bona fide form responses.

One example is a form field that is supposed to accept only valid telephone details. Yes, you should restrict form responses to be in the format of, say XXX-XXX-XXXX,  however if you leave the field as free-form a hacker could easily inject SQL code using that field.

So, what happens with a SQL hack?

There are two ways in which a hacker can insert code into your SQL database. Classic method of doing so involve returning data to the web browser used by the hacker. It’s just the same way you use a form on a website, really.

A query like this can result in your database returning information inside the database and the purpose of this WordPress security hack is to steal information that is sensitive, including SQL structure which can lead to further hacking attempts.

Another way of inserting code is using a blind SQL injection. Here the injection does not involve the return of data but instead, the hacker will use the inserted code to run code on your database. This code could do all sorts of damage, including deleting all your database data.

Shouldn’t WordPress security be able to prevent it?

Yes, WordPress has gone to lengths to try and prevent these attacks given that SQL injections are so common. WordPress does have a number of ways in which it mitigates SQL injections.

The way WordPress security is handled by the CMS involves validating and cleaning data which is submitted via forms. For example, validation makes sure that data that is received on a form fit the criteria that are specified – e.g. matching the data entered into a phone number field against the nature of a real phone number.

Another example is the way in which WordPress removes excess and restricted characters from input.

Nonetheless, there are some issues that current WordPress security tactics do not account for, which means that WordPress is not fully secured against database injections that manipulate SQL code.

For example, in late 2017 WordPress published a security update which fixed a known SQL exploit that was detected by the WordPress team. This protected the core of WordPress, the update however did not protect vulnerable themes and plugins.

Overall, themes and plugins are vulnerable to exploitation whenever they make use of a form and the developers of these WordPress add-ins need to be very much on top of WordPress security practice to ensure that database injections do not cause terrible problems for website hosts.

In essence, it is best to take additional mitigating measures because fully managing what WordPress or add-in developers do is simply not possible. Let’s take a look at what you can do to manage your WordPress security to avoid hacks due to SQL exploits.

Preventing SQL exploits

WordPress itself has a few tricks up its sleeve, as we explained, but in the end good sysadmins will add additional measures to make sure their WordPress sites do not suffer from an SQL attack. Here is a short list of practices you need to implement:

1. Trust is the key

There is a whole range of reasons why you should take the utmost care when utilizing plugins and themes, but SQL injection risk is one of the biggest. Only make use of plugins and themes that are sourced from reliable, qualified and trusted developers.

2. Update regularly

Remember that 2017 WordPress fix we mentioned earlier? It didn’t work for a lot of people, for a simple reason: these users had disabled automatic WordPress updates, so the update never rolled out to their WordPress instance.

When it comes to updates you need to be really alert, as it is not only the WordPress core that needs frequent and regular updating. Also, ensure that your MySQL database software is updated and always keep your PHP on the latest version. Often your website management console can make it easy to keep all these aspects of your site up to date.

It can be difficult to manage updates across multiple sites, but you can try something like the WordPress Toolkit that can manage updates across a lot of sites via a dashboard interface that automates the update process. As such you don’t need to log into hundreds of websites to manage updates for sites, plugins, and themes.

3. Control field entries and data submissions

We explained earlier how a SQL injection works, and you can do a lot to thwart SQL injections by practicing a simple WordPress security trick: controlling the types of data that can be submitted via a form field.

For example, a name field should only allow alpha entries, there is no reason for numeric characters to be included in a name field. Likewise, telephone or payment card data should not contain alphabet letters or special characters.

Also, consider deploying sanitize_text_field() so that entries that are not correct or simply dangerous can be blocked.

4. Don’t use the default WordPress database name

This is a really simple WordPress security trick: change the standard WordPress database name. By default your WordPress database will have the prefix of “wp-“, and this makes it easier for a hacker to make use of the credentials to your database if found. Change this default name and you will make it more difficult for a hacker, especially where hacking involves bots on automated scripts.

5. Keep track of database use

You should never easily give access to your MySQL credentials, but sometimes it simply can’t be avoided and for this reason, you should log the use of credentials, and log overall SQL activity. If changes are made that should not have been made you can more quickly detect the problem. WordPress security tools including WordPress Toolkit can help you do this.

6. Utilize a website application firewall

Yes, you can get a firewall for your website. A website application firewall or WAF can detect SQL injection attempts by analysing form inputs on your behalf. WAFs will also block known-bad IPs from your site so they can never even make an attempt. There are plenty of WAFs on the market, check them out.


Database injections are an incredibly common way to hack into a website but they are preventable. As much as website relies on forms to work, good WordPress security practice can make it difficult for even the most determined hacker to inject code into your database.

You have several tools that can help you, one of these is Plesk WordPress Edition which can assist you in your WordPress security efforts. It also provides a range of other WP tools which makes it much easier to manage and maintain WordPress applications.

Guard your WordPress security: Understand SQL injections2019-01-09https://www.plesk.com/wp-content/themes/plesk/images/plesk_logo_144x144_black.pngPleskhttps://www.plesk.com/wp-content/uploads/2019/01/header-blog_1920x400-wordpress-security-sql-injection-explained.png200px200px

Plesk is available in Cloud Server Plesk.Contact us to find out our latest offers!

Comments are closed.