After monitoring more than 1500 WordPress plugins over the course of 14 months, Wordfence reported that SQL injection is the second most common vulnerability found in WordPress websites. The goal of this post is to understand how SQL injection attack work and how can one prevent it.

What is SQL Injection?

Whenever someone is leaving a comment or filling up the contact form of your WordPress site. They are inputting data that is being stored in the database (a storage place where all information regarding your WordPress site is stored in a structured manner). If the input field doesn’t follow a specific format that anyone can insert a bad code into your website. For instance, on your website, you use a plugin that enables you to have a contact us form to your site. The form requires the phone number of the person trying to reach out. The phone number field has a specific format. One can only insert numerical and 10 characters. Suppose the format no longer exists due to an error in the plugin.

In the WordPress ecosystem, a vulnerability in a plugin becomes public knowledge soon. As soon as hackers come to know of vulnerability like the ones we mentioned in above, they sent out bots to attack the contact us page of hundreds of thousands of WordPress sites, hoping to find one that uses the vulnerable plugin. When they come across such a site, they insert malicious code in the field of a phone number that tricks the site into running the bad code. The code commands the site server to create a new set of credentials for the hacker. And in this way, the hackers have access to the WordPress site.

When it comes to web security, on the golden rule is to expect all data coming from outside the system as malicious. A silver rule on the other hand advocates leniency and tell us to filter the data, control what goes inside the system. The process of filtering data is called whitelisting. Take the instance of a contact form. Suppose instead of banning all inputs other than numerical; we compile a list of inputs that can be trusted, like letters, numbers, and strings. For instance, if someone inserts ‘**********’ (10 stars) in the phone number field, the system takes it because it’s not harmful. User inputs are validated based on how well they comply with your whitelisted.

WordPress Core follows the silver rule, and it’s extremely effective. It makes sure that user input is checked to see if they are following the format that they are supposed to follow before storing the input in the database. It also sanitizes the input data to make sure it contains only safe characters as in like only numerical in the phone number field, no special characters. It’s an effective way of preventing SQL injection, but it’s not foolproof. One can always find loopholes.

SQL injection

A visual representation of how an AQL injection works.

In the past, we had come across an SQL vulnerability in the WordPress plugin called Booking Calendar. The vulnerability would have allowed hackers to enter SQL queries (bad codes) that will eventually allow the attacker to view the database of the site. Fortunately, the vulnerability was patched before any damage could be caused.

SQL injection one of the most common hack attacks made on WordPress sites because of the widespread havoc it can create. When plugins exhibit SQL injection, it means if the plugin it comes bundled with a theme, then the theme too will be vulnerable. After a vulnerability is discovered in a plugin, developers quickly release a patch via an update. A user may update the vulnerable plugin, but others are not aware that the plugin is part of the theme they are using. They might think only people who are using the standalone plugin are at risk. Therefore, one exploit open doors for another, and in this way, SQL injection is able to wreak great havoc.

Types of SQL Injection?

SQL Injections can be divided into three major categories: In-band SQLi, Inferential SQLi and Out-of-band SQLi. Let’s take a look at how they are different from each other.

In-band SQLi

(i stand for injection) is the most common type of SQL injection. It’s easy to carry out and offers good results. In this attack, the hackers use the same communication channel to both launch the attack and retrieve information. SQL injection attacks are generally carried out so that the attacker can gather information from the database.

In-band SQLi can be further sub-divided into Error-based SQLi and Union-based SQLi. In the former, hackers throw a command at your site database and the database returns an error message. The message enables hackers to obtain information about the structure of the database. Database error messages are very useful during the development of an application as it informs the developer what is going wrong so that he can fix the problem.

Inferential SQLi

Inferential SQLi is also known as Blind SQLi and they take longer to execute and exploit. In this particular attack, hackers don’t receive the result of the attack as quickly. Which is why the attack is referred to as blind injection. The database will not give you any output not even an error message so the hackers find another way to retrieve data. It takes days to receive information, therefore, hackers often use automated tools to carry out Inferential SQL injection attack.

Out-of-band SQLi

Out-of-band SQL injection attack is an uncommon attack. To execute this attack the hackers need to make sure that certain features are enabled in the website database. These features are essentials because they’ll enable the hacker to communicate with the hacker website. This precondition makes the hack harder to execute. Also, Out-of-band SQLi occurs when hackers can’t carry out an in-band SQL or interferential injection.

SQL injection is one of most common types of attacks made on WordPress websites. We hope that after reading this post you have a better understanding of how the attack works. In the next post, we’ll discuss another very common hack attack made on WordPress sites – Cross-Site Scripting (XSS). Stay tuned.