SQL Injections

SQL injections: Attacks on the heart of your website

In addition to brute force attacks, SQL injections are always on the list of the biggest threats to WordPress websites. They are relatively easy manipulations of your website's database that allow an attacker to read sensitive data, create admin accounts and manipulate a website at will. We show how the attack works and why it is so dangerous.

In March 2008, 134 million credit card details were stolen from the American company Heartland Payment Systems, among other victims, by a true mastermind. The attack relied on a relatively easy-to-execute hack called SQL injection, in which access is gained to a website's database and thus to all the data the website holds. SQL injections are therefore considered one of the biggest threats to websites, and especially so for people who mainly work with WordPress.

And since WooCommerce in particular has made it possible to operate larger and more complex stores with WordPress without any problems, it is important to understand how high the risk of a WordPress SQL injection is and how it works.

WordPress SQL injections - how dangerous are they?

The question of how "dangerous" a WordPress hack is cannot be answered with a single indicator. Instead, you need to consider at least two aspects: the probability that your own WordPress project will fall victim to such an attack, and the damage that a successful hack can cause.

In the case of brute force attacks, the number of monthly attacks is so high (in some cases over 1 billion measured attacks, plus an unknown number of unreported cases) that one can safely say: every WordPress website is targeted by such an attack sooner or later. The damage a successful hack can cause is manifold. Brute force attacks are usually used to hijack websites and integrate them into a botnet. Cross-site scripting, on the other hand, occurs much less frequently, but is mainly used to infect websites with malicious code.

The non-profit organization Open Web Application Security Project (OWASP) regularly publishes a top 10 list of the biggest security risks for web applications. And SQL injections have consistently ranked first here in the past; since 2021, they have "only" been in third place.

In fact, SQL injections are here to stay. The hack has been known for over 20 years now. The frequency of SQL injections has also increased over time.

Wordfence, manufacturer of security software for WordPress, has come to the conclusion that SQL injections pose a major threat to WordPress websites in particular. An analysis of almost 1,600 security vulnerabilities in plugins reported over a period of 14 months clearly shows that SQL injections are the second most common security risk for WordPress websites.

Figure: WordPress SQL injections, Wordfence analysis. The graphic shows that SQL injections are the second most common security risk for WordPress websites.

With all these figures, you must of course bear in mind that the number of unreported cases is much higher - SQL attacks are often not even noticed and do not appear in any statistics.

The figures show that WordPress SQL injections are one of the most common types of attack after brute force attacks and XSS vulnerabilities. In addition, SQL injections target a particularly sensitive area of your website: your database. For stores in particular, these hacks are therefore an existential threat. It is therefore important to understand how they work and what you can do about them.

WordPress SQL injections target the heart of your website

To understand how an SQL injection works, you need to understand the basic structure of WordPress. If you already know this, you can safely skip this section.

The database is the basis for every WordPress installation: all content is stored here. The CMS itself then makes it possible to display and edit this content. WordPress uses a MySQL database. SQL stands for Structured Query Language, a programming language with a full range of functions that can be used to create structures in a database and insert, change and delete data.

Every time you write an article, create a new category, change your password or write a comment, this new data is saved in the database. This is where every single piece of content on your website is stored.

Whenever your website is accessed and certain content is requested, WordPress pulls the relevant data from the database, assembles it with PHP into an HTML document, and finally transfers that document to the client's browser. The client sees nothing of the processes that take place up to this point.

SQL injections inject external code into the database

Even if you never interact directly with the database, but only with the WordPress backend, the database is the heart of your website.

However, as mentioned above, users are also able to enter data into the database. Writing a comment, creating a user account, filling out and sending a contact form - all these actions generate data that is saved in the database.

But what if someone uses this indirect access to your database to smuggle malicious code into the database? This is known as an SQL injection.

The idea behind it is not even particularly complicated: if there are no security precautions, the SQL code only needs to be entered in a form field (for example when writing a comment). The input contains characters that have a special meaning for the SQL interpreter, the component responsible for executing SQL commands in the database. Such special characters, called meta characters, include ; " ' and \.

The CMS treats the input as harmless data and passes it to the database as usual, with the request to save it. Because of the meta characters, the SQL interpreter no longer reads the input as plain data but as part of a command, and executes it against the database.

Incidentally, the same applies to SQL injections as to brute force attacks: there is practically never one person sitting alone at a computer and manually entering SQL code into forms. These attacks also run via automated botnets that scan thousands of websites simultaneously for vulnerabilities and strike wherever they discover one.

What can happen now?

  • Any authentication mechanisms are bypassed or the identity of an existing user is used to gain access. If, for example, a new admin account is created, this is also referred to as a privilege escalation exploit.
  • In this way, data can be spied on, changed or deleted. This is particularly critical if you run an online store and have payment data.
  • Attackers can also take control of your entire website and your web space. This is possible by logging in as an admin. Full control over your website is gained via the backend - and so it can be misused to send spam, inserted into a botnet, or simply injected with malicious code.


Conclusion: WordPress SQL injections are very dangerous precisely because of automation

WordPress SQL injections are among the most dangerous hacks of all. They are easy to carry out, usually automated and can cause massive damage: For stores in particular, the danger posed by SQL injections is existentially threatening due to the data in the database.

It is therefore important to protect your website accordingly: any external input must be checked and cleaned. You should also escape data before it reaches the database to prevent the execution of malicious code. This process is called data sanitization and validation and is covered in detail in the WordPress Developer Guide, for example.
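To make the mechanism described above (meta characters in a form field ending up inside the SQL text) and the sanitization and validation advice concrete, here is an added example that is not part of the original article. It shows a hypothetical plugin function written two ways: the unsafe string concatenation, and the same lookup validated and bound through WordPress's own `$wpdb->prepare()`. It assumes it runs inside WordPress, where the global `$wpdb` object and the `sanitize_email()`, `is_email()`, `wp_unslash()` and `absint()` helpers exist; the `demo_` function names are invented for this example.

```php
<?php
// Added example, not from the article: a hypothetical plugin function that looks
// up comments by author e-mail, once the unsafe way and once the safe way.
// Assumes WordPress is loaded, so the global $wpdb object is available.

// UNSAFE: the raw form value is glued into the SQL text. A quote or backslash
// in the value ends the string literal early, and whatever follows is parsed
// by the SQL interpreter as part of the command instead of as data.
function demo_comments_by_email_unsafe( $email ) {
    global $wpdb;
    $sql = "SELECT comment_ID, comment_content FROM {$wpdb->comments}
            WHERE comment_author_email = '" . $email . "'";
    return $wpdb->get_results( $sql );
}

// SAFE: validate first, then bind the value through a placeholder.
// $wpdb->prepare() escapes and quotes the value for %s, so meta characters
// stay inside the string literal and never reach the parser as syntax.
function demo_comments_by_email_safe( $raw_email ) {
    global $wpdb;

    // 1. Validation: strip WordPress's added slashes, then reject anything
    //    that is not a syntactically valid e-mail address.
    $email = sanitize_email( wp_unslash( $raw_email ) );
    if ( '' === $email || ! is_email( $email ) ) {
        return array();
    }

    // 2. Prepared query: %s is replaced by the escaped, quoted value.
    $sql = $wpdb->prepare(
        "SELECT comment_ID, comment_content FROM {$wpdb->comments}
         WHERE comment_author_email = %s",
        $email
    );
    return $wpdb->get_results( $sql );
}

// Numeric input gets the same two steps: cast with absint(), bind with %d.
// A value that is not a positive integer becomes 0 and is rejected up front.
function demo_post_title_safe( $raw_id ) {
    global $wpdb;
    $post_id = absint( $raw_id );
    if ( 0 === $post_id ) {
        return null;
    }
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT post_title FROM {$wpdb->posts} WHERE ID = %d", $post_id )
    );
}
```

The table names come from `$wpdb->comments` and `$wpdb->posts` rather than from user input, because placeholders only protect values; identifiers and the query structure must never be built from external data.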

Comprehensive security plugins can also help here: they are particularly capable of blocking automated attacks on your websites, which are the basis for many hacks.


One comment on "SQL injections: Attacks on the heart of your website"

  1. Great article Tobias, now as a web manager of stores, how can I ensure the security of the website? And most importantly, you asked to check user input... Can you please explain what kind of inputs need to be checked?
