SQL Injections: Attacking the Heart of Your Site

Tobias Schüring Updated on 15.01.2020
6 Min.
SQL injections

Besides Brute Force Attacks redive WordPress SQL injections on the list of major threats to WordPress sites on. These are relatively simple manipulations of the database of your sites . Hackers can access sensitive data or set up admin accounts themselves and manipulate yours site at will. We show how the attack works and why it is so dangerous.

March 2008: Hacker (including, by the way, a real mastermind) get hold of 134 million credit card data at the American group Heartland Payment Systems. Mid-2016: Presumably Russian hackers will get their hands Access to the database of registered voters of the Illinois State Board of Elections. Something similar happens in Arizona. February 2017: The American arms dealer Airsoft GI will be Data stolen from 65,000 user accounts. March 2017: Alleged Chinese hackers get hold of the personal data of 4,000 customers of a Korean app and send partly obscene text messages to the victims.

All these attacks have one thing in common: behind them is a relatively simple hack called SQL injection. This attack gives hackers access to the database and thus to all user data of a site . In fact, SQL-Injections are therefore considered one of the greatest dangers for website operators. Also and especially for webmasters who mainly work with WordPress .

And since larger and more complex shops in WooCommerceparticular have been able to WordPress operate without any problems, it is important to understand, how high the risk of an WordPress SQL injection is and how this work.

How "dangerous" are WordPress SQL injections?

The question of the "danger" of a WordPress -hack cannot be answered in terms of a single indicator. Instead, at least two aspects must be considered: One is the probability of the hack being successful... WordPress -WordPress -projects can fall victim to such an attack, as well as the damage that a hack can cause.

At Brute Force Attacks for example, the number of attacks per month is so high (partly more than 1 billion measured attacks + estimated number of unreported attacks) that one can actually say that every WordPress -WordPress -projects sooner or later is the target of such an attack. The damage that can be caused by a successful hack is manifold. Most Brute Forceattacks are also used to hijack websites and integrate them into a botnet. Cross-site scripting on the other hand, occurs much less frequently, but is mainly used to create websites with Infect malicious code.

The non-profit organization Open Web Application Security Project (OWASP) regularly publishes a top 10 list of the greatest security risks for web applications. And SQL-Injections occupy here permanently the first place, also on the (although provisional) List for 2017.

You can see a graph of the Top 10 list of the greatest security risks for Web applications, which is regularly published by the non-profit organization OWASP. SQL injections occupy the first place here.
The non-profit organization OWASP regularly publishes a top 10 list of the greatest security risks for Web applications. SQL injections regularly occupy the first place here.

In fact, SQL injections have come to stay. The hack is known for over 15 years. And according to the Akamai State of the Internet Security Report for 2017 the frequency of SQL attacks has increased by 28 percent since the first quarter of 2016. In the first quarter of 2017, SQL injections were the most frequently performed hacks, accounting for 44 percent of attacks. 

It is illustrated here that in the first quarter of 2017 SQL injection is the most frequently performed hack, with 44% of attacks.
According to the Akamai State of the Internet Security Report 2017, SQL injection was the most frequently performed hack in the first quarter of 2017, with 44% of attacks.

Wordfence, Producer of a security software for WordPress comes to the conclusion that SQL injections are specifically for WordPress -Users are a great danger. A Analysis of almost 1,600 security vulnerabilities in Pluginsreported over a period of 14 months, clearly shows that SQL injections are the second most common security risk for WordPress sites are.

The graph clearly shows that SQL Injections is the second most common security risk for WordPress  sites  are.
The graph shows that SQL Injections is the second most common security risk for WordPress sites are.

With all these numbers you have to keep in mind that the number of unreported cases is much higher - often SQL attacks are not noticed at all and do not appear in any statistics.

The numbers show that WordPress SQL Injections are performed according to Brute Force Attacks and XSS gaps are one of the most common types of attacks of all. SQL injections also target a particularly sensitive area of your site database. Especially for shop owners these hacks are an existential threat. It is therefore important to understand how they work and what you can do about it.

WordPress SQL Injections aim at the heart of your site : The Database

To understand how an SQL injection works, you need to understand the WordPress basic structure. If you already know this, you can skip this section confidently.

The database is the basis for every WordPress installation: all contents are stored here. The CMS itself then makes it possible to display and edit this content. This WordPress is a MySQL database. SQL stands for Structured Query Language, a full-featured programming language that can be used to create structures in a database and to insert, modify and delete data.

Every time you write an article, create a new category, change your password or even when your users post a comment, this new data is stored in the database. So here is every single content of your website.

WordPress every time a user calls yours site and requests certain content, it pulls the appropriate data from the database, merges it with PHP and creates an HTML document that is finally sent to the user's browser. The user doesn't notice anything of all the processes that take place until then.

SQL Injections inject external code into the database

Even if you never interact directly with the database, but only with the WordPress backend: The database is the heart of your website.

But as I said, users are also able to enter data into the database. Writing a comment, creating a user account, filling out and sending a contact form - all these actions generate data that is stored in the database.

But what if someone uses this indirect access to your database to smuggle malicious code into the database? This is called an SQL injection.

The idea behind it is not even particularly complicated: If no security measures are in place, the hacker only needs to enter SQL code into a form field (e.g. when writing a comment). It contains characters that have a special function for the SQL interpreter, which is responsible for executing SQL commands in the database. Such special characters, called metacharacters, are for example ; " ' and \.

The CMS believes that the data is harmless and passes the input to the database with the order to save it, as usual. The SQL interpreter recognizes the code by means of the meta characters as an action request and executes the database command.

By the way, the same applies to SQL injections as to Brute Force attacks: there is hardly ever a hacker sitting alone at the computer and manually enters codes into forms. These attacks also run via automated botnets that scan thousands of websites simultaneously for vulnerabilities and strike where they find one.

What can happen now?

  • The hacker bypasses any authentication mechanisms or hides behind the identity of an existing user to gain access. For example, if a hacker creates a new admin account, one also speaks of a Priviledge Escalation Exploit.
  • In this way he can spy out, change or delete data. This is especially critical if you run an online shop and have the payment data of your customers at your disposal.
  • He can take control of your entire website and webspace, for example by logging in as an admin and gaining access to your backend. This way a hacker has full control over yours site and can abuse it as a spam-slinger, introduce malicious code or insert it into a botnet.

Conclusion: WordPress SQL injections are very dangerous because of the automation

WordPress SQL injections are among the most dangerous hacks of all. They are easy to perform, mostly automated and can cause massive damage: Especially for shop owners the danger of SQL injections is existential.

So it is important to protect yours site accordingly: User input must be checked and cleaned up. You should also mask data to prevent malicious code from executing. This process is called Data Sanitization and Validation and is used for example in the WordPress Codex in detail. However, in one of the following articles we will go into the subject in more detail and show you how to prevent malicious code from becoming active in your database.

Comprehensive securityPlugins is also of fundamental help here: they are especially capable of blocking automated attacks on yourssites , which are the basis for many hacks.

Related articles

Comments on this article

Aman Singh

Great Article Tobias, now as a web manager of shops How can I ensure the security of the website. And most important you asked to check user input. Can you please explain what kind of inputs need to be checked?

Write a comment

Your email address will not be published. Required fields are marked with * .