Protect WordPress Against Malicious URL Requests


In early September, many WordPress sites were infected with malicious code. We wrote a quick fix for that issue, which you can see in this post, but recently Jeff Starr from Perishable Press has come up with a solution that also protects WordPress against future attacks of the same kind.

Simply open a new PHP file and paste the following code:

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/

// Run the check once WordPress has set up the current user, so that
// current_user_can() is available when it is called.
add_action('init', 'bbq_block_bad_queries');

function bbq_block_bad_queries() {
	// Administrators (level_10) are exempt. Every other request, including
	// anonymous ones, is inspected. (The original wrapped the whole check in
	// "global $user_ID; if($user_ID)", which skipped all anonymous requests.)
	if (current_user_can('level_10')) {
		return;
	}

	$request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

	// strpos() returns 0 for a match at offset 0 and false for no match,
	// so compare against false explicitly instead of relying on truthiness.
	if (strlen($request_uri) > 255 ||
		strpos($request_uri, 'eval(') !== false ||
		strpos($request_uri, 'CONCAT') !== false ||
		strpos($request_uri, 'UNION SELECT') !== false ||
		strpos($request_uri, 'base64') !== false) {
		@header('HTTP/1.1 414 Request-URI Too Long');
		@header('Status: 414 Request-URI Too Long');
		@header('Connection: Close');
		exit;
	}
}

Code updated on Jan. 10, 2010.

Save this file and upload it to your plugin directory, /wp-content/plugins/, and your work is done. This script checks for overly long request URIs, for the base64 string that was used in the last attack, and for the eval( string, which could be used in a future one.

Once active, this plugin will silently close the connection for any request that matches these injection-type patterns.
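To see what the rule actually blocks and lets through, here is the plugin's matching logic pulled into a standalone function and run against a few constructed request URIs. This is an added example, not code from the post or from Perishable Press; the function name bbq_is_bad_request and the sample URIs are made up here.

```php
<?php
// Added example, not from the original post or the Perishable Press plugin.
// The plugin's matching rule is pulled into bbq_is_bad_request() (a name
// chosen here) so it can be run from the command line against sample URIs.

function bbq_is_bad_request($request_uri) {
    if (strlen($request_uri) > 255) {
        return 'length > 255';
    }
    // Same needles as the plugin. strpos() is case-sensitive and is applied
    // to the raw, undecoded REQUEST_URI, so this is an exact substring test.
    foreach (array('eval(', 'CONCAT', 'UNION SELECT', 'base64') as $needle) {
        if (strpos($request_uri, $needle) !== false) {
            return "contains '$needle'";
        }
    }
    return false;  // request would be allowed through
}

// Constructed sample requests: two that the rule is meant to stop, two
// ordinary ones, one legitimate post slug that happens to contain "base64",
// and one over-long but otherwise harmless search URL.
$samples = array(
    '/?s=eval(',
    '/?q=UNION SELECT',
    '/?p=42',
    '/wp-login.php',
    '/2010/01/base64-encoding-in-php/',
    '/search/' . str_repeat('a', 300),
);

foreach ($samples as $uri) {
    $verdict = bbq_is_bad_request($uri);
    printf("%-36s %s\n", substr($uri, 0, 36),
        $verdict === false ? 'allowed' : "blocked ($verdict)");
}
```

Note that the ordinary post slug containing "base64" is blocked with a 414 for every non-administrator visitor, so check your own permalinks and common query strings against the list before enabling the plugin.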

Source: Perishable Press


Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.


Comments

  1. Emily says:

    Hello there, simply turned into aware of your blog via Google, and found that it’s really informative. I am gonna be careful for brussels. I’ll appreciate for those who proceed this in future. Many folks might be benefited from your writing. Cheers!

  2. davidj says:

    How do I open a new PHP file? I’m completely new to the technical side of WordPress >.<.. is it via FTP?

  3. nurulimam says:

    Thanks for the simple but powerful plugin

  4. bhagu says:

    Thanks for such a great plugin and of course for sharing it with the world… God bless you..

  5. Lior Gradstein says:

    Hmm, you can get the same thing using the plugin named “wordpress firewall”. I get a nice email each time there’s a (hopefully blocked) tentative.

  6. Keith Davis says:

    How easy is that?
    Start to finish… 10mins.
    Thanks for posting.

  7. Trisha says:

    uh oh, getting a double header error.
    (already sent by pluggable.php)

    any ideas?

  8. Trisha says:

    Wow, thanks for a great fix! I just installed and activated and no problems so far. Since I got an injector virus a while back, on every WP install, I immediately plug in secure wordpress and user locker. This is also going in my security bag! Thanks again!!!

  9. Jenna Molby says:

    Great article, thank you!

  10. Herrin says:

    Always good to get easy to implement WordPress security tips, just wondering something:

    What should we call the php file? Does it matter?

    Ok thanks, look forward to more of your articles.

  11. Simon Petry says:

    Thanks for the timely fix.

  12. Jake Rocheleau says:

    Man I’m glad I ran into this article, I am always afraid of having my blog compromised to some degree and this article really sets aside a lot of fears. Security is my #1 concern with all of my websites, so naturally WordPress security is high up there!

  13. DeKo says:

    Great Tip, thanks
