I’ve never seen SQL injection explained really well, until one of my coworkers did just that. I’m going to try to repeat his explanation here, because SQL injection is something that everyone seems to expect everyone else to just know.
SQL injection (sometimes abbreviated SQLi) is the technical term for getting a form in a web site to run SQL commands when it shouldn’t. Here’s what it is and how and why it works.
The other day, this showed up in my e-mail:
A file change was detected on your system for site URL http://dfarq.homeip.net. Scan was generated on Tuesday, November 3rd, 2015 at 5:25 am
A summary of the scan results is shown below:
The following files were removed from your host:
/var/www/wordpress/wp-content/cache/supercache/dfarq.homeip.net/wordpress/index.html (modified on: 2015-11-03 03:23:52)
The following files were changed on your host:
/var/www/wp-content/themes/twentyfourteen/functions.php (modified on: 2015-08-19 22:24:04)
/var/www/wp-content/themes/twentyfourteen/header.php (modified on: 2015-08-19 22:24:04)
Login to your site to view the scan details.
I didn’t make those changes. Fortunately fixing it when changes appear in functions.php and header.php that you didn’t make is pretty easy.
There’s some nasty WordPress malware circulating right now. I haven’t fallen victim to that one, but I caught the very early stages of infection myself all too recently. WordPress itself was just updated to close some vulnerabilities, but the biggest problem is the plugins. Unfortunately, the plugins are the main reason to run WordPress.
At my day job, I’ve had the pleasure of working with a very security-conscious webmaster for the last couple of months, and he and I talk about WordPress security frequently and look into what we, or anyone for that matter, can do to make the best of the situation. Here’s what he and I have found in the last week or so.
Aug 2016 update: Back in 2015, some kind of spam bot wormed its way into my site. I quickly cleaned it up, then decoded the attack and posted details here. Not long after, the spambot started directing traffic to this post, because it contains enough of the magic words, I guess. Only instead of serving up spam, it’s serving up my analysis. I’d rather you read this than spam, so I’ve left this page up.
On to the original post…
A few minutes ago I received an alert that some files had changed on my site (thanks to All-In-One WP Security). But I hadn’t changed anything and WordPress hadn’t updated itself.
Here’s what I found, and how I fixed it.
I wasn’t surprised people were trying to hack my blog. What surprised me were how many people were trying to hack my blog–there was a time when I probably had more hacking-related traffic than I had reader-related traffic.
If you have a WordPress blog, you’re probably in a similar situation.
I got the white screen of death last week, but it was odd—it only happened if I tried to edit posts that were in draft or scheduled status. Already-published content would edit fine. Here’s my experience fixing white screens in WordPress.
Clearing my cache helped temporarily, but the problem would come back as soon as I saved a post. I ended up doing two other things as well, and then the problem went away. I emptied my spam, which also greatly sped up the site, and I also deleted a mobile plugin that I was no longer using but was disabled. Disabled plugins can still affect behavior sometimes. Read more
Over the weekend I installed the All-in-One WP Security and Firewall plugin to fix another issue–more on that tomorrow–and I ended up breaking my site. Hopefully I fixed it to a better state than it started in.
The lesson, as with many security tools, is to proceed with caution.
I took some steps this weekend to make the site more mobile-friendly. I get a lot of traffic from tablets and phones, so I figure the better their experience, the more likely they are to stay around. Fortunately it’s not hard to make WordPress more mobile-friendly.
First, I switched to a 2-column format. On small screens, two columns display better than three.
Next I installed a plugin called definitely-allow-mobile-zooming. This forces your page to allow zooming on mobile devices, since some CSS disallows it. On some devices my page worked fine without it, but Google’s tools flagged me as mobile-unfriendly until I installed it.
Google is going to start tweaking search results based on whether the searcher is on a desktop or a mobile device and favor sites that render well under the searcher’s conditions, so these adjustments are worth making if you value search engine traffic.
WordPress occasionally suffers from the dreaded “white screen of death,” where you visit an admin page and, instead of being able to do what you want to do, you get a blank white screen. Meanwhile, the blog continues to function. If you have scheduled posts, they keep going. But with no admin access, the blog essentially becomes a ghost ship.
Several of the causes are pretty well documented, so I’ll talk about mine instead of rehashing old advice you can easily find elsewhere. Read more
Apparently, 86% of WordPress blogs haven’t been upgraded yet to version 4.0 or 4.01, because they are vulnerable to a terrible cross-site scripting vulnerability.
If you’re reading this, and you have a WordPress blog, go update it. This post will still be here when you’re done. Read more