WordPress.org

Ready to get started?Download WordPress

Forums

How to secure the wordpress search form? (6 posts)

  1. wattt
    Member
    Posted 4 years ago #

    A friend of mine told me that my search form is vulnerable and you can run scripts through it. I know that it's supposed not to accept characters like "< > =" etc and replace them with "\" or something. But I don't know how to do that.

    I don't use the search widget, but the search form file in my theme's directory. I can see the wp_specialchars in the file, wasn't it supposed to do the thing I want?

    Please help. Thanks in advance!

  2. Roy
    Member
    Posted 4 years ago #

    I believe I asked that question in my early WP days, but I don't know the answer. A thing that helps is to change the table prefix (which is wp_ almost by default), so that a hacker cannot easily guess your tables to read from or write to. Other than that... I'm interested in options too.

  3. Pinoy.ca
    Member
    Posted 4 years ago #

    First of all, SQL Injection is VERY common. Both WordPress programmers and plugin programmers need to be very defensive when formulating SQL requests, especially when parts come from user input or another table's data. One slip-up on a popular plugin and, because of one-click update, thousands of blogs are vulnerable.

    If all your form does is turn the search request into a URL like http://example.com/blog?s=search+term , then there's nothing more you can do to your form to make it more or less vulnerable.

    What happens to the s parameter? WordPress has code built-in to handle the s parameter, and many people inspect and test the WordPress core code for vulnerabilities. (See http://wordpress.org/development/category/security/ .) Indeed they catch some from time to time. C.f. WordPress 2.8.4.

    Your favourite plugins don't have this much attention.

    Since WP's architecture is very open and has dozens of hooks, your WordPress installation is only as secure as its least vulnerable plugin.

    And I'm not only talking about search plugins, here, because plugins can say one thing and do another. Any plugin could be fetching the s parameter and be doing a lousy job and thus open you up to SQL injection attacks.

    I've seen many plugins whose admin screens have absolutely zero defensive programming. I use some of them, actually, because I cross my fingers nobody gains admin access to my blog.

    I hope this answers some questions.

    After the commercial break, we'll talk about cross-site scripting.

  4. wattt
    Member
    Posted 4 years ago #

    Although you say I can't do anything, thank you for the info. :)

    Indeed, my search url is: link.com/index.php?s=key+word . But hell, I don't think there's nothing I can do to fix it.

    Also, how can someone benefit from this security risk? What can a hacker do in this case? Steal cookies?

  5. Roy
    Member
    Posted 4 years ago #

    That, but mostly your site is edited with links so a certain website gets a high Google ranking, many visitors, etc. Perhaps these high-ranking sites have a virus to get to visitor's computers, etc. It appears that hacking websites can be a profitable income.

  6. wattt
    Member
    Posted 4 years ago #

    And really there's nothing I can do to fix it? lol

Topic Closed

This topic has been closed to new replies.

About this Topic