Title: False Positive SQL Injection
Last modified: February 28, 2020

---

# False Positive SQL Injection

 *  Resolved [nicegamer7](https://wordpress.org/support/users/nicegamer7/)
 * (@nicegamer7)
 * [6 years, 3 months ago](https://wordpress.org/support/topic/false-positive-sql-injection/)
 * Does WordFence block any SQL query it detects? I’ve been able to trigger a 403
   using this href, [/wp-admin/admin-ajax.php?test=UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL#](https://wordpress.org/wp-admin/admin-ajax.php?test=UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL#)
   (it doesn’t actually do anything; try it on a site with WordFence installed).
 * The reason I’m asking is because I received an email telling me WordFence has
   blocked 130 SQL Injection attacks. But I’m pretty sure they’re all false positives.
    -  This topic was modified 6 years, 3 months ago by [nicegamer7](https://wordpress.org/support/users/nicegamer7/).

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [WFGerroald](https://wordpress.org/support/users/wfgerald/)
 * (@wfgerald)
 * [6 years, 3 months ago](https://wordpress.org/support/topic/false-positive-sql-injection/#post-12492147)
 * Hey [@nicegamer7](https://wordpress.org/support/users/nicegamer7/),
 * Wordfence does not block all SQL queries.
 * Can you please share screenshots of blocks in Wordfence > Live Traffic? Please
   share the expanded Details; this will give us a better idea of whether they’re
   false positives or not.
 * Please let me know.
 * Thanks,
 * Gerroald
 *  Thread Starter [nicegamer7](https://wordpress.org/support/users/nicegamer7/)
 * (@nicegamer7)
 * [6 years, 3 months ago](https://wordpress.org/support/topic/false-positive-sql-injection/#post-12494559)
 * For example: [https://i.imgur.com/tc1ptNg.png](https://i.imgur.com/tc1ptNg.png)
    -  This reply was modified 6 years, 3 months ago by [nicegamer7](https://wordpress.org/support/users/nicegamer7/).
 *  [wfdave](https://wordpress.org/support/users/wfdave/)
 * (@wfdave)
 * [6 years, 3 months ago](https://wordpress.org/support/topic/false-positive-sql-injection/#post-12510074)
 * Hi [@nicegamer7](https://wordpress.org/support/users/nicegamer7/),
 * It is true that the query you wrote does nothing – however, it has the potential
   to reveal to the attacker that your site is susceptible to SQL injection.
 * For example, another type of attack, directory traversal, is also blocked by Wordfence.
 * `/?file=../../../some_file` – even if some_file does not exist, your site could
   spit out a message that indicates that it is reading out sensitive files.
 * The point is to prevent the attacker from even being able to test if your site
   is vulnerable.
 * Dave
 *  Thread Starter [nicegamer7](https://wordpress.org/support/users/nicegamer7/)
 * (@nicegamer7)
 * [6 years, 3 months ago](https://wordpress.org/support/topic/false-positive-sql-injection/#post-12510122)
 * Ok, thank you, that answers my question.
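
wfdave's point above, that the firewall judges the request itself and not what the endpoint does with it, shown as an added sketch that is not part of the original thread and is not Wordfence's code. The two signatures, the function name `inspect_request` and every sample URL other than the two quoted in the thread are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed signatures for illustration; these are NOT Wordfence's actual rules.
RULES = [
    # UNION [ALL] SELECT as whole words, any case, any amount of whitespace
    ("sqli-union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    # "../" or "..\" at the start of a value or right after a path separator
    ("path-traversal", re.compile(r"(?:^|[\\/])\.\.[\\/]")),
]


def inspect_request(url):
    """Return (status, rule_id), decided from the request parameters alone.

    Nothing here knows whether the endpoint reads the parameter or touches
    a database: an unused parameter such as `test` is matched like any other.
    """
    query = urlsplit(url).query  # the trailing '#' fragment is not part of the query
    # parse_qsl percent-decodes names and values, so %20 or %2f cannot hide a match
    for name, value in parse_qsl(query, keep_blank_values=True):
        for field in (name, value):
            for rule_id, pattern in RULES:
                if pattern.search(field):
                    return 403, rule_id
    return 200, None


# Sample requests: the first two are quoted in the thread, the rest are constructed.
SAMPLES = [
    "/wp-admin/admin-ajax.php?test=UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL#",
    "/?file=../../../some_file",
    "/?file=..%2f..%2fsome_file",                    # encoded separators
    "/?s=student%20union%20selects%20new%20leader",  # benign search text
    "/wp-admin/admin-ajax.php?action=heartbeat",     # ordinary AJAX call
]

if __name__ == "__main__":
    for url in SAMPLES:
        status, rule = inspect_request(url)
        print(status, rule or "-", url)
```

The benign search phrase passes because the signature requires `select` as a whole word; how tightly such word boundaries are drawn is what separates a probe block from a genuine false positive.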


The topic ‘False Positive SQL Injection’ is closed to new replies.


 * 4 replies
 * 3 participants
 * Last reply from: [nicegamer7](https://wordpress.org/support/users/nicegamer7/)
 * Last activity: [6 years, 3 months ago](https://wordpress.org/support/topic/false-positive-sql-injection/#post-12510122)
 * Status: resolved