Due to its popularity, WordPress is a frequent target of attackers. Today, let's see how to build a plugin that checks incoming requests for malicious URLs (overly long request strings, the presence of the PHP function names "eval" and "base64", and so on) and use it to protect our blog.

Paste the following code into a text file and save it as blockbadqueries.php. Then upload it to your wp-content/plugins directory and activate it like any other plugin. That's all!

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/

// Run the check on 'init', once WordPress has loaded the current user:
// at plugin-load time current_user_can() is not yet defined and $user_ID is empty,
// so a check placed directly in the file body would never fire for visitors.
add_action('init', 'bbq_block_bad_queries');

function bbq_block_bad_queries() {
    // Administrators (level_10) are exempt; every other request, logged in or not, is checked.
    if (current_user_can('level_10')) {
        return;
    }
    $uri = $_SERVER['REQUEST_URI'];
    // strpos() returns 0 for a match at the first character, so compare against false explicitly.
    if (strlen($uri) > 255 ||
        strpos($uri, "eval(") !== false ||
        strpos($uri, "CONCAT") !== false ||
        strpos($uri, "UNION+SELECT") !== false ||
        strpos($uri, "base64") !== false) {
        // Answer with 414 and drop the connection instead of serving the page.
        @header("HTTP/1.1 414 Request-URI Too Long");
        @header("Status: 414 Request-URI Too Long");
        @header("Connection: Close");
        exit;
    }
}
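The same rule set as a stand-alone function run over constructed sample requests, as an added example that is not part of the original plugin. It adds one hardening step the plugin lacks, URL-decoding the request and matching case-insensitively, and shows the trade-off: the `concatenation` search term becomes a false positive. The function name `bbq_match_rule` and the sample URIs are assumptions for this example.

```php
<?php
// Added example (not the plugin's own code): returns the name of the rule that
// fired for a request URI, or null when the request is allowed through.
function bbq_match_rule(string $uri): ?string {
    // Length is judged on the raw request, as the plugin does.
    if (strlen($uri) > 255) {
        return 'length';
    }
    // Hardening beyond the plugin: decode %XX sequences and '+' before matching,
    // and match case-insensitively, so spelling variants of the same token are caught.
    $normalized = urldecode($uri);
    $patterns = ['eval(', 'CONCAT', 'UNION SELECT', 'base64'];
    foreach ($patterns as $needle) {
        // Compare with !== false: a match at offset 0 would otherwise read as "not found".
        if (stripos($normalized, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

// Constructed sample requests with the verdict the rule set should give.
$samples = [
    '/2009/12/hello-world/'        => null,
    '/?s=wordpress+plugins'        => null,
    '/?s=concatenation'            => 'CONCAT',       // false positive from case-insensitive matching
    '/?id=1+UNION+SELECT+1'        => 'UNION SELECT', // '+' decodes to a space before matching
    '/?x=' . str_repeat('a', 260)  => 'length',
];

$failures = 0;
foreach ($samples as $uri => $expected) {
    $got = bbq_match_rule($uri);
    $ok = ($got === $expected);
    $failures += $ok ? 0 : 1;
    printf("%-4s %-40s => %s\n", $ok ? 'ok' : 'FAIL', substr($uri, 0, 40), $got ?? 'allowed');
}
exit($failures === 0 ? 0 : 1);
```

Run it with `php bbq_check.php`; a non-zero exit status means one of the sample verdicts did not match, which is a quick way to re-check the rules after editing them.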

Thanks to Jeff Starr for this great plugin! Did you know that Digging into WordPress, Jeff's book, has just been updated?

One Comment

  1. GD PressTools does the same thing, but your solution is simpler.

    Thanks
