How to avoid attacks on Wordpress- SQL Injection

Many people exist who are capable of breaking security barriers on websites, either through injecting SQL or even because they saturate certain barriers and can entre freely into the website, in some cases they erase the content, in others, they just restart the system which blocs itself to stay offline until you fix it.

The most common attack with Wordpress is called “Defacing”, in which database is manipulated through a contact form or parameters in the URL, which can change the page of a website from writing in the database.

To avoid these attacks, you can follow this advice:

  1. Keep a safe copy of your website: you can create safe copies of your website. For more information, visit
  2. Create your Wordpress in the most updated version available: Wordpress constantly launches updates to the markets, the majority with the idea of maintaining your website to its optimum function and most of all, making it more secure. Update it, it will mark it harder to infringe, because the updates alone usually correct the violations, through which your Worpress can be affected.
  3. Use safe passwords and change your password often: We suggest you use a combination of upper case and lower case, with a combination of special characters that will make it particularly hard to access your Wordpress. Change your access at least once every three months. This will hinder the access if for some reason someone more unwanted has managed to get it.
  4. Use WordPress Keys on wp-config.php: These “keys” or security keys. Are a code that you can put in your file wp-config.php to better encrypt your users’ cookies, you can use this Keys generator, copy the code and paste it in your configuration file.

-          Make sure to use a safe plugin: There are free plugins such as “Limit Login attempts”, that will automatically block an IP, if you get a certain amount of failed attempts to your WordPress, place it in your blacklist. This will be particularly useful if someone is trying to guess your password, however, you must be sure to keep yours safe, as you could block your own IP, if you forget your password.

  1.  Install WP Security Scan
  2. Change the database code: By default, the code of the tables in the WordPress database is _wp, whereby the hackers can easily guess the name of your tables, you must use a code at random to improve the security of your website.


  1. Modify the file Robots.txt: To prevent the indexation of your admin folders in the search engines, you can modify or create a file robots.txt, and include the following code: 


User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*


  1. Protect your .htaccess file: using the following code, protect all access to the .htaccess file, you must paste it and keep it at the end of the file:

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

  1. Disable the directory search: you must avoid your users seeing the content of your directories, modify your .htaccess file and add the following code:

# disable directory browsing
Options All –Indexes

  1. Protect the file wp-config.php: Avoid access to the Wordpress configuration file, adding the following code to you .htaccess file:

# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all

  1. Limit the access to the wp-content directory: Add the following code to the file .htaccess into the wp-content directory:

 Order deny,allow
Deny from all
<Files ~ “.(xml|css|jpeg|png|gif|js)$”>
Allow from all

  1. Limit access to the wp-admin directory: Add the following code to the .htaccess file in to the directory wp-admin:

# deny access to wp admin
order deny,allow
allow from xx.xx.xx.xx # This is your static IP
deny from all

  1. Avoid script injection: Add the following code to the .htaccess file in the root directory:

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]


In case you have any questions or concerns you can contact our live chat via whatsapp :

  • 7 Users Found This Useful
Was this answer helpful?

Related Articles

How to protect your data from the Ransomware Wanna Cry virus?

In May 2017, a new Ransomware virus called Wanna Cry attacked Windows users all over the world...

How to stop referred Spams

Referred spams have become a problem again. If you are not familiar with referred Spam, basically...

What is spoofing and how can I prevent it?

Your ClickPanda account can suffer from spoofing if you receive bounced messages from emails that...