Previously we showed how to use tools like sqlmap to test your own WordPress installation for SQL injection in a white-hat way, and we have also discussed SQL injection itself. Here is how to remove query strings from WordPress URLs on a server running Apache2, mainly to reduce the surface for MySQL injection through PHP files. For Nginx, we covered removing `?utm_source`-style query strings in an older article. Query strings also affect page-loading speed, but that matters only for static files; here we are talking about the PHP files, that is, the main WordPress installation. One caveat up front: rewriting a URL changes only its shape. The parameters still reach the PHP script, so this is a hardening and log-hygiene measure, not a substitute for parameterized queries in the code itself.
How To Remove Query Strings From WordPress For Security
Strictly speaking, .htaccess is the second choice: for performance, rewrite rules belong in the main Apache2 server or virtual host configuration, because per-directory .htaccess files are read on every request. In many cases, however, we have to rely on .htaccess temporarily or permanently. If you want to strip every query string by redirecting the client to the home page (not recommended on a production site: WordPress itself depends on query strings, for example `?s=` for search, `?p=` for posts, the `?ver=` cache-busters on scripts and styles, and nearly everything under wp-admin):

```apache
RewriteEngine On
# Fires on any request that carries a query string ...
RewriteCond %{QUERY_STRING} .
# ... and redirects it to the home page; the bare trailing "?" discards the query string
RewriteRule ^ /? [R,L]
```

Use `^` as the pattern so that every path is covered; `^$` would act only on requests for the home page itself.
Check your server's access log and error log for requests with parameters, that is, URLs carrying query strings; they tell you which PHP scripts are being called and with which parameters. Suppose a bad request looks like:
```
http://server.com/something.php?arg
```

and you would rather have it in the form:

```
http://server.com/example/arg
```
Then the .htaccess rule is:

```apache
RewriteEngine On
RewriteRule ^example/(.*)$ /something.php?$1 [PT]
```

In .htaccess the pattern is matched against the path relative to the directory, so it has no leading slash; in the main server configuration write `^/example/(.*)$` instead. The `.php?` part disappears from the public URL, but internally Apache still hands `something.php` the query string `arg`, so whatever the script does with that input is unchanged. Because the substitution carries its own `?`, any query string a client appends to `/example/arg` is dropped unless you add the `QSA` flag, and dropping it is exactly what you want here. If the log shows too many URL variants for that one-to-one approach, say:
```
something.php
something.php?arg1=one
something.php?arg1=one&arg2=two
something.php?arg1=one&arg2=two&arg3=three
```
you can map path segments to the arguments with a single rule:

```apache
RewriteEngine On
RewriteRule ^something/([^/]*)/?([^/]*)/?([^/]*)/?([^/]*)/?$ \
    /something.php?arg1=$1&arg2=$2&arg3=$3&arg4=$4 [PT]
```

and the public URLs then take the form:

```
/something/
/something/one/
/something/one/two/
/something/one/two/three/
```

Missing segments arrive as empty arguments (`/something/one/` gives `arg1=one&arg2=&arg3=&arg4=`). The slash after `something` is required in the pattern so that the rewritten `something.php` does not match the rule again on the next pass in .htaccess, which would otherwise loop until Apache gives up with a 500 error.
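As an added example (not code from the original article), the following Python script pulls together the two steps above: it triages Apache access-log lines the way the log check suggests, listing which PHP scripts receive query strings, which parameter names appear and which values look like injection probes, and then models the `/something/` rewrite rule to show exactly what QUERY_STRING `something.php` receives. The script name `something.php` and the `arg1`..`arg4` names come from the article; the log lines, the client addresses, the sqlmap User-Agent and the payloads are constructed for this example. The model also covers the `QSA` flag, which the rule on the page does not use, to show why a client-supplied query string is dropped by the rule as written.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# --- Part 1: triage of the access log (Apache "combined" format) -----------------------

# Constructed sample lines, not taken from a real server. The sqlmap User-Agent
# and the payloads are illustrative.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /something.php?arg1=one&arg2=two HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /something.php?arg1=1'%20OR%20'1'='1 HTTP/1.1" 200 812 "-" "sqlmap/1.7"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /something.php?arg1=1%20UNION%20SELECT%20user_pass%20FROM%20wp_users-- HTTP/1.1" 500 0 "-" "sqlmap/1.7"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-content/themes/x/style.css?ver=6.3 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:20 +0000] "GET /?s=hello HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Crude indicators of SQL injection probing in a percent-decoded parameter value.
SQLI_HINT = re.compile(r"('|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\()", re.IGNORECASE)


def looks_like_sqli(value):
    return SQLI_HINT.search(value) is not None


def triage_access_log(log_text):
    """Summarise requests to PHP scripts (or the front controller '/') that carry a query string.
    Returns {path: {'hits': int, 'params': sorted names, 'suspicious': [(ip, param, value), ...]}}."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.query or not (parts.path.endswith('.php') or parts.path == '/'):
            continue  # static files with ?ver= are a caching matter, not an injection surface
        entry = report.setdefault(parts.path, {'hits': 0, 'params': set(), 'suspicious': []})
        entry['hits'] += 1
        for name, value in parse_qsl(parts.query, keep_blank_values=True):  # parse_qsl decodes %xx
            entry['params'].add(name)
            if looks_like_sqli(value):
                entry['suspicious'].append((m.group('ip'), name, value))
    for entry in report.values():
        entry['params'] = sorted(entry['params'])
    return report


# --- Part 2: what the rewrite rule delivers to PHP ---------------------------------------

# The page's rule in per-directory (.htaccess) form: the pattern has no leading slash.
PATTERN = re.compile(r'^something/([^/]*)/?([^/]*)/?([^/]*)/?([^/]*)/?$')
SUBSTITUTION = '/something.php?arg1=$1&arg2=$2&arg3=$3&arg4=$4'


def apply_rewrite(request_uri, qsa=False):
    """Minimal model of the RewriteRule above in .htaccess context. Returns (path, query_string)
    as the PHP script receives them, or None when the rule does not match. Percent-encoding is
    left as-is in transit; Apache decodes and re-escapes and PHP decodes again, so the value
    that reaches $_GET is the same."""
    parts = urlsplit(request_uri)
    m = PATTERN.match(parts.path.lstrip('/'))  # per-dir context strips the directory prefix
    if m is None:
        return None
    target = re.sub(r'\$(\d)', lambda ref: m.group(int(ref.group(1))), SUBSTITUTION)
    path, query = target.split('?', 1)
    # A substitution with its own '?' replaces the client's query string; only QSA appends it.
    if qsa and parts.query:
        query = f'{query}&{parts.query}'
    return path, query


def php_get(query_string):
    """What PHP exposes as $_GET for a given QUERY_STRING."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


if __name__ == '__main__':
    for path, entry in triage_access_log(SAMPLE_ACCESS_LOG).items():
        print(path, entry['hits'], entry['params'], entry['suspicious'])
    # The payload the log shows as ?arg1=... reaches the script unchanged through a path segment.
    print(apply_rewrite("/something/1'%20OR%20'1'='1/"))
    print(apply_rewrite('/something/one/?debug=1'), apply_rewrite('/something/one/?debug=1', qsa=True))
```

Running it makes the point concrete: the rewrite changes the URL shape only. A probe that the log shows as `?arg1=1' OR '1'='1` arrives in `$_GET['arg1']` identically when placed in a path segment, so the PHP code still needs parameterized queries. What the rule does buy you is that anything a client appends after `?` is discarded (no `QSA`), and probes then stand out in the access log as requests that do not fit the pretty-URL scheme.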
For WordPress itself there are several common approaches, including plugins, but the standard method is the permalink stanza that WordPress writes into .htaccess: any request that does not correspond to an existing file or directory is routed to index.php, which resolves the pretty permalink internally, so the public URL carries no query string:

```apache
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
```

`RewriteBase /` is for WordPress installed at the root of the domain; if it lives in a subdirectory, use that directory instead (for example `RewriteBase /blog/`). Also, instead of rewriting away query strings, you can put selected files behind HTTP Basic authentication in .htaccess; wp-login.php is the usual candidate.