X

How to Protect WordPress Against Malicious URL Requests

Last updated on by Debjit Saha
LinkedInPinShares0
Snippets by IsItWP

Are you looking for a way to protect your WordPress site form malicious URL requests? While there’s probably a plugin for this, we have created a quick code snippet that you can use to protect WordPress against malicious URL requests in WordPress.

Instructions:

All you have to do is add this code to your theme’s .htaccess file.


$request_uri = $_SERVER['REQUEST_URI'];
$query_string = $_SERVER['QUERY_STRING'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];

// request uri
if (	//strlen($request_uri) > 255 || 
	stripos($request_uri, 'eval(') || 
	stripos($request_uri, 'CONCAT') || 
	stripos($request_uri, 'UNION+SELECT') || 
	stripos($request_uri, '(null)') || 
	stripos($request_uri, 'base64_') || 
	stripos($request_uri, '/localhost') || 
	stripos($request_uri, '/pingserver') || 
	stripos($request_uri, '/config.') || 
	stripos($request_uri, '/wwwroot') || 
	stripos($request_uri, '/makefile') || 
	stripos($request_uri, 'crossdomain.') || 
	stripos($request_uri, 'proc/self/environ') || 
	stripos($request_uri, 'etc/passwd') || 
	stripos($request_uri, '/https/') || 
	stripos($request_uri, '/http/') || 
	stripos($request_uri, '/ftp/') || 
	stripos($request_uri, '/cgi/') || 
	stripos($request_uri, '.cgi') || 
	stripos($request_uri, '.exe') || 
	stripos($request_uri, '.sql') || 
	stripos($request_uri, '.ini') || 
	stripos($request_uri, '.dll') || 
	stripos($request_uri, '.asp') || 
	stripos($request_uri, '.jsp') || 
	stripos($request_uri, '/.bash') || 
	stripos($request_uri, '/.git') || 
	stripos($request_uri, '/.svn') || 
	stripos($request_uri, '/.tar') || 
	stripos($request_uri, ' ') || 
	stripos($request_uri, '<') || 
	stripos($request_uri, '>') || 
	stripos($request_uri, '/=') || 
	stripos($request_uri, '...') || 
	stripos($request_uri, '+++') || 
	stripos($request_uri, '://') || 
	stripos($request_uri, '/&&') || 
	// query strings
	stripos($query_string, '?') || 
	stripos($query_string, ':') || 
	stripos($query_string, '[') || 
	stripos($query_string, ']') || 
	stripos($query_string, '../') || 
	stripos($query_string, '127.0.0.1') || 
	stripos($query_string, 'loopback') || 
	stripos($query_string, '%0A') || 
	stripos($query_string, '%0D') || 
	stripos($query_string, '%22') || 
	stripos($query_string, '%27') || 
	stripos($query_string, '%3C') || 
	stripos($query_string, '%3E') || 
	stripos($query_string, '%00') || 
	stripos($query_string, '%2e%2e') || 
	stripos($query_string, 'union') || 
	stripos($query_string, 'input_file') || 
	stripos($query_string, 'execute') || 
	stripos($query_string, 'mosconfig') || 
	stripos($query_string, 'environ') || 
	//stripos($query_string, 'scanner') || 
	stripos($query_string, 'path=.') || 
	stripos($query_string, 'mod=.') || 
	// user agents
	stripos($user_agent, 'binlar') || 
	stripos($user_agent, 'casper') || 
	stripos($user_agent, 'cmswor') || 
	stripos($user_agent, 'diavol') || 
	stripos($user_agent, 'dotbot') || 
	stripos($user_agent, 'finder') || 
	stripos($user_agent, 'flicky') || 
	stripos($user_agent, 'libwww') || 
	stripos($user_agent, 'nutch') || 
	stripos($user_agent, 'planet') || 
	stripos($user_agent, 'purebot') || 
	stripos($user_agent, 'pycurl') || 
	stripos($user_agent, 'skygrid') || 
	stripos($user_agent, 'sucker') || 
	stripos($user_agent, 'turnit') || 
	stripos($user_agent, 'vikspi') || 
	stripos($user_agent, 'zmeu')
) {
	@header('HTTP/1.1 403 Forbidden');
	@header('Status: 403 Forbidden');
	@header('Connection: Close');
	@exit;
}

Note: If this is your first time adding code snippets in WordPress, then please refer to our guide on how to properly copy / paste code snippets in WordPress, so you don’t accidentally break your site.

If you liked this code snippet, please consider checking out our other articles on the site like: 18 best WordPress comments plugins and how to create a popup form in WordPress.

LinkedInPinShares0

Comments   Leave a Reply

  1. Na Playing dice September 22, 2013 at 10:31 am

    thanks

    Reply
  2. Paul June 29, 2012 at 5:15 am

    He Kevin, is this the same stuff what Secure WordPress (http://wordpress.org/extend/plugins/secure-wordpress/) does, see list item 11?

    Reply
  3. Drew Jaynes February 24, 2012 at 9:22 am

    User levels were deprecated in WP 3.0, you should use actual capabilities or roles in your current_user_can check, e.g.
    if ( ! current_user_can( 'administrator' ) ) {

    Reply
    1. Kevin Chard February 24, 2012 at 12:17 pm

       Very true Drew, ill update the snippet thanks!

      Reply
  4. Ty February 22, 2012 at 4:24 pm

    Can I just add this code to my functions.php plugin?

    I’d also like to see code for POST protection.

    Reply
    1. Kevin Chard February 24, 2012 at 12:16 pm

       the best way to include this I find it to place it within the mu-plugins/ folder if you don’t have one you can create one. This will force the plugin to run as a must use plugin. Download the zip above that is the best way to run it,

      Reply
  5. SB February 22, 2012 at 11:33 am

    This will only protect a GET request, like index.php?name=eval(base64_decode(EVIL+CODE

    But in the WordPress Forum a lot of people are getting hacked via Post requests, and then this code will not protect.

    Do you have something similar but for POST?

    Reply

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

WordPress Launch Checklist

The Ultimate WordPress Launch Checklist

We've compiled all the essential checklist items for your next WordPress website launch into one handy ebook.
Yes, Send Me the Free eBook!
Copyright © 2015 - 2024 WPBeginner LLC. All Rights Reserved. Managed by Awesome Motive Inc.

EDITORIAL NOTE: Opinions expressed here are author’s alone, not those of any hosting company, plugin provider, theme company, Syed Balkhi or WordPress Foundation, and have not been reviewed, approved or otherwise endorsed by any of these entities.

DISCLAIMER: We make great efforts to maintain reliable data on all offers presented. However, this data is provided without warranty. Users should always check the provider’s official website for current terms and details. The product offers that appear on the website are from respective hosting companies, plugin companies, and theme companies from which IsItWP receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear). This site does not include all WordPress products or all available product offers.