Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?

As suggested by @Jeff Mattson, hours of research and testing suggest that this is probably due to mod_security. I also investigated the likelihood of it being due to Suhosin, but I don’t think it’s to blame.

Here’s the deal. It doesn’t really help if we verify that the problem is due to mod_security. We don’t control the servers that run our plugin and our efforts to disable mod_security via .htaccess have failed.

Fortunately, there’s light at the end of the tunnel. Regardless of what is causing the problem, a fix that is nearly guaranteed to fix the problem is to simply modify our POST data.

The solution I plan to implement is to Base62 encode the data that we’re sending to our plugin. Base64 would probably work as well, but I’d like to solve this problem once and for all, and due to its limited character set, Base62 is the safer bet when dealing with a neurotic beast like mod_security.

This should work because mod_security looks for certain “trouble” strings in submitted data. I doubt the module is sophisticated enough to attempt applying a bunch of different encodings to submitted data (plus, doing so would adversely affect performance), so this is nearly guaranteed to fix our problems.

Yay!

Related Posts:

  1. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  2. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  3. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  4. I found this in a plugin. What does it do? is it dangerous?
  5. Disabled plugins are they security holes – rumor or reality?
  6. What could a hacker do with my wp-config.php
  7. How to eliminate weird 404 errors in wp-admin?
  8. Why “Contact Form 7” doesn’t update PHPmailer library?
  9. What does a security risk in a plugin look like?
  10. WordPress Capabilities: edit_user vs edit_users
  11. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  12. Some plugins adding full server path after url (with custom wp-content folder)
  13. Disabled plugins are security holes – rumor or reality?
  14. Should I use RIPS tool to test my themes and plugins?
  15. Why users disable the WordPress update?
  16. How many security plugins are too many? [closed]
  17. Will WordPress username displayed somewhere in the site?
  18. Upgrading WordPress 4.0 asks for FTP password
  19. Is revealing just the AUTH_KEY a security issue?
  20. How Restrict access to admin dashboard by specific static ip?
  21. When is it useful to use wp_verify_nonce
  22. Protecting against malicious code in WordPress plugin updates
  23. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  24. How to limit WordPress pages during updates?
  25. rms_unique_wp_mu_pl_fl_nm.php
  26. How can we deal with unmaintained plugins with vulnerabilities?
  27. Security issues with WP sites
  28. Security checking in meta_box save is reluctant?
  29. Show a special message for private page?
  30. Escape when echoed
  31. What causes an Unexpected HTTP Error within install plugins?
  32. Error 404 using wpml plugin
  33. Custom Post Type Plugin not loading category template and loading 404 instead
  34. How can I make uploaded images in the editor load with HTTPS?
  35. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  36. The safest way to automate WordPress backups
  37. wp_create_nonce function doesn’t work inside a plugin?
  38. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  39. Headers Content-Security-Policy CSP Major Issue
  40. Nonce failing on form submission
  41. Why can’t I access my Intranet LDAPS with NADI?
  42. Reoccurring 404 Errors on all subpages
  43. URL parameters causing 404 on home page, but nowhere else
  44. Hack-Proof OR Security in WordPress — is it real?
  45. Some one is trying to hack my website, Need guidance [closed]
  46. I should enable automatic updates?
  47. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  48. Is Timthumb still broken? What security measures should be taken?
  49. Prevent direct access to WordPress plugin assets?
  50. Specific way to allow WordPress users to view their current password? And edit it?
  51. Too many login attempts
  52. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  53. How to prevent plugins from sniffing/stealing other plugins’ options?
  54. Website show Google Ads when we have no Google Ads linked to our website
  55. Custom API plugin to execute 3rd party API to retrieve data
  56. wp-admin send 404 error
  57. How to deal with Slow HTTP POST (slowloris) vulnerability
  58. Running multiple security plugins
  59. how do I secure my WP website from hackers? [closed]
  60. Which filter/action should I use to serve content for “virtual” files
  61. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  62. Huge number of 404 pages getting spawned
  63. Webservice credential storage [duplicate]
  64. Regarding plugin security
  65. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  66. Is this plugin safe to run?
  67. Is the Block Bad Queries Plugin Still Relevant?
  68. WP Insert Post If user refreshes override new post
  69. Hide plugins and theme from public
  70. WordPress search shows protected content
  71. Security of a WordPress Plugin
  72. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  73. WordPress disable direct access of files in WordPress installation path
  74. prevent anonymous access to WordPress site (non-admin site)
  75. Bing/msn bots is heavily requesting random of my website
  76. “Fire Secure” menu item
  77. Securing a plugin pop-up window
  78. https rewrite not working for All in one security Brute force > rename login url
  79. All Post WordPress Page Error
  80. WordPress website dont load CSS, JS and images
  81. WordPress website giving 404
  82. Being hacked. Is there a list of WordPress security holes I can check against?
  83. How can i see/log all requests coming from a registration form (not from the UI)?
  84. Write mysql credentials in plugin
  85. Site is continuously accessing by several IPs
  86. using .htaccess only for wordpress security no plugins
  87. SWF in wordpress post
  88. Unwanted Links and Spam WordPress Pages and Posts
  89. 404 Page when emptying spam or deleting a plugin
  90. File permissions for wp-minify plugin
  91. What is the recommended way to be notified of security updates to my plugins? [closed]
  92. How I can hide my wp folders from Inspect Element (Developer Tools)
  93. How to Find WordPress site has backdoor login Codes
  94. How to delete Password Protected posts cookies when a user logged out from the site
  95. How to rename files during upload to a random string?
  96. Plugin Icon does not work correctly
  97. 404 Error on a WordPress Website, Error disappears for a while and again appears
  98. /wp-admin/plugins.php takes ages to load, and then 404s
  99. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  100. Block Root REST API Route using custom &/or iThemes

Leave a Comment