Prevent Script Injection In WordPress – Stop Hackers With WordPress Security

Published on May 28, 2015


# BEGIN Protect Against Script Injections

Options +FollowSymLinks
RewriteEngine On
# Query string contains a <script ...> tag, literal or URL-encoded (%3C / %3E), any case
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Query string tries to set the PHP GLOBALS array (GLOBALS=, GLOBALS[ or an encoded bracket)
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
# Same check for the _REQUEST array
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
# Any match above: answer 403 Forbidden and stop processing rules
RewriteRule ^(.*)$ index.php [F,L]

# END Protect Against Script Injections

YouTube doesn’t allow the pointy brackets (Shift period and Shift comma) in descriptions, so make sure the characters match what you see in the video.

In this tutorial you’ll learn how to prevent hackers from tapping into the PHP GLOBALS and _REQUEST variables to inject malicious scripts into your website.

The goal of script injection is to trick the target server into running an attacker’s script or code.

On a dynamic PHP website it’s important to protect specific variables because they can be used to inject scripts. Most developers do a good job of protecting the GET and POST variables, but the GLOBALS and _REQUEST variables are usually left wide open.

That’s where the Apache mod_rewrite rules above come in. Simply copy and paste the code above into the .htaccess file in the root of your website folder and slam the door on would-be script injectors.
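As an added illustration (not part of the original tutorial), this Python script mirrors the three RewriteCond patterns above and runs them over a few constructed request URLs against a placeholder host, so you can see which query strings the rules block with a 403 and which pass through. It assumes the rules are applied exactly as written, including the raw %3C/%3E forms Apache sees because %{QUERY_STRING} is not URL-decoded.

```python
import re
from urllib.parse import urlsplit

# Constructed Python mirror of the three RewriteCond lines. Apache matches
# %{QUERY_STRING} raw (not URL-decoded), so the first pattern also lists the
# %3C / %3E encodings of < and >. Only the first condition carries [NC];
# the GLOBALS and _REQUEST checks are case-sensitive, exactly as written.
RULES = [
    ("script-tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def blocked_by(url):
    """Return the name of the first condition that fires on the URL's query
    string, or None when the request would reach WordPress untouched."""
    query = urlsplit(url).query  # RewriteCond only ever sees this part
    for name, pattern in RULES:
        if pattern.search(query):
            return name
    return None


def http_status(url):
    """Status the RewriteRule ... [F,L] produces: 403 when any condition
    matched, otherwise the request is left alone (modelled here as 200)."""
    return 403 if blocked_by(url) else 200


# Constructed sample requests against a placeholder host.
SAMPLE_URLS = [
    "https://example.com/?s=wordpress",
    "https://example.com/?s=<script>x</script>",
    "https://example.com/?s=%3CSCRIPT%3Ex%3C/SCRIPT%3E",
    "https://example.com/?GLOBALS[a]=1",
    "https://example.com/?_REQUEST=1",
    "https://example.com/?s=javascript+tips",  # no angle bracket: passes
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{http_status(u)}  {blocked_by(u) or '-':<10} {u}")
```

Note that these rules inspect only the query string, so request bodies (POST data) are never examined by them.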

So let’s put that code into your .htaccess file.

First, log in to your hosting account’s cPanel. Then find and click on the File Manager icon and choose the Document Root for the website that you are hardening. This will open the root of the website in another tab.

You can also log into the website root using FTP if you are more comfortable with that.

If you do not see a .htaccess file in the website root, you can make one by clicking Add New File in the File Manager or by right-clicking and choosing Create New File via FTP.

Open the .htaccess file and paste the code from above into it. There is no need to make adjustments to the code. Once pasted in just save the file and you’re done.

I hope this information helps you! If you have any questions leave a comment below or ping me @WPLearningLab on Twitter.


If you want more excellent WordPress information check out our website where we post WordPress tutorials daily.
