- 1
Update or remove the vulnerable component
Update all plugins, themes, and core immediately. SQLi is critical — if a component is vulnerable with no patch, remove it now.
- 2
Always use prepared statements
In custom code, never concatenate variables into SQL. Use $wpdb->prepare() with placeholders so values are safely escaped.
$wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE post_author = %d", $author_id ) ); - 3
Validate and cast input
Cast IDs with absint(), whitelist expected values, and reject anything unexpected before it reaches a query.
- 4
Put a WAF in front of your site
A Web Application Firewall blocks common SQLi patterns at the edge, buying you time to patch. Cloudflare, Sucuri, and Wordfence all offer one.
Related concept: SQL Injection
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Block ?author= scans, restrict the users REST endpoint, and use generic login errors.