critical risk

How to Fix SQL Injection in WordPress

SQL Injection (SQLi) lets an attacker manipulate your database queries — reading user data, dumping password hashes, or taking over the site. In WordPress it comes from plugins/themes that build queries by concatenating unsanitized input.

  1. 1

    Update or remove the vulnerable component

    Update all plugins, themes, and core immediately. SQLi is critical — if a component is vulnerable with no patch, remove it now.

  2. 2

    Always use prepared statements

    In custom code, never concatenate variables into SQL. Use $wpdb->prepare() with placeholders so values are safely escaped.

    $wpdb->get_results( $wpdb->prepare(
      "SELECT * FROM {$wpdb->posts} WHERE post_author = %d",
      $author_id
    ) );
  3. 3

    Validate and cast input

    Cast IDs with absint(), whitelist expected values, and reject anything unexpected before it reaches a query.

  4. 4

    Put a WAF in front of your site

    A Web Application Firewall blocks common SQLi patterns at the edge, buying you time to patch. Cloudflare, Sucuri, and Wordfence all offer one.

Related concept: SQL Injection

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides