Title: [Plugin: WordPress Firewall 2] SQL injection attack from localhost on live server
Last modified: August 20, 2016

---

# [Plugin: WordPress Firewall 2] SQL injection attack from localhost on live server

 *  [egr102](https://wordpress.org/support/users/egr102/)
 * (@egr102)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/)
 * This is quite complex to explain but I keep getting injection attacks from another
   website by just clicking on a link. Oddly though it seems Google Chrome is the
   one generates it.
 * To elaborate, I have this site: [http://byassociationonly.com](http://byassociationonly.com)
   and I have this site: [http://dev.byassociationonly.com/example](http://dev.byassociationonly.com/example)(
   can’t name site as its a client site).
 * Whenever I click on any of the links on [http://byassociationonly.com](http://byassociationonly.com),
   in Google Chrome, on my machine, none of them work and I get an injection attack.
 * The notification I receive is this: [http://cl.ly/image/2U111T0m2X35](http://cl.ly/image/2U111T0m2X35)
 * I just don’t understand this error at all, Ive never had a problem before.
 * I’ve even removed the code within that page its referencing, which is from single.
   php, yet the problem still exists. I thought there were conflicts with my MAMP
   servers running locally but even if they are switched off, the problem still 
   exists but localhost:8888 isn’t referenced at all within wp_config.
 * However if I do this within Firefox, I don’t get any notifications at all and
   the links work fine.
 * Has anybody got any ideas how to identify where the problem lies and solutions
   to fix?
 * As requested here’s the code on the single.php page, that the error is reffering
   to: [http://pastebin.com/QKqtLXQi](http://pastebin.com/QKqtLXQi)
 * [http://wordpress.org/extend/plugins/wordpress-firewall-2/](http://wordpress.org/extend/plugins/wordpress-firewall-2/)

Viewing 12 replies - 1 through 12 (of 12 total)

 *  [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * (@apljdi)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944931)
 * Your screenshot is missing most of the really interesting information about the
   purported attack– (full) URL, query strings, POST values, most of the headers…
   Do any of those links reveal those things?
 * That is Virgin Media IP in you screenshot. Is that your ISP?
 *     ```
       >> dig +short -x 82.25.224.201
       client-82-25-224-201.glfd.adsl.virginmedia.com.
       ```
   
 * You say that “Whenever I click on any of the links on [http://byassociationonly.com](http://byassociationonly.com),
   in Google Chrome, on my machine, none of them work and I get an injection attack.”
   Chrome does not complain when I visit [http://byassociationonly.com](http://byassociationonly.com).
   What happens if you log out from all sites on that server. Do you still have 
   a problem?
 *  Thread Starter [egr102](https://wordpress.org/support/users/egr102/)
 * (@egr102)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944946)
 * Thanks for your reply @s_ha_dum, basically I tried logging in/out but still nothing
   happens. Although I must admit I can’t even get to the login.php screen (I keep
   getting redirected back to the homepage – followed by a bunch of notifications
   from WordPress Firewall2 saying there was an SQL injection hack).
 * Yes Virgin is my ISP but no, unfortunately clicking on any of those links in 
   the email are either dead links, links to turn email notifications off or a help
   page to find out more: [http://matthewpavkov.com/wordpress-plugins/wordpress-attacks.html](http://matthewpavkov.com/wordpress-plugins/wordpress-attacks.html)
 * It seems as though its just my machine, but what could be causing this issue?
 *  [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * (@apljdi)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944954)
 * I really don’t know specifically what is causing it. I am fairly sure that there
   is a flaw in that firewall plugin’s logic, but without knowing which filter is
   tripping it is hard to say. It could be a number of things.
 * It could be an extension you have running in Chrome. Maybe something is sending
   an odd header or causing some malformed encoding issue. If that is the case, 
   it isn’t the plugin’s fault.
 *  Thread Starter [egr102](https://wordpress.org/support/users/egr102/)
 * (@egr102)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944956)
 * Thanks for your response. I can accept if its a plugin problem but I just want
   to make sure that no other visitors are going to get this error and be denied
   access to [http://byassociationonly.com](http://byassociationonly.com). Although,
   its not ideal I don’t mind so much if its just me that gets the problem I was
   just concerned that this could be part of a wider issue.
 * @s_ha_dum did you look through the pastebin code? For a second opinion, can you
   rule out the code being the problem? I can’t see any odd characters within this
   code but i’m no PHP expert.
 *  [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * (@apljdi)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944959)
 * I can’t promise you that no visitors will get the error. I don’t get an error,
   but without knowing why you get it I can’t tell you who will or will not see 
   that error.
 * I did look through the pastebin code. I didn’t spot anything but that is also
   probably not where the critical code would be. The code you will have to analyze
   is the plugin code. And that is assuming that the plugin is the problem. That
   is not 100% certain at this point.
 * Have you looked into your browser extensions as I suggested?
 *  Thread Starter [egr102](https://wordpress.org/support/users/egr102/)
 * (@egr102)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944963)
 * @s_ha_dum Yeah, I have disabled all extensions but still the links on [http://byassociationonly.com](http://byassociationonly.com)
   don’t work. However, I have noticed one other strange thing, this is what I do:
    - I open Chrome go to [http://byassociationonly.com](http://byassociationonly.com)
      click on a link, links do not work
    - Keep Chrome open, I then open Firefox as well, go to [http://byassociationonly.com](http://byassociationonly.com),
      click Contact (for example), link works as expected
    -  I go to my already opened version of Chrome, click on Contact, link now works
      fine
    - Repeat for every other link and Chrome links on [http://byassociationonly.com](http://byassociationonly.com)
      now work…and I DON’T get the SQL injection email notification…Odd
 * If I close and then re-open Chrome, problem seems to disappear. I just don’t 
   get it!
 *  Thread Starter [egr102](https://wordpress.org/support/users/egr102/)
 * (@egr102)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944964)
 * To add as well, because I don’t know if the notification is caused by a bug within
   the plugin I don’t want to chance disabling it because if it turns out to be 
   my machine and it is infact a genuine problem and its NOT the plugin then the
   site will break for everyone and will create a whole world of problems. Not sure
   what to do about it to be honest.
 *  [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * (@apljdi)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944965)
 * That is really strange behavior.
 * You have a few errors: [http://validator.w3.org/check?verbose=1&uri=http%3A%2F%2Fbyassociationonly.com%2F](http://validator.w3.org/check?verbose=1&uri=http%3A%2F%2Fbyassociationonly.com%2F)
 * I’d clean those up. Browsers can choke on small things. And the couple that look
   like this `<label for"details" class="visuallyhidden" id="details-…` are particularly
   bad. (You are missing an equal sign after the “for”)
 *  Thread Starter [egr102](https://wordpress.org/support/users/egr102/)
 * (@egr102)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944966)
 * Thanks for that although the [http://byassociationonly.com](http://byassociationonly.com)
   website has been going for well over a year now and has never had a problem…until
   I uploaded the dev.byassociationonly.com/example website to the dev subdomain.
 * Does that not mean there could be a problem with that example website?
 *  [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * (@apljdi)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944967)
 * > …website has been going for well over a year now and has never had a problem.
 * But browsers get updated all the time.
 * Still, let’s pursue the idea that it is a configuration issue with your ‘dev’
   subdomain. How did you set that up? I don’t think it would be a problem with 
   the ‘example’ site itself since you should be loading anything from there (unless
   something is misconfigured).
 *  Thread Starter [egr102](https://wordpress.org/support/users/egr102/)
 * (@egr102)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944968)
 * Ive added HTML pages/sites to the dev domain and never had a problem but when
   I come to think of it, this is the first time I’ve put a WordPress installation
   on the dev domain.
 * Its on MediaTemple and again this domain got setup about 9-10 months ago now.
   Specifically this ‘example’ WP installation is using its own database with its
   own login etc.
 * Prior to pushing this example site live, when developing locally on localhost,
   my database name was ‘wp_hb’, I then exported the database to create a sql file,
   found all my [http://localhost:8888/wp_hb](http://localhost:8888/wp_hb) URL’s
   and replaced them with the [http://dev.byassociationonly.com/example](http://dev.byassociationonly.com/example)
   URL. I then imported that sql file into my live DB which is called ‘db111134_example’.
   Would any references to the ‘wp_hb’ db within that sql file cause this problem?
   Conflict possibly with the standard ‘wp_’ table prefixes?
 * Could my code within functions.php affect anything? Here it is: [http://pastebin.com/r7Xe4bwu](http://pastebin.com/r7Xe4bwu)
 *  [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * (@apljdi)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944969)
 * > I then imported that sql file into my live DB which is called ‘db111134_example’.
 * You don’t need to post your actual DB name. I’d remove it. That is a minor to
   moderate security issue.
 * > Would any references to the ‘wp_hb’ db within that sql file cause this problem?
 * If there were references to the old table it might cause a problem.
 * > Conflict possibly with the standard ‘wp_’ table prefixes?
 * It shouldn’t. No.
 * I don’t see anything in your functions.php. That is no guarantee. Things are 
   easy to miss.

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘[Plugin: WordPress Firewall 2] SQL injection attack from localhost on
live server’ is closed to new replies.

 * ![](https://s.w.org/plugins/geopattern-icon/wordpress-firewall-2.svg)
 * [WordPress Firewall 2](https://wordpress.org/plugins/wordpress-firewall-2/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordpress-firewall-2/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordpress-firewall-2/)
 * [Active Topics](https://wordpress.org/support/plugin/wordpress-firewall-2/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordpress-firewall-2/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordpress-firewall-2/reviews/)

## Tags

 * [sql](https://wordpress.org/support/topic-tag/sql/)

 * 12 replies
 * 2 participants
 * Last reply from: [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * Last activity: [13 years, 9 months ago](https://wordpress.org/support/topic/plugin-wordpress-firewall-2-sql-injection-attack-from-localhost-on-live-server/#post-2944969)
 * Status: not resolved