Protecting blog from script injection

Posted on March 11th, 2011

A dynamic website has to be protected, and this is essential. Developers usually validate their GET and POST parameters, but many times that is not enough. We also have to protect the blog from script injections and from attempts to modify the PHP GLOBALS and _REQUEST variables.
Script injections and attempts to modify the PHP GLOBALS and _REQUEST variables can be blocked with the following code. Paste it into your .htaccess file (located in the root of your WordPress installation). Be sure you have a backup of the .htaccess file before every modification.

Options +FollowSymLinks
RewriteEngine On
# Block a <script> tag in the query string, whether literal or URL-encoded
# (%3C / %3E); [NC] makes this check case-insensitive.
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block attempts to assign to, or index into, the PHP GLOBALS and _REQUEST arrays.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# If any condition matched: refuse the request with 403 Forbidden and stop rewriting.
RewriteRule ^(.*)$ index.php [F,L]

The requests are checked by Apache through these .htaccess rules. What we have done here is check whether the query string contains a <script> tag and whether it tries to modify the value of the PHP GLOBALS or _REQUEST variables. If any of these conditions is met, the request is blocked and a 403 error is returned to the client's browser.
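To see exactly which requests the three conditions above would refuse before deploying them, the following Python script (an added example, not part of the original post or of WordPress) replays the same three patterns over a handful of constructed query strings. The patterns are taken from the .htaccess snippet; the rule names and the sample query strings are my own. Note that Apache's %{QUERY_STRING} is the raw, still URL-encoded text after the "?", which is why each pattern must cover both the literal and the %XX form, and that only the first RewriteCond carries [NC], so only that pattern is case-insensitive.

```python
import re

# Python translations of the three RewriteCond patterns from the .htaccess
# snippet. Only the first one has [NC] in the snippet, so only it is compiled
# case-insensitively; GLOBALS and _REQUEST are matched exactly as written.
RULES = [
    ("script tag", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]


def match_rule(query_string):
    """Return the name of the first rule the raw query string trips, or None.

    The argument is the raw (still URL-encoded) query string, exactly what
    Apache exposes as %{QUERY_STRING}.
    """
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


def is_blocked(query_string):
    """True when the .htaccess rules would answer 403 for this query string."""
    return match_rule(query_string) is not None


# Constructed sample query strings (not taken from real traffic).
SAMPLES = [
    "p=123",                                  # ordinary post id, allowed
    "s=wordpress+security",                   # ordinary search, allowed
    "s=<script>alert(1)</script>",            # literal tag, blocked
    "s=%3Cscript%3Ealert(1)%3C/script%3E",    # URL-encoded tag, blocked
    "s=%3cSCRIPT%3e",                         # mixed case still blocked ([NC])
    "GLOBALS[admin]=1",                       # indexes GLOBALS, blocked
    "_REQUEST=foo",                           # assigns _REQUEST, blocked
    "_REQUEST%5Bx%5D=1",                      # encoded "[" after _REQUEST, blocked
    "name=globals=1",                         # lowercase: no [NC] on that rule, allowed
]

if __name__ == "__main__":
    for qs in SAMPLES:
        verdict = match_rule(qs)
        print(f"{'403' if verdict else '200':>3}  {qs!r:42} {verdict or ''}")
```

The last sample shows the limit of the snippet as written: without [NC] on the GLOBALS and _REQUEST conditions, a lowercase spelling passes, which is harmless for PHP (the superglobal names are case-sensitive) but worth knowing when you read your access log. Remember too that these rules inspect only the query string, so POST bodies are not covered; they complement, rather than replace, proper escaping and validation inside the application.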