If your WooCommerce cart sometimes freezes, checkout spins forever, or your hosting shows CPU spikes — especially when your logs contain weird stuff like sleep(15) or waitfor delay — you may be getting hit by a time-delay SQL injection probe. A 15-line "must-use" plugin (MU plugin) can block the most common junk before WordPress does any heavy lifting. It works alongside Wordfence and other security tools.
Why This Post?
I recently helped a store that looked "down," but the cause wasn't a server outage. Bots were hammering the site with junk like:
/?add-to-cart=x") if(sleep(15),null,null)--
/?s=1691702283&post_type=product&type_aws=x") waitfor delay '00:00:15' --
Even with a security plugin, these payloads can slip far enough into WordPress to eat resources. The fix we used was tiny, safe, and reversible — and it can help non-developers.
What's a "Time-Delay SQL Injection" Probe?
Attackers send requests designed to force the server to pause (e.g., sleep(15), waitfor delay). Even if your database isn't actually exploited, attempting to parse this junk can still waste CPU and make the site feel slow.
Do You Need This?
Symptoms:
- Add-to-cart or checkout intermittently stalls or times out
- Hosting shows CPU/memory spikes with no traffic surge
- Wordfence (or your host's logs) show URLs containing sleep(, waitfor delay, union select, etc.
Where to look: Wordfence → Tools → Live Traffic (or your host's access logs)
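To check your own access logs for the patterns above, here is an added triage script (not from the original post) that parses combined-format log lines, URL-decodes the query string the way the server would, and flags requests matching the same keyword list plus non-numeric add-to-cart values. The log lines and IP addresses in it are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not from a real server.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2025:12:00:01 +0000] "GET /?add-to-cart=x%22%29+if%28sleep%2815%29%2Cnull%2Cnull%29-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Aug/2025:12:00:02 +0000] "GET /?s=1691702283&post_type=product&type_aws=x%22%29+waitfor+delay+%2700:00:15%27+-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2025:12:00:03 +0000] "GET /?add-to-cart=123&quantity=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2025:12:00:04 +0000] "GET /?s=blue+shirt&post_type=product HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Same keyword set the MU plugin blocks, applied to the decoded query string.
PROBE_RE = re.compile(r'(sleep\(|waitfor\s+delay|benchmark\(|union\s+select|information_schema|sysobjects|\bxor\b)', re.I)

def classify(path):
    """Return the reasons a request path looks like a probe (empty list if clean)."""
    reasons = []
    query = path.partition('?')[2]
    decoded = unquote_plus(query)  # %28 -> ( and + -> space, as PHP would see it
    m = re.search(r'(?:^|&)add-to-cart=([^&]*)', decoded)
    if m and not re.fullmatch(r'\d+', m.group(1)):
        reasons.append('non-numeric add-to-cart')
    hit = PROBE_RE.search(decoded)
    if hit:
        reasons.append('keyword:' + hit.group(1).lower())
    return reasons

def triage(log_text):
    """Parse log lines; return (suspicious-request count per IP, list of (ip, path, reasons))."""
    per_ip = Counter()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        reasons = classify(m['path'])
        if reasons:
            per_ip[m['ip']] += 1
            hits.append((m['ip'], m['path'], reasons))
    return per_ip, hits

if __name__ == '__main__':
    counts, hits = triage(SAMPLE_LOG)
    for ip, path, reasons in hits:
        print(ip, ', '.join(reasons), path, sep='  ')
    print('suspicious requests per IP:', dict(counts))
```

An IP with many hits in a short window is the same pattern the "CPU spikes with no traffic surge" symptom comes from, and is a good candidate for a block at the WAF or host level.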
What This Tiny Fix Does
- Blocks non-numeric "add-to-cart" requests. WooCommerce expects a product ID like ?add-to-cart=123. The guard 403s anything else.
- Tidies a common search parameter used by some product search plugins (e.g., Advanced Woo Search).
- Rejects obvious time-delay injection keywords (sleep(, waitfor delay, etc.) early.
It does not replace Wordfence or a WAF. Think of it as a seatbelt — small, fast, and tuned to your store's routes.
Step-by-Step: Add the "Query Guard"
- Go to your site files: wp-content/
- If it doesn't exist, create a folder named mu-plugins (exactly that).
- Inside mu-plugins, create a file named ccms-query-guard.php
- Paste the code:
<?php
/**
 * Plugin Name: CCMS – Query Guard (add-to-cart & aws)
 * Version: 1.0.0
 */
add_action('init', function () {
    // 1) WooCommerce add-to-cart must be a numeric product ID, whether sent by GET or POST.
    foreach (['GET', 'POST'] as $m) {
        $src = ($m === 'POST') ? $_POST : $_GET;
        if (isset($src['add-to-cart']) && !preg_match('/^\d+$/', (string) $src['add-to-cart'])) {
            status_header(403);
            exit;
        }
    }

    // 2) Tidy the type_aws search parameter: keep only the values the search plugin expects.
    if (isset($_GET['type_aws'])) {
        $val     = strtolower((string) $_GET['type_aws']);
        $allowed = ['product', 'products'];
        if (!in_array($val, $allowed, true)) {
            unset($_GET['type_aws']);
        }
    }

    // 3) Reject obvious time-delay / enumeration keywords anywhere in the query string.
    //    Decode first so both "waitfor+delay" and "waitfor%20delay" are caught.
    $qs = isset($_SERVER['QUERY_STRING']) ? strtolower(urldecode((string) $_SERVER['QUERY_STRING'])) : '';
    if ($qs !== '' && preg_match('/(sleep\(|waitfor\s+delay|benchmark\(|union\s+select|information_schema|sysobjects|\bxor\b)/', $qs)) {
        status_header(403);
        exit;
    }
});
How to Test (Safe)
- Try adding a normal product to the cart → works as usual.
- Visit https://yourstore.com/?add-to-cart=xyz → you should get a 403.
- If you use a product search plugin with type_aws, do a normal search → still works.
To remove: Just delete the file.
Doesn't Wordfence Already Do This?
WooCommerce can't assume every store uses only numeric add-to-cart routes. Wordfence and WAFs are great — keep them. But some junk gets far enough into WordPress to hurt performance before being blocked. This MU plugin acts inside WordPress, at the very beginning of the request.
Bottom line: This is defense in depth.
Edge WAF/CDN → NGINX/Apache rules → MU plugin guard → WooCommerce. Each layer reduces risk and server load.
Will This Break Anything?
- Standard WooCommerce: No. Normal add-to-cart uses numeric product IDs.
- Custom flows: If you have a plugin that intentionally uses non-numeric add-to-cart, tweak the numeric check to allow your pattern.
- Search plugins: If you don't use the type_aws parameter, that section is harmless — or delete it.
- Keyword list: The last check matches the whole query string, so a product search for a term such as "xor" would also get a 403. If your catalogue has names like that, trim the pattern.