WordPress Database Security: Why Change the Database Tables Prefix
Submitted by Robert Abela on July 19, 2011 - 6:36 am
The majority of reported WordPress database security attacks were performed by exploiting SQL injection vulnerabilities. By renaming the WordPress database table prefixes you are securing your WordPress blog and website from zero-day SQL injection attacks.
WordPress Database Security: The Prefix Guessing Game
By default, all WordPress database tables’ names start with the prefix “wp_” as shown in the screen shot below.

If a malicious user discovers a zero-day SQL injection vulnerability in WordPress (which does happen from time to time), unless you rename the WordPress database table prefixes to something else, the malicious user can easily guess the WordPress database table names and exploit the vulnerability against your blog or website. To make things worse, there are a myriad of scripts and automated scanners available on the internet that specifically scan and target WordPress blogs and websites. If a malicious user exploits such a vulnerability against your blog or website, he can:
- Gain administrative access to your blog.
- Tamper with your blog and website.
- Gain access to other sensitive databases on that server.
- Gain administrative access to your web server.
Therefore, by renaming the WordPress database table prefixes, you are automatically reinforcing your WordPress database security against such dangerous attacks, because the attacker would not be able to guess the table names. We recommend using hard-to-guess prefixes, such as long random strings which include both letters and numbers.
WebsiteDefender WordPress Security is the ultimate plugin created by WebsiteDefender to secure your WordPress installation, and it helps you automate this process. Alternatively, you can change your WordPress database table prefixes manually by following this step-by-step guide: How to manually change WordPress database table name prefix
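The recommendation above (a long random prefix of letters and numbers, applied to every table) can be turned into a reviewable SQL plan. The following is an added example, not code from the WebsiteDefender plugin or its guide; the function names are hypothetical, and it assumes a single-site MySQL install whose tables are the 11 default core tables.

```python
import re
import secrets
import string

# Core tables of a single-site install, without prefix (assumed list; pass
# the real list from your own database, plugin tables included).
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta",
               "posts", "terms", "term_relationships", "term_taxonomy",
               "usermeta", "users"]

def random_prefix(length=12):
    """Letters-and-digits prefix from a CSPRNG; starts with a letter, ends in '_'."""
    if length < 2:
        raise ValueError("length too short")
    first = secrets.choice(string.ascii_lowercase)
    rest = "".join(secrets.choice(string.ascii_lowercase + string.digits)
                   for _ in range(length - 1))
    return first + rest + "_"

def rename_plan(old, new, tables=CORE_TABLES):
    """Return the SQL statements that move every table and every prefixed key."""
    for p in (old, new):
        # Prefixes are pasted into SQL text, so allow identifier characters only.
        if not re.fullmatch(r"[A-Za-z0-9_]+", p):
            raise ValueError(f"unsafe prefix: {p!r}")
    if old == new:
        raise ValueError("new prefix equals old prefix")
    pairs = ", ".join(f"`{old}{t}` TO `{new}{t}`" for t in tables)
    like = old.replace("_", r"\_") + "%"   # '_' is a LIKE wildcard, so escape it
    skip = len(old) + 1                     # SUBSTRING positions are 1-based
    return [
        f"RENAME TABLE {pairs};",           # one statement, so all tables move together
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';",
        f"UPDATE `{new}usermeta` SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {skip})) "
        f"WHERE meta_key LIKE '{like}';",
    ]

if __name__ == "__main__":
    prefix = random_prefix()
    print(f"-- after running this, set $table_prefix = '{prefix}'; in wp-config.php")
    print("\n".join(rename_plan("wp_", prefix)))
```

The two UPDATE statements cover the role and capability keys that WordPress stores under the table prefix; take a full database backup before running the generated SQL.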
27 Comments
To use your WP Security Scan tool to change the names of the table files I need to type in the names of the table files I want to change, is there a master list somewhere of what all the file names are?
I see 11 different files in your sample, is that all of them? How do I know which files are table files and which files I need to rename?
Probably a dumb question…
Julie, it’s only asking you to change the prefix. There’s no need to do each table. Just change wp_ to rt_ (or something like it) and hit Start Renaming. You’re done.
What effect will changing the prefixes have on the database of the site?
Does changing the prefix affect SEO?
Hi Debra,
If you change the database prefixes you will be making it more difficult for a malicious user to hack your site in case there is a 0 day SQL injection on WordPress.
Hi Erhan,
No, it does not affect SEO. Such a change is done in the “internals” of WordPress, therefore it is transparent to the public.
I have a wordpress install that has well over 40 subdomains membersite on a multisite install all using a central theme and so if I rename the wp_ to something else will it break the system and is there a way I can do the renaming so as not to break the site?
Hi nueranet,
Thank you for showing interest in our products. Unfortunately the database table prefix renaming tool does not support multisite installs yet. We are working on a solution. Follow us on our blog or any of our social media networks to stay updated with our updates.
Seems wrong to me, because if there is a SQLi issue, the attacker also has access to information_schema.tables (MySQL), etc., so all of this would just be security by obscurity.
Let me know if I am wrong with that.
Hi Gerrit,
Yes, it is a wrong presumption. It depends on what access the user being used to access the WordPress database has. If you use the root account, then yes, unfortunately the malicious user will have access to all other databases. If you use a specific user just for the WordPress database, then you are safe.
Erm. No?
The attacker can brute force the table names, so it’s still security by obscurity. Maybe you can delay the full access to the tables by some seconds, not even minutes.
As part of my job as a developer I have tested some of these SQLi tools, to learn how they work. These tools automate the whole attack after you give them a vulnerable URL. As a normal db user the table names were also determined quickly by brute force.
Changing the prefix doesn’t affect that much.
Hi Gerrit,
Thank you for your response.
From our experience, renaming the table prefixes helps a lot. Obviously, using a prefix like 123 is different from using nf4u1Gn85Rg21n.
Thank you.
Aren’t table names just a SHOW TABLES away anyway?
Once your installation is vulnerable to SQL injection, you’re pretty much an open target, no matter what table prefix you’re using.
By renaming the prefixes does that affect future upgrades of the theme or of WordPress itself?
I can’t see where I need to go or what button to hit to have this automated. Help?
Hi Bridget,
No it does not affect any of those in any way.
Hi Sue,
Please download our plugin WebsiteDefender WordPress Security plugin and navigate to the Database node.
If you have any queries, please post on our WebsiteDefender Forums.
Hi Alexandre,
The whole point of renaming the tables is to make it more difficult for malicious users to exploit a 0 day SQL injection against your WordPress installation, not to protect yourself when a user already exploited the SQL injection. Prevention is always better than cure.
What about integrations? Does the changing of the files impact any integrations done with other plugin tools – such as Paypal or 3rd party applications?
Hi Simonee,
Such change should in no way affect any kind of integration.
give us some examples of a good name. can we keep wp_ or should we not use wp_ at all?
does this affect upgrading wordpress or the speed at which the site loads? does it affect themes or other components of wp?
Hi,
Ideally you should have an 8 alpha numeric value instead of wp_.
It will not affect any WordPress or plugin upgrades and definitely does not affect the website loading speed.
thanks for the reply. appreciate it.
I have a WP e-commerce installation that I have spent the last few months setting up. Are there any potential problems with changing the table prefix? If there is even a risk then it may not be worth it at this time.
Hi Jesse,
There are no risks involved in renaming the WordPress database table prefixes. Though I always recommend making a full backup in case the unexpected happens.
I have one question: I am using the default database prefix. If I change it, will my website crash?
Hi Janyson,
If you follow the step by step procedure we have published, you should not have any problems. Else you can download WebsiteDefender WordPress Security plugin and it will do it automatically for you.