WordPress Database Security: Why Change the Database Tables Prefix

Submitted by Robert Abela on July 19, 2011 - 6:36 am 44 Comments

The majority of reported WordPress database security attacks were performed by exploiting SQL injection vulnerabilities. By renaming the WordPress database table prefixes you are securing your WordPress blog and website against zero-day SQL injection attacks.

WordPress Database Security: The Prefix Guessing Game

By default, all WordPress database table names start with the prefix “wp_”, as shown in the screenshot below.

If a malicious user discovers a zero-day SQL injection vulnerability in WordPress (which does happen from time to time), then unless you rename the WordPress database table prefixes to something else, the malicious user can easily guess the WordPress database table names and exploit the vulnerability against your blog or website. To make things worse, there are a myriad of scripts and automated scanners available on the internet that specifically scan and target WordPress blogs and websites. If a malicious user exploits such a vulnerability against your blog or website, he can:

  1. Gain administrative access to your blog.
  2. Tamper with your blog and website.
  3. Gain access to other sensitive databases on that server.
  4. Gain administrative access to your web server.

Therefore, by renaming the WordPress database table prefixes you are automatically strengthening your WordPress database security against such dangerous attacks, because the attacker would not be able to guess the table names. We recommend using hard-to-guess prefixes, such as long random strings that include both letters and numbers.

WebsiteDefender WordPress Security is the plugin created by WebsiteDefender to secure your WordPress installation, and it helps you automate this process. Alternatively, you can change your WordPress database table prefixes manually by following this step-by-step guide: How to manually change WordPress database table name prefix
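To make the manual procedure concrete, the following is an added example (not code from the original post or from the WebsiteDefender plugin). It generates the three pieces of such a change: the new `$table_prefix` line for wp-config.php, the `RENAME TABLE` statements, and the two `UPDATE` statements that rewrite the prefix-keyed rows in the options and usermeta tables (the role definitions and every user's capabilities are stored under the prefix, so leaving them behind locks all users out). It also emits a `GRANT` scoped to a single database, which is the dedicated-database-user setup discussed in the comments below. The table list is a constructed sample, the database and user names in the usage section are hypothetical, and the privilege set in `least_privilege_grant` is an assumption about what WordPress and the rename itself need.

```python
import re
import secrets
import string

# Constructed sample input: the eleven tables a fresh single-site WordPress install creates.
DEFAULT_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_terms",
    "wp_usermeta", "wp_users",
]

# WordPress refuses a $table_prefix containing anything but letters, digits and underscores.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def is_valid_prefix(prefix: str) -> bool:
    """True if WordPress would accept the prefix and it ends with the conventional underscore."""
    return bool(PREFIX_RE.match(prefix)) and prefix.endswith("_")


def random_prefix(length: int = 8) -> str:
    """Build a prefix of `length` random letters/digits plus a trailing underscore.

    secrets (not random) is used so the value is unpredictable; the first character
    is forced to be a letter so the prefix never looks like a plain number.
    """
    alphabet = string.ascii_letters + string.digits
    body = secrets.choice(string.ascii_letters)
    body += "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return body + "_"


def wp_config_line(new_prefix: str) -> str:
    """The wp-config.php line that must be changed to match the renamed tables."""
    return f"$table_prefix = '{new_prefix}';"


def rename_statements(tables, old_prefix: str, new_prefix: str) -> list:
    """SQL that moves an installation from old_prefix to new_prefix.

    Besides the tables themselves, two tables store the prefix inside row data: the
    options table keeps the role definitions under option_name '<prefix>user_roles',
    and usermeta keys each user's '<prefix>capabilities' and '<prefix>user_level'.
    Those rows are rewritten too.
    """
    for p in (old_prefix, new_prefix):
        if not is_valid_prefix(p):
            raise ValueError(f"invalid table prefix: {p!r}")
    stmts = []
    for table in tables:
        if not table.startswith(old_prefix):
            continue  # a table belonging to another application sharing the database
        stmts.append(f"RENAME TABLE `{table}` TO `{new_prefix}{table[len(old_prefix):]}`;")
    # LIKE pattern with the underscore escaped so it is a literal, not a one-char wildcard.
    like = old_prefix.replace("_", "\\_") + "%"
    tail = len(old_prefix) + 1  # MySQL SUBSTRING is 1-based: keep everything after the prefix
    stmts.append(
        f"UPDATE `{new_prefix}options` "
        f"SET option_name = CONCAT('{new_prefix}', SUBSTRING(option_name, {tail})) "
        f"WHERE option_name LIKE '{like}';"
    )
    stmts.append(
        f"UPDATE `{new_prefix}usermeta` "
        f"SET meta_key = CONCAT('{new_prefix}', SUBSTRING(meta_key, {tail})) "
        f"WHERE meta_key LIKE '{like}';"
    )
    return stmts


def least_privilege_grant(database: str, user: str, host: str = "localhost") -> str:
    """GRANT scoped to the WordPress database only.

    Assumed privilege set: the DML rights WordPress needs at run time plus the DDL
    rights the rename and core/plugin upgrades need. A dedicated user like this, rather
    than root, is what keeps an injection confined to this one database.
    """
    privs = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX"
    return f"GRANT {privs} ON `{database}`.* TO '{user}'@'{host}';"


if __name__ == "__main__":
    new = random_prefix()
    print("-- 1. wp-config.php:")
    print(wp_config_line(new))
    print("-- 2. run against the database (after taking a backup):")
    for s in rename_statements(DEFAULT_TABLES, "wp_", new):
        print(s)
    print("-- 3. dedicated database user (hypothetical names):")
    print(least_privilege_grant("wordpress_db", "wp_app"))
```

Take a backup before running the generated SQL, and apply the wp-config.php change and the table renames together: WordPress looks up its tables through `$table_prefix`, so the two must agree. Tables that do not carry the old prefix (another application sharing the database) are deliberately left untouched.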

2 Trackbacks/Pingbacks

  1. Pingback: How To Change Default wp_ Table Prefix in WordPress - WPSpeak.com on May 8, 2013
  2. Pingback: How To Change Default wp_ Table Prefix in WordPress | A Pressed World on May 16, 2013

42 Comments

  1. Julie October 22, 2011

    To use your WP Security Scan tool to change the names of the table files I need to type in the names of the table files I want to change, is there a master list somewhere of what all the file names are?

    I see 11 different files in your sample, is that all of them? How do I know which files are table file and files I need to rename?

    Probably a dumb question…

  2. Just Johnny October 27, 2011

    Julie, it’s only asking you to change the prefix. There’s no need to do each table. Just change wp_ to rt_ (or something like it) and hit Start Renaming. You’re done.

  3. Debra November 25, 2011

    What effect will changing the prefixes have on the database of the site?

  4. Erhan November 27, 2011

    Does changing the prefix affect SEO?

  5. Robert Abela November 28, 2011

    Hi Debra,

    If you change the database prefixes you will be making it more difficult for a malicious user to hack your site in case there is a 0 day SQL injection on WordPress.

  6. Robert Abela November 28, 2011

    Hi Erhan,

    No, it does not affect SEO. Such a change is done in the “internals” of WordPress, therefore it is transparent to the public.

  7. nueranet December 27, 2011

    I have a wordpress install that has well over 40 subdomains membersite on a multisite install all using a central theme and so if I rename the wp_ to something else will it break the system and is there a way I can do the renaming so as not to break the site?

  8. Robert Abela January 2, 2012

    Hi nueranet,

    Thank you for showing interest in our products. Unfortunately the database table prefix renaming tool does not support multisite installs yet. We are working on a solution. Follow us on our blog or any of our social media networks to stay updated with our updates.

  9. Gerrit January 9, 2012

    Seems wrong to me, because if there is a SQLi issue, the attacker also have access to information_schema.tables (MySQL), etc. so all of this just would be security by obscurity.

    Let me know if I am wrong with that.

  10. Robert Abela January 9, 2012

    Hi Gerrit,

    Yes, it is a wrong presumption. It depends on what access the user being used to access the WordPress database has. If you use the root account, then yes, unfortunately the malicious user will have access to all other databases. If you use a specific user just for the WordPress database, then you are safe.

  11. Gerrit January 9, 2012

    Erm. No?

    The attacker can brute force the table names, so it’s still security by obscurity. Maybe you can delay the full access to the tables by some seconds, not even minutes.

    In my job as a developer I have tested some of these SQLi tools, to learn how they work. These tools automate the whole attack, after you give them a vulnerable URL. As a normal db user the table names were also determined quickly by brute force.

    Changing the prefix doesn’t affect that much.

  12. Robert Abela January 16, 2012

    Hi Gerrit,

    Thank you for your response.

    From our experience, renaming the table prefixes helps a lot. Obviously, using a prefix like 123 is different from nf4u1Gn85Rg21n ;)

    Thank you.

  13. Alexandre Simard January 18, 2012

    Aren’t table names just a SHOW TABLES away anyway?

    Once your installation is vulnerable to SQL injection, you’re pretty much an open target, no matter what table prefix you’re using.

  14. Bridget Irving January 20, 2012

    By renaming the prefixes does that affect future upgrades of the theme or of WordPress itself?

  15. Sue January 21, 2012

    I can’t see where I need to go or what button to hit to have this automated. Help? :)

  16. Robert Abela January 25, 2012

    Hi Bridget,

    No it does not affect any of those in any way.

  17. Robert Abela January 25, 2012

    Hi Sue,

    Please download our plugin WebsiteDefender WordPress Security plugin and navigate to the Database node.

    If you have any queries, please post on our WebsiteDefender Forums.

  18. Robert Abela January 26, 2012

    Hi Alexandre,

    The whole point of renaming the tables is to make it more difficult for malicious users to exploit a 0 day SQL injection against your WordPress installation, not to protect yourself when a user already exploited the SQL injection. Prevention is always better than cure.

  19. Simonee January 28, 2012

    What about integrations? Does the changing of the files impact any integrations done with other plugin tools – such as Paypal or 3rd party applications?

  20. Robert Abela January 30, 2012

    Hi Simonee,

    Such change should in no way affect any kind of integration.

  21. more info please February 20, 2012

    give us some examples of a good name. can we keep wp_ or should we not use wp_ at all?

    does this affect upgrading wordpress or the speed at which the site loads? does it affect themes or other components of wp?

  22. Robert Abela February 22, 2012

    Hi,

    Ideally you should have an 8-character alphanumeric value instead of wp_.

    It will not affect any WordPress or plugin upgrades and definitely does not affect the website loading speed.

  23. more info please February 26, 2012

    thanks for the reply. appreciate it. :)

  24. Jesse March 14, 2012

    I have a WP e-commerce installation that I have spent the last few months setting up. Are there any potential problems with changing the table prefix? If there is even a risk then it may not be worth it at this time.

  25. Robert Abela March 20, 2012

    Hi Jesse,

    There are no risks involved in renaming the WordPress database table prefixes. Though I always recommend making a full backup in case the unexpected happens.

  26. Janyson April 14, 2012

    I have one question: I am using the default database prefix; if I change it, will my website crash?

  27. Robert Abela April 17, 2012

    Hi Janyson,

    If you follow the step by step procedure we have published, you should not have any problems. Else you can download WebsiteDefender WordPress Security plugin and it will do it automatically for you.

  28. Ray Cassidy July 20, 2012

    In response to the comment about brute force hacking of the obscure prefix. No plugin shuts all the doors on its own. In addition to this rather neat script I also use something like Limit Login Attempts. This does at least slow the hacker’s access to a crawl unless he’s got unlimited proxies ;-)

  29. Azubuike July 31, 2012

    Changing the prefix Wp_ into something else, won’t it harm my data?

    Thanks

  30. Ryan August 8, 2012

    Hello,

    Will changing the prefix break all the links to pictures and other things I have in my posts? Thanks!

  31. Phil Hoover August 9, 2012

    In WSD it states:

    Before running this script:

    - Make a backup of your database.
    - The wp-config.php file must be set to writable before running this script. (Yes)
    - The database user you’re using with WordPress must have ALTER rights. (Yes)

    The (Yes) items above are in green, HOWEVER when viewing my wp-config file the permission is set to 644.

    So the question is, can I go ahead and put in a different table prefix and hit “Start Renaming” OR do I still need to change the wp-config file to 777?

    Thanks
    Phil

  32. Ben Lacey August 14, 2012

    Why would changing the prefix stop a hacker? It wouldn’t.
    If they can gain access to the wp-config.php file and connect to the database using a plugin or similar method then all it would take is a simple show tables mysql command to see the table names.

    Security through obscurity is risky and leads people into a false sense of security. You’re probably better off securing / locking down portions of your site to prevent abuse.

  33. Andrew James August 30, 2012

    @Azubuike – No, changing the prefix won’t harm your data. If you are worried about making any changes, make a backup of your site first.

  34. Robert Abela August 30, 2012

    Hi Ryan,

    No it will not break anything. Such change is done in the “internals” of WordPress and is unnoticeable from the outside.

  35. Robert Abela August 30, 2012

    Hi Phil,

    To be on the safe side I would recommend you to change the wp-config.php file permissions to 777. Once the change is done, revert back the permissions.

  36. Robert Abela August 30, 2012

    Hi Ben,

    This security precaution is not a protection for when a hacker gains access to your wp-config file, and neither is it security through obscurity. This procedure will only protect you from zero-day SQL injections. So if a hacker manages to exploit a zero-day SQL injection against your WordPress site, he cannot simply predict the table names and retrieve all the data from your database, but has to guess the table names. As you can see, this is an extra precaution you can take for making sure your WordPress is bullet proof :)

  37. SF December 23, 2012

    What is a “zero day” SQL injection? I have seen this term used a number of times with regard to this plug-in, but am not sure what it means. Thanks.

  38. Chrysostomos Daniel January 2, 2013

    Hi SF

    A zero-day SQL injection attack exploits an SQL injection vulnerability that exists on a web application and of which there was no awareness before. That means no security measures were applied against it. Thus, in case this vulnerability is exploited, by changing the table prefix of the WordPress database the attacker will have to guess the table names before accessing them. So, even if the attacker exploits the vulnerability to gain access to the WordPress database, the attacker has to guess the table names as well before gaining access to the database data.

    Thank You

    ———

    Stay tuned with the latest news and updates by subscribing to our WebsiteDefender Facebook account http://www.facebook.com/WebsiteDefender or follow us on Twitter http://twitter.com/websitedefender .

    Remember, stay secure!

  39. Naresh March 30, 2013

    It is my understanding that Google and Word Press have had or are in heated discussions/disagreements with each other.

    And as such Google have downgraded most if not all WordPress sites (including mine) through their Panda and Penguin updates to search engine obscurity, that is traffic to our websites have greatly reduced!

    Would installing the WebsiteDefender plugin which allows the wordpress database tables with the “wp_” prefix to be changed to something else increase our website rankings as well as securing our websites from malicious attacks ?

    I apologize in advance if this is a childish/naive question

  40. Chrysostomos Daniel April 2, 2013

    Hi Naresh

    The WebsiteDefender database table prefix change feature is used as a security measure against Zero-Day SQL Injection attacks and is not related in the ranking process of a website.

    Thank You

  41. Lorenzo May 2, 2013

    Hi,
    I’ve been renaming my db prefix to something like wp_jndk8hen48_
    Would it be safer to simply drop the wp_ altogether and name it something like: jndk8hen48_ ?

    If so, I’d be curious why that is the case. Thx

  42. Nicholas Sciberras May 2, 2013

    @Lorenzo,

    That should be fine, as long as you change the names which are used by wordpress by default. Attackers will try to guess the names of the databases using the default names. The ‘random’ characters you inserted in the names of the tables should stop such attacks.
