Change default database prefix “wp_” WordPress

Krikke

Hi there

I could not find the option to change the default “wp_” prefix when creating a WordPress install.

It is considered good practice to do so. Is this feature considered?

Kristof

ivansalloum

Krikke Changing the default WordPress database prefix is a good practice, but it doesn't guarantee complete protection against SQL injection attacks. A determined hacker could still exploit vulnerabilities, even with a custom prefix. It might make their job slightly harder, but it's not a foolproof solution.

Personally, I change the prefix whenever possible during installation, but it's not a top priority if the option isn't available.

If you want to change it after installation with Enhance, you can use a plugin.

Krikke

Hi @ivansalloum

Thank you for the input. I agree it is not a guarantee for protection. It is a small & easy step that can decrease the bulk of automated attacks against a website for certain attack vectors.

Nothing will completely stop targeted attacks & this small thing can help in an overall healthy security practice for WordPress installations, in addition to many other measures.

We change the prefix on all our installs. It would be great if Enhance can support this out of the box. It is another couple of minutes saved per website.

mah1952

+1 for this

JohnB

-1

This is useless. As for automated bots, they are already coded to find the prefix if its not default and a SQL injection vuln is found. Its basic enumeration.

https://www.wordfence.com/blog/2016/12/wordpress-table-prefix

SELECT DISTINCT SUBSTRING(`TABLE_NAME` FROM 1 FOR ( LENGTH(`TABLE_NAME`)-8 ) )
FROM information_schema.TABLES WHERE
`TABLE_NAME` LIKE '%postmeta';

Changing the WordPress table prefix is what we refer to in the industry as ‘security theater’. In other words, it is busy-work that makes you feel more secure but does nothing to make you more secure. It only adds risk and complexity.

We have another cool sounding phrase that describes this: ‘Security through obscurity’. What this means is that you’re trying to secure yourself by making things harder for an attacker to find. In the security industry this is widely accepted as a pointless exercise.

Many sites and blogs will say its an important step but they also will recommend bluehost & godaddy...

kess

JohnB I couldn't write it better 👍️

cristianuibar

👎️

Please refrain from altering the prefix. It's always difficult to fix custom prefixes, and it's completely pointless. Nowadays, there's no added security benefit from doing so. Maybe it was beneficial 10 years ago, but there is no benefit today. It only causes issues when you want to migrate sites or make changes to the database.

JohnB

cristianuibar Sad how if you google "harden wordpress" or "improve wordpress security" its ALWAYS listed in the top 10 actions.

But on the other hand if a site lists that I know none of their advice should be trusted. I should make a script that grabs all the web for sites that recommend this and then add them to an exclude list for google searches.

cristianuibar

Prefixes are only useful if you have multiple installs using the same database, which most likely it's not the case here. So you could really use no prefix at all. It wouldn't make a difference in terms of security.

The real use-case of the prefixes is when using multisite.

JohnB

cristianuibar The real use-case of the prefixes is when using multisite.

Correct. And multisite its rarely the right option lol.