Is WordPress really safer by changing the prefix of the database? • WordPress Help

One of the most common advice given (me too) about WordPress security is do not use the default WordPress prefix for database tables but does this change really improve WordPress security?

 protect wordpress

Either from installation or later (see link in previous paragraph) ), using a different prefix for the database tables is a basic WordPress security tip to avoid SQL injections .

As you already know, WordPress by default uses the prefix wp_tablename but is it really a security improvement to use another one like mistablas_nombretabla ? Let's see arguments

What is an SQL injection?

 sql injection

To begin with it's good to know what exactly is an SQL injection . To summarize, a SQL injection offers the attacker the possibility of injecting SQL code through some input path that is available to visitors (visible or not) and that can be executed from the database server, which in the case of WordPress would be the MySQL server where it is hosted.

For example, imagine that instead of entering an email address in a registration form the attacker enters SQL code that makes a list of all the records in the table wp_users which is where all the data of registered users of a WordPress is saved. It gives miedito no?

If so, once sent the form, instead of rejecting the SQL code, the web runs it and the database server would deliver the contents of the table wp_users to the attacker.

An SQL injection, that is, the execution of code through an entry path to a web is the typical result of a problem with the code of a form, a plugin, the theme or any other component of the WordPress installation. And it is possible almost always because the gateway for visitors has not been sanitized so it allows the introduction of SQL code.

It's basically that. In a typical installation of WordPress the attacker will also be able to write to the database, which is even more dangerous as we will see later.

As in everything, there are many variants of possible SQL injections some really gimmicky, but it's good that you have an overview of how an SQL injection works, the impact it can have if it is carried out (read or write in the database) and, above all, how it can be avoided. [19659005] Now let's see how this affects a typical installation of WordPress and if a change in the prefix of the database influences the time to avoid SQL injections, do you think?

Names and tables in the database of WordPress

We have already seen on several occasions which are the tables of the WordPress database and what each table is for, but there is never a new review, and what we are talking about today is a reminder comes from pearl. [19659005] Basically, WordPress installs by default 11 tables that, if you do not modify it, will have the prefix wp_ so if you have not made any changes they will be:

  • wp_commentmeta
  • wp_comments
  • wp_links
  • wp_options
  • wp_postmeta
  • wp_posts
  • wp_terms
  • wp_term_relationships
  • wp_term_taxonomy
  • wp_usermeta
  • wp_users

If you understand some English, just by looking at the names of the tables you can guess easily what is stored in each table. For example, it is easy to imagine that in the table wp_comments comments are stored or that in wp_options is where the settings are right?

Exploiting an SQL injection in WordPress

]  insecurity wordpress

Let's get into the realms of Mordor so choose your best weapon and trust the ring community (or the WordPress community) hehe

Imagine that one of the plugins that you have installed in your WordPress is vulnerable to an SQL injection, something that is not uncommon, it is the most frequent way of vulnerabilities. An attacker who wants you the first thing you would do would be to scan your WordPress installation with tools like WPScan to have the list of the plugins you have installed, even those that are disabled. If when looking at the list it detects that one of them is vulnerable to injections SQl will already have half the work done, if not the most.

The next thing he would do is exploit the SQL injection for what he would execute some codes like Next, the usual ones to manually create an administrator in the WordPress database, there's nothing:

What do those codes do? As nothing more and nothing less than the attacker can create a WordPress user with administrator privileges on your website, which will immediately get access to your WordPress desktop with full access.

On other occasions the attacker not only creates an new admin user but also changes the current password and, by the way, leaves you without access, a symptom that when you see it and is slow to react.

Why the attacker can create an administrator?

Knowing in advance that your website is made with WordPress and that it is vulnerable to SQL injections due to some vulnerable plugin or whatever you may have seen, the attacker only needs basic configuration knowledge of the WordPress database, something fully documented in the same website

Guessing database table names

If the prefix of the WordPress database on the site is the default one, that is wp _ the attacker can easily execute code and read or write information in the tables.

If you change the prefix of the WordPress database, for example to MordorX25_ the attacker can not Read or write in the database so easily since you do not know the names of the tables. This is true even if you have done the SQL injection and the code is exploitable, because they would not have any effect when you did not find an objective to act on.

Yes, changing the prefix of the WordPress database tables improves WordPress security

The – good – idea of ​​changing the prefix of the WordPress database tables is old, in fact from the first versions of WordPress, to avoid SQL injections that could create users and inject spam or malware The only way to quickly stop them was to change the default names of the tables.

Does this mean that I'm safe just by changing the prefix of the WordPress database tables?

Of course not. Changing the prefix of the tables in the WordPress database is a very good security measure, and it stops an infinity of attacks on the database, but it's not the only way they can enter your site.

Most of the time the culprits of a WordPress attack are badly programmed or not updated plugins, the reality is that you can get access to a WordPress installation in other ways, for example through social engineering, stealing passwords and any other method that imagine Everything will depend on the interest that your site provokes in the possible attackers, and with the plague of spammers that invades us, nobody is 100% sure.

So, in addition to changing the prefix of the tables in the database apply these 15 rules to have a bomb-proof WordPress you'll be happier.

NOTICE : this publication is from two years ago or more. If it's a code or a plugin it might not work in the latest versions of WordPress, and if it's a news story it might be obsolete. Then do not say that we have not warned you.

Loading …

That may also help you:

Massive attack of "malware" to WordPress sites

A couple of days ago an attack was mainly directed against sites created with WordPress whose intention is to break the infected websites and to inject spam in them.

Does your WordPress enter any of the previous points ?. If you meet the conditions 2 and 3 and it takes to fix it before receiving attacks that you could easily get rid of.

It tries to infect WordPress installation files, either from the kernel or from plugins and themes, and an easy way to detect it are visible errors that are displayed instead of the site, such as …

Parse error: syntax error, unexpected ')' in / home / user / public_html / site / wp-config .php on line 91

Well the solution is not comfortable but it's simple: reinstall a clean version of WordPress and all the plugins and susceptible themes, as well as the WordPress configuration files .

Plugins that you should NOT install

 guitar burning

Plugins are a big part of the huge success of WordPress but as with everything, there are good ones, bad ones , regular and just the opposite. Today we will see some that, and not precisely because they are bad plugins, you should avoid as much as possible.

I mean plugins that, despite their virtues, are detrimental to the performance of your site , that slow it down, and you already know that this is not good, not only because Google can penalize you, but because you do not want your visitors to abandon you for having a slow site?

Let's go to it …

 wordpress slow

Google XML Sitemaps

This plugin is a wonder it not only creates a site map that is updated only each time you publish something but it has so many settings that it is absolutely impossible not to have a file sitemap.xml perfect and thus help search engines index your site.

Now this plugin is a enormous resource devourer because precisely the process that must be done of revision of and all your database to create correctly the map of the site means that in many servers (shared of course) there are times when you will not even create the map due to lack of memory.

Are there alternatives? bad is not, at least as good. There is one that is not bad, Better WP Google XML Sitemaps but personally I did not like its operation, not even the map it generates. But come on, that's a personal opinion, make the site map and quite complete.

Another option is Google Sitemap this is weaker unless you opt for the payment options, but it can be

The other possible alternative is using the plugin's sitemap modules such as All in one SEO pack or Yoast's WordPress SEO .

Broken link checker

] Wonderful, essential, obligatory but it happens the same as the previous one, that when analyzing ALL the links of your site to find broken links, in a constant and tremendously effective way, is a memory devourer like no there is another, even worse than Google XML Sitemaps.

The bad thing is that a server has not found any other plugin that does not even look like it, so be damned. The only possible alternative is to use web services or SEO desktop applications, which sometimes offer search engine broken links, such as BrokenLinkCheck CheckLink or LinkChecker this last installable.

Or, what I do: a day of little traffic I install it, I activate it, I let it work a few hours, fix links and I deactivate it until next time .

WP Post Views

This veteran plugin, from the last century, is actually a very cool tool because it shows us the most viewed posts, which we can make visible in the form of widget or code.

It is a good SEO tool but it has its hidden face, and is that, of course, being constantly reviewing your entries to show their popularity consumes many resources to be constantly checking your database .

I would say any plugin that does the same it can be useful of alternative but it is not true, they are not alternative, all plugins of this type have the same problem because they all do the same, so your only alternative are external statistical analysis systems like Piwik or the same Google Analytics.


Of course, I could not miss, and that is that JetPack has modules that do much of the above, although it has other modules that help speed up your site, but in this kind of thing you do not have to to compensate, we must be as effective as possible.

Whether we are talking about the statistics module, because of what was said previously of WP Postviews, of Markdown, Beautiful Mathematics or the Shortcodes because they have to "translate", of the infinite Scroll by the JavaScript, of the Gravatar Hovercards until they load the information or the Contact Form, that consumes what is yours even if you do not believe it, we are facing a monster .

So avoid it, and use to alternative plugins for each utility you "really" need .


Yes, remove that face of astonishment, that Akismet, and wonderful as it is, is also piece of plugin brick, that slows down your site more than desirable .

This is due to several reasons, because not only do you have to connect to the JetPack servers to check lists of spammers but also check your database to show more comments of each author, and even shows thumbnails emerging from the URLs in the comments, and all that consumes his .

Also, you have enough alternatives to combat spam .

Are there more mallet plugins?

There is more, of course, and there's nothing better than doing your own checking on your site with plugin P3 which analyzes the loading of the components of WordPress. It seems almost messy but this plugin is also a great consumer of resources, but at least it is of the type to install, activate, use and deactivate.

The best, in any case, is to follow a series of guidelines to the time to choose plugins and avoid – where possible – those that comply with the following rules:

  1. Plugins that load a lot of scripts, style sheets and other additions.
  2. Plugins that add additional requests to the database on each page of your site.
  3. Plugins that perform complex operations like MySQL commands or intensive search in the database.
  4. Plugins that make many requests to the database.

It is not the number of plugins you have installed which slows down your site but the quality of the plugins you have installed.

Choose well, choose only those you need, and for everything else create your own plugin functions only with what each site re

NOTICE : this publication is from two years ago or more. If it's a code or a plugin it might not work in the latest versions of WordPress, and if it's a news story it might be obsolete. Then do not say we have not warned you.

Loading …

That may also help you:

How to hide emails from spammers in WordPress • WordPress Help

I do not know if it happened to you, but to me yes. One day you receive an email from a visitor to your website that tells you that since leaving a comment on your website you are only receiving spam and, most surprising of all, that you are going to sue you as not stop receiving spam! . The fat thing is that sometimes it was the same who had left his email in a comment in the style of …

KoM0 haze xto ???
my email is hoyganpedorro @ algarrobicoadabajo .es

Yes, it happens, it's weird, to give a capon to the uncle for cenutrio but to pass.

But hey, if you want to get rid of this kind of inconvenience, and do not what for boarders like the one of the imaginary example, since the spammers scan code of the webs and also they will find emails not so obvious as the one of above, it can be made very easy, hiding the email addresses .

To get it I found a very majete trick in wprecipes which is about adding this code to your plugin functions :

What does the " coso " this is search for any character string of the type " loquesea@loquesea.algo " and conceals it whether it's in the content or – very interesting – in the text of widgets.

So you already know how to get rid of that plague of spammers who are hunting for email addresses .

NOTICE : this publication is from two years ago or more. If it's a code or a plugin it might not work in the latest versions of WordPress, and if it's a news story it might be obsolete. Then do not say we have not warned you.

Loading …

That may also help you:

Filtering forbidden words in WordPress

One functionality of the old forums of all life that is essential is the filters of forbidden words those that, if a user writes them in a message they are automatically blocked by the system.

Interestingly, despite the enormous growth of WordPress, thanks in part to its comment system that makes it active almost like a forum, to have a filter system of forbidden words was something of the most requested by the users and not always available.

This is over, because with the plugin WP Content Filter you can easily define which words are they will block, being replaced by asterisks. In this way, if you add the word "press" in the field of forbidden words, it will appear as "*****". Now, as you may have guessed, this has a danger, and that is if you write someone in a comment or where "WordPress" would appear as "Word *****", so be conscientious with which words you choose to block. [19659003]

For the rest, the plugin is very simple . In your settings screen you have a field to include the forbidden words (separated by commas) and then a series of configurations of how you want it to behave and where the filter will apply, being able to choose to filter in practically all parts, namely …

  • Entries
  • Recent ticket entries from the sidebar
  • Title entries
  • Comments [19659007] Widget of recent comments from the sidebar
  • Authors of comments
  • Tags
  • Tags cloud

As you see, very complete and, above all, useful and effective, great to remove hobbies to the spammers and heavy of the autodrome and things like that that there is always.

Try it and tell us that.

NOTICE : this publication is from two years ago or more. If it's a code or a plugin it might not work in the latest versions of WordPress, and if it's a news story it might be obsolete. Then do not say we have not warned you.

Loading …

That may also help you:

Akismet 2.5.4 incorporates preview and deletion of links

If you have updated Akismet to the latest version available today, the 2.5.4 skip the comments marked as spam, or mark one as spam to try the ] new preview functionality for links and, if necessary, fast erasure .

The idea is great, because often the only thing that is "markable" as spam of a comment is the link included in it, either in the body of the comment or in the signature of the author, and in these cases Akismet offers you …

I find it a great, simple and very practical functionality.

How to fight spam

Although from time to time the bands of spammers receive a setback from the security forces, it is such a round business that for every mafia that they imprison in jail, 10 more appear wanting fast income offering the last pharmaceutical wonder or promoting services of any kind in your site.

Well, to defend against spam we have multiple tools, which I compiled here to the delight of the respectable:

Oh, if you know some other method share it in the comments, this it's almost a public service.

WangGuard, the definitive anti-splog

Some time ago José Conti has been fighting against that plague of the blogs spam in installations multisite and BuddyPress and it seems that he has finally come across the solution. The best thing ?, that has created a plugin, free for non-commercial use, with which to keep at bay the annoying splogs.

I am talking about your recent child: WangGuard already in the official WordPress repository . With this plugin, which installs like any other, you have in your WordPress a system in the style of Akismet, but specialized in splogs. When a user tries to register on your site WangGuard checks if it is in the database of sploggers (in continuous growth) and if it does not allow you to create the blog, as simple as that.

Of course, through the API you can improve the database, something highly recommended.

I was going to say some memorable phrase that would encourage you to install it but better is from Jose

So you know, if you want to have your installation of WordPress multisite safe from sploggers instalaros WangGuard "Made in Spain".

Akismet 2.5

I do not know if you've noticed but the version 2.5 of Akismet is already available which, in this way, hits an important version jump.

This update includes interesting new features like … [19659003] A history of comments states, so you can see which comments were captured and / or released by Akismet, which were marked as spam or otherwise by the moderator.

  • Now the links are highlighted in the body of the comment, to so reveal hidden or badly typed links
  • If your hosting provider can not connect to the Akismet servers the plugin will automatically try it when your connection comes back
  • Moderators can see the number of comments approved to each user
  • The Spam and Unspam reports now include more information, to improve its accuracy
  • Here is a video of the news …

    The entry Akis met 2.5 published it first Fernando Tellado in Ayuda WordPress . Do not copy content, do not say anything good about you to your readers.

    Disqus, Intense Debate or what?

    Some time ago I have been using an external comment management system in my personal blog but I still maintain the internal comment system of WordPress in others, and this dissension with myself is not because I have not seen the advantages of outsourcing comment management but rather because of technical issues that are not relevant, but I will explain at the end of this article.

    And I say this because outsourcing the comments management, using systems like Intense Debate or Disqus is a decision most of the time successful, although not for all situations. Let's see advantages and disadvantages …

    In favor: Integrated management

    It seems an incongruity but when you externalize the comments one of its biggest advantages is that you can manage in a unified way the comments of all your blogs, if you have several. From the page of your profile in Disqus or Intense Debate you can moderate and configure the comments of all your blogs.

    With this you avoid having to access each of your blogs, each one with your access data, and with only one "Login" you can manage the comments of all your sites.

    In favor: Bandwidth

    One of the activities that consume the most bandwidth and requests to the database of your blog is the management of comments and , by outsourcing, you limit this type of slowdowns and resource consumption of your server, relegating them to the service used.

    In favor: Advanced features

    One of the virtues of external comment systems is that they have all the technologies modern comments management, in this way, without touching a line of code or install dozens of plugins, you have instantly:

    • Comments nested
    • Access from social profiles
    • Share in networks social
    • Sort comments at will
    • References and separate comments
    • Inbound links from social networks
    • Gravatar
    • AJAX effects and Javascript
    • Page comments
    • Personalization of comment form

    ] In favor: Moderation and antispam

    By this I mean you can unify moderation rules for comments, tagging and marking as spam, all from the same interface and for all your sites. In addition, this type of services offer advanced moderation tools, including by users (mark as inappropriate), which you do not usually find in other systems, at least natively.

    In favor: Integration

    Both system that I have proposed have a full integration with the native system of comments. Therefore, it is very easy to change from an external system to a native one at any time. When installing one of these external comment management services, the first thing you are offered (almost) is to export the existing comments with the account in the service and, at any time, you can synchronize both systems of comments (internal and external) so as not to lose anything if you want to change.

    As an additional advantage, you do not have to wait for the export and / or synchronization processes to finish, you start them up and leave the page without any problem. When the process ends, the service sends you an email confirming the end of the action.

    Against: Veteran Blogs

    Despite what was said in the previous paragraph, I have encountered several problems when trying to export and synchronize comments in veteran blogs, with many comments (let's say more than 10 thousand or so). Sometimes this synchronization process gets so long that it gets stuck if there are a lot of comments. The good thing is that you do not lose anything in the process so to try you will not suffer a misfortune.

    Against: Personalization

    There are times when, if you are very picky about the design of your blog, these external services they do not manage to satisfy your personalization needs, of adapting to the template of your site. Although they offer different customization settings, such as retouching the CSS, choosing the language of the form and adapting to your tastes of the appearance and behavior of the form, the adjustment is not always perfect.

    There are small details that you can not easily change (if you know CSS if you can do wonders) and that may not offer an aesthetic result and adapted to the design of your blog to the level of personalization you want.

    Against: Dependency

    All the virtues offered by an external management system Comments may be your biggest problem because you are actually depending on an external service that, if they decide to close it, will leave you lying and you will have to go back to the native system. Fortunately, these systems that I have been talking about allow you to recover your blog conversation at any time, so you would not lose any of the content, but you would have to get used to "the old" again or look for an alternative service if you closed the service

    Both Intense Debate and Disqus reserve the right to modify the terms of service if they so choose, so keep this in mind before making the decision.

    ] In summary …

    As you can imagine, the decision is yours, but since you expect me to get wet I'll do it …

    • If your blog has thousands of previous comments, I almost do not recommend it, most of the time both systems fail in the export and that does not give you guarantees that, in case of wanting to change, you can synchronize without problems.
    • If your blog is new or does not have thousands of previous comments, I highly recommend it. You enormously reduce the requests to the database, you offer your readers all the current features of integration with social networks and the operation is outstanding.

    My decision has been, for the above reasons, to install Disqus in Navigating with Network (my personal blog) and here, and maintain the native system in CiberPrensa (at the moment, and due to synchronization problems). I was tempted to install first Intense Debate (being a service purchased by Automattic, a company that coordinates the development of WordPress) but at the time I made this change the system was more advanced Disqus and I opted for it, and the truth is that I am very satisfied with the decision.

    (Originally posted in Neumattic which I reproduce here because of its interest in WordPress)

    NOTICE : This publication is from two years ago or more. If it's a code or a plugin it might not work in the latest versions of WordPress, and if it's a news story it might be obsolete. Then do not say we have not warned you.

    Loading …

    That may also help you: