Is WordPress really safer by changing the prefix of the database? • WordPress Help

One of the most common pieces of advice about WordPress security (I give it too) is not to use the default WordPress prefix for the database tables. But does this change really improve WordPress security?


Whether at installation time or later (see the link in the previous paragraph), using a different prefix for the database tables is a basic WordPress security tip meant to blunt SQL injections. If you change it on a site that already exists, renaming the tables is not enough: the row wp_user_roles in wp_options and the rows wp_capabilities and wp_user_level in wp_usermeta carry the prefix in their names and have to be renamed as well, or every user ends up with no role.

As you already know, WordPress by default uses the prefix wp_ (wp_tablename), but is it really a security improvement to use another one, like mistablas_nombretabla? Let's look at the arguments.

What is an SQL injection?


To begin with, it is good to know exactly what an SQL injection is. In short, an SQL injection lets an attacker send SQL code through some input path that is available to visitors (visible or not) in such a way that the database server executes it; in the case of WordPress that is the MySQL server that hosts the site's tables.

For example, imagine that instead of an email address in a registration form, the attacker enters SQL code that lists every record in the wp_users table, which is where the data of all registered users of a WordPress site is stored. A bit scary, isn't it?

If that is the case, once the form is submitted the site runs the SQL code instead of rejecting it, and the database server hands the contents of wp_users to the attacker.

An SQL injection, that is, executing code through an input path into a website, is the typical result of a flaw in the code of a form, a plugin, the theme or any other component of the WordPress installation. It is almost always possible because the input path has not been sanitized, or more precisely because what the visitor typed is spliced into the SQL text instead of being passed to the database as a bound parameter.

That is basically it. In a typical WordPress installation the database user that WordPress connects with has full privileges on its database, so if the vulnerable query is one that writes (an INSERT or an UPDATE), or the code lets several statements run at once, the attacker can also write to the database, which is even more dangerous, as we will see later.
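Here is what that registration-form scenario looks like at the SQL level, as an added example that is not code from the original post. The plugin, its form field and its query are constructed for illustration; the table is the standard wp_users with the default wp_ prefix, and the statements are MySQL.

```sql
-- A plugin (constructed example) looks up a user by the e-mail typed into a form
-- and builds the statement by string concatenation in PHP:
--     "SELECT ID FROM wp_users WHERE user_email = '" . $_POST['email'] . "'"
-- With a normal value the statement is exactly what the developer expected:
SELECT ID FROM wp_users WHERE user_email = 'jane@example.com';

-- The attacker types this into the same field. Note the closing quote, the UNION,
-- and the trailing "-- " comment that swallows the quote the plugin appends:
--     x' UNION SELECT CONCAT(user_login, ':', user_pass) FROM wp_users -- 
-- The statement MySQL actually receives (shown as PHP sends it, without a ';';
-- add one at the end of the UNION line if you paste it into the mysql client):
SELECT ID FROM wp_users WHERE user_email = 'x'
UNION SELECT CONCAT(user_login, ':', user_pass) FROM wp_users -- '
-- Result: one row per registered user holding login and password hash, delivered
-- through whatever the plugin does with the "ID" it expected (page output, error text...).

-- The fix is never to splice input into SQL text. MySQL's own form of that is a
-- prepared statement with a bound parameter; in WordPress code the equivalent is
--     $wpdb->prepare( "SELECT ID FROM {$wpdb->users} WHERE user_email = %s", $email )
PREPARE lookup FROM 'SELECT ID FROM wp_users WHERE user_email = ?';
SET @email = 'x'' UNION SELECT CONCAT(user_login, '':'', user_pass) FROM wp_users -- ';
EXECUTE lookup USING @email;   -- returns no rows: the payload is compared as a plain string
DEALLOCATE PREPARE lookup;
```

The first half is the injection the post describes; the second half is the only real defence, because with a bound parameter the quote and the UNION never reach the SQL parser as syntax.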

As with everything, there are many variants of SQL injection, some really elaborate, but it is good that you have an overview of how an SQL injection works, the impact it can have if it succeeds (reading or writing the database) and, above all, how it can be avoided. Now let's see how this affects a typical WordPress installation and whether a change of database prefix makes any difference when it comes to avoiding SQL injections. What do you think?

Names and tables in the database of WordPress

We have already seen on several occasions which tables make up the WordPress database and what each one is for, but a new review never hurts, and for what we are discussing today a reminder comes in handy. Basically, WordPress installs 11 tables by default (recent versions add a twelfth, wp_termmeta) which, unless you change it, carry the prefix wp_, so if you have not modified anything they will be:

  • wp_commentmeta
  • wp_comments
  • wp_links
  • wp_options
  • wp_postmeta
  • wp_posts
  • wp_terms
  • wp_term_relationships
  • wp_term_taxonomy
  • wp_usermeta
  • wp_users

If you understand some English, just by looking at the table names you can easily guess what is stored in each one. For example, it is easy to imagine that wp_comments stores the comments or that wp_options is where the settings live, right?

Exploiting an SQL injection in WordPress


Let's get into the realms of Mordor, so choose your best weapon and trust the fellowship of the ring (or the WordPress community), hehe.

Imagine that one of the plugins installed on your WordPress is vulnerable to an SQL injection, which is not rare: plugins are the most frequent source of WordPress vulnerabilities. An attacker interested in you would first scan your installation with a tool like WPScan to get the list of plugins you have installed, even the disabled ones. If that list contains one with a known SQL injection, half the work, if not most of it, is already done.

The next step would be to exploit the SQL injection by running the usual statements for creating an administrator by hand in the WordPress database. Nothing to it.

What do those statements do? Nothing more and nothing less than give the attacker a WordPress user with administrator privileges on your site, with which they immediately get into your WordPress dashboard with full access.

On other occasions the attacker not only creates a new admin user but also changes the existing administrator's password and, by the way, locks you out, a symptom you tend to notice late and react to slowly.
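As an added example that is not from the original post, here is the check to run if you suspect this has happened to you. The queries assume the default wp_ prefix (the meta_key is <prefix>capabilities, so with the post's MordorX25_ example you would look for MordorX25_capabilities) and the way WordPress stores roles: a serialized PHP array in wp_usermeta.

```sql
-- Every user who holds the administrator role, newest registration first.
-- An injected administrator shows up as a row you never created, usually with a
-- user_registered timestamp that matches no real signup and a throwaway e-mail.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- A legitimate administrator's capabilities value is serialized PHP like this:
--   a:1:{s:13:"administrator";b:1;}
-- WordPress also keeps the legacy numeric level; administrators are level 10.
-- Cross-check: anyone at level 10 should appear in the list above and vice versa.
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
WHERE m.meta_key = 'wp_user_level'
  AND m.meta_value = '10'
ORDER BY u.user_registered DESC;
```

If you find a row you did not create, deleting it is not enough: the injection that let it in is still there, so update or remove the vulnerable plugin, rotate every administrator password and change the salts in wp-config.php so that any session cookies already issued stop working.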

Why can the attacker create an administrator?

Knowing beforehand that your site runs WordPress and that it is vulnerable to SQL injection through some plugin or whatever else you have installed, the attacker only needs basic knowledge of how the WordPress database is laid out, something fully documented on the WordPress.org site itself.

Guessing database table names

If the site's WordPress database prefix is the default wp_, the attacker can write the whole attack in advance: every table name is known, so reading from or writing to the tables is just a matter of having the injection.

If you change the prefix, for example to MordorX25_, a canned attack that hardcodes wp_users or wp_usermeta stops working even when the injection itself is exploitable, because its statements aim at tables that do not exist. That is as far as the protection goes, though: an attacker who can see the results of an injected query can read the real names from MySQL's information_schema in a single request, so the changed prefix defeats automated and lazy attacks, not a person who is paying attention.
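Why the renamed prefix is only an obstacle for scripts, as an added example that is not from the original post: any injection whose results reach the attacker can ask MySQL itself for the real table names. MordorX25_ is the prefix the post uses as its example; the queries run against whatever database WordPress is connected to, obtained with DATABASE().

```sql
-- A MySQL account can read information_schema for every table it has privileges on,
-- and the WordPress database user has privileges on all of its own tables.

-- 1. List the tables, whatever they were renamed to:
SELECT table_name
FROM information_schema.tables
WHERE table_schema = DATABASE()
ORDER BY table_name;
-- e.g. MordorX25_commentmeta, MordorX25_comments, ..., MordorX25_usermeta, MordorX25_users

-- 2. Recover the prefix itself in one row. In LIKE, '\_' is a literal underscore, so
--    '%\_users' matches MordorX25_users but not MordorX25_usermeta.
SELECT SUBSTRING_INDEX(table_name, 'users', 1) AS wp_prefix
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_name LIKE '%\_users';
-- e.g. MordorX25_

-- 3. The same query smuggled through a UNION injection in a single-column lookup:
--    the first request returns the name, the second request uses it.
--    Injected field value (constructed):
--      x' UNION SELECT table_name FROM information_schema.tables
--         WHERE table_schema = DATABASE() AND table_name LIKE '%\_users' -- 
```

The prefix therefore has no effect on an attacker who can read query output; it only blocks attacks written once for wp_ and fired at thousands of sites. The injection has to be fixed in the plugin, not hidden behind a table name.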

Yes, changing the prefix of the WordPress database tables improves WordPress security

The (good) idea of changing the prefix of the WordPress database tables is old, in fact it dates from the first versions of WordPress, when injections that created users and inserted spam or malware were rampant and the only way to stop them quickly was to change the default table names.

Does this mean I'm safe just by changing the prefix of the WordPress database tables?

Of course not. Changing the table prefix is a good security measure and it stops a great many automated attacks on the database, but it is obscurity rather than a fix: the injection is still there until the vulnerable plugin is updated or removed, and the database is not the only way into your site.

Most of the time the culprits of a WordPress attack are badly programmed or outdated plugins, but the reality is that access to a WordPress installation can be gained in other ways, for example through social engineering, stolen passwords or any other method you can imagine. Everything depends on how interesting your site is to potential attackers, and with the plague of spammers around, nobody is 100% safe.

So, in addition to changing the prefix of the database tables, apply these 15 rules for a bomb-proof WordPress and you will be happier.

NOTICE: this post is two or more years old. If it is code or a plugin it may not work with the latest versions of WordPress, and if it is news it may be out of date. So don't say we didn't warn you.


You may also find these useful:

The tables in the WordPress database, what are they? What is each one for?

I always like to remind people in the courses I teach that Web 2.0 exists thanks to databases: if there were no tables inside databases to store the dynamic information we upload or write, the Web as we know it would not exist, we would simply have read-only websites.

WordPress, of course, also uses a database to store the information it needs in order to work. As soon as WordPress is installed, a series of default tables is created in the database, and it is good to know what each one is for, so let's look at them in detail.

So those are the tables and what they are for; watch them and take care of them. If you want a diagram of all the tables and their relationships, you have it right here …

Price table in WordPress

If you need to create a page in WordPress with a price table there are many ways to do it, from building it by hand to buying a theme designed specifically for e-commerce sites.

But if your needs are simple and you do not want to complicate your life, there is a great solution.

If you only want to create a page (or several) with a price table in a simple way and without touching code, there is a plugin that does exactly that, and the best thing is that the price tables look really nice.

Starting from a free PSD offered by Premium Pixels, Siteorigin have created a WordPress plugin, Price Table, which uses that graphical base to offer a system that, built on custom post types, makes offering price tables painless.

If you have any doubts left, here is the documentation.

As I said, it is a very simple and practical solution that also works great. There are many plugins of this kind, but most are paid, and this one is completely free. And if it does not convince you, there is another, older one that works in a very similar way.

How to clean the table wp_options • WordPress Help

One of the things that grates most about WordPress is the habit of many plugins of putting rows of information into the database, specifically into the wp_options table, so that after a few plugin installs and uninstalls it fills up with junk, much like the Windows registry.

Of course, this is a bad habit not of WordPress but of some developers who, although they could create their own tables, prefer to put the plugin's data into wp_options. That would not even be a problem if they added a line of code to clean their data out of the database when the plugin is uninstalled, something only some programmers do. The real cost appears when those rows are stored with autoload set to yes, because then they are loaded on every single page request whether the plugin is still there or not.

But hey, if your database keeps growing and it is not from new tables or from the normal growth of wp_posts or wp_comments, it is quite likely that wp_options is the table that has been growing, thanks to plugins with this ugly habit.

Clean it? Well, you can do it by hand, if you know which rows a standard WordPress installation contains, but it is a real chore that can take many hours you would probably rather spend on other things.

The best thing is to use one of these solutions:

This plugin offers a browser that lets you identify the rows in your database's wp_options table and delete them selectively. What sets it apart from doing the same from phpMyAdmin is that it offers to hide the default WordPress rows, which makes the task much safer.

Another interesting feature is the search for obsolete options, a good place to start deleting.

Highly recommended, but use it with caution, as with anything that touches the database directly, which is the case here.

One of the greatest virtues of this plugin is that it detects obsolete options and identifies the very heavy and common old RSS rows, which tend to fill up wp_options.

It is also appreciated that before the final deletion it shows a screen that warns us and lists everything that is about to be erased, a last breath before doing it.

3. Delete the _transient

Rows of the '_transient' type are a kind of cache reference, including the RSS fetches I mentioned earlier. If they are your particular plague, you can automate the deletion of these annoying and heavy rows in your wp_options table from WordPress itself by adding a small snippet to the theme's functions.php or to a plugin. Bear in mind that a transient stored with an expiry time is normally cleaned up by WordPress when it is next requested, while one stored without an expiry is autoloaded on every request, which is the costly kind. Back up the database before deleting anything in bulk.
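The same cleanup done directly in MySQL, as an added example that is not the snippet from the original post: first measure how much of wp_options is transients, then remove only the ones that have already expired. It assumes the default wp_ prefix and the two-row layout WordPress uses for a transient with an expiry.

```sql
-- 1. Measure first: how many transient rows there are and how much space they take.
--    In LIKE, '\_' is a literal underscore.
SELECT COUNT(*)                  AS transient_rows,
       SUM(LENGTH(option_value)) AS transient_bytes
FROM wp_options
WHERE option_name LIKE '\_transient\_%'
   OR option_name LIKE '\_site\_transient\_%';

-- 2. Delete only the expired ones. A transient with an expiry is stored as two rows:
--      _transient_timeout_<name>  = Unix timestamp at which it expires
--      _transient_<name>          = the cached value
--    Join each timeout row to its value row and drop both once the timestamp has passed.
--    Transients without a timeout row are deliberately left alone.
DELETE t, v
FROM wp_options AS t
JOIN wp_options AS v
  ON v.option_name = CONCAT('_transient_',
                            SUBSTRING(t.option_name, LENGTH('_transient_timeout_') + 1))
WHERE t.option_name LIKE '\_transient\_timeout\_%'
  AND CAST(t.option_value AS UNSIGNED) < UNIX_TIMESTAMP();

-- 3. The same for site transients, which on a single site also live in wp_options.
DELETE t, v
FROM wp_options AS t
JOIN wp_options AS v
  ON v.option_name = CONCAT('_site_transient_',
                            SUBSTRING(t.option_name, LENGTH('_site_transient_timeout_') + 1))
WHERE t.option_name LIKE '\_site\_transient\_timeout\_%'
  AND CAST(t.option_value AS UNSIGNED) < UNIX_TIMESTAMP();
```

Run the first query again afterwards to see what the deletions bought you. If the site uses a persistent object cache (Redis, Memcached), transients are not in wp_options at all and this does nothing. Newer WordPress versions ship delete_expired_transients() in core and WP-CLI has wp transient delete --expired, which do the same job from PHP.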

If you look closely, we are building the structure that, when exported, turns what we now declare as text into HTML code that our WordPress editor understands and displays as a table. The resulting text, which the blog reads as code, is this:

The Body of the Table

The next concatenate() function is for the remaining rows, and combines the data of each row with <tr> and <td> tags.

This function is entered first in cell I3. Once we have it, we only have to copy it down to the rest of the rows in the column. The cell references in the function are relative, so the function copied to the other rows adapts to reference the cells of its own row. Your spreadsheet does that on its own.

The concatenate() function specific to the body rows of the table is the one below:

Once you have copied the formula into the following rows you will have something like this …

Well, you now have the basis of what you need to make your table in HTML.

Moving on to XHTML

What follows is a little trick that uses the spreadsheet's paste special feature. You just have to copy the cells and paste them as I explain:

Copy cell I2, which is where we had the values for the header.

Do a paste special, or paste values (it depends on the spreadsheet you use), into another cell in that same column. Do the same in the following rows of the column with each row. What you get is a column with the values as plain text, with no reference to spreadsheet functions.

Once you have all the values you just have to copy them into your HTML editor and you get what you were looking for: all the tags and values of your table (only without the opening and closing <table> tag).

Here you have the result:

        JANUARY  FEBRUARY  MARCH  APRIL  MAY   JUNE
UNO     1500     1800      1800   2600   2300  2500
DOS     2000     1600      1700   1900   2300  2400
THREE   3000     2500      2300   2800   3100  3000
FOUR    1400     1100      900    1100   1400  1500

Although it seems somewhat tedious, I assure you it is much less so than writing hundreds of "tr" and "td" by hand. In this example we have few rows, but imagine a table with dozens of them.

Thank you


Create tables in HTML • WordPress Help

Several times I have complained about the mistake of not including a simple table-creation function in the WordPress editor. I don't think it is just an obsession of mine; I think that to give blogs a professional look, tables are one of the most striking and flexible style resources for displaying many kinds of information.

Well, although there are plugins that add this kind of utility, you don't need to install anything, because there is Kotatsu, a table generator that, once you finish adding your rows, columns and classes, generates the HTML code for you to paste into your editor, so you don't have to write dozens of "tr" and "td".

You only have to add your text between the generated tags. Neat, huh?

In a few days I will prepare an article with a more elaborate method for getting something similar. I'm sure you will like it, and you can't imagine how it is done; you'll see.