Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Wordfence Security

    (@mmaunder)

    No. If someone has the ability to run SQL on your site you’re already in trouble. They would just run ‘show tables’ and get a list of tables. The idea that a security plugin should hide your tables by changing the table prefix to somehow hackerproof your site is absurd.

    Regards,

    Mark.

    Thread Starter andrezasv

    (@andrezasv)

    I do not understand why this idea is absurd. Please, clarify to me.

    I’m in doubt to which plugin I have to use in my network: yours or https://wordpress.org/plugins/better-wp-security/

    Now, I’m comparing the features of both. If you have something to tell me, please, I would like to know 🙂

    Thank you very much for your attention.

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi Andrez,

    I’ll explain:

    You need to ask: Why would I want to change the prefix of my database tables?

    Because if a hacker does SQL injection they will not know my table names and so they won’t know what table name to include in the SQL statement.

    But if they can do SQL injection, they can just run the “show tables” SQL command and get your list of tables anyway. So that makes changing the table prefix completely pointless.

    Also, if they can do SQL injection, you need to fix the plugin, theme or file that is allowing SQL injection, rather than trying to work around it.

    Does that make sense?

    Regards,

    Mark.
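
Added example, not part of the thread or of Wordfence's code: the point made in the reply above, using Python's `sqlite3` as a stand-in for the site's MySQL database. The prefix `x7q_`, the tables and both search functions are constructed for illustration, and SQLite's `sqlite_master` catalog plays the role of `show tables`.

```python
import sqlite3

# Hypothetical custom table prefix, chosen so the names cannot be guessed.
PREFIX = "x7q_"


def make_db():
    """Build a constructed in-memory database with renamed tables."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {PREFIX}posts (id INTEGER, title TEXT)")
    db.execute(f"CREATE TABLE {PREFIX}users (id INTEGER, user_login TEXT)")
    db.execute(f"INSERT INTO {PREFIX}posts VALUES (1, 'Hello world')")
    db.execute(f"INSERT INTO {PREFIX}users VALUES (1, 'site_admin')")
    return db


def search_vulnerable(db, term):
    # Flaw: request input is concatenated into the SQL text.
    sql = f"SELECT title FROM {PREFIX}posts WHERE title LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db, term):
    # Fix: the input is bound as a value and is never parsed as SQL.
    sql = f"SELECT title FROM {PREFIX}posts WHERE title LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]


# Constructed input that makes the flawed query read the database's own
# catalog; no knowledge of the prefix is needed to write it.
CATALOG_INPUT = "zzz' UNION SELECT name FROM sqlite_master WHERE type='table' --"


def demo():
    db = make_db()
    return {
        # The renamed tables come back despite the unguessable prefix.
        "vulnerable": sorted(search_vulnerable(db, CATALOG_INPUT)),
        # The same input is only a search string that matches nothing.
        "parameterized": search_parameterized(db, CATALOG_INPUT),
        # Ordinary searches still work after the fix.
        "normal": search_parameterized(db, "Hello"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The prefix is identical in both functions; only the way the query is built changes the outcome.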

    Thread Starter andrezasv

    (@andrezasv)

    Yes, thanks. But, anyway, changing the name of the tables is a little obstacle to some hackers. In future, can you implement this feature?

    Other interesting features are:
    – rename the admin account
    – reports changes to the filesystem and database
    – detects hidden 404 errors
    – remove meta generator
    – change the login and admin urls

    Do you intend to implement them?

    Does your plugin minimize SQL Injection? Or do you know some plugin to help in this sense?

    Thanks.

    Thread Starter andrezasv

    (@andrezasv)

    Changing the table names is also important to hide the fact that you are using wordpress.

    Changing your database table prefix of an established from the original wp can be carried out by following the tutorial here: http://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prefix-to-improve-security/

    Changing the username of the administrator from the admin default is part of good security housekeeping by the site administrator, alongside other hardening WordPress steps: http://codex.wordpress.org/Hardening_WordPress

    Wordfence has options to hide your WordPress version, block or throttle login attempts through the firewall.

    As far as hiding your login/admin folders by renaming them, security through obscurity is considered questionable.
    You are better off using two factor authentication (offered by Wordfence premium), or restricting access by IP address.

    Plugin Author Wordfence Security

    (@mmaunder)

    Again, I really don’t recommend changing your DB prefix because it’s a risky endeavor and doesn’t improve security. It’s like removing the www prefix from your website and changing it to ‘hidden’ in the hope that a hacker won’t find you.

    There seems to be a lot of misunderstanding around this e.g. @andrezasv you are under the impression that this somehow relates to hiding that you’re running WordPress and it’s completely unrelated.

    I agree with @Barnez regarding changing your admin username, hiding your WordPress version (Wordfence does this), throttling login attempts and the ability to block them (Wordfence does this).

    Also agree with @Barnez regarding not changing your folders.

    What you want to be doing is running a fairly standard system that will be compatible with any themes and plugins you use, but is also rock solid secure, and you can get that with Wordfence.

    Regards,

    Mark.

  • The topic ‘Change database prefix table’ is closed to new replies.