Secure WordPress – Change table prefix after installation
I’m doing a security audit of one of my sites, and I realize that the table prefix for my site is wp_…. Is there any way I can change this after WordPress has been installed? Or would I have to reinstall WordPress, implement the theme, then import content?
You could change the table prefixes via phpMyAdmin (or another database management tool) and then amend your site’s wp-config.php file to suit. But do please back up your database and your current wp-config.php file first.
phpMyAdmin (long way)
Plugin (easy way)
Like esmi said, back up your database first. Do NOT skip this step.
Free plugin that features table prefix renaming: http://wordpress.org/extend/plugins/better-wp-security/
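The manual rename described above, written out as SQL for the phpMyAdmin SQL tab. This is an added example, not part of any post in the thread; it assumes MySQL or MariaDB, a single-site install on the default wp_ prefix, and uses x7k2_ as a constructed new prefix. Besides the tables, it covers the prefix-dependent keys stored inside the options and usermeta tables, which WordPress reads to find roles and capabilities.

```sql
-- Added example, not from the thread. x7k2_ is a constructed prefix; pick your own.
-- Dump the database and copy wp-config.php before running any of this.

-- 1. List every table on the old prefix. Plugins create their own tables,
--    so add anything listed here that the RENAME below does not cover.
SELECT table_name
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND LEFT(table_name, 3) = 'wp_';

-- 2. Rename the core tables. A multi-table RENAME TABLE renames all of them
--    or none. Drop the termmeta line on installs older than WordPress 4.4.
RENAME TABLE
  wp_commentmeta        TO x7k2_commentmeta,
  wp_comments           TO x7k2_comments,
  wp_links              TO x7k2_links,
  wp_options            TO x7k2_options,
  wp_postmeta           TO x7k2_postmeta,
  wp_posts              TO x7k2_posts,
  wp_terms              TO x7k2_terms,
  wp_termmeta           TO x7k2_termmeta,
  wp_term_relationships TO x7k2_term_relationships,
  wp_term_taxonomy      TO x7k2_term_taxonomy,
  wp_usermeta           TO x7k2_usermeta,
  wp_users              TO x7k2_users;

-- 3. The role definitions live in an option whose name embeds the prefix.
UPDATE x7k2_options
SET option_name = 'x7k2_user_roles'
WHERE option_name = 'wp_user_roles';

-- 4. Per-user capability keys embed the prefix too. Review first, then update.
--    If these are left behind, every account loses its role after the switch.
SELECT DISTINCT meta_key
FROM x7k2_usermeta
WHERE LEFT(meta_key, 3) = 'wp_';

UPDATE x7k2_usermeta
SET meta_key = CONCAT('x7k2_', SUBSTRING(meta_key, 4))
WHERE meta_key IN ('wp_capabilities', 'wp_user_level',
                   'wp_user-settings', 'wp_user-settings-time');

-- 5. Finally, in wp-config.php set:  $table_prefix = 'x7k2_';
--    Then log in as an administrator and confirm the dashboard loads.
```

Any other keys returned by the SELECT in step 4 that a plugin wrote using the table prefix need the same treatment.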
I want to put this out there.
It doesn’t matter.
Any semi-intelligent hacker will use $wpdb->prefix anyway while trying to bugger your DB, and since you absolutely have to have that working for plugins and themes to be able to add tables, all you’ve done is change the color of your front door. It won’t stop a thief.
I understand what you’re saying. What do you recommend for all WordPress installs for security? I have had multiple clients that have come to me being hacked and I really just want to be as secure as possible.
@ipstenu, good point but being in the security business for a number of years now I can say that not all hackers are that clever. What I’ve seen are bots hitting my sites with preloaded scripts to attempt to hack into my database assuming the prefix is wp_.
They also blindly hit them hoping to guess that I’m using an out of date theme, plugin, WordPress version, etc.
So you are right that a very skilled hacker could figure out a way, but I have multiple examples from my own sites (from blocked attack alerts) that show quite a number of times the hacker is guessing using automated software.
@protechig – If you’d like to chat about security, feel free to contact me. I’ve had sites hacked before and have a set number of things I always make sure to do to “help” with security. Aside from that, here’s a few tips:
1. Security always starts with the person/site owner. Being aware that this is a problem and taking steps to safeguard yourself and be prepared is top of the list.
2. Keep WP up to date – always.
3. Don’t trust free templates/themes. I’m not sure what sort of security checks themes in the WordPress.org section have in place (maybe someone can enlighten us), but I’ve seen lots of examples where free themes include some nasty code.
4. Be careful what plugins you use for the same reason I gave for Themes. Try to use reputable plugins, if possible.
5. I suggest changing your db prefix. Like I mentioned above, I’ve seen multiple instances where jerks try to hack my site by guessing that’s my database prefix and WordPress is out of date.
6. Don’t use free Wi-Fi. People can hack your computer, intercept your WordPress login if you choose to log in over free Wi-Fi, etc.
7. Use a good computer firewall and antivirus. Remember, keeping your WordPress blog secure involves more things than what you do to WordPress.
8. Never use unencrypted FTP. Use one of these instead:
Don’t trust free templates/themes
Perhaps free themes from shady sites – but I’m quite certain that spending money has nothing to do with quality. I’ve seen some pretty poorly coded paid themes out there.
There are plenty of really shady theme sites out there, and I agree to avoid them at all costs! Do the research, see what the rep of the vendor/site is.
I’ve seen lots of examples where free themes include some nasty code.
If any of these themes are in the WPORG Theme Repository, please contact security [at] wordpress.org with all of the relevant details. For plugins hosted here, contact plugins [at] wordpress.org.
@voodoo – The problem is how do you know if they are shady sites?
Check this article out. It’s a real eye opener when it comes to free themes.
You are right, though, spending money does not mean the person who coded the theme is straight as an arrow. I didn’t mean to imply that.
@esmi – thanks for the info.
About 90-95% of the websites that I make are on the Genesis framework, from what I hear it is extremely secure (according to a testimonial from Matt himself). I am also dabbling with Thesis, which, from my understanding is the same.
I am actually thinking about dabbling with things such as, _s, toolbox, and HybridCore, what are your opinions of them?
Also, I am considering going into the premium theme marketplace myself, do you have any recommendations for me? I want my works to be as secure as possible because I know from personal experience that the recourse can be devastating.