Support » Fixing WordPress » Security issues?

  • jbardy


    Hello, I am doing design work for a company and they want help with their existing wordpress website. Now I am new to wordpress/websites, and I just figured out how to access their site via SFTP and phpMyAdmin.

    I downloaded the Ultimate Secuirty Plugin and it says there are a few concerns.

    Database prefix is one of these concerns. I have no prior experience messing with SQL/SFTP/phpmyadmin, so is this something I could easily fix?

    I read this suggestion on actual wordpress documentation too, so I figure it’s something I should do.

    Here’s the tutorial I found to follow for it:

    I just want to make sure this tutorial follows the full procedure.
    I’ve made a backup of all my plugins, themes, and the sql database in the event I mess it up, but these feel like dangerous waters for me.

    I’m concerned because I’ve read this is something that should be done during the initial installation process of the site. I’m afraid doing it now won’t make all the necessary changes since there is content on the site unlike at the beginning.

    Can someone tell me if this is worth messing with and if I am looking to do it properly?

    Another “concern” that came up in the plugin was to remove the version number of the wordpress site. Because I have the latest, it does not matter, but it tells me to add a few snippets of code to the function.php file.
    This is something I would do via SFTP and is it something I should do regardless?

    Many thanks!

Viewing 10 replies - 1 through 10 (of 10 total)
  • samateo


    yes, the tutorial should work to change your db prefix.

    Removing the version of wp you use will do nothing to make it more secure. Anyone attempting to hack your site will be looking for and testing vulnerabilities not version number.

    That said, the following snippets (placed in your themes functions.php file) can remove the wp generator from your site and feeds.

    // remove version from head
    add_filter( 'the_generator', create_function('$a', "return '';") ); // return empty version
    remove_action( 'wp_head', 'wp_generator' ); // <meta name="generator"
    // remove version from feeds
    foreach( array('rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head') as $feed ) {
        remove_action( $feed, 'the_generator' );



    So is this something I should absolutely do?

    In the event that it messes something up, I have a plugin called PressBackup installed. There is a restore function as well; does this restore the database and all other content?

    Thanks again.



    “So is this something I should absolutely do?”

    It can’t hurt 😉 take a look at Hardening WordPress Under ‘Security through obscurity’ it reads …

    Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks.

    With respect to the plugin which I personally have never used, the text under ‘Warnings’ under ‘Other Notes‘ indicates you must ‘change permissions of ”themes” “plugins” and “uploads”’ I imagine this is because it will back up those areas of your site. I attempted to install the plugin but received a fatal error.

    Of course, you can always copy those folders to a safe area yourself (along with a copy of your database) before you change the db prefix.

    With respect to the code snippets, those can easily be removed if you decide to again advertise the version of WordPress you are running.



    Thanks again.

    I have updated everything manually, locally and on Dropbox.

    In the event that the site gets messed up, all I’d need to do is copy all files except for the SQL to the root folder via FTP.

    The SQL i’d have to import via phpMyAdmin, correct?

    If something gets messed up while changing the database prefix, wouldn’t I only need to re-import the SQL database via phpmyadmin and not touch the FTP files?

    Thanks again.



    yes, with phpMyAdmin you can import the sql you saved. The only file you may need to look at is wp-config.php in order to verify that you have the correct value for $table_prefix

    More information on editing wp-config here.



    Thanks a lot.

    Now, if I install a new theme via FTP, would I just remove all files within the current theme folder and replace with the new theme folder? Is this better to do than via the theme’s dashboard? I am going to purchase a premium theme, so I’m guessing you HAVE to install downloaded premium themes via FTP since they aren’t built into the wordpress database.

    That being said, is it a security issue to install premium themes from various websites?

    Installing a new theme via FTP would keep all my posts, plugins, and database I assume… I hope.

    Thanks a lot for the help, I am going to do great things once i sort out initial info.



    WordPress allows you to have multiple themes in the themes directory, each in it’s own folder. At any one time however, only one can be active.

    With the new Customizer feature added in WordPress 3.4, you can preview a theme in your admin area without making it active on the front-end. Click ‘Live Preview’ on an inactive theme or ‘Customize’ on your active theme.

    WordPress checks the theme repository when you search for themes inside the admin area. Some of those themes may have premium upgrades. Regardless, you can FTP any theme premium or other onto your server, just put it into the themes directory.

    A theme (any theme) can pose a security threat, even a premium theme. A good practice is to run Theme-Check on whatever theme you might use before it goes live.

    Installing themes should not affect your content or plugins. Depending on how you want the content to show up, your theme might need some tweaking in order for it to display the content as you would like.

    WordPress theme development is a good place to start to understand how themes are put together and how they can be extended.



    You’re a life saver. Here’s a few more questions while I got ya…

    This is a potential theme for the site:

    It seems this theme is popular; looks like they have video tutorials and a good support forum. It’s been downloaded tons of times and has lots of features. Seems like a better bang for the buck than most premium themes.

    Do you think all these options will cause problems?

    As for installation, thanks. I think I will probably keep the current theme files until the entire transfer is made, and FTP this new theme in and try the preview option from within wordpress dashboard to preview it. I heard some people have problems installing premium themes through dashboard instead of FTP.

    I expect hours of customization after install, but at least this theme comes ready to configure it, a couple great color styles too.

    I’ll make sure to run theme-checker. Do i have to have the theme installed and activated in order to run theme-checker?



    Hey Jbardy, you do have to have a theme installed to run the Theme-Check plugin over it, but it doesn’t need to be activated. There is a dropdown menu in Theme-Check for you to select any of your installed themes to be checked.



    Ahh that’s even better. I can check a theme before I even activate it.

    WordPress is starting to amaze me. I had no idea it had so many featuers at such an easy configuration (for the most part).

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Security issues?’ is closed to new replies.