WordPress Database Security: Why Change the Database Tables Prefix

The majority of reported WordPress database security attacks were performed by exploiting SQL injection vulnerabilities. By renaming the WordPress database table prefixes you increase the security of your WordPress blog and website against zero-day SQL injection attacks.

WordPress Database Security: The Prefix Guessing Game

By default, all WordPress database table names start with the prefix “wp_”, as shown in the screenshot below.

If a malicious user discovers a zero-day SQL injection vulnerability in WordPress (which does happen from time to time), then unless you have renamed the WordPress database table prefixes to something else, the malicious user can easily guess the WordPress database table names and exploit the vulnerability against your blog or website. To make things worse, there are a myriad of scripts and automated scanners available on the internet that specifically scan for and target WordPress blogs and websites. If a malicious user exploits such a vulnerability against your blog or website, he can:

  1. Gain administrative access to your blog.
  2. Tamper with your blog and website.
  3. Gain access to other sensitive databases on that server.
  4. Gain administrative access to your web server.

Therefore, by renaming the WordPress database table prefixes you are automatically strengthening your WordPress database security against such dangerous attacks, because the attacker would not be able to guess the table names. We recommend using hard-to-guess prefixes, such as long random strings that include both letters and numbers.

You can change your WordPress database table prefixes manually by following this step-by-step guide: How to manually change WordPress database table name prefix
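As an added example (not code from the original post, nor from the WebsiteDefender/WP Security Scan tool it describes), the Python below generates the SQL that a manual prefix change needs and rewrites the `$table_prefix` line of wp-config.php. The table list and the prefix values are constructed samples; the option and usermeta fix-ups cover the rows where WordPress stores the prefix as data, which a plain table rename leaves behind.

```python
import re
import secrets
import string

# Constructed sample: the core table names of a default single-site install.
DEFAULT_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_terms", "wp_term_relationships", "wp_term_taxonomy",
    "wp_termmeta", "wp_usermeta", "wp_users",
]
# WordPress refuses to start if $table_prefix contains anything but these characters.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

def random_prefix(length: int = 8) -> str:
    """Hard-to-guess prefix: `length` random letters/digits plus a trailing '_'."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + "_"

def validate_prefix(prefix: str) -> None:
    if not PREFIX_RE.match(prefix):
        raise ValueError("prefix may only contain letters, digits and underscores")
    if not prefix.endswith("_") or prefix == "wp_":
        raise ValueError("prefix must end with '_' and differ from the default wp_")

def rename_statements(tables, old_prefix, new_prefix):
    """SQL to rename every table, then fix the rows where WordPress stores the
    prefix as data ('<prefix>user_roles' option, '<prefix>capabilities' usermeta);
    skipping those locks every user out of the dashboard after the rename."""
    validate_prefix(new_prefix)
    targets = [t for t in tables if t.startswith(old_prefix)]
    if not targets:
        raise ValueError(f"no tables start with {old_prefix!r}")
    stmts = [f"RENAME TABLE `{t}` TO `{new_prefix}{t[len(old_prefix):]}`;" for t in targets]
    n = len(old_prefix)
    # LEFT() rather than LIKE: in LIKE 'wp_%' the underscore is itself a wildcard.
    for table, col in ((new_prefix + "options", "option_name"), (new_prefix + "usermeta", "meta_key")):
        stmts.append(f"UPDATE `{table}` SET {col} = CONCAT('{new_prefix}', SUBSTRING({col}, {n + 1})) "
                     f"WHERE LEFT({col}, {n}) = '{old_prefix}';")
    return stmts

def update_wp_config(config_text: str, new_prefix: str) -> str:
    """Rewrite the $table_prefix assignment so wp-config.php matches the renamed tables."""
    validate_prefix(new_prefix)
    pattern = r"""(\$table_prefix\s*=\s*)(['"])[^'"]*\2\s*;"""
    new_text, count = re.subn(pattern, lambda m: f"{m.group(1)}{m.group(2)}{new_prefix}{m.group(2)};",
                              config_text, count=1)
    if count != 1:
        raise ValueError("no $table_prefix assignment found in wp-config.php")
    return new_text
```

Run the generated statements inside one transaction after taking a backup, and write the new wp-config.php only once the statements have succeeded.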

  • To use your WP Security Scan tool to change the names of the table files I need to type in the names of the table files I want to change, is there a master list somewhere of what all the file names are?

    I see 11 different files in your sample, is that all of them? How do I know which files are table file and files I need to rename?

    Probably a dumb question…

  • Julie, it’s only asking you to change the prefix. There’s no need to do each table. Just change wp_ to rt_ (or something like it) and hit Start Renaming. You’re done.

  • What effect will changing the prefixes have on the database of the site?

    • Hi Debra,

      If you change the database prefixes you will be making it more difficult for a malicious user to hack your site in case there is a 0 day SQL injection on WordPress.

    • Hi Erhan,

      No, it does not affect SEO. Such a change is done in the “internals” of WordPress, therefore it is transparent to the public.

  • I have a wordpress install that has well over 40 subdomains membersite on a multisite install all using a central theme and so if I rename the wp_ to something else will it break the system and is there a way I can do the renaming so as not to break the site?

    • Hi nueranet,

      Thank you for showing interest in our products. Unfortunately the database table prefix renaming tool does not support multisite installs yet. We are working on a solution. Follow us on our blog or any of our social media networks to stay updated with our updates.

  • Seems wrong to me, because if there is a SQLi issue, the attacker also has access to information_schema.tables (MySQL), etc., so all of this would just be security by obscurity.

    Let me know if I am wrong with that.

    • Hi Gerrit,

      Yes, it is a wrong presumption. It depends on what access the user being used to access the WordPress database has. If you use the root account, then yes, unfortunately the malicious user will have access to all other databases. If you use a specific user just for the WordPress database, then you are safe.

  • Erm. No?

    The attacker can brute force the table names, so it’s still security by obscurity. Maybe you can delay the full access to the tables by some seconds, not even minutes.

    In my job as a developer I have tested some of these SQLi tools, to learn how they work. These tools automate the whole attack, after you give them a vulnerable URL. As a normal db user, the table names were also determined quickly by brute force.

    Changing the prefix doesn't affect that much.

    • Hi Gerrit,

      Thank you for your response.

      From our experience, renaming the table prefixes helps a lot. Obviously, using a prefix like 123 is different from using nf4u1Gn85Rg21n 😉

      Thank you.

  • Aren’t table names just a SHOW TABLES away anyway?

    Once your installation is vulnerable to SQL injection, you’re pretty much an open target, no matter what table prefix you’re using.

    • Hi Alexandre,

      The whole point of renaming the tables is to make it more difficult for malicious users to exploit a 0 day SQL injection against your WordPress installation, not to protect yourself when a user already exploited the SQL injection. Prevention is always better than cure.

  • By renaming the prefixes does that affect future upgrades of the theme or of WordPress itself?

    • Hi Bridget,

      No, it does not affect any of those in any way.

  • I can’t see where I need to go or what button to hit to have this automated. Help? 🙂

  • What about integrations? Does the changing of the files impact any integrations done with other plugin tools – such as Paypal or 3rd party applications?

    • Hi Simonee,

      Such change should in no way affect any kind of integration.

  • give us some examples of a good name. can we keep wp_ or should we not use wp_ at all?

    Does this affect upgrading WordPress or the speed at which the site loads? Does it affect themes or other components of WP?

    • Hi,

      Ideally you should have an 8-character alphanumeric value instead of wp_.

      It will not affect any WordPress or plugin upgrades and definitely does not affect the website loading speed.

  • I have a WP e-commerce installation that I have spent the last few months setting up. Are there any potential problems with changing the table prefix? If there is even a risk then it may not be worth it at this time.

    • Hi Jesse,

      There are no risks involved in renaming the WordPress database table prefixes. Though I always recommend making a full backup in case the unexpected happens.

  • I have one question: I am using the default database prefix. If I change it, will my website crash?

  • In response to the comment about brute force hacking of the obscure prefix. No plugin shuts all the doors on its own. In addition to this rather neat script I also use something like Limit Login Attempts. This does at least slow the hacker’s access to a crawl unless he’s got unlimited proxies 😉

  • Changing the prefix wp_ into something else, won’t it harm my data?

    Thanks

    • @Azubuike – No, changing the prefix won’t harm your data. If you are worried about making any changes, make a backup of your site first.

  • Hello,

    Will changing the prefix break all the links to pictures and other things I have in my posts? Thanks!

    • Hi Ryan,

      No, it will not break anything. Such a change is done in the “internals” of WordPress and is unnoticeable from the outside.

  • In WSD it states:

    Before running this script:

    – Make a backup of your database.
    – The wp-config.php file must be set to writable before running this script. (Yes)
    – The database user you’re using with WordPress must have ALTER rights. (Yes)

    The (Yes) items above are in green, HOWEVER when viewing my wp-config file the permission is set to 644.

    So the question is, can I go ahead and put in a different table prefix and hit “Start Renaming” OR do I still need to change the wp-config file to 777?

    Thanks
    Phil

    • Hi Phil,

      To be on the safe side I would recommend you to change the wp-config.php file permissions to 777. Once the change is done, revert back the permissions.

  • Why would changing the prefix stop a hacker? It wouldn’t.
    If they can gain access to the wp-config.php file and connect to the database using a plugin or similar method then all it would take is a simple show tables mysql command to see the table names.

    Security through obscurity is risky and leads people into a false sense of security. You’re probably better off securing / locking down portions of your site to prevent abuse.

    • Hi Ben,

      This security precaution is not a protection for when a hacker gains access to your wp-config file, and neither is it security through obscurity. This procedure will only protect you from zero-day SQL injections. So if a hacker manages to exploit a zero-day SQL injection against your WordPress site, he cannot simply predict the table names and retrieve all the data from your database but has to guess the table names. As you can see, this is an extra precaution you can take for making sure your WordPress is bullet proof 🙂

  • What is a “zero day” SQL injection? I have seen this term used a number of times with regard to this plug-in, but am not sure what it means. Thanks.

  • Hi SF

    A zero-day SQL injection attack exploits an SQL injection vulnerability that exists in a web application and of which there was no awareness before. That means no security measures were applied against it. Thus, in case this vulnerability is exploited, by changing the table prefix of the WordPress database the attacker will have to guess the table names before accessing them. So, even if the attacker exploits the vulnerability to gain access to the WordPress database, the attacker has to guess the table names as well before gaining access to the database data.

    Thank You

    ———

    Stay tuned with the latest news and updates by subscribing to our WebsiteDefender Facebook account http://www.facebook.com/WebsiteDefender or follow us on Twitter http://twitter.com/websitedefender .

    Remember, stay secure!

  • It is my understanding that Google and WordPress have had or are in heated discussions/disagreements with each other.

    And as such Google have downgraded most if not all WordPress sites (including mine) through their Panda and Penguin updates to search engine obscurity, that is traffic to our websites have greatly reduced!

    Would installing the WebsiteDefender plugin, which allows the WordPress database tables with the “wp_” prefix to be changed to something else, increase our website rankings as well as securing our websites from malicious attacks?

    I apologize in advance if this is a childish/naive question

  • Hi Naresh

    The WebsiteDefender database table prefix change feature is used as a security measure against zero-day SQL injection attacks and is not related to the ranking process of a website.

    Thank You


  • Hi,
    I’ve been renaming my db prefix to something like wp_jndk8hen48_
    Would it be safer to simply drop the wp_ altogether and name it something like: jndk8hen48_ ?

    If so, I’d be curious why that is the case. Thx

  • @Lorenzo,

    That should be fine, as long as you change the names which are used by WordPress by default. Attackers will try to guess the names of the databases using the default names. The ‘random’ characters you inserted in the names of the tables should stop such attacks.
