The majority of reported WordPress database security attacks were performed by exploiting SQL Injection vulnerabilities. By renaming the WordPress database table prefixes you are increasing the security of your WordPress blog and website from zero day SQL injections attacks.

WordPress Database Security: The Prefix Guessing Game

By default, all WordPress database tables’ names start with the prefix “wp_” as shown in the screen shot below.

If a malicious user discovers a zero day SQL injection vulnerability in WordPress (which does happen from time to time), unless you rename the WordPress database table prefixes to something else, the malicious user can easily guess the WordPress database table names and exploit the vulnerability against your blog or website.  To make things worse, there are a myriad of scripts and automated scanners available on the internet that specifically scan and target WordPress blogs and websites. If a malicious user exploits such vulnerability against your blog or website, he can:

  1. Gain administrative access to your blog.
  2. Tamper your blog and website.
  3. Gain access to other sensitive databases on that server.
  4. Gain administrative access to your web server.

Therefore by renaming the WordPress database table prefixes, you are automatically enforcing your WordPress database security against such dangerous attacks because the attacker would not be able to guess the table names. We recommend to use difficult to guess prefixes, like long random strings which include both letters and numbers.

You can manually change your WordPress database table prefixes manually by following this step by step guide; How to manually change WordPress database table name prefix


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.