Auto-generating random WordPress database prefix to improve security
At the moment, a database prefix in each new WordPress instalation is set "wp_". This is makes a website insecure.
Could you auto-generate a random database prefix to fix that?
I'm havint this issue with my blog as well here http://teampages.com/teams/1876810-Blogger-House--other--team-website/announcements
Why is this still not developed? Shouldn't be that hard and for security this would be very good!
Even after reading the Wordfence blog post that Ron posted, I think this is still a good feature request.
There is zero downside to generating a prefix with some random characters -- if it's done at the time of installation, which is what we're talking about here.
The upside might be small, but there's still a benefit. Even if it makes sites *slightly* less vulnerable, why not do it?
Ron, I have read most of the articles you shared.
The main point that I see of the article is that changing the database prefix doesn't improve the security as there is a way for hackers to identify the changed database prefix, and changing it on a live site might cause issues.
However, if the hacker or a bot does not know the way to detect the new database prefix, changing it improves makes it more work for them to hack your site.
The idea is to auto-generating a random WordPress database prefix when the new application is created so that people do not need to try to change it on a live site.
In my opinion, there is still a benefit to changing the database prefix.
Ron Seigel commented
Downvoting this one 100%. Seems some here need to learn more about securing WP.
I would use IThemes security. It's better and easier than wordfence for security anyway! It will also change the DB prefix for you in the "advanced settings" back up your DB first though!!!
Yes, they are tools that will help you do that, but it should be automated. Making life of all of us easier.
John C commented
This is a good tool for that: https://wordpress.org/plugins/db-prefix-change/
Bruce Munson commented
I absolutely agree and support this!
It is a WordPress security step that should always be done.