Automatic table name randomization for improved security
Reported by: hexley | Owned by: (not set)
With the recent security exploits leaving users' logins and passwords leaked into the open, I was thinking that perhaps there may be a way to make SQL injection attacks more challenging for the hackers.
The table names within WP are widely known. Certainly they can be changed, but that is something I rarely see done, and it takes user intervention. The current default table naming convention is wp-table_name.
On a new installation, perhaps it could be created so that table names take the form of:
The random bits would be known and could be easily included in the config file, or in the config file data that a user copies and pastes.
This would add one additional layer of information that a would-be hacker needs to know in order to act against the database with an SQL injection style attack. It definitely does not cover all aspects, as there is still a chance for UPDATE, DELETE, and INSERT to be issued against known page IDs; however, injecting a DROP, RENAME, download, or other larger operation would now essentially be password protected.
While the rand() part may not be terribly long, it should be enough of a deterrent that the hacker gives up and moves along to an easier target. I understand this is merely security by obscurity, but for the rather simple implementation versus the payoff in the challenge it imposes on the hacker, I feel it is worth it. I don't see a downside, and while we would all like not to have to deal with workarounds such as this, with open source code and rapid releases leaving users running old/legacy code, this could add that one small layer that protects those users a bit more than nothing.
Thanks for your consideration.
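Added example (not the reporter's code and not WordPress core code): one way an installer could realise the proposal above, generating a random table prefix with a CSPRNG and writing it into the real `$table_prefix` setting that wp-config.php already carries. The `generate_table_prefix`, `render_prefix_line` and `write_prefix_to_config` names, the six-character random part, and the `wp_<random>_` shape are assumptions for illustration; the page itself leaves the exact form unspecified. Assumes PHP 7 or later for `random_int()`.

```php
<?php
// Added example, not WordPress core. Generates a random table prefix of the
// assumed form "wp_<random>_" and writes it into the $table_prefix line that
// wp-config.php (copied from wp-config-sample.php) already contains.

function generate_table_prefix(int $random_chars = 6): string
{
    // Unquoted MySQL identifiers are limited to [A-Za-z0-9_$]; keep the random
    // part to lowercase letters and digits so $wpdb never needs to quote names.
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $random   = '';
    for ($i = 0; $i < $random_chars; $i++) {
        // random_int() draws from the OS CSPRNG; rand()/mt_rand() would be
        // predictable, which defeats the whole point of the prefix.
        $random .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    // A leading "wp_" keeps the identifier from starting with a digit and keeps
    // the familiar prefix that plugins and tooling expect.
    return 'wp_' . $random . '_';
}

function render_prefix_line(string $prefix): string
{
    // Validate before emitting into PHP source so a bad value can neither break
    // wp-config.php nor smuggle code into it.
    if (!preg_match('/^[a-z0-9_]+$/', $prefix)) {
        throw new InvalidArgumentException('table prefix must match [a-z0-9_]+');
    }
    return "\$table_prefix = '" . $prefix . "';";
}

function write_prefix_to_config(string $path, string $prefix): void
{
    $config = file_get_contents($path);
    if ($config === false) {
        throw new RuntimeException("cannot read $path");
    }
    $line    = render_prefix_line($prefix);
    $count   = 0;
    // Replace exactly the stock "$table_prefix = 'wp_';" line; a callback avoids
    // any "$n" back-reference interpretation in the replacement text.
    $updated = preg_replace_callback(
        '/^\$table_prefix\s*=\s*\'[^\']*\';/m',
        static function (array $m) use ($line): string { return $line; },
        $config,
        1,
        $count
    );
    if ($count !== 1) {
        throw new RuntimeException('expected exactly one $table_prefix line');
    }
    if (file_put_contents($path, $updated, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $path");
    }
}

// Usage at install time (the wp-config.php path is an assumption):
$prefix = generate_table_prefix();
echo render_prefix_line($prefix), PHP_EOL;
// write_prefix_to_config(__DIR__ . '/wp-config.php', $prefix);
```

Running the script prints a fresh `$table_prefix = 'wp_......_';` line; uncommenting the last call rewrites an existing wp-config.php in place. A practitioner caveat worth keeping alongside the ticket: the prefix is a secret only until the first query that reads `information_schema.TABLES` or triggers a verbose database error, so it raises the cost of a blind injection but is not a substitute for parameterised queries such as `$wpdb->prepare()`.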