Promote security during installation

[FR_lucien]

Hi,
during the installation process, the purpose of the table prefix is commented by the text "Table prefix (if you want to run more than one WordPress in a single database)".
IMHO, it could be interesting to make new WordPress users aware of the security advantage of a having a non-standard prefix, and advise them to change the field value in any case.
Lucien

[pento]

Thank you for the suggestion, @FR_lucien!

This kind of security feature fits in the same basket as other obfuscation techniques - hiding the version of WordPress, or that a site is running WordPress, or anti-spam techniques that rely on browser vs. bot behaviour. They only work because very few people use them - it's not worth the time of attackers to build their scripts to deal with it.

If we were to directly encourage people to change their table prefix, attackers would stop hardcoding the table name, and start detecting it, instead.

For example, an attacker wanting to get the wp_users table would try to inject:

SELECT * FROM wp_users;

It's fairly simple to write an alternative version of this that doesn't depend on the table name being wp_users:

SET @query = CONCAT( 'SELECT * FROM ', (SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME LIKE '%users') );
PREPARE stmt FROM @query;
EXECUTE stmt;

So, while there is some value in changing the table prefix, that value only exists while WordPress Core doesn't encourage the practice.

[FR_lucien]

Thank you for your comment @pento