Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#38251 closed enhancement (wontfix)

Promote security during installation

Reported by: FR_lucien Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Upgrade/Install Keywords:
Focuses: Cc:

Description

Hi,
during the installation process, the purpose of the table prefix is commented by the text "Table prefix (if you want to run more than one WordPress in a single database)".
IMHO, it could be interesting to make new WordPress users aware of the security advantage of having a non-standard prefix, and advise them to change the field value in any case.
Lucien

Change History (2)

#1 @pento
8 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed
  • Version 4.6.1 deleted

Thank you for the suggestion, @FR_lucien!

This kind of security feature fits in the same basket as other obfuscation techniques - hiding the version of WordPress, or that a site is running WordPress, or anti-spam techniques that rely on browser vs. bot behaviour. They only work because very few people use them - it's not worth the time of attackers to build their scripts to deal with it.

If we were to directly encourage people to change their table prefix, attackers would stop hardcoding the table name, and start detecting it, instead.

For example, an attacker wanting to get the wp_users table would try to inject:

SELECT * FROM wp_users;

It's fairly simple to write an alternative version of this that doesn't depend on the table name being wp_users:

SET @query = CONCAT( 'SELECT * FROM ', (SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME LIKE '%users') );
PREPARE stmt FROM @query;
EXECUTE stmt;

So, while there is some value in changing the table prefix, that value only exists while WordPress Core doesn't encourage the practice.
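
As an added example that is not part of this ticket or of WordPress itself, here is a small Python audit that applies the point above from the defender's side. Run over a constructed sample of captured statements (the prefix wpx9_ and the query log are invented), it flags hardcoded default-prefix table names, which a non-standard prefix does defeat, and INFORMATION_SCHEMA / PREPARE-based lookups, which it does not, so that alerting rests on the second signal rather than on the prefix.

```python
import re

# Constructed sample of statements, as a DB proxy or query-logging plugin might
# capture them. Illustrative only, not taken from any real site.
SAMPLE_QUERIES = [
    "SELECT option_value FROM wpx9_options WHERE option_name = 'siteurl'",
    "SELECT * FROM wp_users;",
    "SET @query = CONCAT( 'SELECT * FROM ', (SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES "
    "WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME LIKE '%users') );",
    "PREPARE stmt FROM @query;",
    "EXECUTE stmt;",
    "SELECT ID, user_login FROM wpx9_users WHERE ID = 1",
]

DEFAULT_PREFIX = "wp_"
# Core table names without prefix, as created by a default WordPress install.
CORE_TABLES = ("users", "usermeta", "posts", "postmeta", "options", "comments",
               "commentmeta", "terms", "term_taxonomy", "term_relationships",
               "termmeta", "links")

def audit_query(sql: str, prefix: str) -> list[str]:
    """Reasons a statement looks like it did not come from this install.

    Signal 1: a default-prefixed core table (wp_users, ...) while the site uses
    another prefix; this is the hardcoded guess a custom prefix defeats.
    Signal 2: INFORMATION_SCHEMA enumeration, wildcard TABLE_NAME matching or
    PREPARE ... FROM @var; this is the form a custom prefix does NOT defeat.
    """
    findings = []
    upper = sql.upper()
    if prefix != DEFAULT_PREFIX:
        for table in CORE_TABLES:
            if re.search(rf"\b{DEFAULT_PREFIX}{table}\b", sql, re.IGNORECASE):
                findings.append(f"hardcoded default table {DEFAULT_PREFIX}{table}")
    if "INFORMATION_SCHEMA.TABLES" in upper:
        findings.append("table-name enumeration via INFORMATION_SCHEMA.TABLES")
    if re.search(r"TABLE_NAME\s+LIKE\s+'%", upper):
        findings.append("wildcard match on TABLE_NAME (prefix-independent lookup)")
    if re.search(r"\bPREPARE\s+\w+\s+FROM\s+@", upper):
        findings.append("dynamic SQL executed from a session variable")
    return findings

def audit_log(queries, prefix):
    """Map each flagged statement to its findings; clean statements are omitted."""
    report = {}
    for sql in queries:
        hits = audit_query(sql, prefix)
        if hits:
            report[sql] = hits
    return report
```

With the sample above and prefix wpx9_, the hardcoded wp_users query and the two enumeration statements are reported; the install's own wpx9_ queries are not.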

#2 @FR_lucien
8 years ago

Thank you for your comment, @pento.
