WordPress.org

Make WordPress Core

#47512 closed enhancement (wontfix)

Added default unique prefix to database

Reported by: jweston
Owned by:
Milestone:
Priority: normal
Severity: trivial
Version:
Component: Security
Keywords: close
Focuses:
Cc:

Description

Used `uniqid()` in "setup-config.php" to generate a unique wp_ prefix in the installation. This is only affecting the default setup form, so I don't believe this should have a major effect on any other functionality.

Attachments (2)

#47512.diff (1.0 KB) - added by jweston 14 months ago.
#47512.2.diff (1.1 KB) - added by jweston 14 months ago.
Made modification more in line with WP coding standards

Change History (6)

#1 @Ryan_B
14 months ago

I have to ask...why?

You listed the component as "security" but this would have no impact on security. The prefix is not secret and can be found out. In fact, as far as I know, the only reason they have a customizable prefix is to allow running multiple WordPress installs from one database.

All that to say I would not expect this to be added.

#2 @Presskopp
14 months ago

  • Keywords close added

This is no security improvement, see for example

https://www.wordfence.com/blog/2016/12/wordpress-table-prefix/

#3 @jweston
14 months ago

Thanks for the Wordfence article, looks like I misunderstood the purpose of unique prefixes. Would resolving this as "invalid" be the correct way to close this ticket?

#4 @johnbillion
14 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed
  • Version trunk deleted

I'm surprised that Wordfence article glosses over blind SQL injection, because that's the main reason for advocating for changing the table prefix (other than its intended use of supporting multiple sites in one database).

That said, the general consensus is that this is security by obscurity and doesn't offer much real world protection.

Thanks anyway for the suggestion @jweston!
