Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#47512 closed enhancement (wontfix)

Added default unique prefix to database

Reported by: jweston
Owned by:
Milestone:
Priority: normal
Severity: trivial
Version:
Component: Security
Keywords: close
Focuses:
Cc:

Description

Used `uniqid()` in "setup-config.php" to generate a unique wp_ prefix in the installation. This is only affecting the default setup form, so I don't believe this should have a major effect on any other functionality.

Attachments (2)

#47512.diff (1.0 KB) - added by jweston 5 years ago.
#47512.2.diff (1.1 KB) - added by jweston 5 years ago.
Made modification more in line with WP coding standards


Change History (6)

@jweston
5 years ago

Made modification more in line with WP coding standards

#1 @anonymized_6443559
5 years ago

I have to ask...why?

You listed the component as "security" but this would have no impact on security. The prefix is not secret and can be found out. In fact, as far as I know, the only reason they have a customizable prefix is to allow running multiple WordPress installs from one database.

All that to say I would not expect this to be added.

#2 @Presskopp
5 years ago

  • Keywords close added

This is no security improvement, see for example

https://www.wordfence.com/blog/2016/12/wordpress-table-prefix/

#3 @jweston
5 years ago

Thanks for the Wordfence article, looks like I misunderstood the purpose of unique prefixes. Would resolving this as "invalid" be the correct way to close this ticket?


#4 @johnbillion
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed
  • Version trunk deleted

I'm surprised that Wordfence article glosses over blind SQL injection, because that's the main reason for advocating for changing the table prefix (other than its intended use of supporting multiple sites in one database).

That said, the general consensus is that this is security by obscurity and doesn't offer much real-world protection.

Thanks anyway for the suggestion @jweston!
