Opened 21 months ago
Closed 21 months ago
#47512 closed enhancement (wontfix)
Added default unique prefix to database
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | trivial | Version: | |
| Component: | Security | Keywords: | close |
| Focuses: | | Cc: | |
Description
Used `uniqid()` in "setup-config.php" to generate a unique wp_ prefix in the installation. This is only affecting the default setup form, so I don't believe this should have a major effect on any other functionality.
Attachments (2)
Change History (6)
#1
21 months ago
I have to ask...why?
You listed the component as "security" but this would have no impact on security. The prefix is not secret and can be found out. In fact as far as I know the only reason they have a customizable prefix is to allow running multiple WordPress installs from one database.
All that to say I would not expect this to be added.
#2
21 months ago
- Keywords close added
This is no security improvement, see for example
https://www.wordfence.com/blog/2016/12/wordpress-table-prefix/
#3
21 months ago
Thanks for the WordFence article, looks like my knowledge was out of date. Would resolving this as "invalid" be the correct way to close this ticket?
#4
21 months ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
- Version trunk deleted
I'm surprised that Wordfence article glosses over blind SQL injection, because that's the main reason for advocating for changing the table prefix (other than its intended use of supporting multiple sites in one database).
That said, the general consensus is that this is security by obscurity and doesn't offer much real world protection.
Thanks anyway for the suggestion @jweston!
Made modification more in line with WP coding standards