Opened 4 years ago
Closed 4 years ago
#47512 closed enhancement (wontfix)
Added default unique prefix to database
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | trivial | Version: | |
| Component: | Security | Keywords: | close |
| Focuses: | Cc: |
Description
Used 'uniqid()` in "setup-config.php" to generate a unique wp_ prefix in the installation. This is only affecting the default setup form, so I don't believe this should have a major effect on any other functionality.
Attachments (2)
Change History (6)
#1
@
4 years ago
I have to ask...why?
You listed the component as "security" but this would have no impact on security. The prefix is not secret and can be found out. In fact as far as I know the only reason they have a customizable prefix is to allow running multiple WordPress installs from one database.
All that to say I would not expect this to be added.
#2
@
4 years ago
- Keywords close added
This is no security improvement, see for example
https://www.wordfence.com/blog/2016/12/wordpress-table-prefix/
#3
@
4 years ago
Thanks for the WordFence article, looks like my knowledge was out of date. Would resolving this as "invalid" be the correct way to close this ticket?
#4
@
4 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
- Version trunk deleted
I'm surprised that Wordfence article glosses over blind SQL injection, because that's the main reason for advocating for changing the table prefix (other than its intended use of supporting multiple sites in one database).
That said, the general consensus is that this is security by obscurity and doesn't offer much real world protection.
Thanks anyway for the suggestion @jweston!
Made modification more in line with WP coding standards