Hi People,
Some people change their WordPress table prefix from wp_ to something random to reduce the risk of SQL injection.
Malcare and some others describe this as security through obscurity. How can one find the WordPress table name if someone has changed it?
https://www.malcare.com/blog/change-the-database-wordpress/
My guess is you’d need access to the database or file on the server to carry out the attack, or you would brute force something until you got a response indicating the right table prefix?
Hosts like WPEngine say they don’t do this as their platform has measures in place here, so I’m guessing the solution in many people’s view is not worth the effort or risk and should be mitigated elsewhere. What do you think?
https://wpengine.com/support/changing-table-prefix/
It seems like there are quite a few risks here and there are lots of warnings when doing this. Has anyone had any good or bad experiences doing this?
Is anyone doing this or not doing this, and why?
Looking forward to seeing what you think.
Thanks,
Had to do a proof of concept for a client to show them the issue and explain why they needed to fix it. One of the steps was to inject a query to list all of the database tables. So, depending on the specifics of the exploit, DB prefix doesn’t matter.
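
The point made in the reply above, as an added example that is not part of the original thread: once request input is concatenated into a query, the database's own schema catalog hands back every table name, so a renamed prefix hides nothing, while a bound parameter closes the hole. Assumptions: SQLite's `sqlite_master` stands in for MySQL's catalog so the block runs offline, and the prefix, tables and function names are constructed for illustration.

```python
import sqlite3

PREFIX = "x9k2q_"  # constructed "random" prefix standing in for a renamed wp_

def make_db():
    # In-memory database with two prefixed tables and one sample row.
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {PREFIX}posts (id INTEGER, title TEXT)")
    db.execute(f"CREATE TABLE {PREFIX}users (id INTEGER, login TEXT)")
    db.execute(f"INSERT INTO {PREFIX}posts VALUES (1, 'Hello world')")
    return db

def titles_concat(db, post_id):
    # Vulnerable: request input is pasted into the SQL text.
    sql = f"SELECT title FROM {PREFIX}posts WHERE id = {post_id}"
    return [row[0] for row in db.execute(sql)]

def titles_bound(db, post_id):
    # Hardened: input is bound as a value and never parsed as SQL.
    sql = f"SELECT title FROM {PREFIX}posts WHERE id = ?"
    return [row[0] for row in db.execute(sql, (post_id,))]

# Constructed input: appends a second SELECT that reads the schema catalog.
CATALOG_INPUT = "0 UNION SELECT name FROM sqlite_master WHERE type = 'table'"

def demo():
    db = make_db()
    return titles_concat(db, CATALOG_INPUT), titles_bound(db, CATALOG_INPUT)

if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated:", leaked)  # table names, prefix included
    print("bound:", safe)           # empty list, input treated as data
```

In WordPress code the equivalent of the bound version is building the query with `$wpdb->prepare()` rather than string concatenation.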