Friday, July 20, 2012

Change Your Table Prefix in WordPress


If your table prefix is “wp_” or “wp1_” or even “wordpress_”, then changing it will bring your WordPress site security to a higher level.
By default, a Fantastico installation sets “wp_” as the prefix for each WordPress table name. Since this is a known vulnerability, malicious users can exploit your data easily.
They specifically look for the wp_options table, because changing it will alter how your WordPress site looks. Through wp_options they can set the URL to redirect to their sites, leaving you with the impression that your site was defaced.
If you already have a WordPress site, either take a look at your wp-config.php file or go to phpMyAdmin in cPanel to check your table names.
// Entry in wp-config.php showing the WordPress table prefix used in the installation
$table_prefix = 'wp_'; // Only numbers, letters, and underscores please!
Attackers can easily send malicious code, using JavaScript to inject SQL that targets your wp_-based tables. To make your WordPress site really secure, change the prefix to something that is difficult to guess. I would pick something almost like a password, except that you are limited here to numbers, letters, and/or underscores.
You might want to check out the plugin “wp prefix changer”, written by Philipp Heinze for BlogSecurity.net. It should do the job for you. However, I had problems using it, and prefer the manual way, which I have already done for 2 blogs.
I strongly recommend that you change the prefix if it is plain wp_. Just follow the next 6 steps and you should be in good shape. I have tested these steps already with a WordPress 2.8 installation:
1- Take a backup
Since this is a change in your WordPress table structure, you will have to take a backup first.
In cPanel click on the “Backups” icon and click on “Generate/Download a full Backup” and proceed with a “Home Directory Backup”.
2- Edit your wp-config.php file and change
$table_prefix = 'wp_';
to something like
$table_prefix = 'op2mro445_';
3- Change all your WordPress table names
Go to phpMyAdmin and choose your WordPress database. Click on the SQL menu item and enter the commands to rename all your tables. Do it one table at a time.
Note: You might have more tables that start with the “wp_” prefix; change all of them.
Every time you paste one line into the SQL window, click on GO and see the table name change on your left. Keep changing the table names until all your WordPress tables have the new prefix.
Rename table wp_commentmeta to op2mro445_commentmeta;
Rename table wp_comments to op2mro445_comments;
Rename table wp_links to op2mro445_links;
Rename table wp_options to op2mro445_options;
Rename table wp_postmeta to op2mro445_postmeta;
Rename table wp_posts to op2mro445_posts;
Rename table wp_terms to op2mro445_terms;
Rename table wp_term_relationships to op2mro445_term_relationships;
Rename table wp_term_taxonomy to op2mro445_term_taxonomy;
Rename table wp_usermeta to op2mro445_usermeta;
Rename table wp_users to op2mro445_users;
4- Edit wp_options
Then you need to edit the op2mro445_options table (formerly wp_options).
Click on the table name link and then click on “Browse” menu item.
You will see all the data stored in that table. Look under the option_name column header and change wp_user_roles to op2mro445_user_roles.
You will be able to change it by clicking on the edit button for that record.
Note: wp_user_roles might not appear on the 1st page under options. Keep looking for it, otherwise you will not be able to login afterwards.
5- Edit wp_usermeta
And finally, apply changes to op2mro445_usermeta (formerly wp_usermeta). Don’t miss any records.
In phpMyAdmin, highlight the op2mro445_usermeta link and click on the “Browse” menu item.
Change every value under the meta_key column header that starts with the old prefix wp_ to the new prefix op2mro445_. The number of records might be different for your web site.
I have changed the following in my installation:
wp_capabilities to op2mro445_capabilities
wp_autosave_draft_ids to op2mro445_autosave_draft_ids
wp_user_level to op2mro445_user_level
wp_usersettings to op2mro445_usersettings
You can run a query in phpMyAdmin to find out how many records you need to change:
Simply click on the Search link, add the following search condition (meta_key like 'wp_%'), and click the GO button. This will get you the exact number of records you need to update. (Jessi, thanks for the tip)
6- Done! Test your WordPress site now
It should be a lot more secure, giving you the peace of mind to focus on blogging.
Oh, one more thing. Do another backup.
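Steps 4 and 5 can also be run from the phpMyAdmin SQL window instead of editing records one at a time. The statements below are an added example, not part of the original post; they assume MySQL, the old prefix wp_, the example prefix op2mro445_ from step 2, and that the tables were already renamed in step 3.

```sql
-- Added example (assumptions: MySQL, old prefix wp_, new prefix op2mro445_).
-- In a LIKE pattern "_" matches ANY single character, so a plain 'wp_%'
-- would also match keys such as 'wpx...'. The underscore is escaped here
-- with an explicit ESCAPE character so only the literal prefix matches.

-- Step 3 check: tables in the current database that still use the old prefix.
-- An empty result means every table was renamed.
SELECT table_name
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_name LIKE 'wp!_%' ESCAPE '!';

-- Step 4: rename the roles option so logins keep working.
UPDATE op2mro445_options
SET option_name = 'op2mro445_user_roles'
WHERE option_name = 'wp_user_roles';

-- Step 5 preview: which usermeta keys will change, and how many rows each.
SELECT meta_key, COUNT(*) AS rows_to_change
FROM op2mro445_usermeta
WHERE meta_key LIKE 'wp!_%' ESCAPE '!'
GROUP BY meta_key;

-- Step 5: rewrite the keys. SUBSTRING(meta_key, 4) drops the three
-- characters of "wp_" and keeps the rest (e.g. "capabilities").
UPDATE op2mro445_usermeta
SET meta_key = CONCAT('op2mro445_', SUBSTRING(meta_key, 4))
WHERE meta_key LIKE 'wp!_%' ESCAPE '!';

-- Verification: both counts should be 0 before you test the login in step 6.
SELECT COUNT(*) AS leftover_usermeta
FROM op2mro445_usermeta
WHERE meta_key LIKE 'wp!_%' ESCAPE '!';

SELECT COUNT(*) AS leftover_roles_option
FROM op2mro445_options
WHERE option_name = 'wp_user_roles';
```

Run the preview query first and compare its keys with the list in step 5; plugins may have added other wp_ keys that appear there.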
If I can be of any help, just let me know.