A solid WordPress security practice is to change the prefix of the WordPress database tables when you are installing WordPress. The goal here is that WordPress security is heightened by changing the default WordPress database table prefix from wp_ to something different. This changes the default WordPress database table names, and helps to block those hackers seeking to penetrate WordPress security by performing database injection attempts.
For example, a hacker has decided that he is going to deface your corporate blog, and will know that your user table should be wp_users, but if you have changed the database prefix from wp_ to perhaps four_ then the injection attempt against wp_users will automatically fail, as that table does not exist. Your hacker does not know this, just that his attempt failed, and your WordPress security is intact. The hacker is none the wiser, and may move on to easier hunting grounds.
Changing the prefix of your WordPress database tables during the installation of your blog is simple. The installation process will ask you not only for the database name, user, and password, but also the database prefix that you wish to use for your tables. To increase WordPress security, simply alter the default database prefix “wp_” to something else. This prefix can be anything, such as a shortened version of your blog name, or something completely random. Many times, when I am installing a blog, I will use a prefix like “greengrass_” or something else completely unrelated to the blog. This increases WordPress security even more.
Changing the Default WordPress Database Prefix After Installing WordPress
Now you may be asking, “What if I have already installed my blog? Can I change the prefix of my WordPress database now to increase my WordPress security?” Yes, even though this is a bit more difficult than doing it when you first set your blog up, it is quite possible to make this change after your blog is installed. To do this WordPress security upgrade, you are going to need to set aside approximately 10 minutes to make the changes. During this period of time, your blog is going to be down, so you may wish to put up a maintenance page until you are through.
1. As always, before making any type of changes to your WordPress database, you should do a database backup. The method to actually back your database up is going to vary from hosting company to hosting company, and from control panel to control panel, therefore, I do not intend to cover those specifics here.
2. Next, in your wp-config.php file, you are going to edit your database prefix from “wp_” to something more secure. The line to actually edit is line 65, and will read $table_prefix = 'wp_';. You can change this to an abbreviated form of the name of your blog, such as “tbr_”, or you could do something completely random, such as “wp_kG^#18Uh”. The more randomness you add here, the more your WordPress security is increased.
3. Now you will need to make some edits to your database itself, changing the prefix to match the one that you came up with in Step 2. Using phpMyAdmin, or whatever program your hosting company provides for managing your database, you will need to run the following SQL commands to change the WordPress database prefix to the one that you set in wp-config.php. In the example below, you will change “new_prefix_” to whatever new database prefix you have decided to use.
RENAME TABLE `wp_commentmeta` TO `new_prefix_commentmeta`;
RENAME TABLE `wp_comments` TO `new_prefix_comments`;
RENAME TABLE `wp_links` TO `new_prefix_links`;
RENAME TABLE `wp_options` TO `new_prefix_options`;
RENAME TABLE `wp_postmeta` TO `new_prefix_postmeta`;
RENAME TABLE `wp_posts` TO `new_prefix_posts`;
RENAME TABLE `wp_terms` TO `new_prefix_terms`;
RENAME TABLE `wp_term_relationships` TO `new_prefix_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `new_prefix_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `new_prefix_usermeta`;
RENAME TABLE `wp_users` TO `new_prefix_users`;
Please note at this point that if you have installed additional plugins after the installation of your blog, you may have additional tables besides the ones listed above that need their prefix changed. Just follow the syntax that I have used above, and run additional SQL commands to rename the database prefixes on those tables also. If you happen to be using phpMyAdmin, or some other database administration script, you will be able to run multiple lines of SQL commands at once (note that a “;” terminates a MySQL command).
4. The next step in this WordPress security process is to edit the options table (wp_options before the rename in Step 3) to reflect the new WordPress database prefix. If this is not done, your blog will not function. Using the method described above, run the following MySQL command, once again changing “new_prefix_” to your newly chosen database prefix. This MySQL command will search the options table, returning the wp_user_roles option, along with any other plugin-created options, custom scripts, or other entries. The goal here is to rename any entries in the options table that begin with “wp_” to the newly chosen database prefix.
-- \_ matches a literal underscore; an unescaped _ in LIKE matches any single character
SELECT * FROM new_prefix_options WHERE option_name LIKE '%wp\_%';
5. The final edit that we will need to make is in the usermeta table. We are going to be looking for any instances of the old “wp_” database prefix so that we can edit that prefix to our newly chosen one. Once again, we are going to run a MySQL command to find these instances. When you run the following command, it will reveal those rows that have the instances of the old prefix so that they can be altered.
SELECT * FROM new_prefix_usermeta WHERE meta_key LIKE 'wp\_%';
To show an example of this, running this MySQL query on a newly installed WordPress install returned the following results from the usermeta table.
The number of fields that you will need to alter is going to depend on a number of different factors: the number of plugins that you have, as well as a few other variables. The important thing to keep in mind is that you need to change any entry returned by this search from the default “wp_” prefix to the new one that you have chosen.
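Steps 3 to 5 written out as statements you can paste into your database tool, added here as an example that is not part of the original article. It goes one step further than the list above by asking information_schema for every table that still has the old prefix, so plugin tables are not missed, and in the options table it renames only the wp_user_roles row named in Step 4, leaving the other rows that the Step 4 search returns for you to review by hand. Assumptions: MySQL or MariaDB, the old prefix is “wp_” (three characters), and “new_prefix_” is a placeholder for a prefix made only of letters, numbers and underscores, which is what the comment beside $table_prefix in wp-config.php asks for.

```sql
-- Added example, not from the original article.
-- Assumes: old prefix wp_ (3 characters), placeholder new prefix new_prefix_.

-- Step 3: build one RENAME statement per table that still carries the old
-- prefix, plugin tables included. Run this query, then run the statements
-- it returns.
SELECT CONCAT('RENAME TABLE `', table_name, '` TO `new_prefix_',
              SUBSTRING(table_name, 4), '`;') AS rename_statement
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_name LIKE 'wp\_%';

-- Step 4: WordPress stores its role definitions under <prefix>user_roles,
-- so this row has to follow the prefix.
UPDATE new_prefix_options
SET option_name = 'new_prefix_user_roles'
WHERE option_name = 'wp_user_roles';

-- Step 5: swap the prefix on every usermeta key that starts with wp_
-- (capabilities, user level, per-user settings), keeping the rest of the key.
UPDATE new_prefix_usermeta
SET meta_key = CONCAT('new_prefix_', SUBSTRING(meta_key, 4))
WHERE meta_key LIKE 'wp\_%';

-- Check: count what still carries the old prefix. Any non-zero count means
-- a table or row was missed in the steps above.
SELECT COUNT(*) AS tables_left
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_name LIKE 'wp\_%';

SELECT COUNT(*) AS usermeta_keys_left
FROM new_prefix_usermeta
WHERE meta_key LIKE 'wp\_%';

SELECT COUNT(*) AS roles_option_left
FROM new_prefix_options
WHERE option_name = 'wp_user_roles';
```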
Finishing Up: Testing Functionality
When you have finished this last step, this WordPress security upgrade should be complete. All entries of the old “wp_” prefix in the WordPress database should be gone, and replaced with the new WordPress database prefix that we selected in Step 2. Now comes the moment of truth: disable your maintenance page, if any, and test the functionality of your blog. Do this by going through your blog, checking links and posts, and assuring yourself that everything is functioning properly. If the blog appears to be functioning properly, then it would appear that your WordPress security upgrade has been a success. Now, make an additional backup of your WordPress database for good measure: WordPress security should never be stopped.