Because WordPress powers about an eighth of the world’s websites, it is a frequent target of attacks: spammers try to insert malicious content or links into your site, such as links to the dodgy pharmacies and gambling sites that we’ve all seen in our email junk folders (but never visited, right…?)
One of the methods that spammers use is called SQL injection, in which they get their own SQL commands run against your database to insert the spam, since that is where WordPress stores all of your site content.
WordPress gives all the tables in its database a default prefix of wp_. If you don’t change it, spammers can easily target your site, as they know where your content is being stored – it’s akin to giving a burglar your address: once they know where it is, it’s just a matter of committing the offence.
So it is strongly advisable to change your database prefix, and this tutorial shows you how. If you haven’t yet installed WordPress, you only need to perform step 1 before you upload your files to your server. If your WordPress site is already installed, you’ll have to go through all the steps, but it’s still nothing more than a 10-minute process.
1. Change your wp-config.php file
wp-config.php is where you tell WordPress where to read and write tables and entries in the database. If you look at your wp-config.php file, you will see a section that reads:
This dictates the prefix for all of the tables in your database that are associated with WordPress. This is the part we want to change and it’s as simple as changing the wp for another random string: it doesn’t really matter what the prefix is, so long as it is not wp. As with any security measure, the more random the string is, the more secure it will be. Since you will never need to remember the string, you can be as random as you want. For the purposes of this tutorial, I’m going to use mn8cvp82d933pxq as my random string. Therefore, your new wp-config.php may look like this:
2. Change your database table names
(Remember, if you haven’t yet installed WordPress, you’re done now and can upload your files and install WordPress and it will take care of the rest of these steps on your behalf.)
Now that you’ve told WordPress to look for tables with your new prefix, they actually need to exist, or WordPress will throw up an error.
There are 11 standard tables that WordPress creates in your database. If you’ve installed plugins, there may be more. Look at the list of tables on the left-hand side of the phpMyAdmin screen to see whether you’ve got more than the original 11.
Log in to phpMyAdmin and select the SQL tab. You can use the RENAME command to quickly rename all the tables in your database.
The command below works for the 11 standard WordPress tables, but if you’ve got more tables than that, then you can add extra lines and include the extra table names. Copy this code and change mn8cvp82d933pxq to your own random prefix on each line:
Once you hit ‘Go’, your tables will instantly be renamed and you’re nearly done.
3. Change your wp_options table
The wp_options table contains at least one value which references your old table names. We’re going to execute another SQL command that will return all values in that table that are using the old table names. Click on the SQL tab at the top of the page and enter the following, swapping out my random string with your own:
With the results that are returned, edit the option_name to change wp for your own random string. So if one of the option_names is wp_user_roles, then you’ll change it to mn8cvp82d933pxq_user_roles, to reflect your new table names.
4. Change your wp_usermeta table
This is similar to the step above: we’re performing the same task, just in a different table. The SQL command to find the results that need to be changed is:
Now change the meta_key in every result that is returned to replace wp with your own random string.
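Steps 2 to 4 as a single script for phpMyAdmin's SQL tab. This is an added example, not the author's original commands; it assumes MySQL or MariaDB, the tutorial's prefix mn8cvp82d933pxq and the 11 table names of a default install, and it goes one step further than the text by using UPDATE statements instead of editing each row by hand.

```sql
-- Added example. Assumptions: MySQL/MariaDB, a default install's 11 tables,
-- and step 1 already done: $table_prefix = 'mn8cvp82d933pxq_'; in wp-config.php.
-- Export a dump of the database before running this.

-- Step 2: a single RENAME TABLE statement renames every listed table atomically.
-- Add one "old TO new" pair per extra plugin table.
RENAME TABLE
  wp_commentmeta        TO mn8cvp82d933pxq_commentmeta,
  wp_comments           TO mn8cvp82d933pxq_comments,
  wp_links              TO mn8cvp82d933pxq_links,
  wp_options            TO mn8cvp82d933pxq_options,
  wp_postmeta           TO mn8cvp82d933pxq_postmeta,
  wp_posts              TO mn8cvp82d933pxq_posts,
  wp_terms              TO mn8cvp82d933pxq_terms,
  wp_term_relationships TO mn8cvp82d933pxq_term_relationships,
  wp_term_taxonomy      TO mn8cvp82d933pxq_term_taxonomy,
  wp_usermeta           TO mn8cvp82d933pxq_usermeta,
  wp_users              TO mn8cvp82d933pxq_users;

-- Check: no table with the old prefix should remain (expect zero rows).
-- "_" is a one-character wildcard in LIKE, so it is escaped with "!".
SELECT table_name FROM information_schema.tables
WHERE table_schema = DATABASE() AND table_name LIKE 'wp!_%' ESCAPE '!';

-- Step 3: preview the options that start with the old prefix.
SELECT option_id, option_name FROM mn8cvp82d933pxq_options
WHERE option_name LIKE 'wp!_%' ESCAPE '!';

-- wp_user_roles is the option the tutorial names. Newer WordPress versions
-- also store options that merely begin with wp_ (such as
-- wp_page_for_privacy_policy) and are not derived from the table prefix,
-- so this update targets the one row by exact name.
UPDATE mn8cvp82d933pxq_options
SET option_name = 'mn8cvp82d933pxq_user_roles'
WHERE option_name = 'wp_user_roles';

-- Step 4: preview, then rewrite the prefix on the matching meta_key rows.
SELECT umeta_id, user_id, meta_key FROM mn8cvp82d933pxq_usermeta
WHERE meta_key LIKE 'wp!_%' ESCAPE '!';

-- SUBSTRING(meta_key, 4) drops the leading "wp_" (three characters).
UPDATE mn8cvp82d933pxq_usermeta
SET meta_key = CONCAT('mn8cvp82d933pxq_', SUBSTRING(meta_key, 4))
WHERE meta_key LIKE 'wp!_%' ESCAPE '!';
```

If the step 4 preview lists keys written by a plugin rather than by WordPress itself, review them before running the final UPDATE.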
That’s it! Go to your front page and to your admin area and make sure that you’re not encountering any errors. Now you can sleep at night knowing that your site is that much more secure.