One of the awesome things about WordPress is that it’s a dynamic publishing system that uses a database to store your site’s information: posts, options, plugin and theme settings – all of this data is stored in your site’s database. It’s like the brain of your WordPress installation.
Unfortunately the WordPress database is also a prime target in many website attacks. Spammers and other bad guys target various database tables with automated scripts, SQL injection, and other malicious code. Needless to say it’s critical to protect your database and keep recent backups. One of the smartest ways to protect your site’s database is to change the default table prefix to something obscure and difficult to guess. Sort of like a password.
Default WP database tables
By default, during installation, WordPress creates the database with all of the tables prefixed with “
wp_”. There are 11 tables created in the default installation procedure, and all of them will prefixed with
Install WordPress out-of-the-box and that’s what you’re going to get. And would-be attackers understand this perfectly. Automated scripts that target the WordPress database aim for these default table names during their attacks. I think it’s fair to assume that a vast majority of WordPress databases are using the default
wp_ prefix. This is bad because it makes attacking WordPress sites easier for the bad guys.
Fortunately you can improve your site’s security by changing the default table prefix to something completely random and unique. There are two ways to change your database prefix: the easy way and the hard way. Which you use will depend on if you’ve already installed your WordPress site or not..
Changing default table prefix before installing WordPress
/** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ $table_prefix = 'wp_';
Just replace the “
wp_” with a string of random, unique characters and you’re all set: continue with the installation as normal and your database prefix will have been changed to something more secure. Here’s an example of a strong database prefix generated at Random.org:
Notice two things that will help keep your database nice and organized:
- begin the prefix with “
wp_” to keep things orderly
- end the prefix with an underscore (“
_”) so the actual table names (e.g.,
meta) stand out and are easily recognizable.
But really you can use whatever prefix you want – the take-home message here is that you should obscure your tables’ prefix and it’s easiest to do before installing WordPress.
But wait! I’ve already installed WordPress and have been using it for all sorts of stuff.. is it still possible to change my prefix? Absolutely there is, but it takes quite a bit more time to get it done.
Changing default table prefix after installing WordPress
If you’ve already installed WordPress and want to change your database prefix, you’re stuck with the hard way. But it’s really not that hard, just hard compared to changing a single line in your
wp-config.php (as shown above). To change your prefix after installing, set aside around ten minutes and follow these steps:
Step 1: Preparations
Before changing your table prefix, make sure you have a recent backup and about 10 minutes of downtime for your site. It may be a good idea to redirect visitors to a temporary maintenance page.
Step 2: Change table prefix
Change your database table prefix in
wp_ to something more secure, like
wp_VzQCxSJv7uL_ or something.
Step 3: Change all WordPress database tables
Go to your database (using phpMyAdmin or whatever) and rename all WordPress table prefixes from
wp_ to whatever you specified in your
wp-config.php file. Here are SQL commands to rename the 11 default WP tables:
RENAME table `wp_commentmeta` TO `wp_VzQCxSJv7uL_commentmeta`; RENAME table `wp_comments` TO `wp_VzQCxSJv7uL_comments`; RENAME table `wp_links` TO `wp_VzQCxSJv7uL_links`; RENAME table `wp_options` TO `wp_VzQCxSJv7uL_options`; RENAME table `wp_postmeta` TO `wp_VzQCxSJv7uL_postmeta`; RENAME table `wp_posts` TO `wp_VzQCxSJv7uL_posts`; RENAME table `wp_terms` TO `wp_VzQCxSJv7uL_terms`; RENAME table `wp_term_relationships` TO `wp_VzQCxSJv7uL_term_relationships`; RENAME table `wp_term_taxonomy` TO `wp_VzQCxSJv7uL_term_taxonomy`; RENAME table `wp_usermeta` TO `wp_VzQCxSJv7uL_usermeta`; RENAME table `wp_users` TO `wp_VzQCxSJv7uL_users`;
If there are other WordPress-related tables from plugins or whatever, just rename them too. The goal here is to rename all of the tables that begin with the default prefix. If you’re using something like phpMyAdmin to interface with your database, you can execute multiple commands at the same time, so edit the above code with your table prefix, paste it into the SQL field, and WHAM! – all tables changed in the blink of an eye.
Step 4: Edit the WordPress options table
Now search the
options table for any instances of the old prefix. To do this, enter the following SQL query:
SELECT * FROM `wp_VzQCxSJv7uL_options` WHERE `option_name` LIKE '%wp_%'
That search will return the
wp_user_roles option along with any other options created by plugins, custom scripts, etc. The goal here is to rename any options that begin with
wp_ to the new prefix.
Step 5: Edit the usermeta table
Now search the
usermeta for all instances of the old
wp_ prefix. Here is an SQL command to accomplish this:
SELECT * FROM `wp_VzQCxSJv7uL_usermeta` WHERE `meta_key` LIKE '%wp_%'
Executing that query on a recently installed WordPress database, the following
usermeta fields were returned:
The number of fields that you need to rename may vary depending on plugins and other factors, but as before, just remember to rename any entry that begins with the default WordPress table prefix,
Final Step: Test, backup, and done!
Ideally at this point, all instances of the old table prefix (
wp_) have been replaced with the new (
wp_VzQCxSJv7uL_ in our example). Once this is done, go check your site for proper functionality. Test the Admin, pages, posts, search, and everything else you can think of (or have time for). If your site seems to be working as before, chances are good that the surgery was a success. Now make another database backup for good measure.
Want more SQL recipes like this one? Check out Wizard’s SQL Recipes for WordPress — includes an entire chapter on optimizing the WP database!
Securing WordPress involves securing your database. The default table prefix is well-known and targeted by nefarious scumbags across the Web. Changing your prefix to something obscure and difficult to guess is an easy way to stop automated attacks, malicious scripts, and other evilness from compromising your precious database.
And remember – always, always, always keep recent backups. If something goes awry with your database, the easiest way to restore sanity is to upload a recent backup and call it done.