[Defender Pro] Remove DB prefix change from Defender

Hi Guys,
I’m writing to ask if you’d consider removing the DB prefix change / reporting option in Defender Pro. The main reason I’m asking for this is because it’s totally misleading. Changing the prefix does not add ANY level of protection to a WP site as a simple DB query can return the current prefix. Any hacker able to identify a code vulnerability in your site will surely have the nous to check the prefix before he/she tries this attack vector. My view is that propagating the myth that it adds some level of protection is not helping the WP community at large.

Aside from this – I appreciate your work and your plugins :slight_smile:

Kind Regards,
Glenn

  • Predrag Dubajic
    • Support

    Hi Glenn,

    It’s true that changing DB prefix doesn’t help much in most cases as the new prefix could still be returned with a simple script, but from my understanding, it can at least throw some automated scripts from direct access.

    I did, however, pass this to our devs as well so they can check it out further and share their thoughts on this :slight_smile:

    Best regards,
    Predrag

    • Patricia BT
      • Connector

      well, the vast majority are automated scripts which target wp_ prefix, and in those cases, it’s useful to have another prefix. (but true that in the event of a targeted attack, it doesn’t help).
      well, I will always install with another db prefix, and regularly change it. if not in Defender anymore, I will do it otherwise.

      • Adam
        • Support Gorilla

        Hi Patricia BT

        well, I will always install with another db prefix,

        Yup, that’s what I always do as well. Not really that I believe it will “protect my site from all evil of the world” but certainly won’t hurt. It’s also a kind of “habit” for me, from “long-gone” times in a distant past when I often had to deal with “how to install multiple WPs while only one DB is allowed by host” – certainly use different prefixes.

        Of course using same DB for multiple sites is never a good idea (unless, like back then, you don’t have a choice) but made me use different prefixes for each install without even thinking about it :smiley:

        Anyway, fortunately it’s easy enough to take care of it upon installation but since it’s not really a “crucial” thing, I can see how it might sometimes cause “false impression of full security” so I think Hoang and grieger are right on this – in the long run, it’s better to get rid of it from the plugin :slight_smile:

        Best regards,
        Adam

        • Julian
          • Click Here

          Or you could keep it in the plugin and put a notice with the option about how it does very little for security. I too like to change the DB prefix and it’s nice to have the option in the UI of Defender. If this feature stops even one attack then it’s worth it right? :slight_smile:

          • Predrag Dubajic
            • Support

            Hi Julian,

            After some additional reading my understanding about DB prefix change is that once your DB is accessed via SQL injection a simple script can return the current DB prefix so having a custom one doesn’t really make any difference.

            As Adam mentioned above, it might be best for the long run to remove it as it can give a sense of false security since it doesn’t really help in securing your site.

            Best regards,
            Predrag