[wp-hackers] Wordpress database encryption.

Dion Hulse (dd32) wordpress at dd32.id.au
Sun Nov 27 05:25:15 UTC 2011


On 27 November 2011 16:18, jackie sparks <jackie.craig.sparks at live.com> wrote:
> This just isn't security by obscurity. This can protect the data in the database from sql injections from rogue plugins and miscoded plugins (this seems to be a huge problem, if you read the sec lists in the past week. There have been over 10 new exploits found for different plugins). Have to know the keys to decode the data. CCC (those German guys are pretty bad) has already proven that SSL certs can be cracked and replicated on the fly with a cluster of ps3 systems, http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-ps3s/.
>
> Most crackers are opportunists. If they have the opportunity they will take it. If it's difficult they will leave it be.
>
> Can I randomize the usermeta IDs through the use of a plugin so firstname is not always 1,16,24,32?
>
> Every security system has its fail points.

My point was, location-wise, it's security by obscurity if you attempt
to "hide" the code in core code rather than in a plugin, i.e. this
quote:
>  It would make it harder for someone to find the code instead of just browsing through the directory in the wp-content/plugins dir.

But yes, aside from the initial install, you can randomise user IDs if
you wish, just increment the wp_users AUTO_INCREMENT value a random
amount each time a user is added, for example, or alter the ID before
the data is sent to the update()/insert() calls.
For the initial install, it's a bit harder as plugins aren't loaded,
but there's a wp-content/install.php dropin that can be used to
override certain installation functions.

>> (...) I would *not* be focusing on making a core patch for this, it's
>> something that's much better aimed at being a plugin (or a wp-content/db.php
>> dropin file if it can't be done otherwise). (...)
>
> You can load alternative files in core from a plugin? Or would this be
> replacing files manually. Couldn't find any other documentation on this
> other than pluggable functions (
> http://codex.wordpress.org/Pluggable_Functions ), which is something else.

No, you can't override specific core files. WordPress does have
support for non-MySQL databases by you adding a wp-content/db.php file,
however. Have a look at the HyperDB plugin/dropin for example for a
client class that can support multiple MySQL servers (i.e. a master/slave
setup). This is similar to the advanced-cache.php and object-cache.php
dropins.
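One way to do the AUTO_INCREMENT bump described above, written as a small plugin. This is an added example, not code from the thread or from WordPress core; the `rug_` prefix, the hook choice and the gap bounds are arbitrary assumptions.

```php
<?php
/*
Plugin Name: Random User ID Gaps (illustrative example)
Description: After each new user is inserted, pushes the wp_users
AUTO_INCREMENT counter ahead by a random amount so the next user ID
is not simply previous+1.
*/

// Hypothetical plugin written for this example; not from the thread or WordPress core.
// user_register fires after wp_insert_user() has written the new row.
add_action( 'user_register', 'rug_randomise_next_user_id' );

/**
 * Move the wp_users AUTO_INCREMENT counter to a random value above the
 * current maximum ID. The user that was just inserted keeps its ID; the
 * *next* user registered gets an unpredictable one.
 *
 * @param int $user_id ID of the user just created (passed by the hook, unused here).
 */
function rug_randomise_next_user_id( $user_id ) {
    global $wpdb;

    // Highest existing ID. MySQL silently ignores an AUTO_INCREMENT value
    // at or below the current maximum, so the new counter must exceed it.
    $max_id = (int) $wpdb->get_var( "SELECT MAX(ID) FROM {$wpdb->users}" );

    // Random gap; the 100..10000 bounds are an arbitrary choice for this example.
    // wp_rand() is WordPress' own random-integer helper.
    $gap  = wp_rand( 100, 10000 );
    $next = $max_id + $gap;

    // Table name comes from $wpdb (trusted); the integer is bound via %d,
    // so nothing user-controlled is interpolated into the statement.
    $wpdb->query(
        $wpdb->prepare( "ALTER TABLE {$wpdb->users} AUTO_INCREMENT = %d", $next )
    );
}
```

Caveat: on InnoDB before MySQL 8.0 the AUTO_INCREMENT counter is recomputed as MAX(ID)+1 when the server restarts, so a gap set here is lost if no user is inserted before the next restart; the existing IDs are never changed, so nothing breaks, only the randomisation for that one registration.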
