[wp-trac] [WordPress Trac] #17966: Automatic table name randomization for improved security
WordPress Trac
wp-trac at lists.automattic.com
Sun Jul 3 05:11:56 UTC 2011
#17966: Automatic table name randomization for improved security
-------------------------+-----------------------------
Reporter: hexley | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.2
Severity: normal | Keywords:
-------------------------+-----------------------------
With the recent security exploits leaving users' logins and passwords
leaked into the open, I was thinking that perhaps there may be a way to
make SQL injection attacks more challenging for the hackers.
The table names within WP are widely known. Certainly, they can be
changed, but that is something I rarely see done, and it takes user
intervention. The current default table naming convention is
wp-table_name.
On a new installation, perhaps it could be created so that table names
take the form of:
wp-rand(0,2)-table_name
The random bits would be known, and could be easily included in the config
file, or the config file data that a user copies and pastes.
This would add one additional layer of information that a would-be hacker
needs to know in order to act against the database with an SQL injection
style attack. It definitely does not cover all aspects, as there is still
a chance for update, delete, and insert to be issued against known page
IDs; however, injecting a drop, rename, download, or other larger
operation would now essentially be password protected.
While the rand() part may not be terribly long, it should be enough of a
deterrent that the hacker gives up and moves along to an easier target. I
understand this is merely security by obscurity; for the rather simple
implementation versus the payoff in challenge it imposes on the hacker, I
feel it is worth it. I don't see a downside, and while we would all like
not to have to deal with workarounds such as this, with open source code
and rapid releases leaving users running old/legacy code, this could add
that one small layer that protects those users a bit more than nothing.
Thanks for your consideration.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17966>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
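The ticket's proposal can already be applied by hand on a fresh install, because WordPress reads its table prefix from the `$table_prefix` line in wp-config.php. The script below is an added example, not part of the ticket or of WordPress: it draws a random prefix from /dev/urandom, checks it against the characters the WordPress installer accepts (letters, digits and underscores), and rewrites the stock `$table_prefix = 'wp_';` line of a wp-config.php given as its first argument. It assumes a POSIX sh with `od`, `tr` and `sed`; the file path and the `wp_<hex>_` shape of the prefix are this example's own choices. The value only ever lives in wp-config.php, so nothing else on the site changes as long as plugins build table names from the configured prefix rather than hardcoding `wp_`.

```shell
#!/bin/sh
# Added example (not from the ticket): randomize a WordPress table prefix.
# Assumes POSIX sh, coreutils `od`/`tr`/`sed`, and a readable /dev/urandom.

# Produce a prefix of the form wp_<8 random hex chars>_ (32 bits of entropy).
random_prefix() {
    rand=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
    printf 'wp_%s_' "$rand"
}

# The WordPress installer only accepts letters, digits and underscores in a
# prefix; enforce the same rule so nothing odd ends up inside the PHP string.
validate_prefix() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read the prefix currently set in a wp-config.php.
current_prefix() {
    sed -n "s/^[\$]table_prefix = '\([^']*\)';.*/\1/p" "$1"
}

# Rewrite the $table_prefix line in place (via a temp file, so this works
# with both GNU and BSD sed). Refuses prefixes that fail validation.
set_prefix() {
    file=$1
    prefix=$2
    validate_prefix "$prefix" || return 1
    sed "s|^[\$]table_prefix = '[^']*';|\$table_prefix = '$prefix';|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Usage: sh randomize-prefix.sh /path/to/wp-config.php
# Run before the installer creates tables; changing the prefix afterwards
# would orphan the existing ones.
if [ "$#" -ge 1 ]; then
    new=$(random_prefix)
    set_prefix "$1" "$new" && printf 'table prefix is now %s\n' "$new"
fi
```

The prefix is generated in this script rather than by `rand(0,2)` as the ticket sketches, to show the general form: any alphanumeric string works, and a longer one costs nothing. Note that the randomization only hides names from an attacker who has no other way to read them; it does not replace parameterized queries as the actual fix for SQL injection.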