[wp-trac] [WordPress Trac] #38251: Promote security during installation
WordPress Trac
noreply at wordpress.org
Fri Oct 7 13:04:01 UTC 2016
#38251: Promote security during installation
-----------------------------+----------------------
Reporter: FR_lucien | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Upgrade/Install | Version:
Severity: normal | Resolution: wontfix
Keywords: | Focuses:
-----------------------------+----------------------
Changes (by pento):
* status: new => closed
* version: 4.6.1 =>
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
Thank you for the suggestion, @FR_lucien!
This kind of security feature fits in the same basket as other obfuscation
techniques - hiding the version of WordPress, or that a site is running
WordPress, or anti-spam techniques that rely on browser vs. bot behaviour.
They only work because very few people use them - it's not worth the time
of attackers to build their scripts to deal with it.
If we were to directly encourage people to change their table prefix,
attackers would stop hardcoding the table name, and start detecting it,
instead.
For example, an attacker wanting to get the `wp_users` table would try to
inject:
{{{
SELECT * FROM wp_users;
}}}
It's fairly simple to write an alternative version of this that doesn't
depend on the table name being `wp_users`:
{{{
SET @query = CONCAT(
    'SELECT * FROM ',
    (SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
     WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME LIKE '%users')
);
PREPARE stmt FROM @query;
EXECUTE stmt;
}}}
So, while there is some value in changing the table prefix, that value
only exists while WordPress Core doesn't encourage the practice.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38251#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
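An added example, not part of pento's comment or of WordPress Core: a small Python scan over a constructed MySQL general-log sample that flags the probe pattern the comment describes (an INFORMATION_SCHEMA.TABLES lookup with a LIKE pattern, then PREPARE/EXECUTE of a CONCAT-built query). A WordPress application connection has no normal reason to issue any of those statements, so logging them is a more durable signal than relying on the prefix staying unknown; the log format and connection ids below are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample approximating MySQL general-log lines (time, connection id,
# command, argument). Connection 12 is ordinary WordPress traffic; 31 is the probe.
SAMPLE_LOG = """\
2016-10-07T13:04:01Z  12 Query  SELECT option_value FROM wp_options WHERE option_name = 'siteurl'
2016-10-07T13:04:02Z  12 Query  SELECT * FROM wp_posts WHERE post_status = 'publish'
2016-10-07T13:04:03Z  31 Query  SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME LIKE '%users'
2016-10-07T13:04:03Z  31 Query  SET @query = CONCAT('SELECT * FROM ', (SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%users'))
2016-10-07T13:04:04Z  31 Query  PREPARE stmt FROM @query
2016-10-07T13:04:04Z  31 Query  EXECUTE stmt
"""

LOG_LINE = re.compile(r"^(?P<time>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Detection rules mirroring the three stages of the probe quoted in the ticket.
RULES = [
    ("schema_enum", re.compile(r"\bINFORMATION_SCHEMA\.TABLES\b.*\bLIKE\b", re.I)),
    ("query_build", re.compile(r"^\s*SET\s+@\w+\s*=\s*CONCAT\s*\(", re.I)),
    ("dynamic_sql", re.compile(r"^\s*(PREPARE\s+\w+\s+FROM\s+@\w+|EXECUTE\s+\w+)\b", re.I)),
]

def scan_log(text):
    """Return (connection_id, rule_name, query) for every Query line matching a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        query = m.group("arg")
        for name, pattern in RULES:
            if pattern.search(query):
                findings.append((int(m.group("conn")), name, query))
    return findings

def suspicious_connections(findings, min_rules=2):
    """Connection ids that triggered at least min_rules distinct rules: one session
    enumerating table names and then running built SQL is the full pattern."""
    by_conn = defaultdict(set)
    for conn, name, _ in findings:
        by_conn[conn].add(name)
    return sorted(c for c, names in by_conn.items() if len(names) >= min_rules)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for conn, name, query in found:
        print(f"conn {conn}: {name}: {query[:70]}")
    print("suspicious connections:", suspicious_connections(found))
```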