Securing WordPress with obfuscation

So in a fit of security through obscurity, I renamed my WordPress database tables and promptly broke WordPress with a highly informative “You do not have sufficient permissions to access this page.” error message when accessing wp-admin.

Changing the prefix is easiest done with a new installation, but my installation dates from the very first versions of WordPress when the dinosaurs roamed. Due to WordPress’s design, changing the database prefix (‘wp_’) is not as straightforward as you would expect.

Edit wp-config.php

In this exercise, we’re going to change from the default “wp_” prefix to “foo_”. If you’re doing this for security through obscurity reasons, don’t use “foo_”, use something you made up. Trust me, my prefix is NOT “foo_”. In wp-config.php, change:

$table_prefix  = 'wp_';

to

$table_prefix  = 'foo_';

Once you’ve saved the file, your WordPress installation is now officially broken. Move fast!

Rename your tables

use myblog
show tables

and for each of the tables you see there, do this:

rename table wp_options to foo_options;

At this point, your blog will now be viewable again, but you will not be able to administrate it. Accessing /wp-admin/ will say “You do not have sufficient permissions to access this page.”

Fix WordPress Brain Damage

Let’s go ahead and fix that for you:

UPDATE foo_usermeta SET meta_key = REPLACE(meta_key,'wp_','foo_');
UPDATE foo_options SET option_name = REPLACE(option_name,'wp_','foo_');

You’re welcome.

Published by vanderaj

Just another security geek

Join the Conversation

1 Comment

Leave a comment

Your email address will not be published. Required fields are marked *