The Dataport, Ballasalla, IM9 2AP
03330 439780
sales@netcetera.co.uk

How to Secure Your WordPress Database: A Complete Guide

How to Secure Your WordPress Database: A Complete Guide

Did you know that database hacks represent nearly two-thirds (i.e; 65.1%) of all web attacks? It is common knowledge that a database is the basic building block of a website. It stores all the crucial information such as user information, site configuration data (site URLs), and content information. Maintaining the security of a database is of utmost concern. In this article, we will discuss how to secure a WordPress database completely.

How Does WordPress Use Its Database?

WordPress is an open-source CMS that works on PHP (scripting language) and MySQL (database management system). To understand how a WordPress database works, in simple words, consider this example. While logging into your account, you submit your user_id and password. The database extracts your credentials from a stored table and logs you in. And it is PHP that connects your profile to your login credential and shows you correct data at the front-end.

A database is a set of structured and well-organized data. It generally stores valuable information in the form of tables. All the information on a website, be it themes, plugins, pages, comments, site URLs, users’ personal information, etc; goes straight to a database. Each and every minor change that you have been doing to your website gets stored in a database. However, the data can be easily manipulated by a hacker if the database is left without proper security.

This is why one must take the necessary steps to secure a WordPress database. After all, a database is the backbone of a website.

How to secure a WordPress database?

A database is the brain of any website, it stores all the important information of a website. Withholding such pieces of information makes the database an easy target for hackers. There are certain steps that one can take to secure his/her WordPress database. Some of them are :

1. Change WordPress database prefix

By default, all WordPress database tables have a prefix ‘wp_’ attached to them. Being widely known, this database prefix makes your database super susceptible to attacks. Hence, security veterans recommend changing this prefix to avoid any fateful event. To secure a database, you can change the default prefix line. You can follow the mentioned steps to do the same.

a. Changing database prefix with a plugin

One way to change WordPress database prefix is via the Change table prefix plugin from the WP plugins repository. Just install the plugin, activate it and change the database prefix without any fuss.

b. Changing database prefix with wp_config.php

Another way to do this by editing your wp_config file. Here’s how:

  • Access your website through an FTP client
  • Navigate to the root directory (i.e. public_html)
  • Open the configuration file, wp-config.php from the WordPress installation folder.
  • Look for the line with wp_ prefix then change it to your liking. Say for example, you want to change the table prefix to ‘wp_ga2020_’. In that case change the value for the $table_prefix in the config file like this — $table_prefix = ‘wp_ga2020_’;
  • Change the names of all database tables  
          
RENAME TABLE wp_comments TO wp_ga2020_comments;
RENAME TABLE wp_commentmeta TO wp_ga2020_commentmeta;
RENAME TABLE wp_links TO wp_ga2020_links;
RENAME TABLE wp_options TO wp_ga2020_options;
RENAME TABLE wp_postmeta TO wp_ga2020_postmeta;
RENAME TABLE wp_posts TO wp_ga2020_posts;
RENAME TABLE wp_terms TO wp_ga2020_terms;
RENAME TABLE wp_termmeta TO wp_ga2020_termmeta;
RENAME TABLE wp_term_relationships TO wp_ga2020_term_relationships;
RENAME TABLE wp_term_taxonomy TO wp_ga2020_term_taxonomy;
RENAME TABLE wp_usermeta TO wp_ga2020_usermeta;
RENAME TABLE wp_users TO wp_ga2020_users;
  • Replace the instances of wp_ of wp_ga2020_usermeta and wp_ga2020_options (former wp_usermeta and wp_options tables respectively).

UPDATE wp_ga2020_options SET option_name = REPLACE(option_name, ‘wp_’, ‘wp_ga2020_’) WHERE option_name LIKE ‘wp_%’;

 UPDATE wp_ga2020_usermeta SET meta_key = REPLACE(meta_key, ‘wp_’, ‘wp_ga2020_’) WHERE meta_key LIKE ‘wp_%’;

  • Rename the tables created by plugins also. For example, WooCommerce is a plugin used by WordPress. Run following queries to change default names:

 

  RENAME TABLE wp_woocommerce_api_keys TO wp_ga2020_woocommerce_api_keys;

  RENAME TABLE wp_woocommerce_attribute_taxonomies TO wp_ga2020_woocommerce_attribute_taxonomies;

  RENAME TABLE wp_woocommerce_downloadable_product_permissions TO wp_ga2020_woocommerce_downloadable_product_permissions;

  RENAME TABLE wp_woocommerce_order_itemmeta TO wp_ga2020_woocommerce_order_itemmeta;

  RENAME TABLE wp_woocommerce_order_items TO wp_ga2020_woocommerce_order_items;

  RENAME TABLE wp_woocommerce_payment_tokenmeta TO wp_ga2020_woocommerce_payment_tokenmeta;

  RENAME TABLE wp_woocommerce_payment_tokens TO wp_ga2020_woocommerce_payment_tokens;

 RENAME TABLE wp_woocommerce_sessions TO wp_ga2020_woocommerce_sessions;

2. Change Administrator Username

WordPress administrator uses the default name as admin. Using the default name makes your website an easy target for hackers. If you are still using the default name, change it now. Follow the mentioned steps:

  • Log in to phpMyAdmin.
  • Run this query to change the default name to a name of your choosing,     UPDATE {database_prefix}users SET user_login=’your choosing’ Where user_login=’admin’;
  • If you are using WordPress multisite, use the grant_super_admin()function to grant super admin privileges and access.

3. Change Administrator ID

WordPress uses default admin name as ‘admin’ and default admin ID as ‘1’. An attacker can easily gain access to your website by brute-forcing if you do not change your admin ID. Follow these steps to change the admin ID:

  • Go to phpMyAdmin
  • Run the following queries                                                                                            
    UPDATE wp_users SET ID=2020 WHERE ID=1;                            UPDATE wp_posts SET post_author=2020 WHERE post_author=1;
    UPDATE wp_comments SET user_id=2020 WHERE user_id=1;               UPDATE wp_usermeta SET ID=2020 WHERE user_id=1;
    ALTER wp_users AUTO_INCREMENT=2020;

4. Backup your Database

Always keep a backup of your website, it helps in restoring your website after an attack. To manually create a backup, do the following:

  • Go to phpMyAdmin.
  • Select the site’s database from the left side.
  • From the ‘Export’ tab, select ‘Custom’ as the export method.

  • Select Add DROP TABLE / VIEW / PROCEDURE / FUNCTION / EVENT from Object creations.
  • Click Go.

5. Database User Privileges

It is important that the MySQL users in the wp-config.php file have strict privileges. Restricting user privileges adds an extra layer of security to the WordPress database. During initial installation, ALL privileges are given to the user but it should be temporary. After a while, it should be changed to READ and WRITE only.

6. Install a WAF

Web Application Firewalls (WAF) is another effective method to fend off database attacks. A trusted WordPress firewall like Astra Security offers 24*7 website monitoring and protection against malicious queries and requests. It filters out all bad traffic from reaching your WordPress website.

You can secure database attacks by installing a firewall. This is how a firewall works. Source: Astra Security

 

Besides 24*7 website monitoring, Astra offers a range of other security features such as:

  • file upload rules (using which you can control the allowed file extensions & their size), 
  • IP & country blocking,
  • Malware scanning
  • One-click malware remove
  • Bug-bounty

and so on that protects your website even better. You can also tweak and configure these features to suit your website’s specific needs.

Conclusion

Maintaining overall security of the WordPress database can be a difficult task but it is not entirely impossible. If one follows the above-mentioned steps with precision he/she can secure his/her WordPress database from potential hacks. In addition to this, following secure WordPress security measures is also crucial to keeping your WP instance safe.

Free Trial

To get a 7 day free trial and to find out more, visit our website here

Start FREE Trial

Questions?

Speak to our friendly team today to find out what our services can do for you, or for any other queries, please call 03330 439780 or Chat Live with one of the team.

 

 

× How can I help you?
%d bloggers like this: