WordPress Database Security
WordPress websites use MySQL for their database. MySQL is an open-source system used by the vast majority of WordPress websites. At the time of writing, MySQL was second only to Oracle in terms of database popularity globally (no small feat).
The reason for MySQL’s popularity is because it makes up a core component of the LAMP stack that most web servers run on. LAMP stands for Linux, Apache, MySQL, PHP. These are the open-source technologies that make up the foundation upon which WordPress operates. However, not all web hosts manage and maintain this foundation equally.
The first thing we do when looking at a WordPress database is to make sure the web server is using the latest versions of these core open-source technologies. Low-end hosts will often neglect their infrastructure or delay upgrades because of a lack of resources or just sheer neglect. It is sometimes hard to tell which versions a given host is using. This is the dark secret of web hosting that nobody knows about. Imagine walking into an office and seeing the entire company using Windows 98. How confident would you feel about having them host your website?
The configuration of that hosting environment is the next step. By default, most web servers will deploy WordPress with the MySQL database prefix “wp_”. Therein, all the default database tables will use this prefix. Hackers are well aware that this is the default database prefix and table structure and can use it in their attempts to exploit your site. By changing the default database prefix to some random characters, we make it harder for hackers to employ some common WordPress exploits.
We also make sure that the username and password used by WordPress to access and communicate with that database is randomly generated. You’d be surprised how many times we find that a 3rd party web designer has setup the database using a terribly insecure username and password such as admin | 12345.
Lastly, we use tools to scan databases to make sure there is no malicious code hidden inside the database itself. And we monitor all of the databases we manage and take full backups to ensure the database is kept secure.
