

Martin Falada
1,628 Points

New WordPress Class - Security Suggestion

I have been using WP for a while now, but I am going through the course out of interest.

I noticed it suggests using the 1-Click Install... which I don't generally suggest doing... but if you are going to do that, there is an important step that was missed.

In the setup area, Zac suggests changing the Admin name... this is a good point... but it skipped right over changing the DATABASE PREFIX.

Some 1-Click installers will randomize the DB prefix, but not all do. Many will just leave it as wp_.

It is very important to randomize the DB prefix because it makes SQL injection attacks very difficult. If you just use the "default" prefix, then an attacker can easily know the table names when they are crafting their attacks.

wp_users is a VERY common MySQL table name for WP (since the majority of people do not know to change it). So many attackers hit that.

jh3ad_users is random and thus would not be in the hackers' "toolbelt", meaning they would have to find a different way.

Food for thought: this may be something to add to the video as a pop-up bubble or something.
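How the prefix change is actually made, as an added example that is not part of the original post or of WordPress itself. The prefix lives in the `$table_prefix` assignment in `wp-config.php`; on a fresh install that single line is all that needs to change. On an existing install the tables must also be renamed, and the option and usermeta keys that WordPress derives from the prefix (`{prefix}user_roles` in `wp_options`, `{prefix}capabilities` and `{prefix}user_level` in `wp_usermeta`) must be rewritten, or every user loses their role. The `wp-config.php` excerpt below is constructed sample input; `CORE_TABLES` is the set of tables WordPress core creates, and the function names are this example's own.

```python
"""Randomise the WordPress table prefix: rewrite $table_prefix in wp-config.php
and emit the SQL needed to move an existing install to the new prefix.

Added example for this thread; not code from the original post or from WordPress.
"""
import re
import secrets
import string

# Constructed sample of the relevant part of wp-config.php (not a real site's file).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
"""

# The twelve tables WordPress core creates on install.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms",
    "usermeta", "users",
]

# WordPress's own installer rejects any prefix character outside [A-Za-z0-9_].
VALID_PREFIX = re.compile(r"[A-Za-z0-9_]+")
PREFIX_LINE = re.compile(r"^\$table_prefix\s*=\s*'([A-Za-z0-9_]+)'\s*;", re.MULTILINE)


def generate_prefix(length=6):
    """Random lowercase alphanumeric prefix ending in '_', e.g. 'k7q2fd_'.
    Uses secrets (not random) so the value is unguessable; first char is a letter."""
    alphabet = string.ascii_lowercase + string.digits
    body = secrets.choice(string.ascii_lowercase) + "".join(
        secrets.choice(alphabet) for _ in range(length - 1))
    return body + "_"


def current_prefix(config_text):
    """Read the prefix out of wp-config.php text; raises if the line is missing."""
    m = PREFIX_LINE.search(config_text)
    if m is None:
        raise ValueError("no $table_prefix assignment found in wp-config.php")
    return m.group(1)


def set_prefix(config_text, new_prefix):
    """Return wp-config.php text with $table_prefix replaced by new_prefix."""
    if not VALID_PREFIX.fullmatch(new_prefix):
        raise ValueError("prefix may only contain letters, digits and underscores")
    new_text, n = PREFIX_LINE.subn(f"$table_prefix = '{new_prefix}';", config_text)
    if n != 1:
        raise ValueError(f"expected exactly one $table_prefix line, found {n}")
    return new_text


def rename_sql(old, new):
    """SQL to move an existing install from prefix `old` to `new`: rename the core
    tables, then rewrite the option/meta keys WordPress derives from the prefix."""
    for p in (old, new):
        if not VALID_PREFIX.fullmatch(p):
            raise ValueError(f"invalid prefix {p!r}")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in CORE_TABLES]
    # LEFT() rather than LIKE: '_' is a LIKE wildcard, so 'wp_%' would also match 'wpx...'.
    n = len(old)
    stmts.append(
        f"UPDATE `{new}options` SET option_name = CONCAT('{new}', SUBSTRING(option_name, {n + 1})) "
        f"WHERE LEFT(option_name, {n}) = '{old}';")
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {n + 1})) "
        f"WHERE LEFT(meta_key, {n}) = '{old}';")
    return stmts


def migrate_config(config_text, new_prefix=None):
    """Return (rewritten wp-config text, new prefix, SQL statements to run)."""
    old = current_prefix(config_text)
    new = new_prefix or generate_prefix()
    return set_prefix(config_text, new), new, rename_sql(old, new)


if __name__ == "__main__":
    text, prefix, sql = migrate_config(SAMPLE_WP_CONFIG)
    print(f"# new prefix: {prefix}")
    print(text)
    print("\n".join(sql))
```

Run the emitted SQL only against a backed-up database, and extend `CORE_TABLES` with any plugin tables that were created under the old prefix, since they carry it too. Two caveats a practitioner should keep in mind: the prefix is defence in depth rather than a fix for injection, because an injection point that can read `information_schema.tables` reveals the real names regardless, so parameterised queries (`$wpdb->prepare()`) remain the primary control; and the usermeta rewrite is what preserves roles, because WordPress looks capabilities up under the key `{prefix}capabilities`, not `wp_capabilities`.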

+1 I see China hit my site all the time... noobs have no idea I'm tracking them.

Martin Falada
1,628 Points

I feel ya... I had to block all of Russia for a month because I had a guy hopping IPs every 60 seconds....

I did notice they suggest a prefix change in the "Manual Install" video.... but it should be suggested in the 1-Click one as well.

Do you use Visitor Maps - Who's Been Online? at all?

Martin Falada
1,628 Points

Google Analytics mostly... if I am chasing somebody trying to hack me, I use SSH Terminal to watch active connections and track them.

Give it a shot you may like it.

1 Answer

Zac Gordon
Treehouse Guest Teacher

+1 to this point

I mention this in some of the courses, but not in the others, depending on the level or if I can assume they should know it. Great to post the point though!