Do Yourself a Favor, Don’t Use the Default Table Prefix in WordPress.

Setting up WordPress is a pretty easy process, thanks to all the wonderful scripts Automattic has included in WordPress’s core. Essentially, installing WordPress takes just the following three steps:

  • Create a Database
  • Upload WordPress Core Files
  • Run Setup Script

This is great for the average user, because it lets them skip all the hassle of setting up things like salt keys and editing files through an unfriendly FTP client. Trust me: to the average user who doesn’t know much about working with PHP files, the internals of wp-config.php can leave you scratching your head.

The most difficult part of creating a WordPress install is probably figuring out how to create a database, and Automattic identified that. That’s why they’ve added some guide text to the setup process to give you helpful hints as to what you should be putting where. Unfortunately, this actually leaves a big security hole in their system. Thankfully, it’s not really a security hole in the code of WordPress; it’s something that can be easily fixed by changing one little line on the setup screen.

When setting up WordPress, you’ll eventually get to a screen that looks a little something like this:

Notice the bottom part that reads Table Prefix. While most people understand Database Name, Username, and Password (because cPanel provides this information word for word), a lot of people don’t seem to understand what Table Prefix means, nor do they realize that this field is just a suggestion and not required by WordPress, so they tend to leave it as the default wp_. This will work, and it doesn’t really cause any harm in a perfect world, but sadly the internet is far from perfect when it comes to WordPress. Spammers, hackers, and other evil users online will do anything they can to gain access to your database and take control of your blog for their own reasons (usually to place ads on your website to generate revenue for themselves), and thanks to so many people being confused by the Table Prefix field, we’ve made the job pretty easy for them. When hackers write scripts, the first thing they do is assume users are running on the wp_ prefix because it’s the most common. This essentially gives them a bit of a head start in cracking your database.

Thankfully this is really (and I mean REALLY) easy to fix. All you have to do is change wp_ to whatever you want. It can literally be anything as long as it has a “_” at the end of it. To be nice, random, and secure, I personally tend to name my database prefix something like wp345345345345_. By changing your prefix like this you are throwing off hackers. In fact, many of them will likely give up after they see you are not using the default prefix and move on to someone who is, because your site is simply not worth the effort it’ll take to hack. That’s assuming it’s a human hacker; chances are that if it’s a bot, it’ll notice right away that you are not using “wp_”, assume it’s not a WordPress site, and move on to the next blog.
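As an added example (my own script, not part of the original post or of WordPress), here is a small Python audit that reads the `$table_prefix` line the setup screen writes into wp-config.php, flags installs still on the default wp_, and generates a random replacement that the installer will accept (it only allows letters, digits and underscores) and that ends in “_” as recommended above. The sample wp-config.php content is constructed for the demo.

```python
import re
import secrets
import string

DEFAULT_PREFIX = "wp_"
# The WordPress setup screen rejects any prefix character outside letters, digits, underscore.
ALLOWED = re.compile(r"^[A-Za-z0-9_]+$")
# Matches the line WordPress writes into wp-config.php, e.g.  $table_prefix = 'wp_';
PREFIX_LINE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", re.MULTILINE)

# Constructed sample of a wp-config.php left on the installer's default prefix.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
$table_prefix = 'wp_';
"""


def read_table_prefix(config_text: str):
    """Return the $table_prefix value found in wp-config.php text, or None if the line is absent."""
    match = PREFIX_LINE.search(config_text)
    return match.group(2) if match else None


def uses_default_prefix(config_text: str) -> bool:
    """True when the install still runs on the suggested 'wp_' prefix the post warns about."""
    return read_table_prefix(config_text) == DEFAULT_PREFIX


def is_valid_prefix(prefix: str) -> bool:
    """Installer-valid characters only, plus the trailing '_' convention from the post."""
    return bool(ALLOWED.match(prefix)) and prefix.endswith("_")


def random_prefix(length: int = 8) -> str:
    """Generate a random prefix of `length` lowercase letters/digits followed by '_'.

    Uses the secrets module so the value is unpredictable, unlike a hand-typed one.
    """
    alphabet = string.ascii_lowercase + string.digits
    body = "".join(secrets.choice(alphabet) for _ in range(length))
    return body + "_"


if __name__ == "__main__":
    if uses_default_prefix(SAMPLE_CONFIG):
        print("Default prefix in use; suggested replacement:", random_prefix())
```

Run it against a real wp-config.php by reading the file into `config_text`; note that changing the prefix on an already-installed site also means renaming the existing tables and the prefix-named rows in the options and usermeta tables, so the post’s advice is easiest to follow at setup time.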

So next time you set up WordPress, remember to do yourself a little favor and change your Table Prefix. It’s not exactly government-grade security, but it’s a little something just about everyone can handle.