Replace the default wp_ database prefix with a random one in a single click to protect against SQL injection attacks that target WordPress table names. WordPress installs with the default prefix wp_ for every database table (wp_posts, wp_users, wp_options, etc.). SQL injection attacks often hardcode these table names. Changing the prefix means those queries fail even if an injection vulnerability exists. WP Ghost changes the prefix through the Security Check tool with a one-click “Fix it” button and supports Multisite installations. This is a Premium feature.
Every WordPress database uses the same table names: wp_posts, wp_users, wp_options, wp_usermeta, and more. SQL injection attacks exploit vulnerable plugins to run queries against these known table names, for example SELECT * FROM wp_users to extract credentials. If your prefix is abc123_ instead of wp_, the table is abc123_users and the hardcoded query fails. Changing the prefix is one more layer that prevents automated exploits from succeeding.
Important: Back up your database before changing the prefix. WP Ghost modifies actual database table names and the wp-config.php file. While the process is reliable and includes an undo option, a backup ensures you can recover if anything goes wrong.
wp_ prefix, WP Ghost flags it as a security task.
Multisite compatible. WP Ghost automatically detects WordPress Multisite installations and renames all network tables with the new prefix, including per-site tables (e.g., wp_2_posts, wp_3_options).
After changing the prefix, WP Ghost shows an option to undo the change and restore the default wp_ prefix. Use this only if you experience errors after the prefix change.
The undo button appears in the same Security Check task where you originally changed the prefix. Click it to rename all tables back to wp_ and update wp-config.php.
The $table_prefix value in wp-config.php may not match the actual table names. If you can access the dashboard, use the undo button in Security Check. If you can’t access the site, open wp-config.php via FTP and change $table_prefix back to 'wp_'. Then check your database tables using phpMyAdmin to see what prefix they currently have, and make wp-config.php match.
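One way to script the comparison described above, as an added example that is not WP Ghost's own code: it reads $table_prefix from the text of wp-config.php and infers the prefix actually in use from a table list (for instance, one copied from phpMyAdmin). The function names, the four core tables used for detection and the sample data are assumptions made for this illustration.

```python
import re

# Core tables present in every WordPress install; used to recognise a prefix.
CORE = {"options", "posts", "usermeta", "users"}

def configured_prefix(wp_config_text):
    """Return the $table_prefix value set in wp-config.php, or None if absent."""
    m = re.search(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""",
                  wp_config_text, re.MULTILINE)
    return m.group(2) if m else None

def prefixes_in_database(table_names):
    """Map each candidate prefix to the core tables found under it."""
    seen = {}
    for name in table_names:
        for suffix in CORE:
            if name.endswith(suffix):
                seen.setdefault(name[:-len(suffix)], set()).add(suffix)
    return seen

def diagnose(wp_config_text, table_names):
    """Compare wp-config.php with the table list and say which side to fix."""
    cfg = configured_prefix(wp_config_text)
    seen = prefixes_in_database(table_names)
    complete = sorted(p for p, found in seen.items() if found == CORE)
    if cfg in complete:
        return "match", cfg
    if len(complete) == 1:
        # Tables are intact under another prefix: wp-config.php is the stale side.
        return "set $table_prefix to this value", complete[0]
    # No prefix has all core tables: the rename may have stopped part-way.
    return "no complete core table set", sorted(seen)

# Constructed sample: config set back to wp_ by hand, tables still renamed.
SAMPLE_CONFIG = "<?php\n$table_prefix = 'wp_';\n"
SAMPLE_TABLES = ["abc123_options", "abc123_posts", "abc123_postmeta",
                 "abc123_users", "abc123_usermeta", "abc123_2_posts",
                 "abc123_2_options", "abc123_wc_orders"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_TABLES))
```

Multisite per-site prefixes such as abc123_2_ never hold the users tables, so they are not mistaken for the base prefix.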
A few plugins store the table prefix in their own configuration or create custom tables with hardcoded prefixes. After changing the prefix, deactivate and reactivate the affected plugin so it picks up the new prefix. If the issue persists, check if the plugin created custom tables that weren’t renamed and contact the plugin author.
Your database prefix is already changed from the default wp_. The task only appears when the prefix is still the WordPress default. No action needed.
Yes, but always back up your database first. WP Ghost handles the renaming process reliably, including updating wp-config.php and all internal references. The undo option provides a rollback path if anything goes wrong. For extra safety, test on a staging site first if one is available.
Yes. Unlike path changes (which use rewrite rules and don’t modify files), the database prefix change physically renames your database tables and updates the $table_prefix value in wp-config.php. This is a real database modification, which is why backing up first is important.
Yes. WooCommerce tables (like wp_wc_orders, wp_woocommerce_sessions) are renamed along with all other WordPress tables. WooCommerce reads the prefix from wp-config.php and adapts automatically. Cart, checkout, and order management continue working normally.
For this specific feature, WP Ghost modifies wp-config.php (to update the $table_prefix value) and renames database tables. This is different from WP Ghost’s path security features, which never modify any files. The database prefix change is a permanent modification with an undo option.