• Resolved idearius

    (@idearius)


    It’s kind of strange, but the Harden button that shows (and works well) at every section of the Hardening page doesn’t appear at “Database table prefix”.

    The current DB prefix is the default one and the plugin marks it with a red background, yet the button is not there.

    At this website I’m using the latest WP with a slightly modified version of the old Default theme (https://www.ads-software.com/themes/default) and the only plugins are yours, BackUpWordPress and cforms (no inactive plugins).

    Couldn’t find any info on this on the Web. Any ideas?

    https://www.ads-software.com/plugins/sucuri-scanner/

Viewing 3 replies - 1 through 3 (of 3 total)
  • There is no hardening button for that option. The plugin used to have one but after a discussion with our research team I had to remove it because it represented a security hole in the websites.

    The button basically would create a backup of the database to restore the site in case of a malfunctioning of the hardening, then it starts changing the name of all the main database tables, and finally secures some specific data in the options and metadata tables. The issue was that I also added an option that allowed the administrator to download the backup of the database, and the code that powered this option was vulnerable, allowing an attacker to download any file from the server.

    I fixed this security hole as soon as it was discovered, but before the patch was released the manager of the research and development team decided that it was better to omit that option, so I removed the hardening button (as you can see here [1] and here [2]) and since then it only has the warning.

    [1] https://plugins.trac.www.ads-software.com/changeset/949827
    [2] https://plugins.trac.www.ads-software.com/changeset/953661
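
Added example (not part of the thread and not the plugin's code): one way to confine a backup-download handler to its own directory, so that a requested name cannot resolve to any other file on the server. The function name, the backup file-name pattern and the sample requests are assumptions constructed for illustration.

```php
<?php
// Hypothetical helper: map a requested backup name to a real file inside
// $backupDir, or return null when the request must be refused.
function resolve_backup_path(string $backupDir, string $requested): ?string
{
    // 1. Allow-list the name (assumed pattern): no separators, no "..",
    //    fixed prefix and extension. \A and \z reject embedded newlines.
    if (!preg_match('/\Abackup-[0-9]{8}-[a-f0-9]{16}\.sql\z/', $requested)) {
        return null;
    }
    // 2. Canonicalise both sides. realpath() resolves ".." and symlinks and
    //    returns false when the target does not exist.
    $base = realpath($backupDir);
    $path = realpath($backupDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Confinement: the resolved file must sit directly in the backup
    //    directory. A symlink with a valid name that points elsewhere
    //    fails here because its resolved parent differs from $base.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway directory holding one dump file.
$dir  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backup-demo-' . bin2hex(random_bytes(4));
$name = 'backup-20140101-9f2c4e7a1b3d5f60.sql';
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . $name, "-- constructed dump\n");

$requests = [
    $name,                                   // the real backup
    '../wp-config.php',                      // relative path outside the directory
    '/etc/passwd',                           // absolute path
    $name . '/../../other.sql',              // valid prefix with trailing segments
    'backup-20140101-0000000000000000.sql',  // well-formed name, no such file
];
foreach ($requests as $r) {
    $verdict = resolve_backup_path($dir, $r) === null ? 'refused' : 'served';
    printf("%-45s %s\n", $r, $verdict);
}

// Remove the temporary backup once it is no longer needed.
unlink($dir . DIRECTORY_SEPARATOR . $name);
rmdir($dir);
```

Only the first request is served. In a WordPress plugin the handler would also check `current_user_can( 'manage_options' )` and verify a nonce with `check_admin_referer()` before calling such a function.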

    Thread Starter idearius

    (@idearius)

    That’s strange indeed. The two websites where I currently have Sucuri installed have (or at least it says they have) the same version: 1.7.5.

    Leaving that behind, maybe making the backup downloadable is the problem. Making a temporary backup is a good idea, but it should be deleted after the DB change is confirmed to have gone OK, as Sucuri’s mission is not providing backups. It would even be perfectly fine if you only warned the user that a backup should be made (with cPanel, BackUpWordPress or other)… and there you could even have a business opportunity by selecting which backup system you recommend.

    Anyway, it would be great if you could re-enable the database prefix change again.

    Happy New Year, Yorman.

    Yes, I was even proud to have written the code to implement that hardening option, because I spent many hours improving it to work better and faster. I also had the same idea that you propose, but I cannot make that decision on my own, so I will just move this to our internal tracking system. If my manager and the rest of our development team consider that this hardening option can be added again, then I will re-implement the code for a future version of the plugin, but I cannot promise anything.

    Happy new year to you too.

  • The topic ‘Missing "Harden" button for "Database table prefix"’ is closed to new replies.