Hi Nicholas, Great tip. I've always left it as jos_ as I figured it could cause problems if I changed it. Will be sure to do this in all my installs from now on.
Good work with Akeeba.
The Achilles’ heel
Given that the majority of attacks which might get through any countermeasure are going to be SQL injection (a.k.a. SQLi) attempts, our first line of defense should be the database. Some dry theory should help us appreciate the importance of this. There is a concept in epidemiology called “homogeneous populations”. This is a fancy term, which stands for many different members of a same group sharing a common characteristic. In this context, homogeneous populations are prone to be wiped out by a single threat, if that threat uses this common characteristic to gain leverage against each of the members. In other words, if you look alike to your neighbours, you're in deep trouble!
Believe it or not, Joomla! sites consist of a homogeneous population, vulnerable to severe threats! No, this is not a problem in Joomla!'s design, rather than a misunderstanding of how Joomla! is supposed to work. I am talking about the database table prefix, which defaults to jos_. Most SQLi attacks I've seen “in the wild”, take for granted that your site is using the default setting for the database table prefix to deliver their malicious actions against you. Sadly, they are right. Even though jos_ is a default value meant to be changed during installation, it rarely is. As a result, this benevolent default setting proves to be the Achilles' heel of Joomla!. But, really, has it got to be that way with your site?
Thinking before clicking
Thankfully, the answer to my last rhetorical question is a solid and loud “No, sir!” You can prevent being part of the “homogeneous population” of Joomla! sites, if only you take care during installation. This is extremely easy. The solution is found in the fourth page of Joomla!'s installation, titled “Database Configuration”. Click on the “Advanced settings” header and locate the “Table Prefix” field. Now all you have to do is pick a good new database table prefix.
There are no general rules about picking a database table prefix. Ideally, it should be something hard to guess, contain only alphanumeric characters, not too big, not too small and end with an underscore. If this sounds complicated, I will agree with you. My general rule of thumb is: pick three random lower case letters (a-z, no accented or international characters, please) and add an underscore. For example, aow_ is a good prefix, but aøw_, αοβ_ or somethingwaytoolongtobepractical_ is not. That's much simpler, right?
If you came late to this party...
...you are already using the default jos_ prefix. Don't fear and don't despair! We can fix that, with a small PHP script, courtesy of your friendly neighbourhood developer — that's yours truly. Before you proceed, do note that modifying your site's database can be potentially dangerous. You will be playing with live fire here, so there's no room for error. Practise those changes on a local server or a development site first. Keep notes of what you do. In any case, before you attempt any change whatsoever, remember practicing the three basic rules of being a web master: backup, backup, and — most importantly — backup! That said, in order to change your database table prefix, create a file named rename.php in your site's root with the following contents:
<?php
$new_prefix = 'new_';
require_once 'configuration.php';
$config = new JConfig;
$con = mysql_connect($config->host, $config->user, $config->password);
if(!is_resource($con)) die('Error connecting to db');
$test = mysql_select_db($config->db, $con);
if($test===false) die('Error connecting to db');
$prefix = $config->dbprefix;
$sql = "show tables where `Tables_in_{$config->db}` like '{$prefix}%'";
$res = mysql_query($sql);
while($row = mysql_fetch_array($res))
{
$old = $row[0];
$new = $new_prefix . substr($old, 4);
$temp = mysql_query("RENAME TABLE `$old` TO `$new`");
if($temp === false) die(mysql_error());
mysql_free_result($temp);
}
mysql_free_result($res);
mysql_close($con);
echo "OK";
You have to substitute the new_ placeholder in the second line with your desired new prefix. After saving this to your site's root, run it by accessing the script with a URL like http://www.yoursite.com/rename.php and wait until it responds with an OK, usually after a couple of seconds.
At this point, the first thing you have to do is remove the rename.php script from your site's root. Then, edit the configuration.php file and find the line starting with var $dbprefix. It should look like this:
var $dbprefix = 'jos_';
Replace the old jos_ prefix with your new prefix, i.e. the one you used in the second line of your rename.php script. If your new prefix is new_, this line should now read:
var $dbprefix = 'new_';
Save the file and you're good to go! You've just changed your database table prefix and you're one step closer to fending off attacks by potential hackers.
Honey, I’m already on my way home...
Yes, we've ran out of space for this issue, but worry not! There are quite a few more site security articles in this on-going series. In the next issue, we're going to talk about another practical security tip which has to do with your database. I won't say more, but I'll give you some hints. I've talked about it in my last article, and it's always there when you install Joomla! on a server. I know that most of you must have figured it out by now.
Until our next issue, take care and be safe!
I'm writing an article on .htaccess which, among other things, allows you to dodge the most common SQLi tricks, like UNION SELECT. And, yes, the prefix was meant for multiple installations, but it became very evident that it doubles as a first line of defense. IMHO, it should be treated as a security feature.
