Occasionally, we still encounter people who passionately recommend security measures that offer questionable value. Many of these recommendations fall into the category of security through obscurity.
This week, let’s discuss some of the most common security-through-obscurity measures and whether they actually contribute to the security of your WordPress website.
Hiding WordPress & Plugins Information
As WordPress hacking incidents became increasingly widespread, one of the first security-through-obscurity methods was to hide the fact that the website is running on WordPress.
The logic behind this approach was that since WordPress sites are frequent targets, removing visible signs that the site is built with WordPress would keep it off potential target lists, thus preventing it from being hacked.
Unfortunately, that is not how things work. The majority of attacks are fully automated, and attackers are not curating a list of targets. Time is their biggest enemy: a freshly disclosed vulnerability is only useful until site owners patch it, so mass-exploitation campaigns simply spray the exploit at every reachable host and let the results sort themselves out.
In fact, at Patchstack we often see WordPress sites hit by requests that attempt to exploit vulnerabilities in other CMSs, or even vulnerabilities in Java libraries such as Log4j (the Log4Shell bug), which have nothing to do with WordPress. The reverse is equally common: sites that do not run WordPress are routinely probed with WordPress-specific exploits. Hiding the platform does not take you off a list, because there is no list.
Changing the Defaults
In some cases, a touch of security through obscurity can provide value, but it should never be relied upon as the primary security measure.
Changing defaults such as the WordPress login/admin page URL, directory paths, the default admin username, and the wp_ database table prefix can make it harder for some automated bots to complete their exploitation, because those bots are written against the stock layout and give up when a hard-coded path returns a 404.
However, an attacker who pays attention to details can still recover all of these. Usernames leak through the REST API and author archives, theme and plugin paths leak through the HTML of every page, and a renamed login page does nothing against password guessing that goes through xmlrpc.php or the REST API instead. So even if you rename the default admin username and move the admin panel, you should still enforce 2FA on all privileged accounts as the primary security measure; the renamed paths are at most a speed bump.
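To make the two points above concrete (hiding the platform does not work, and renamed defaults are recoverable), here is an added example of the kind of check an attacker or a pentester runs; it is not code from the original post or from Patchstack. It works over a constructed in-memory set of HTTP responses for a hypothetical site that removed the generator meta tag, disabled wp-login.php and renamed the admin account to "sitemgr"; swap the `fetch` helper for real HTTP requests to run it against a site you are authorised to test.

```python
"""Fingerprint a site that tries to hide WordPress, and recover user logins.

Added example, not code from the original post. All sample responses below
are constructed; the hostname example.com and the user names are invented.
"""
import json
import re
from typing import Dict, List, Tuple

# (status, headers, body) stands in for an HTTP response.
Response = Tuple[int, Dict[str, str], str]

# Constructed responses for a site that removed <meta name="generator">,
# disabled /wp-login.php, and renamed the "admin" account to "sitemgr".
SAMPLE_SITE: Dict[str, Response] = {
    "/": (
        200,
        {"Link": '<https://example.com/wp-json/>; rel="https://api.w.org/"'},
        '<html><head>'
        '<link rel="stylesheet" href="/wp-content/themes/twentytwentyfour/style.css?ver=1.0">'
        '<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>'
        '</head><body>Welcome</body></html>',
    ),
    "/wp-login.php": (404, {}, "Not Found"),
    "/wp-json/wp/v2/users": (
        200,
        {"Content-Type": "application/json"},
        json.dumps([
            {"id": 1, "name": "Site Manager", "slug": "sitemgr"},
            {"id": 2, "name": "Editor", "slug": "jane"},
        ]),
    ),
    "/?author=1": (301, {"Location": "https://example.com/author/sitemgr/"}, ""),
}


def fetch(site: Dict[str, Response], path: str) -> Response:
    """Look up a constructed response; unknown paths behave like a 404."""
    return site.get(path, (404, {}, ""))


# Signals that survive removing the generator tag: core assets keep their
# paths, and WordPress emits a Link header pointing at the REST API root.
WP_BODY_SIGNALS = [
    ("generator meta", re.compile(r'<meta name="generator" content="WordPress', re.I)),
    ("wp-content path", re.compile(r"/wp-content/")),
    ("wp-includes path", re.compile(r"/wp-includes/")),
]


def wordpress_evidence(site: Dict[str, Response]) -> List[str]:
    """Return the list of independent WordPress indicators found on the site."""
    _, headers, body = fetch(site, "/")
    found = [name for name, rx in WP_BODY_SIGNALS if rx.search(body)]
    if "api.w.org" in headers.get("Link", ""):
        found.append("wp-json Link header")
    if fetch(site, "/wp-login.php")[0] == 200:
        found.append("wp-login.php reachable")
    return found


def enumerate_users(site: Dict[str, Response], max_id: int = 3) -> List[str]:
    """Recover user slugs from the REST users endpoint and author redirects.

    The REST "slug" is the user_nicename, which WordPress derives from the
    login name by default, so it usually reveals the login even when the
    display name was changed. /?author=N redirects to the same slug.
    """
    names = set()
    status, _, body = fetch(site, "/wp-json/wp/v2/users")
    if status == 200:
        for user in json.loads(body):
            names.add(user["slug"])
    for uid in range(1, max_id + 1):
        status, headers, _ = fetch(site, f"/?author={uid}")
        match = re.search(r"/author/([^/]+)/?$", headers.get("Location", ""))
        if status in (301, 302) and match:
            names.add(match.group(1))
    return sorted(names)


if __name__ == "__main__":
    print("WordPress indicators:", wordpress_evidence(SAMPLE_SITE))
    print("Recovered user slugs:", enumerate_users(SAMPLE_SITE))
```

The point of the example is in the lists it returns: the two "hidden" signals (generator tag, login page) are absent, yet three other indicators remain and the renamed administrator account is recovered twice over. The defensive conclusion is the one the post draws: spend the effort on 2FA and on restricting the REST users endpoint and xmlrpc.php for unauthenticated requests rather than on renaming things.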
Benefits vs. Costs
The limited security benefit you gain from obscurity measures usually comes with a real cost. Customizing URLs, directory names, the table prefix and other WordPress conventions increases the complexity of your website and can cause compatibility issues with plugins, themes, and third-party services that assume the stock layout.
Increased complexity always means higher maintenance overhead, and as time goes by the likelihood of a plugin or core update breaking the website only grows. When that happens, the custom paths are one more variable to rule out, which makes it harder to identify the actual cause.
Looked at through the CIA triad (confidentiality, integrity, availability), the trade-off is lopsided: obscurity adds very little to confidentiality or integrity, since the hidden details are recoverable, while the added fragility is a direct and measurable threat to availability.
Join the Conversation!
There's a dedicated thread on this post in The Admin Bar community. Join in on the conversation, ask questions, and learn more!