Security through obscurity is the most commonly used strategy to protect our WordPress sites from attacks. It is based on the belief that a system is secure as long as outsiders can’t find out details about its internal mechanism. Security through obscurity is achieved by hiding the important parts like the login and admin pages, the admin username, the content folder, etc. It is somewhat like hiding the main door to your house behind a lot of bushes and expecting your house to be completely safe. This tactic might discourage a novice but will be of no significance to a seasoned robber. Similarly, obscurity provides only a minimal layer of protection to your site. Nevertheless, a lot of people still believe in obscurity. So are there any benefits at all with obscurity?
Obscurity is useful in the case of brute force attacks. In such attacks, hackers use automated scripts to break into your site. These bots check for the default components like the “admin” username, “wp-login.php” page, tables starting with the prefix “wp_”, etc. Obscurity can be an effective solution in mitigating these attacks. Besides, steps like renaming the database prefix or the default admin username are easy to understand and implement. They hardly take much time and don’t require you to buy any fancy plugins or premium services. Given all these reasons it is no surprise that security through obscurity is very popular with WordPress users. However, using obscurity as the only layer of defense will not suffice. It offers little protection in an era where evil-doers have thorough knowledge of WordPress and use every trick in the book to exploit vulnerabilities.
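The brute force traffic described above leaves a clear trace in the web server's access log, and watching for it is a more reliable defence than hoping the bots never find wp-login.php. The following is an added example, not code from the original article: it parses combined-format access log lines and flags any client IP that posts to wp-login.php repeatedly inside a short window. It relies on one piece of WordPress behaviour: a failed login re-renders the form with HTTP 200, whereas a successful one redirects to wp-admin with HTTP 302. The log lines, IP addresses and threshold values are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
# 203.0.113.7 hammers the login form; 198.51.100.4 is a real user who mistypes
# a password once and then logs in (302 redirect to wp-admin).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:32 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:34 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:35 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    """A failed wp-login.php POST re-renders the form (200); success redirects (302)."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == 200


def find_login_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_failures} for every IP that accumulates at least `threshold`
    failed logins inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed wp-login.php POSTs within one minute")
```

The threshold and window are deliberately conservative so that a forgetful user with one or two typos is not flagged; the same function run over a real log (`find_login_bruteforce(open("access.log"))`) gives you a list of sources to rate-limit or block at the web server, which works regardless of whether the login page has been renamed.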
Almost all WordPress security plugins primarily focus on login security. Since obscurity provides the simplest way of protecting against these login attacks, the plugins fiercely promote these methods. But as we showed in our article “Does your WordPress Security Plugin really secure your site?”, these plugins fail to protect against other forms of attack. Besides, the common measures of obscurity also bring their own set of problems.
- Hiding the admin user – This is possibly the most recommended method and can be helpful against login attacks. However, there are ways in which your admin account can still be compromised. For example, the admin account name can still be identified by looking at the author pages. We need to tread with caution before relying too heavily on this tactic for security.
- Changing the default DB prefix – WordPress uses the “wp_” prefix for all tables by default. Changing this to a unique prefix can be helpful in hiding table names, especially critical ones like users and options. However, the table names can still be extracted with SQL injection attacks. Coupled with a good firewall, though, changing the DB prefix can be an effective solution to protect your DB. Changing the DB prefix on an existing WordPress site, however, is not a trivial step. It can really mess up your database and even break your site. So you need to be very careful while adopting this measure.
- Hiding the login page – This involves changing the login page from wp-login.php to something less obvious. This, again, is quite easy for experienced hackers to circumvent. Moreover, it makes it hard for users to access your site and can even break WordPress.
- Hiding the WordPress version – This is the most ineffective obscurity measure and a sheer waste of time. There are multiple ways to find the WordPress version, and it is nearly impossible to hide them all. Besides, most attackers don’t even look for the WordPress version anymore. Like the other methods, this too can mess with the functioning of your site.
- Renaming wp-content/wp-admin/wp-includes folder – This is as obscure as it can get. Renaming the content, admin, and includes folders does little to protect the information they store. This can cause major issues in the working of your site and may even lead to a crash. In toto, not worth the effort.
- Hiding WordPress altogether – This step is fraught with issues and you shouldn’t even bother with it if you value your site.
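The “Changing the default DB prefix” item above says the change is not trivial and can break the site; the usual way it breaks is that the tables get renamed while rows whose key values embed the prefix do not, after which every administrator is locked out. The following is an added example, not code from the article or from WordPress itself, that demonstrates the pitfall on an in-memory SQLite stand-in for the MySQL database. It assumes the well-known core rows that carry the prefix (the `user_roles` option, and the `capabilities`, `user_level`, `user-settings`, `user-settings-time` and `dashboard_quick_press_last_post_id` user-meta keys); the fixture, the new prefix `x7q_` and the placeholder serialized values are constructed for the demonstration. `$table_prefix` in wp-config.php still has to be changed by hand afterwards.

```python
import re
import sqlite3

# WordPress core tables of a single-site install; each lives at <prefix><name>.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
]
# Rows whose key *values* embed the prefix (well-known core set; plugin-specific keys
# that carry the prefix must be inspected individually). Renaming the tables but
# leaving these untouched is the classic way a prefix change locks administrators out.
PREFIXED_OPTION_NAMES = ["user_roles"]
PREFIXED_USERMETA_KEYS = [
    "capabilities", "user_level", "user-settings", "user-settings-time",
    "dashboard_quick_press_last_post_id",
]


def validate_prefix(prefix):
    """$table_prefix in wp-config.php may only contain letters, digits and underscores."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"invalid table prefix {prefix!r}")
    return prefix


def rename_prefix_statements(old, new, update_rows=True):
    """Return the (sql, params) list a prefix migration needs: tables first, then rows."""
    validate_prefix(old)
    validate_prefix(new)
    stmts = [(f"ALTER TABLE {old}{t} RENAME TO {new}{t}", ()) for t in CORE_TABLES]
    if update_rows:
        for name in PREFIXED_OPTION_NAMES:
            stmts.append((f"UPDATE {new}options SET option_name = ? WHERE option_name = ?",
                          (new + name, old + name)))
        for key in PREFIXED_USERMETA_KEYS:
            stmts.append((f"UPDATE {new}usermeta SET meta_key = ? WHERE meta_key = ?",
                          (new + key, old + key)))
    return stmts


def migrate_prefix(conn, old, new, update_rows=True):
    """Run the migration in one transaction; roll everything back if any statement fails."""
    conn.execute("BEGIN")
    try:
        for sql, params in rename_prefix_statements(old, new, update_rows):
            conn.execute(sql, params)
        conn.execute("COMMIT")
    except sqlite3.Error:
        conn.execute("ROLLBACK")
        raise


def user_has_capabilities(conn, prefix, user_id):
    """Mimic WordPress's lookup: a user's capabilities are read from usermeta under
    <prefix>capabilities and the role definitions from options under <prefix>user_roles."""
    caps = conn.execute(
        f"SELECT meta_value FROM {prefix}usermeta WHERE user_id = ? AND meta_key = ?",
        (user_id, prefix + "capabilities")).fetchone()
    roles = conn.execute(
        f"SELECT option_value FROM {prefix}options WHERE option_name = ?",
        (prefix + "user_roles",)).fetchone()
    return caps is not None and roles is not None


def build_fixture(prefix="wp_"):
    """Constructed in-memory stand-in for a fresh install with one administrator (user 1)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    for t in CORE_TABLES:
        if t not in ("options", "usermeta"):
            conn.execute(f"CREATE TABLE {prefix}{t} (id INTEGER PRIMARY KEY)")
    conn.execute(f"CREATE TABLE {prefix}options (option_name TEXT, option_value TEXT)")
    conn.execute(f"CREATE TABLE {prefix}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.execute(f"INSERT INTO {prefix}options VALUES (?, ?)",
                 (prefix + "user_roles", "serialized-roles-placeholder"))
    conn.execute(f"INSERT INTO {prefix}usermeta VALUES (1, ?, ?)",
                 (prefix + "capabilities", 'a:1:{s:13:"administrator";b:1;}'))
    conn.execute(f"INSERT INTO {prefix}usermeta VALUES (1, ?, ?)", (prefix + "user_level", "10"))
    return conn


def demo(update_rows):
    """Migrate wp_ -> x7q_ and report whether user 1 still resolves as an administrator."""
    conn = build_fixture("wp_")
    migrate_prefix(conn, "wp_", "x7q_", update_rows)
    return user_has_capabilities(conn, "x7q_", 1)


if __name__ == "__main__":
    print("tables renamed only   :", demo(update_rows=False))  # False: admin locked out
    print("tables and rows fixed :", demo(update_rows=True))   # True
```

Running the naive variant (`update_rows=False`) reproduces the “You do not have sufficient permissions” lockout the article warns about; the full variant keeps the administrator working. Take a database backup before doing this on a real site, and run the statements in one transaction so that a typo in the new prefix leaves the original tables intact.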
Security only by obscurity is moot. However, adding obscurity as an extra layer to a site that already has good defenses in place may be effective. We are not big fans of this strategy though. What makes it worse is the overemphasis that security plugins lay on these methods. Using these techniques mostly gives you a false sense of security and does more harm than good in 99% of cases. Obscurity doesn’t bring safety.