Security through obscurity is a belief that as long as people outside can’t find the details of your site, your site will be safe. It’s a common strategy used to protect your site from hack attempts. Security through obscurity is achieved by hiding some important parts of your site, parts that are common knowledge, for instance, the WordPress login page. All WordPress websites have a common login page which is “www.yoursite.com/wp-admin”. Hence changing the login page helps hide it from unwanted visitors. But how effective is security through obscurity really? If you hide the main door of your home behind a bush, does it secure your home? It may deter a novice robber, but a mature, seasoned robber has enough experience and skill to overcome this security tactic.
Security through obscurity offers only a minimal layer of protection, and yet its use is widespread. It makes one wonder what sort of benefits come with hiding or obscuring part of a WordPress site.
Obscurity is useful in a number of cases, for instance in brute force attacks where hackers program bots to carry out automated attacks on the login page. These bots check for the default WordPress login page, i.e. “www.yoursite.com/wp-admin”. Hence obscuring the default login page by changing it to something like “www.yoursite.com/newurl” can effectively mitigate brute force attacks. It is not hard to change the default login page of a WordPress site. You don’t need to hire a fancy WordPress developer to do it for you. There are many WordPress plugins, like iThemes, that’ll help you change the WordPress login page slug. Given how easy it is to achieve security through obscurity, it is no surprise that the strategy is popular among WordPress users.
How Effective is Security Through Obscurity?
Although security through obscurity provides a layer of protection to a WordPress site, it’s not enough. In fact, today when hackers are using every trick in the book to exploit vulnerabilities, security through obscurity may not be very effective. To illustrate this point, let’s take a look at some of the common measures of obscurity that WordPress websites take and how ineffective they are.
1. Hiding Users
In brute force attacks, automated bots try out commonly used usernames and passwords to break into a site. In this type of attack, hackers target many WordPress sites simultaneously. Sometimes, when a single website becomes a target, hackers try to find the usernames associated with that site. The display name is one of the ways they can get the username for your account.
It is not uncommon to have the same username and display name, which makes the job of a hacker easy. With the username already available on the site, the hacker only needs to focus on getting the right password. You can hide the user by changing the display name, but changing the display name does not change the author page slug. The admin account can still be identified by looking at the slug.
Take for instance, on my website: I changed my display name from “Lawrence” to “Phoebe.” My username is still visible in my author slug (i.e. URL). This is not a foolproof tactic, hence one must prevent oneself from relying on it too much.
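The author slug that leaks the username is the `user_nicename` field, which WordPress derives from the login name and leaves untouched when only the display name changes. The following is an added example (not code from the original article) that audits every account for this condition and optionally rewrites the slug; it assumes it runs inside a WordPress bootstrap (an mu-plugin file or `wp eval-file`), and the function name `audit_author_slugs()` is our own, not a WordPress API.

```php
<?php
/**
 * Audit (and optionally fix) author slugs that still expose the login name.
 * Added example, not from the original article. Assumes a WordPress bootstrap
 * (e.g. an mu-plugin or `wp eval-file`). audit_author_slugs() is our own name.
 */
function audit_author_slugs( bool $fix = false ): array {
    $exposed = [];

    // get_users(), user_login, user_nicename and display_name are WordPress core.
    // user_nicename is what appears in the author archive URL (/author/<user_nicename>/).
    $users = get_users( [ 'fields' => [ 'ID', 'user_login', 'user_nicename', 'display_name' ] ] );

    foreach ( $users as $u ) {
        $slug_from_login = sanitize_title( $u->user_login );

        // Changing only display_name leaves user_nicename equal to the
        // sanitized login, so the username is still visible in the URL.
        if ( $u->user_nicename !== $slug_from_login ) {
            continue;
        }

        $exposed[ (int) $u->ID ] = $u->user_login;

        if ( $fix ) {
            // Derive a new slug from the display name instead of the login; if the
            // display name is empty or still matches the login, use a random suffix.
            $new_slug = sanitize_title( $u->display_name );
            if ( $new_slug === '' || $new_slug === $slug_from_login ) {
                $new_slug = 'author-' . strtolower( wp_generate_password( 8, false ) );
            }

            // wp_update_user() re-sanitizes the nicename and makes it unique.
            $result = wp_update_user( [ 'ID' => $u->ID, 'user_nicename' => $new_slug ] );
            if ( is_wp_error( $result ) ) {
                error_log( "Could not update slug for user {$u->ID}: " . $result->get_error_message() );
            }
        }
    }

    // user ID => login name for every account whose slug still leaks the login
    return $exposed;
}
```

Run it with `$fix = false` first: rewriting `user_nicename` changes the author archive URL, so any existing links to `/author/<old-slug>/` will stop working.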
2. Changing the Default DB Prefix
Have you ever seen your WordPress database tables? (You can access them through your web host account.) Every table has a specific function. For instance, wp_posts stores information from posts, pages, and the navigation menu. This knowledge becomes helpful to an attacker executing certain types of hack attempts.
By default, WordPress uses the “wp_” prefix for all database tables. Changing this default prefix to something unique can be helpful in hiding the tables. But there are flaws in this tactic, because the table names can still be extracted with SQL injection attacks. Also, changing the default prefix is dangerous and can mess up your entire database. In some cases, it may even break your site.
3. Hiding Default Login Page
When you log in to your WordPress site, you’ll notice the login page slug looks something like this: “www.yoursite.com/wp-admin”. This is the default WordPress login page. You can hide your login page by moving it to a custom URL. The idea is to prevent a hacker from trying to access your login page. There are several plugins, like iThemes, that help you change your login URL to an address the tool gives you. Chances are, every website using the same tool is using the same URL. This means that if the hacker knows the URL format suggested by this tool, they can easily find your login page. Hence, hiding your default login page doesn’t necessarily protect your WordPress site in any way. Moreover, changing your login page slug without properly informing all your users can lead to chaos.
4. Hiding the WordPress Version
The open-source ecosystem of WordPress makes it easy to learn about any vulnerabilities the core may have. Hackers may launch attacks to exploit these vulnerabilities. Hence, hiding the WordPress version installed on your site can prevent hackers from targeting your site. But there are many ways of identifying what WordPress version your site is running on. For instance, tools like WPScan will tell you which plugins are present on a site along with their versions. From this, one can find out what WordPress version the site is running on.
Besides, hackers no longer need to identify a WordPress version to launch an attack, because they have more sophisticated tricks up their sleeves.
5. Renaming Folders
WordPress works in a predetermined manner. For instance, when you install a plugin, the plugin’s files are stored in the plugins folder. Hence, if you rename the folder, hackers are unlikely to find it if they are planning to exploit it. But as with changing the default DB prefix, this method does little to protect the information stored in the files. Moreover, it may cause your site to malfunction. For instance, if you change the plugin folder name, you may miss out on plugin updates. Like the other methods, this too can mess with the functioning of your site.
The risks involved in security through obscurity are larger than its benefits. One may argue that it provides an extra layer of security, but if your site already has a good defence in place, these methods are ineffective and at best offer you a false sense of security.