WordPress Security through Obscurity: Is It Essential or Optional?

By Susan Daniero
When rifling through WordPress security articles and forum topics, you may start to notice that most developers say: "WordPress security through obscurity is no security." Is that really true? Security through obscurity entails hiding parts of software in an attempt to fool hackers into thinking there's nothing for them to hack. In the case of WordPress, this looks like hiding your login page or the version of WordPress you're using. Just like hiding your house key under your welcome mat, cloaking parts of your WordPress website doesn't guarantee that hackers won't find a way around it. But it doesn't hurt to do it, because it can help in certain cases. Obscurity tactics are also recommended in the WordPress Codex. Today, I'll share more details on WordPress security through obscurity, why you shouldn't rely on it, and why it's still a good idea to apply it to your website.

WordPress Security is Essential

Before delving into security through obscurity, it's important to understand that WordPress security itself is essential. According to W3Techs, 29% of websites on the internet are built with WordPress. With such a high volume of sites available to hack, hackers have a better chance of being successful. While WordPress itself is secure, it's still important to further protect your website. Why? Because it's possible for hackers to find vulnerabilities at any time. So, the more security features you add to your website, the less likely it is to be hacked. So what about security through obscurity? It's one type of WordPress security you can use, and it's outlined in more detail below.

What is WordPress Security through Obscurity?

As mentioned earlier, WordPress security through obscurity means hiding parts of your WordPress website in the hopes that hackers won't detect them. After all, if they can't see something to hack, they're more likely to move on, and that means your website stays safe. According to WP WhiteSecurity, 92% of WordPress websites are infiltrated with automatic hacking programs, called bots. Only 8% are manually attacked by brute force. Bots can be (and most often are) designed to attack thousands of websites automatically every hour. WordPress security through obscurity aims to take advantage of the fact that most attacks are automated. Parts of the website are hidden so that when a bot attempts to hack it, the bot is unsuccessful and moves on to a different website. It's a numbers game. Bots are created to attack as many websites as possible in the shortest amount of time. That way, there's a higher probability of the bot being successful, which translates into the hacker reaching their goal. Most of the time, their goal is to spread spam to make money.

Is Security through Obscurity Optional?

Many developers believe that WordPress security through obscurity doesn't count as a proper defense. The main reason behind this idea is that skilled hackers can bypass this kind of security without issue. With that being the case, there's really no reason to think that obscurity tactics count as essential security measures. On the other hand, not all hackers are skilled, and many of them use bots to attempt to hack WordPress websites. They also target vulnerable websites en masse. The bot first scans a website for vulnerabilities. If any are found, the bot tries to exploit them. If no entry points are found, the bot skips over to a different website, and the process is repeated. Poorly programmed bots bypass websites that use obscurity tactics, which means that obscurity tactics can save your website in these cases. Unfortunately, many bots are more sophisticated and can scan for multiple vulnerabilities. That being the case, WordPress security through obscurity only helps in rarer situations. Still, if you secure your website with strong security measures, it doesn't hurt to throw some obscurity tactics into the mix.

Optional Obscurity Security Tactics

Also, there are many kinds of obscurity tactics you can apply to your WordPress website: For details, check out The Ultimate Guide to WordPress Security.
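To check on your own site whether the version-hiding tactic mentioned in the introduction actually took effect, you can audit the page markup for version markers. The script below is an added example, not code from the original article; the two sample pages are constructed, and treating `?ver=` on `/wp-includes/` assets as a core-version hint is a heuristic assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not captured from a real site).
DEFAULT_PAGE = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="/wp-content/plugins/example-plugin/app.js?ver=1.9.0"></script>
</head><body></body></html>"""

HARDENED_PAGE = """<html><head>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css" />
<script src="/wp-content/plugins/example-plugin/app.js?ver=1.9.0"></script>
</head><body></body></html>"""


class VersionLeakAudit(HTMLParser):
    """Collects places where a page's markup discloses a WordPress version."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (source, version) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Generator meta tag: states the core version outright.
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.match(r"WordPress\s+([\d.]+)", a.get("content", ""))
            if m:
                self.findings.append(("generator-meta", m.group(1)))
        # ?ver= on core assets: heuristic, often equals the core version.
        url = a.get("href") or a.get("src") or ""
        m = re.search(r"/wp-includes/[^?\s]*\?(?:.*&)?ver=([\d.]+)", url)
        if m:
            self.findings.append(("core-asset-ver", m.group(1)))


def audit(html):
    """Return every version marker found in the given HTML string."""
    parser = VersionLeakAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, page in (("default", DEFAULT_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, audit(page))
```

An empty result only means these two markers are gone from the markup. As the article says, that deters simple bots, not a skilled attacker, so keeping WordPress updated still matters more.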

Wrapping Up

At the end of the day, WordPress security through obscurity is optional. Still, it doesn't hurt to add obscurity tactics to a thorough security arsenal. It's also important to build your website for security and maintain it as well, which is what we do at Materiell. Do you want to add obscurity security tactics to your WordPress website? Share your thoughts in the comments below.