Security through obscurity is a process of securing a system by deliberately hiding or concealing information about it. While this alone is not a reliable or sustainable method for securing your website, it can help make your site more difficult for hackers to attack and less of a target. In this post, we will look into security through obscurity and how it relates to WordPress as open-source software.
Open Source Transparency vs. Closed Platform Obscurity
When using WordPress to run your website, there isn’t much in the way of obscurity. WordPress is an open-source CMS with a lot of documentation and one of the largest communities. This transparency makes it hard to hide any flaws, but this also works to its advantage. Any issue within WordPress core can easily be found and therefore fixed. The same can be said for the WordPress.org plugin repository.
Other software as a service (SaaS) CMS solutions are often closed platforms where the service provider controls the application. This is where security through obscurity is mainly used, but as mentioned above, it is not reliable for security. Where everything is true of WordPress transparency, the opposite is true in this case. While flaws in these systems may be harder to find, they are also harder to fix. This is often compounded by having less documentation and smaller communities due to this obscurity.
Hiding in Plain Site
When using WordPress, there is nowhere to hide. Visitors will often be able to tell right away if you are using it or not, but that does not mean you can’t be a little secretive. We will go through a few techniques on how to find and hide information about your WordPress site which, in turn, should make it a bit more difficult to exploit.
Hide the WordPress Version Number
If a site hacker knows which version of WordPress a site is running, they can use that information to go after known vulnerabilities. Hiding the version number while keeping WordPress core up to date can make it more difficult to exploit.
The WordPress version number can be located in a few areas in the source code.
- Remove the generator tag from your theme’s header.
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
- Remove the information for the HTTP header.
- Remove the WordPress version number from the head file and RSS feeds.
add_filter( ‘the_generator’, '__return_false' );
Another tip is to check with your hosting provider and make sure that WordPress is set to auto-update for major and/or minor releases.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
This will help keep WordPress core updated with all the security patches they release.
Change the WordPress Login URL
Most attempts to exploit a WordPress website start with trying to access the back end. This is usually best combated by encouraging strong passwords, limiting login attempts, and enabling two-factor authentication. However, by changing the default login URL we can keep would-be intruders from even finding the way in. If you have a site that only has site administrators logging in, this can be a helpful way to reduce brute force attacks. Changing the URL can be done with a plugin or by checking with your hosting provider and setting up a redirect.
Change the Admin Username
Often overlooked, when installing/setting up your WordPress site it asked for an admin username. This defaults to ‘admin’ but it should always be changed to something unique and difficult to guess. This requires an intruder to not only guess a complex password, but the username that goes with it. If your site uses the default admin user name, don’t fear, this can be updated in one of three ways.
- Create a new user account with admin privileges and delete the old ‘admin’ user account, assigning all the old admin’s content to the new account.
- Update ’admin’ in the WordPress database via phpMyAdmin, or command line via MySQLl or wp-cli. (This method is more advanced.)
- Use a plugin solution. This method is not recommended but if it is used, the plugin should be removed after the username has been updated.
(Bonus) Alter the Database Table Prefix
A more advanced way to use obscurity as security with WordPress is by changing the database table prefixes. This, again, is set during the WordPress installation process and defaults to ‘wp_’. Setting this to something unique during the installation process can help make SQL injection attacks more difficult. If your site uses the default table prefixes and you would like to update it, we would suggest consulting with your hosting provider or an experienced WordPress developer.
To reiterate, obscurity as security with WordPress cannot be relied upon alone for security. Most hackers are looking for quick/easy targets and the methods listed will help make your site more troublesome for them and reduce the number of intrusion attempts. Combined with more conventional security, your WordPress site will be much less a target. Make sure you review your site’s potential vulnerabilities and where they can be improved. If you need site security improvements, contact the experts at Hall today.