The idea that your site will be secure as long as people outside can’t find the specifics of your site is known as security by obscurity. It’s a simple technique for defending your website against hacking attempts. Security by obscurity is accomplished through concealing several of the site’s most critical features, such as the WordPress login page, which is widely known. The login page for all WordPress websites is “www.yoursite.com/wp-admin.” As a result, updating the login page helps to keep unwanted guests away. But, in fact, how successful is protection through obscurity? Is it possible to protect your home by hiding the main door behind a bush? A inexperienced robber can be deterred, but a mature, experienced robber has the experience and ability to resolve this protection measure.
Despite the fact that security by obscurity provides only a thin layer of protection, it is widely used. It begs the question: what are the advantages of concealing or obscuring a portion of a WordPress site?
Obscurity comes in handy in a variety of situations, such as brute force attacks, in which hackers programme bots to launch automated attacks on the login page. These bots look for “www.yoursite.com/wp-admin” as the default WordPress login page. As a result, modifying the default login page to anything like “www.yoursite.com/newurl” will effectively protect against brute force attacks. Changing the default login page of a WordPress site is easy. You don’t have to employ a skilled WordPress developer to do it. Many WordPress plugins, such as iThemes, will assist you in changing the WordPress login page slug. Given how simple it is to achieve protection by obscurity, it’s no wonder that WordPress users favour the technique.
Is Security Through Obscurity Effective?
While security by obscurity adds a layer of security to a WordPress web, it is insufficient. Indeed, in today’s world, where hackers use any trick in the book to exploit flaws, protection by obscurity may not be very efficient. To demonstrate this argument, consider some of the most common obscurity measures used by WordPress websites, as well as how unsuccessful they are.
1. Hiding Users
To break into a site, a brute force attack uses an automated bot that seeks out widely used usernames and passwords. In this form of strike, hackers attack several WordPress sites at the same time. Hackers can attempt to locate usernames associated with a single website when it becomes a target. One of the ways they can get your username is via your display name.
It is not unusual to have the same username and show name, making a hacker’s job easy. The hacker just needs to concentrate on finding the right password now that the username is already visible on the web. However, by modifying the show name, you can make the user invisible. Changing the show name, however, has no effect on the author page slug. The slug can also be used to identify the admin account.
On my website, for example, I changed my show name from “Lawrence” to “Phoebe.” In my author slug, my username is still available (i.e. URL). Since this isn’t a foolproof strategy, you should avoid depending on it too much.
2. Changing the Default DB Prefix
Have you ever looked at the tables in your WordPress database? (You can get to it through your web hosting account.) Every table serves a specific purpose. Wp posts, for example, saves data from links, websites, and the navigation menu. The expertise is useful in carrying out some forms of hacking attempts.
WordPress prefixes all database tables with the “wp_” prefix by default. Changing the default prefix to anything special will aid in the table’s concealment. However, there are drawbacks in this strategy since SQL injection attacks can still extract the table name. Changing the default prefix is also risky, since it can wreak havoc on your entire database. It can even destroy your site in some cases.
3. Hiding Default Login Page
When you log in to your WordPress account, you’ll see something like “www.yoursite.com/wp-admin” as the login page slug. This is the WordPress login page by design. By redirecting your login page to a custom URL, you can cover it. The aim is to keep a hacker from gaining access to your login page. Several plugins, such as iThemes, will help you update your login URL to an address provided by the tool. Any website that uses the same tool is likely to use the same URL. This means that if a hacker is familiar with the URL format suggested by this method, he will have no trouble finding your login page. As a result, hiding your default login page does not guarantee that your WordPress site is secure. Furthermore, adjusting the slug of your login page without properly informing all of your users can cause havoc.
4. Hiding the WordPress Version
WordPress’ open-source ecosystem makes it simple to learn about any vulnerabilities in the core. Hackers can launch attacks to take advantage of these flaws. As a result, hiding the WordPress version built on your site will help you avoid being targeted by hackers. However, there are a variety of methods for determining the WordPress edition the site is using. For example, WPScan will tell you which plugins are installed on your site and what version they are. This can be used to determine what WordPress version your site is running on.
Furthermore, since they have more advanced tricks up their sleeves, hackers are no longer identifying a WordPress edition to launch an attack.
5. Renaming Folders
WordPress has a set of rules that it follows. When you instal a plugin, for example, the plugin files are saved in the Plugin folder. As a result, if you rename the folder, hackers will be less likely to find it if they want to exploit it. This approach, including changing the default DB prefix, does nothing to protect the data stored in the files. Furthermore, it has the potential to cause your website to crash. If you change the name of the plugin folder, for example, you will miss out on plugin updates. This, like other approaches, can cause problems with your site’s functionality.
The dangers of security by anonymity outweigh the advantages. While it can be argued that it adds an extra layer of protection, if your site already has a strong defence in place, these approaches are ineffective and at best provide a false sense of security.