Security through obscurity in WordPress

Security through obscurity is neither necessary nor sufficient for your website. Sadly, a lot of people still believe in this shit in 2020.

The WP version bullshit

You find the following code in the vast majority of blog posts:

remove_action('wp_head', 'wp_generator');

It removes the following meta tag from the head section of your pages:

<meta name="generator" content="WordPress 5.4.2" />

The meta shows the current WordPress version. Unfortunately, you can find this information in several other places, such as the RSS feeds:

<generator>https://wordpress.org/?v=5.4.2</generator>

It’s easy to forget that, and it’s not the only place: the calls for assets (scripts and stylesheets) may carry the same version number as a GET parameter:

<script src="https://mysite.com/wp-content/themes/mytheme/js/main.js?ver=5.4.2"></script>

A lot of WordPress security plugins use version hiding as a marketing argument, so people think it’s a security enhancement.

I don’t have to be a hacker to know that. It does not require any skill. I can even use free online scans or free tools such as WPScan.

But what’s the problem?

You might say it’s not that bad; somehow, hiding things might have benefits. Indeed, if you move your login page, then bots cannot reach “/wp-admin” anymore, so you will prevent some brute-force attacks.

Nevertheless, it’s still possible to find the new URL. Anything can happen; for example, someone might inadvertently share it. It’s not sufficient.

Here is a better solution: limit login attempts. There are useful plugins for that. This way, it’s much more difficult to brute-force your login page. With the first solution, you are crossing your fingers, hoping that bad guys/bots don’t find your new login page.

Again, the first solution does no harm, but it’s not sufficient at all.
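As an added illustration of limiting login attempts without a dedicated plugin (example code, not from the original post): a small must-use plugin that counts failed logins per client address and refuses further attempts for a while. The threshold and window are assumed values, and the REMOTE_ADDR handling assumes no reverse proxy in front of WordPress.

```php
<?php
/*
 * Plugin Name: Tiny Login Throttle (added example, not from the original post)
 * Drop this file into wp-content/mu-plugins/. Limits are assumed values:
 * 5 failures per IP address within 15 minutes, then logins from that
 * address are refused until the window expires.
 */

const TLT_MAX_FAILURES = 5;
const TLT_WINDOW       = 15 * MINUTE_IN_SECONDS;

// One transient key per client IP. Behind a reverse proxy, REMOTE_ADDR is the
// proxy's address, so derive the real client IP from a trusted header first.
function tlt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'tlt_fail_' . md5( $ip );
}

// Count every failed login; each failure restarts the expiry window, so a
// client that keeps hammering the form stays blocked.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = tlt_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, TLT_WINDOW );
} );

// Refuse authentication once the limit is reached. Priority 30 runs after
// WordPress's own username/password check (priority 20); an earlier priority
// would let a correct password override the WP_Error returned here.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( tlt_key() ) >= TLT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );
```

Because the counter is stored in a transient, a persistent object cache keeps it out of the database; without one, every failed attempt costs an options-table write, which is still far cheaper than an unthrottled login page.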

Real solutions

Here are five practical solutions to improve security in WordPress:

  • Keep WordPress, plugins, and themes up to date
  • Enable two-factor/two-step authentication
  • Use a firewall
  • Drop plugins that are no longer maintained
  • Stop using weak passwords

If you provide some e-commerce features, check if your checkout system supports strong customer authentication.

I admit some of these solutions are more time-consuming than others, and they might even be a massive pain, but they work, for real.

Don’t be overzealous

Updates are vital. There are many critical security patches you need to get for your website, but, IMHO, it’s not a good reason to enable automatic updates.

I know it’s a feature in WordPress, and they plan to introduce more granularity in the next versions (the current version is 5.4.2). I read it will be possible to enable auto-updates per plugin and per theme.

At least, only allow minor updates with the following constant in wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', 'minor' );

Be careful: while it’s an exciting feature, you might get some incompatibilities, as has already happened in the past. Breaking your website is bad.

Wrap up

The risks involved in security by obscurity are more significant than its potential benefits. Most of the time, you can safely skip hiding techniques and use more effective methods to get protection.