EXCLUSIVE | Security through obscurity – the dangerous approach that works in your Imaginationland only.
Hiding or renaming your login page does not do much, although you may think it is great additional protection for your website. That is “security through obscurity” (STO), and it is not real protection.
What does “security through obscurity” (STO) mean?
STO relies on hiding important details and keeping them secret as the main security measure. Some people believe that by relying on it they minimize the risk of an attack; in reality it only buys time until the secret is discovered.
Here are two real-life examples:
1) Hiding the key to your front door under a nearby rock or the doormat. The principle is simple: your house is “safe” until a burglar finds the key in its hiding place. Then the door is as good as unlocked.
2) The same goes for building your house in the middle of the woods. Surrounded by trees and bushes, it is “safe” only as long as nobody stumbles across it. Once someone does, it is just as exposed as any other house.
It’s a similar story with WordPress.
Let us say you want to make it harder to discover you are using WordPress, and you also want to hide a few other things. All of these measures are meant to increase your security. But none of them are nearly as valuable as making sure you lock the metaphorical door.
There is no question that STO can serve as one layer of protection. But if your front door is not locked, it does not do much good, and if you rely on STO instead of real WordPress security, all is lost once the secret is exposed. Hackers and bots can (and will) try to exploit your plugins and themes whether or not they know what you have installed: they simply fire known exploits at every site they find, move on when nothing works, and dig in when something does. Hiding the names of what is installed will not stop that.
First, you need to decide where those details are supposed to be hidden.
For example, suppose you use .htaccess rules, tucked away somewhere in the depths of your server, to block directory listings and obscure the paths that reveal your plugin and theme names. An attacker would then have to find and read that file to learn what you have installed.
It is very hard to defend against an attacker who already has access to your server and its files, and once they have that, they have every file and every piece of content on the website, which is all the information they need to abuse it.
Surprisingly, it is easier for attackers to find out what you have installed than it is for you to keep it secret: every page you serve references plugin and theme assets under /wp-content/ by name, often with version numbers attached. The best way to protect your WordPress website is to “keep the door locked” and not open it for anyone without first checking their credentials and knowing who they are.
What actually prevents trouble is keeping all plugins, themes and the WordPress core up to date: an attacker who knows exactly what you run gains nothing if there is no unpatched flaw to exploit. Changing your login URL, on the other hand, can also break plugins that expect the default paths.
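To show how little hiding the names achieves, here is a small fingerprinting script of the kind a scanning bot runs against a front page. It is an added example written for this article, not code from the original page or from Virusdie. The HTML it parses is constructed (the generator meta tag has already been stripped, as “hide WordPress” plugins do), and the map of current plugin versions passed to outdated() is an assumed stand-in for the release data a real scanner carries with it.

```python
import re
from html import unescape

# Constructed sample of the HTML a WordPress front page sends to every visitor;
# it is not captured from any real site. The generator meta tag has already
# been removed, but the asset URLs still name the theme, the plugins and versions.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<link rel='stylesheet' href='https://example.com/wp-content/themes/twentytwentyfour/style.css?ver=1.0' />
<link rel='stylesheet' href='https://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.9.3' />
<script src='https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1'></script>
<script src='https://example.com/wp-content/plugins/woocommerce/assets/js/frontend/cart.min.js?ver=8.7.0'></script>
<script src='https://example.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=8.7.0'></script>
<link rel='https://api.w.org/' href='https://example.com/wp-json/' />
</head><body><p>Hello world!</p></body></html>"""

URL_RE = re.compile(r"""(?:href|src)=['"]([^'"]+)['"]""")
ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/")
VER_RE = re.compile(r"[?&]ver=([A-Za-z0-9._-]+)")
WP_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-json/")


def fingerprint(html: str) -> dict:
    """What one page reveals to any visitor: whether the site is WordPress,
    which plugins and themes are installed, and the versions in ?ver= strings."""
    found = {"wordpress": False, "plugins": {}, "themes": {}}
    for url in URL_RE.findall(html):
        url = unescape(url)
        if any(marker in url for marker in WP_MARKERS):
            found["wordpress"] = True
        m = ASSET_RE.search(url)
        if not m:
            continue
        kind, slug = m.groups()
        v = VER_RE.search(url)
        bucket = found[kind]
        # keep the first version seen for a slug; a later versionless asset does not erase it
        if slug not in bucket or bucket[slug] is None:
            bucket[slug] = v.group(1) if v else None
    return found


def _vtuple(version: str) -> tuple:
    """Dotted version string -> comparable tuple ("5.9.3" -> (5, 9, 3))."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def outdated(found: dict, current: dict) -> dict:
    """Plugins whose leaked version is older than the current release.
    `current` is a constructed slug -> version map standing in for the release
    data a scanner ships with; this is the comparison a bot makes before it
    decides which exploit to try."""
    return {
        slug: ver
        for slug, ver in found["plugins"].items()
        if ver and slug in current and _vtuple(ver) < _vtuple(current[slug])
    }


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_HTML)
    print(fp)
    # assumed current releases, for illustration only
    print(outdated(fp, {"contact-form-7": "5.9.8", "woocommerce": "8.7.0"}))
```

Nothing here needs server access or even a login: one GET of the home page is enough, which is why blocking directory listings or removing the generator tag changes nothing for an attacker. The only thing that matters is whether the versions it finds are patched.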
What else does not contribute to the security of the website
1. The website is secure because it has an SSL certificate
The protection an SSL/TLS certificate provides is purely for data in transit: it encrypts what passes between the website and its visitors, which matters most when visitors submit sensitive data such as card numbers or contact details, and it lets the browser verify that it is talking to your domain.
What WordPress users tend to overlook is that it does nothing for the files and data that live on the server: a vulnerable plugin is exploited exactly the same way over HTTPS as over HTTP. A website that is not protected by a WAF (Web Application Firewall) remains vulnerable to hackers even when SSL is in use.
2. Changing the database prefix improves security
This is a common recommendation. The idea is to change the default prefix “wp_” to another value and so frustrate attacks on the database (SQL injection). It looks like an improvement, but it accomplishes little: an injection that can run arbitrary SQL can simply ask the database catalogue (information_schema in MySQL) for the real table names.
Hackers reach your database by exploiting vulnerabilities in the plugins and themes you use, and those exploits do not depend on the prefix.
There is no evidence that renaming the prefix improves the security of your website, and if the change is not done properly it can break the site. To protect yourself from such attacks, take a three-pronged approach: use a WAF, monitor the site for malware and fraud, and keep plugins, themes and the WordPress core updated.
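The following added example (written for this article, not code from the original page or from Virusdie) shows why the prefix is irrelevant. It builds a constructed stand-in for a WordPress database in SQLite, with sqlite_master playing the role MySQL's information_schema.tables plays on a real site, puts the classic vulnerable query pattern next to its prepared-statement fix, and runs an injection that reads the table name from the catalogue instead of guessing it. The table layout, the hash value and the table-name choices are all assumptions for the demo.

```python
import secrets
import sqlite3


def build_db(prefix: str) -> sqlite3.Connection:
    """Constructed stand-in for a WordPress database with a non-default table
    prefix; only the columns the demo needs exist. SQLite is used so the
    example runs offline; sqlite_master stands in for information_schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_title TEXT);
        CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO {prefix}posts VALUES (1, 'Hello world!');
        INSERT INTO {prefix}users VALUES (1, 'admin', '$P$B-constructed-hash');
    """)
    return conn


def post_title_vulnerable(conn, prefix: str, post_id: str) -> list:
    """The bug class behind most WordPress SQL injections: a request parameter
    pasted into the query, as in $wpdb->get_results("... WHERE ID = $id").
    The application knows its own prefix and interpolates it here; the
    attacker never needs to."""
    sql = f"SELECT post_title FROM {prefix}posts WHERE ID = {post_id}"
    return [row[0] for row in conn.execute(sql)]


def post_title_safe(conn, prefix: str, post_id: str) -> list:
    """The fix: validate the type and bind the value, the equivalent of
    $wpdb->prepare("... WHERE ID = %d", $id). Non-numeric input raises
    ValueError instead of ever reaching the database."""
    sql = f"SELECT post_title FROM {prefix}posts WHERE ID = ?"
    return [row[0] for row in conn.execute(sql, (int(post_id),))]


def attack(endpoint) -> dict:
    """What an injection does when the prefix is unknown. `endpoint` stands
    for the vulnerable URL: a callable that takes the attacker-controlled
    parameter and returns what the page displays. Step 1 reads the users
    table's real name from the catalogue, step 2 reads the table itself."""
    probe = ("1 UNION SELECT name FROM sqlite_master "
             "WHERE type='table' AND name LIKE '%users'")
    rows = endpoint(probe)
    users_table = next(r for r in rows if r.endswith("users"))
    dump = f"0 UNION SELECT user_login || ':' || user_pass FROM {users_table}"
    return {"table": users_table, "creds": endpoint(dump)}


if __name__ == "__main__":
    # a "random" prefix, as the advice suggests; the attacker is never told it
    prefix = "p" + secrets.token_hex(3) + "_"
    db = build_db(prefix)
    print(f"prefix {prefix!r}:", attack(lambda pid: post_title_vulnerable(db, prefix, pid)))
```

On MySQL the probe would query information_schema.tables instead, but the shape of the attack is identical: the catalogue hands over whatever name you chose. The only line that stops it is the prepared statement in post_title_safe(), and that line does not care what the prefix is.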
3. You can prevent brute force attacks by hiding the wp-admin and wp-login pages
Most malicious bots run brute-force attacks against the login page, trying usernames and passwords in the hope of gaining administrative access to the back end of your site. They usually target common usernames such as “admin” with tens of thousands of passwords, hoping one of them works. It is common practice among WordPress administrators to hide the login page or the wp-admin folder to prevent this.
While there are many plugins that help hide the login page, there are reasons why this should not be a priority.
– Many plugins depend on the wp-admin folder being where it is expected. If its path is changed, the plugin may stop working properly.
– Against attackers with tools that locate the moved folder, hiding the login page or entry point offers no adequate protection. Besides, most of this traffic is not directed at the login page at all but at xmlrpc.php, the XML-RPC endpoint WordPress exposes for remote clients: it accepts credentials with every call and, through system.multicall, lets a single HTTP request carry hundreds of login attempts.
Therefore this method is not effective and can cause more problems than it solves.
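Instead of hiding the login page, the practical move is to watch the endpoints the bots actually hit. Below is an added example (written for this article, not code from the original page or from Virusdie) that runs simple brute-force detection over constructed web-server access-log lines in the usual combined format. The thresholds and the 60-second window are assumptions to tune per site; xmlrpc.php gets a much lower threshold because one POST there can carry many credential pairs via system.multicall.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines in combined format (not from a real server).
# One bot hammers wp-login.php, another posts to xmlrpc.php, a real user logs
# in once, and a visitor uses a renamed login page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8831 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8831 "-" "python-requests/2.31"
192.0.2.50 - - [10/Mar/2024:10:01:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2024:10:01:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "POST /my-hidden-login/?action=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed per-site thresholds (POSTs within the window). xmlrpc.php gets a
# much lower one because a single request can hold hundreds of attempts.
THRESHOLDS = {"/wp-login.php": 5, "/xmlrpc.php": 2}


def parse(log_text: str):
    """Yield one dict per well-formed line; lines the regex rejects are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield d


def flag_bruteforce(log_text: str, window_seconds: int = 60, thresholds=THRESHOLDS) -> dict:
    """Return {(ip, path): hits} for every source that POSTed to a login
    endpoint at least thresholds[path] times within some window_seconds span."""
    events = defaultdict(list)
    for e in parse(log_text):
        path = e["path"].split("?", 1)[0]          # drop ?action=... and the like
        if e["method"] == "POST" and path in thresholds:
            events[(e["ip"], path)].append(e["ts"])
    flagged = {}
    for key, times in events.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= thresholds[key[1]]:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (ip, path), hits in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {hits} POSTs within 60s")
```

The flagged addresses are what you feed to a firewall or rate limiter. Note the caveat the renamed login in the last sample line illustrates: moving the login page to /my-hidden-login/ makes it invisible to every detection rule keyed on the default paths, so if you do rename it you must also teach your monitoring about the new path, while xmlrpc.php stays exactly where the bots expect it.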
4. A strong password and username are enough to protect the website
A complex username and password are important. Using upper- and lower-case letters, numbers, punctuation and other symbols when creating a password is definitely recommended, but it will not protect you from every attack.
Of course, if none of your usernames is “admin” you are one step ahead, but hackers have other routes: vulnerabilities in outdated themes or plugins, social engineering to obtain credentials (phishing, identity theft), and so on.
Another security layer worth considering is two-factor authentication, where every login also requires a one-time code generated on, or sent to, your mobile phone.
5. My website is secured by a CDN or a cloud-based firewall
Content Delivery Networks (CDNs) and cloud-based firewalls such as Cloudflare protect websites by routing visitor traffic through their own servers, filtering it against firewall rules and forwarding only the requests that pass to your site.
This also hides your origin server, since anyone who looks up your domain reaches the provider's edge servers rather than yours.
It can be bypassed, though: if the origin still accepts connections from anywhere and its IP address leaks (through DNS history, a forgotten subdomain that points straight at it, or the headers of e-mail the server sends), an attacker can go around the provider and attack the origin directly. The fix is to make the origin accept traffic only from the provider's published IP ranges.
Endpoint protection is more robust and reliable because it protects your data where it resides. Defending the data at its original location is the most direct defense against hackers and other forms of attack.
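Here is the origin-side check that closes the bypass, as an added example written for this article (not code from the original page or from Virusdie). The provider ranges are constructed stand-ins using documentation prefixes, since a real deployment would load the provider's current published list; the header name is Cloudflare's CF-Connecting-IP and would differ for other providers.

```python
import ipaddress

# Constructed stand-in for the provider's published edge ranges. Real providers
# publish their current lists; documentation prefixes are used here only so the
# example runs offline.
PROVIDER_RANGES = [ipaddress.ip_network(r) for r in ("203.0.113.0/24", "2001:db8:1::/48")]

# Header in which the provider passes the visitor's real address
# (Cloudflare uses CF-Connecting-IP; adjust for other providers).
CLIENT_HEADER = "CF-Connecting-IP"


def from_provider(peer_ip: str, ranges=PROVIDER_RANGES) -> bool:
    """True if the TCP peer is one of the provider's edge servers."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)   # False on v4/v6 mismatch


def admit(peer_ip: str, headers: dict, ranges=PROVIDER_RANGES):
    """Decision the origin makes for every connection: (allowed, client_ip).

    Connections not coming from the provider are refused outright, so a leaked
    origin address is useless to an attacker. The forwarded client header is
    trusted only when the peer is a provider edge; anyone talking to the origin
    directly could set it to whatever they like."""
    if not from_provider(peer_ip, ranges):
        return False, None
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get(CLIENT_HEADER.lower())
    try:
        client = str(ipaddress.ip_address(forwarded)) if forwarded else None
    except ValueError:
        client = None   # malformed header from an edge: fall back to the peer address
    return True, client or peer_ip


if __name__ == "__main__":
    print(admit("203.0.113.10", {"CF-Connecting-IP": "198.51.100.5"}))   # via the edge
    print(admit("198.51.100.5", {"CF-Connecting-IP": "203.0.113.10"}))   # direct to origin, spoofed header
```

The same rule belongs in the host firewall or the web server's allow list, not only in application code; what matters is that the origin never answers a peer outside the provider's ranges, and that the forwarded-client header is used for rate limiting and logging only when that check has passed.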
6. My site is “small” and therefore not interesting
Clearly, that is not true. Smaller blogs and sites are in fact ideal targets:
1. The smaller the site, the less likely it is to be maintained by competent administrators who would respond quickly to an attack.
Researchers have found that most attacks hit small and medium businesses, which lack the resources to defend themselves, rather than larger, better-defended sites.
A website does not need millions of visitors to interest hackers. Once they get in, your site can be defaced or destroyed, and your server used to spread malware, send spam or redirect visitors to malicious sites.
2. Owners of smaller websites may feel protected because they are lost in the crowd of other websites. But blog owners work hard to stand out from that crowd and attract as much traffic as possible, and if you attract attention, you will attract unwanted attention too.
Today's hacks use bots that trawl thousands of websites looking for vulnerable pages, favouring quantity over quality. No website is too small to be hacked, and every owner needs to take precautions.
Security through obscurity: The Good, The Bad, The Ugly
Security by obscurity is considered bad because it usually means obscurity is the main line of defence. The secret holds only as long as nobody discovers it; the moment someone finds out your particular trick, the system is vulnerable again.
Never rely on secrecy as your primary security method. Secrecy is only safe until it is discovered.
Security is not about hiding something; it is about making it hard to get to. There are many ways to protect information: a password, a safe, a bank vault. True security goes beyond hiding information to making sure that nobody else can access it even when they know where it is.
Security through obscurity is not bad in itself; security only through obscurity is what is risky.
Although WordPress may be attacked more often than other CMSs, it is not inherently insecure. Its biggest vulnerability is users not taking steps to protect their own sites.
WordPress consists of the WordPress core plus external plugins and themes. Up to 80% of hacking incidents are the result of outdated software (plugins and themes that are not updated).
The easiest way to hack a website is through a weak or reused password or an outdated plugin, and that applies to any CMS, not just WordPress. It is not WordPress's fault if your site gets hacked; it is your mistake. Update your themes and plugins regularly.
WordPress has an active international community of users and developers who work together to find and fix security vulnerabilities in the core files as well as in the ecosystem of plugins and themes.
When you design and build a website with WordPress, you are also responsible for its long-term security. No website can be considered 100% safe from hacking, but applying security measures reduces its exposure. Virusdie can help you maintain a high level of security and has great support if anything goes wrong.
Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.
Join our private Facebook group to get help from other security experts, and share your own web security experiences and expertise. Group members receive exclusive news and offers. They can also communicate directly with the Virusdie team. Join us on Facebook.