Let’s debunk some common WordPress security myths we often hear at Shield. In particular we’re going to address the tactic that is commonly referred to as “Security Through Obscurity”, and how that is often applied to WordPress.

Hiding Your WordPress Identity

You might hear advice like, “Hide that you’re using WordPress to keep hackers at bay.” The idea sounds logical: if attackers don’t know your site runs on WordPress, they might skip over it, right?

Wrong. Here’s why:

  • Automated Attacks: Hackers use bots that don’t care what your site runs on; they indiscriminately attack everything.
  • Universal Exploits: Even non-WordPress sites get hit with WordPress-specific attacks, showing that hiding your platform isn’t much of a shield.

Another part of the WP identity-hiding tactic can involve hiding your WordPress version. Sure, you could certainly do that, but what would it gain you?

Some logic argues that if an attacker doesn’t “know” what version of WordPress you’re running, then they don’t know which vulnerabilities to target. That’s true as far as it goes, but what if you kept your WordPress completely up-to-date so that it had no publicly known vulnerabilities? Wouldn’t that be more secure than trying to mask the fact that there are vulnerabilities to exploit?

The same principle holds for hiding your theme or plugins. The best defense against hackers is keeping these up-to-date.

Hiding or Renaming the WordPress Login Page

This also falls under the approach already mentioned. By “hiding” the location of your WordPress login page, it feels like this would stop bots from trying to log in.

Bots don’t care about your feelings.

This technique might thwart simple, unintelligent bots. But most WordPress sites, particularly complex commerce sites running WooCommerce, expose several login areas, and information about where your login page lives can easily be leaked by other plugins on your site. Bots have a way of “finding” your login page no matter where it is.

Shield Security PRO offers a WP Login Rename feature, but we always stress that this is purely cosmetic: it doesn’t enhance your WordPress security one iota.

Tweaking the WordPress Defaults

Changing things like your login URL or admin username might seem like a clever trick to outsmart hackers. While it may deter the most basic bots, skilled attackers will likely uncover these changes.

Just as we discussed above when hiding the WordPress version, you could rename your WP admin username and hide your WP login page to prevent bots from logging in. But that wouldn’t come close to the benefits you’d get by enforcing strong passwords, preventing password re-use, and protecting accounts with 2-Factor Authentication.

If you did all that you could put your login page out in plain sight for the whole world to see and remain confident that no-one is getting in, no matter how hard they try (as long as your site is protected from brute-force attacks).
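To make the previous two paragraphs concrete, here is an added example (not Shield’s code, and not the WP Login Rename feature) of what “enforce strong passwords” and “protected from brute-force attacks” look like when built on nothing but core WordPress hooks: a must-use plugin that locks a client out of the password check after repeated failed logins, and rejects short or well-known passwords when a user sets one. The thresholds, the lockout window, the keying on `REMOTE_ADDR`, the `bf_` prefix and the small password denylist are all assumptions chosen for illustration; a production deployment would size them to its own traffic and account for reverse proxies.

```php
<?php
/**
 * Added example, not part of the original post: brute-force lockout plus a
 * minimal password policy using only core WordPress hooks and transients.
 * Save as wp-content/mu-plugins/bf-lockout.php (assumed location).
 */

// Assumed policy values for illustration.
const BF_MAX_ATTEMPTS       = 5;                        // failures allowed per window
const BF_WINDOW_SECONDS     = 15 * MINUTE_IN_SECONDS;   // MINUTE_IN_SECONDS is a core WP constant
const BF_LOCKOUT_SECONDS    = 30 * MINUTE_IN_SECONDS;
const BF_MIN_PASSWORD_LENGTH = 12;
// Constructed sample denylist; a real one would be far larger (e.g. a breached-password list).
const BF_DENYLIST = [ 'password', 'password1', 'wordpress', 'admin123', 'letmein', 'qwerty123' ];

// Transient key for the current client. Keyed on REMOTE_ADDR only: behind a reverse
// proxy you would have to trust a forwarded-for header explicitly, never blindly.
function bf_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'bf_' . md5( $ip );
}

// Count every failed login for this client; lock the client once the threshold is hit.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = bf_client_key();
    $attempts = (int) get_transient( $key . '_fails' ) + 1;
    set_transient( $key . '_fails', $attempts, BF_WINDOW_SECONDS );
    if ( $attempts >= BF_MAX_ATTEMPTS ) {
        set_transient( $key . '_locked', time() + BF_LOCKOUT_SECONDS, BF_LOCKOUT_SECONDS );
        error_log( sprintf( 'bf-lockout: client locked after %d failures (last username: %s)', $attempts, $username ) );
    }
}, 10, 1 );

// While locked, refuse before the password is ever compared. Core checks the password in
// wp_authenticate_username_password / wp_authenticate_email_password at priority 20, so we
// run at 5, detach those handlers for this request, and hand back a WP_Error instead.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $locked_until = (int) get_transient( bf_client_key() . '_locked' );
    if ( $locked_until > time() ) {
        remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
        remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
        $minutes = (int) ceil( ( $locked_until - time() ) / 60 );
        return new WP_Error( 'bf_locked', sprintf( 'Too many failed logins. Try again in %d minutes.', $minutes ) );
    }
    return $user;
}, 5, 3 );

// A successful login clears the counters for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
    $key = bf_client_key();
    delete_transient( $key . '_fails' );
    delete_transient( $key . '_locked' );
}, 10, 2 );

// Password policy: enforced on profile updates and on password resets. Both hooks pass a
// WP_Error as their first argument, and core posts the new password as 'pass1'.
function bf_check_password_strength( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change submitted
    }
    $pw = (string) wp_unslash( $_POST['pass1'] );
    if ( strlen( $pw ) < BF_MIN_PASSWORD_LENGTH ) {
        $errors->add( 'bf_short', sprintf( 'Password must be at least %d characters.', BF_MIN_PASSWORD_LENGTH ) );
    }
    if ( in_array( strtolower( $pw ), BF_DENYLIST, true ) ) {
        $errors->add( 'bf_common', 'That password is too common; choose another.' );
    }
}
add_action( 'user_profile_update_errors', 'bf_check_password_strength', 10, 1 );
add_action( 'validate_password_reset', 'bf_check_password_strength', 10, 1 );
```

Two design points worth noting. The lockout deliberately short-circuits the `authenticate` chain rather than letting core verify the password and then overriding the result, so a locked client never learns whether a guess was right and never costs you a password-hash comparison. And because counters live in transients, they survive across requests without any schema changes, but on a site with no persistent object cache they land in the options table, which is one more reason to keep the window and lockout durations modest.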

The Not-So-Hidden Costs of Obscurity

Implementing these “hide and seek” tactics has downsides that are often overlooked until you actually use them:

  • Increased Complexity: Altering standard WordPress elements can lead to issues with plugins, themes, or updates, making your site harder to manage and more likely to break.
  • Maintenance Nightmares: Custom setups mean more troubleshooting when things go wrong.

It’s far easier to use a tool like Shield Security PRO for WordPress to enforce a strong security posture than to waste time and resources trying to hide the technology that powers your site.

Security Through Obscurity: Not Worth It?

While changing defaults and hiding your site can offer a small sliver of protection and make you feel better, it shouldn’t be your primary strategy. Focus on robust security practices like regular updates, strong authentication, and good backup schedules.

Security through obscurity might give a false sense of safety, but straightforward, proven methods are your best bet.