We instinctively hide the things we find valuable. It makes sense: if thieves and other bad actors can’t find our valuables, how can they take them? In the digital age, we act on the same instinct. A common security precaution taken by WordPress site owners is to move the login page to a different location; if hackers can’t find the login page, they can’t launch a brute force attack against it. Hiding things, moving them, making it difficult to figure them out — these are examples of security by obscurity.
When I talk to WordPress hosting clients about security, the concept of security by obscurity comes up all the time. Among the common misconceptions I hear is the belief that owners of low-traffic sites don’t need to worry about security — their site is obscure, so it’s inherently secure. In fact, automated scanners regularly check through a large proportion of the web’s IP space looking for vulnerable sites. An insecure site is likely to be hacked even if it’s never had a single visitor. Criminals like sites with large audiences, but they also like any vulnerable site with storage and bandwidth.
More sophisticated WordPress site owners apply security by obscurity too: they change the default Administrator username because they know criminals will target it.
But there’s a problem with relying on security by obscurity: all it takes is for someone to find what you’re hiding and it’s game over. If your website has a security vulnerability, you might reason that because it’s difficult to find, there’s no point putting in the effort to fix it. If few people visit your site, why update it regularly? Even if there is a vulnerability, who is going to be looking for it? If your site is a blog and there’s no obvious financial motive to compromise it, can’t you just cross your fingers and hope for the best?
Security by obscurity does nothing to fix the underlying problem. You might want to continue to use an abandoned WordPress plugin, but if you simply hope that no-one notices you’re using a vulnerable plugin, you’ve done nothing to mitigate the underlying issue. It’s a time-bomb that could go off at any moment.
But as renowned security expert Bruce Schneier points out, “security by obscurity sometimes works.” Security by obscurity isn’t bad per se, but it should be a small part of a site’s security processes. Deleting the “admin” user and choosing a less easily guessed username will make your site a little safer from automated attacks and attacks by inexperienced criminals, but implementing two-factor authentication solves the problem.
Moving your WordPress site’s login page to a non-standard location is likely to confuse bots and reduce the number of brute-force attacks your WordPress site has to cope with, but installing a rate limiting plugin will — for the most part — make life much more difficult for brute force attackers while preventing bots from consuming your site’s resources.
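To show what a rate limiting plugin does under the hood, here is a minimal failed-login throttle written as a WordPress plugin file. It is an added example, not code from the original article or from any particular plugin; the `elt_` names, the threshold of 5 failures and the 15-minute window are assumptions chosen for illustration. Because it hooks authentication itself rather than a URL, it applies wherever the login form happens to live.

```php
<?php
/**
 * Plugin Name: Example Login Throttle (illustrative, hypothetical names)
 */

const ELT_MAX_FAILURES = 5;   // assumed threshold before lockout
const ELT_WINDOW       = 900; // assumed lockout window in seconds (15 minutes)

// Build a per-client storage key. REMOTE_ADDR is the direct peer address;
// behind a reverse proxy or CDN it must be replaced with the trusted
// client address your proxy supplies.
function elt_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'elt_' . md5($ip);
}

// Count every failed login against the client. Each failure restarts the
// expiry, so the lockout lasts ELT_WINDOW seconds from the most recent try.
add_action('wp_login_failed', function () {
    $key      = elt_key();
    $failures = (int) get_transient($key);
    set_transient($key, $failures + 1, ELT_WINDOW);
});

// Runs after core's credential check (priority 20), so the error returned
// here is final: a locked-out client is refused even with a correct password.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(elt_key()) >= ELT_MAX_FAILURES) {
        return new WP_Error(
            'elt_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(elt_key());
});
```

Keying on the IP address alone does not stop attempts spread across many addresses, which is one reason the sentence above says rate limiting helps "for the most part".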
Security by obscurity should not be relied on to keep WordPress sites safe. It should be in the mix, but obscurity is no substitute for security best practices.