Security is always a top concern when you’re running a website.
But… sometimes all the hubbub over hacking seems a little over the top. All the scary stories about big businesses like eBay, Target, Adobe, Steam, and others who have suffered big data breaches can feel like fear-mongering. Surely hackers won’t go after your website when they have such big fish to fry?
The data, unfortunately, tells us otherwise. Smaller websites are hacked just as frequently as big ones, with almost half of small businesses reporting that they have been hacked, at an average cost of $8,700.
And those are only the businesses willing to report being hacked. It’s likely that others keep the incident quiet, not wanting their users to lose trust in their ability to keep private data safe and secure.
Even if you only take into account reported instances, tens of thousands of websites are hacked every day, and many of them don’t even know they’ve been hacked and that their websites are being used to spread malicious code.
As a WordPress user, you’re using one of the most secure content management systems available. But no CMS is 100% invulnerable, and hackers are evolving their methods just as fast as developers can patch vulnerabilities.
You may have heard that hiding WordPress is the best way to keep your site secure from hackers and bots.
There’s actually quite a bit of debate among developers and security experts about this practice.
I’ll go over the pros and cons of both sides and the reasoning behind them, and leave it up to you to decide if hiding your CMS is right for your website.
Then we’ll talk about how you can obscure your implementation of WordPress.
Let’s get started!
Isn’t WordPress Secure Enough Already?
WordPress is known for being a very secure content management system (CMS). Security issues are a top concern of WordPress core developers, and the software is patched and updated regularly to address any vulnerabilities that arise.
The security of WordPress is one of the reasons for its popularity. WordPress is now one of the most popular content management systems on the web, used for tens of millions of websites around the world. Even big websites like CNN, The New York Times, eBay, and Mashable use WordPress for their blogs.
But just the fact that you’re using WordPress for your website doesn’t make your website invulnerable to hackers.
In fact, its very popularity is what makes it a popular target.
Hackers know that millions of websites using WordPress aren’t using the best security measures to keep their sites secure. Many of those sites are using weak passwords, outdated versions of WordPress with known vulnerabilities, or old and insecure plugins and themes. Hackers know they’ll have plenty of targets out there once they discover those vulnerabilities and create a way to exploit them.
The most common ways that hackers attack WordPress sites are brute-force attacks and specially crafted HTTP requests.
Brute-force hackers use software to try to gain access to your website by guessing at your password until they get lucky and break in. Often, simple countermeasures like requiring CAPTCHA or 2-step verification on login can easily stop brute force login attempts in their tracks.
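As an added example, not code from the original article, here is a small Python script that spots the brute-force login pattern described above in ordinary Apache access-log lines. The log lines are constructed, and the check relies on WordPress answering a failed POST to wp-login.php with HTTP 200 (the form is re-rendered with an error) and a successful login with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 hammers wp-login.php, 198.51.100.4 logs in once (302 = success).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
"""

def failed_logins(log_text):
    """Return {ip: [timestamps]} of POSTs to wp-login.php that were answered with 200.
    WordPress re-renders the login form (HTTP 200) on a bad password and redirects
    (HTTP 302) after a successful login, so a 200 on a POST indicates a failed attempt."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            attempts[ip].append(datetime.strptime(ts, TIME_FMT))
    return attempts

def bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with at least `threshold` failed logins inside any sliding `window`.
    Returns {ip: total_failed_attempts} for the flagged sources."""
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed wp-login.php POSTs, a candidate for CAPTCHA or rate limiting")
```

The same threshold logic is what login-protection plugins apply before showing a CAPTCHA or locking an address out.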
Another common category of hacker attack is specially crafted HTTP requests sent to your server. These requests are designed to exploit specific vulnerabilities, which are often caused by outdated or insecure software, themes, or plugins. Anything contained in your wp-content directory, whether active or inactive, can potentially introduce security vulnerabilities to your website that knowledgeable hackers can exploit to disable or gain access to your blog.
Why Hide WordPress?
Here’s where the debate comes in.
But first, let’s get our terminology straight: Sometimes people mean different things when they say they’re hiding WordPress.
What’s usually meant by “hiding WordPress” is that you’re attempting to obscure the fact that your site runs on WordPress from any person or bot that attempts to identify the CMS.
But hiding WordPress could also mean just trying to hide which version number of WordPress you’re using, or changing permalinks, file names, subdirectories, etc. to hide them from bots.
Is hiding WordPress worth the effort? Depends on who you ask.
The fact is, there’s no way to completely obscure the fact that your website runs on WordPress. A tech-savvy person who knows enough about WordPress will be able to detect your CMS using any number of means.
Even if you’re just trying to hide your WordPress version number, there are a multitude of ways to discover what WordPress version you’re using just by being familiar with the differences between versions.
And security experts warn that security through obscurity is a discouraged practice, since it can encourage laxness in addressing vulnerabilities if you think no one can find them: “The security of a system should depend on its key, not on its design remaining obscure,” security engineer Ross Anderson wrote.
Does that mean it’s a waste of time to hide WordPress?
Maybe, maybe not. It won’t help you to foil a dedicated hacker that’s targeting you specifically.
But the majority of hacking attempts are made by bots, and you may be able to foil hacker bots by obscuring your WordPress installation. Just by changing some default permalinks, you may be able to protect your website against things like brute-force attacks, SQL injection, and requests to your PHP files.
Other WordPress Security Measures
Hiding WordPress by obscuring a few permalinks and files can be a good security measure, but it’s not your only option, and it shouldn’t be the only action you take to protect your site.
There are some basic WordPress security tips you can easily follow to keep your site safer from hackers, without hiding WordPress:
- Always use strong passwords.
- Always keep your WordPress core updated to the latest version.
- Keep all your themes and plugins updated, delete inactive themes and plugins, and stop using any themes and plugins that are no longer being updated.
- Consider protecting your login page from brute-force attacks by requiring CAPTCHA and/or two-factor authentication.
- Consider installing an all-in-one security plugin like iThemes Security or Bullet Proof Security.
(If your website’s already been hacked, check out this great guide by Nathan B. Weller here on ElegantThemes to find out how to fix it: “Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked.”)
How to Hide the Fact You’re Using WordPress
So you’ve decided you still want to try to hide the fact that you’re using WordPress from your visitors as well as potential hackers and bots.
How exactly do you go about it?
There are plenty of tutorials out there for hiding just your WordPress version number, but I’m not going to rehash those for a few reasons:
- If security is really your goal, you should always be updating to the latest version anyway.
- The WordPress version number shows up in a multitude of places in various files, so it can be difficult and time-consuming to obscure them all, and not worth the effort, because…
- Even if you do manage to erase every mention of your WordPress version number, there are still plenty of ways someone can find out what version of WordPress you’re using.
- Obscuring your version number won’t protect you from bots, either. Bots don’t generally check to see what version of WordPress you’re using; they just go straight for the vulnerability they’re targeting. If you keep your WordPress core updated, they won’t find it. And if you’re using an old version of WordPress, they will find it regardless of how well you try to hide your version number.
Still determined to hide the fact you use WordPress? It could be that you have a client demanding you hide WordPress for them, or maybe you think that your business looks unprofessional using blogging software to run your website.
In that case, I recommend a premium plugin called Hide My WP, available on Code Canyon. It works well as a general security plugin, and will hide the fact that you’re using WordPress by changing your permalinks without making changes to the actual locations of your files.
Hide My WP has a number of features that improve your WordPress security:
- Changes permalinks of files (like wp-admin) to obscure them from bots
- Removes meta info (like version number) from your headers and feeds
- Controls access to your PHP files
- Changes the default subdirectories of vulnerable folders like wp-content
- Changes query URLs to protect from SQL injections
- Hides files that can give hackers information about your WordPress installation (like readme.html or license.txt)
- Gives you the option to disable specific archives, categories, tags, pages, posts
- Notifies you of security risks with the new “Intrusion Detection System”
Hide My WP is also compatible with many other popular WordPress security plugins. It’s rated 4.5 out of 5 stars on Code Canyon, and the plugin author responds promptly to support requests.
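Whichever plugin or manual approach you use, it pays to verify that the obscuring actually took effect. The following Python check, an added example and not part of the article or the plugin, scans a page’s HTML for the giveaways the feature list above targets: the generator meta tag, ver= version query strings, and links into wp-content, wp-includes, wp-admin, wp-login.php, readme.html or license.txt. The two HTML samples are constructed; the URLs, paths and version numbers in them are made up.

```python
import re
from html.parser import HTMLParser

# Constructed sample of what a stock WordPress front page typically reveals.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2">
<link rel="stylesheet" href="https://example.com/wp-content/themes/mytheme/style.css?ver=6.4.2">
<link rel="alternate" type="application/rss+xml" href="https://example.com/feed/">
<script src="https://example.com/wp-includes/js/wp-embed.min.js?ver=6.4.2"></script>
</head><body><a href="https://example.com/wp-login.php">Log in</a></body></html>"""

# Constructed sample of the same page after permalinks were rewritten and the meta tag removed.
SAMPLE_HTML_OBSCURED = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="https://example.com/assets/css/style.css">
<link rel="alternate" type="application/rss+xml" href="https://example.com/feed/">
<script src="https://example.com/assets/js/embed.min.js"></script>
</head><body><a href="https://example.com/account/">Log in</a></body></html>"""

# Default WordPress paths and files that identify the CMS when they appear in page URLs.
WP_PATH_RE = re.compile(r'/(wp-content|wp-includes|wp-admin|wp-login\.php|readme\.html|license\.txt)\b')
VER_RE = re.compile(r'[?&]ver=([\d.]+)')  # core assets carry ?ver=<WordPress version> by default

class Fingerprints(HTMLParser):
    """Collect (kind, value) findings from every tag's generator meta, href and src."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.findings.append(("generator-meta", a.get("content") or ""))
        for key in ("href", "src"):
            url = a.get(key)
            if not url:
                continue
            m = WP_PATH_RE.search(url)
            if m:
                self.findings.append(("wp-path", m.group(1)))
            v = VER_RE.search(url)
            if v:
                self.findings.append(("version-query", v.group(1)))

def wordpress_fingerprints(html):
    """Return the list of WordPress giveaways found in `html`; empty means none were found."""
    parser = Fingerprints()
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for kind, value in wordpress_fingerprints(SAMPLE_HTML):
        print(f"{kind}: {value}")
    print("obscured page findings:", wordpress_fingerprints(SAMPLE_HTML_OBSCURED))
```

Run it against your own saved page source before and after enabling the plugin; an empty result only means these particular giveaways are gone, not that the site is undetectable, which is the point the article makes above.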