WordPress Security Through Obscurity: Why It Isn’t Enough to Keep Your Website Safe
Now you see it. Now you don’t.
Website security is like a magic trick that’s getting harder and harder to pull off as time goes by. In fact, hiding aspects of your site as your main form of security just isn’t what it used to be.
Poof, there it goes.
While obscurity is not an effective deterrent on its own, it can still be useful as part of a more expansive security strategy. There are actually a lot of precautions you can take to protect your WordPress site’s admin area that don’t rely solely on obscurity. The best part is that most of these techniques are fairly simple to implement.
In this article, we’ll explain what security through obscurity (also known as security by obscurity) means and discuss why it’s no longer recommended as the sole protection against attacks. We’ll then offer nine tips that will help you secure your WordPress website and admin area. No bunny in hat required.
A Brief Look at WordPress and Security
WordPress is a pretty secure platform; it has to be since it powers more than a quarter of all websites. When you’re using an up-to-date version of WordPress, your site will be protected against the most common types of attacks. Ever since Version 3.7, you don’t even have to worry about installing new security updates yourself since these are now performed automatically.
With that said, no system is ever foolproof. As WordPress is such a ubiquitous platform, it’s also a common target for attackers and malicious bots. Hackers never sleep, and they’re constantly finding new ways to attack your site or exploit flaws in your system. We don’t say this to scare you, but to make you aware that security is something you should never take for granted.
However, what if your website is just a small personal blog or a portfolio of your work? No one would bother to attack it, right? Well, we hate to bear more bad news, but the majority of common attacks are automated brute force attempts to gain access to the admin area on as many sites as possible. This means that any site, no matter how big or small, is a potential target.
If this worries you, it’s okay. You can channel that concern into productive action. There are actually plenty of easy things you can do to strengthen your site’s security. First, let’s look at one strategy that’s been popular for some time now.
An Introduction to WordPress Security Through Obscurity
Security through obscurity is when you rely on secrecy and obfuscation to protect your website. The thinking goes that if attackers are not aware of a flaw in your security, or cannot easily find your site’s weak points, that will be enough to keep the site safe.
One popular way to implement this strategy is by simply altering some of the default WordPress settings. This could include changing the URL for the WordPress login page, hiding the WordPress version number, and renaming sensitive folders.
In theory, this is not a terrible idea, especially since many brute force attacks rely on automated bots to perform the same action against thousands of websites. If you can hide your site’s vulnerable points, you make it harder for them to reach you. However, this is only effective up to a certain point. Relying on obscurity as the sole tactic for protecting your site is not going to work in the long run.
Our automatic updates and strong security defenses take server management off your hands so you can focus on creating a great website.WordPress + DreamHost
Why You Shouldn’t Rely Solely on Security by Obscurity for Your WordPress Site
Although security by obscurity has been popular over the years, it’s generally not considered a best practice to make it your website’s only form of protection. This is not a recent trend either, as obscurity has been criticized for a long time — and we do mean a long time.
For example, an early critique of this practice comes from the locksmith Alfred Charles Hobbs back in 1853. He would often openly discuss specific vulnerabilities in lock designs, for which he was sometimes criticized. When asked why he would make this sensitive information public knowledge, he simply responded:
“Rogues are very keen in their profession and know already much more than we can teach them.”
This quotation highlights the main problem with obscurity as a security strategy. It’s based on the assumption that simply by hiding something, you ensure that it will never be found. This is like keeping your house key under your doormat. While it might deter impatient robbers, it only takes one person to lift the mat and completely break your security system.
A similar point was made by the 19th-century cryptographer Auguste Kerckhoff, who originated Kerckhoff’s principle. This principle states that any system should remain secure even if all aspects of its design, except the key, become public knowledge.
Of course, security by obscurity can still play a role in keeping your site safe. It’s a good way to slow down attackers, even if it won’t stop them outright. It just doesn’t work as the primary method for safeguarding your site. Instead, it needs to be used as one part of a broader security system.
How to Actually Protect Your WordPress Admin Area (9 Vital Tips)
We’ve spent a lot of time talking about why you shouldn’t rely entirely on obscurity to keep your site safe. Now, it’s time to get constructive. Let’s look at some of the ways you can protect your WordPress admin area.
However, before you make any changes to your site, we recommend that you first create a backup. This will save you a lot of trouble if something goes wrong along the way or if you need to revert your site for any reason. Then you can start working your way down the list!
1. Use Two-Step Authentication
Two-step authentication (also called two-factor authentication) adds another layer to your login process and makes your admin area more secure. It works by requiring not just your user credentials, but also a one-time passcode whenever you want to access your account. The passcode is generally sent to an external device, such as a cell phone.
Adding an extra step to the login process is a little inconvenient, but makes it much harder for attackers to brute force their way in.
If your site is hosted with DreamHost, there are a few easy methods for setting up two-step authentication. You can use the Google Authenticator app on your phone or other mobile device, for example. Alternately, you can purchase and use a YubiKey device, a tool specifically designed for this application.
2. Use a Firewall
You’re almost certainly aware of firewalls and their importance. They are an integral part of computer security, and most people have at least have a passing familiarity with them at this point. When used for websites, they are usually referred to as Web Application Firewalls (WAFs).
A firewall sits ‘in front’ of your site, monitoring its traffic and blocking many common threats, such as malware. This makes it an indispensable layer in any site’s security. If your site is hosted on DreamHost, you don’t have to worry, as it will already be protected by a built-in firewall.
Otherwise, there are plenty of WordPress-specific solutions available, such as Sucuri and SiteLock. Our personal favorite is Cloudflare, which can easily be integrated into WordPress and offers a number of additional features, including content optimization.
3. Password Protect the WordPress Admin Directory
Your wp-admin directory contains all the files necessary to log in to your site’s admin area. This makes it a primary way for attackers to gain access. One way you can stop them is by protecting the directory with a password.
There are a number of ways to do this, but the easiest is through your web host’s panel. There, you will be able to configure the directory to require a password for access. The process for how to do this will differ depending on your host, so refer to its provided documentation for more details.
Another way you can achieve the same goal is by adding .htaccess and .htpasswd files to your site’s directory. This is recommended only for advanced users, who want total control over their site structure.
That said, it’s important to note that password protecting your admin directory can have a negative side effect. Specifically, it can interfere with all WordPress plugins that use AJAX. This could be a big problem, as many plugins rely on AJAX to work.
Fortunately, there is a pretty simple solution. You’ll just need to add the following code to your .htaccess file:
<Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files>
This will allow the AJAX file to be accessed by the plugins that need it, even if the rest of the directory is protected.
Related: 13 of the Best Security Plugins to Keep Your WordPress Site Safe
4. Always Use Strong Passwords
This may seem like an obvious tip, but it’s one that bears repeating. The most common reason attacks succeed is due to passwords that are easy to guess, such as ‘“123456” and “password.” People like to use passwords they can easily remember, but that makes them equally easy to crack.
The good news is that these days, you don’t even need to remember your passwords. By using a password keychain solution, such as Password Safe or Keychain Access, you can save your passwords in one secure location and copy them whenever they’re needed.
As for the password itself, WordPress actually contains an excellent generator in the admin area. Just navigate to All Users, and then select your admin account from the list. This takes you to the Edit User page, where you can scroll down to find the Account Management section.
Select Generate Password to create a new password, which will appear underneath the button. You can copy this and set it as the user’s new password.
You should also take the time to test your password to make sure it genuinely is strong enough.
If your password consists of a simple string of words and numbers, you’ll probably find that it can be cracked within minutes. However, passwords generated by WordPress should be very difficult to crack.
5. Limit the Number of Login Attempts Allowed
A basic but efficient way of stopping many attackers is to limit the number of login attempts each user is allowed to make. When the limit has been exceeded, the IP address will be prohibited from attempting to log in for a set amount of time.
You can implement this technique easily with the free Limit Login Attempts Reloaded plugin. It will automatically set a limit of five attempts from any IP address, and then lock that IP from trying again for 20 minutes.
If you want to change these defaults, you can do so by going to Settings > Limit Login Attempts. In addition to the plugin options, this page will show you a list of all lockouts that have occurred. This enables you to keep track of potential unsuccessful attacks.
You can also use this page to whitelist and blacklist specific IP addresses. This will make the specified addresses exempt from the login limit, or automatically deny them any time they attempt to sign in.
Related: 12 Things to Know About the GDPR and Data Security
6. Limit Login Access Based on IP Address
If you notice that your site is getting a lot of invalid traffic from a specific IP address or domain, you can usually assume that it belongs to an attacker. Once you know the address for a potential threat, you can deny it access to your login page altogether.
We’ve already talked about using a plugin to blacklist specific IP addresses, but there’s a more flexible way of accomplishing the same goal. This will require you to edit your .htaccess file, and add the following code:
deny from 173.236.241.100
As you can see, this snippet will deny access to the user with the IP address 173.236.241.100. If you want to deny an entire subnet, you would write it like this instead:
deny from 173.236.241.
This will deny all users at the specified subnet from accessing your login page. Just be careful not to accidentally block users who should have access to the site!
7. Disable Login Hints
When a login attempt fails, WordPress will display a default error message. This will usually feature a hint as to why the attempt was unsuccessful.
This is certainly helpful. In fact, it might be too helpful. This message can inadvertently give potential attackers more information about how to crack your login page. A solution is to replace this message with something more generic.
This will require you to add functionality to your site, which you can do by editing the functions.php file. However, this can be risky, especially since the functionality is tied to the theme and will be lost if you switch themes down the road.
Instead, we recommend you add the function as a ’Must Use’ (MU) plugin, which are stored in wp-content/mu-plugins. These are plugins that cannot be deactivated in the admin dashboard, and will run on all sites within an installation. In this case, set up the plugin and use the following code:
// Display no login error. add_filter( 'login_errors', '__return_false' ); //Display a message. add_filter( 'login_errors'), function(){ return 'Something went wrong!'; });
This will override the default login error message with the phrase “Something went wrong!” You can even give it a try and see the new message in action.
Feel free to replace the default text with whatever message you prefer.
8. Keep Your WordPress Site Updated
This is another tip we’re willing to bet you’ve heard by now. However, it’s also one of the most important. Using an outdated version of WordPress does not come with any guarantees.
Since version 3.7, all security updates are automatically installed on your site. WordPress itself can be set to update automatically as well. We strongly recommend that you do this; it’s good practice to keep software updated. Just remember that vulnerabilities can be introduced by updates as well.
The same goes for your themes and plugins. These are entry points, which can contain security vulnerabilities and exploits. Whenever a new version of a plugin or your theme is available, you should update it as soon as possible. This is easy to do, and it can prevent a lot of problems.
Related: How to Back up Your WordPress Website — A Complete Guide
9. Understand WordPress User Roles and Permissions
One final (but crucial) aspect you’ll need to consider is user roles and permissions. It’s very important to carefully consider which roles you assign to your users. This is to ensure that you don’t give unnecessary permissions to people who could use them irresponsibly.
By default, WordPress contains the following user roles with varying permissions:
- Super Admins have full access to the network, site, and admin dashboard.
- Administrators have full access to the site and admin dashboard, including plugins and themes.
- Editors can write, publish, and edit all posts, comments, and pages.
- Authors can write, publish, and edit their own posts and comments.
- Contributors can edit and delete their own posts.
- Subscribers can only view the site.
As you can see, certain roles have more privileges than others. You need to make sure that the roles you assign users, either manually or by default when they register, are correct. As a general rule, only give each person the permissions they need to do their job and nothing more. In addition, it’s best to keep the number of users with high-level roles as small as possible.
Play It Safe
Keeping your site secure is not a task you should take lightly or leave to chance. Attackers are more persistent and resourceful than ever so you need to be their match at every step. This is why relying entirely on security by obscurity is not enough.
While obscurity can be a useful tool in your arsenal, it should be no means be the only one.
Do you have any questions about WordPress security through obscurity? Or even how to protect your WordPress site and admin area? Join our conversation on Twitter or Facebook.
