Does hiding the WordPress version number really improve the security of your website?
One of the most common tips to improve the security of your WordPress website is to hide the version of WordPress that you are running. It is also a very common feature in the many WordPress security plugins available, to hide and obscure the fact that you are running WordPress, or its version. But does it really help? Or is this just a gimmick?
The answer is no, it does not help. Hiding the version of your WordPress won’t protect your site from automated malicious attacks. In this article we explain in more detail why it does not work.
Most popular WordPress hacks
The two most common and successful ways malicious hackers have used, and still use, to break into WordPress websites are:
- Exploiting a known vulnerability on an old version of WordPress, plugin or theme
- Guessing a WordPress administrator (or another account) password to login to WordPress
How do these WordPress attacks work?
Exploiting a known WordPress, plugin or theme vulnerability
To date, thousands of known vulnerabilities have been reported in older versions of WordPress core, plugins and themes. To exploit these known vulnerabilities, malicious hackers use automated tools to scan large numbers of websites.
These automated tools do not check what version of WordPress the target website is using. They do not even check if a target is running on WordPress. They simply send the malicious request, and if the target website replies with a specific response, it means that it is vulnerable. Vulnerable websites are then flagged and attacked at a later stage.
Of course, if the target website is vulnerable to a specific WordPress or plugin vulnerability, it is running an older version of WordPress or of the plugin. However, hiding the WordPress version does not help at all in this case, because the tools never looked at the version in the first place. The best ways to protect your websites from this type of attack are:
- Always run the latest version of WordPress, plugins and themes
- Delete any unused / disabled plugins, themes and other files containing code snippets
- Before installing a plugin or theme make a proper background check to ensure it is not vulnerable.
Guessing WordPress credentials (brute force and dictionary attacks)
The other popular type of attack employed against WordPress websites is brute force and dictionary attacks. During such automated attacks the tools used by the malicious hackers scan large numbers of websites to:
- Identify the login page (checking for specific patterns in WordPress such as /wp-admin/ and wp-login.php)
- Try to log in using a brute force approach with commonly used credentials, such as admin and password.
As with the previous attack, the tools do not check for or target WordPress websites specifically. The tools simply scan a list of targets. If a target website replies with the expected response, it is hosted on WordPress and it will be attacked. Once the credentials are guessed, the website is flagged for further attack.
To protect your WordPress sites against brute force and other similar attacks, do not use default usernames and use strong passwords. Consider also implementing policies that enforce strong password security and adding two-factor authentication.
WP White Security Tip: A strong password should consist of at least 8 characters and should not be a dictionary word. It should also have a mix of upper case and lower case letters, numbers and special characters such as !, ?, – etc. Read our guide on what makes a strong password for more information on this subject.
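Because the credential-guessing tools described above key on the login page pattern rather than the version, the defender's counterpart is to detect the same pattern in the web server's access log. The following script is an added example, not code from the original article: it parses constructed combined-format log lines (assumed sample data, not real traffic) and flags any source that reaches a threshold of failed POSTs to wp-login.php inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "combined" access-log lines (not real traffic). The first source
# hammers wp-login.php with guesses; it never asks which WordPress version runs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4300 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:13:56:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> total failed logins for sources that reach `threshold`
    failed POSTs to wp-login.php inside any `window`. WordPress re-renders the
    form with HTTP 200 on a failed login and answers a successful one with a
    302 redirect, so a 200 on POST is counted as a failure."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php") and rec[4] == 200:
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        for i, start in enumerate(stamps):  # sliding window anchored at each failure
            if sum(1 for t in stamps[i:] if t - start <= window) >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged
```

On the sample data the first source is flagged with five failures before its final 302, while the second source, which logged in once, is not; feeding it a real log and blocking flagged sources (or feeding them to fail2ban) is the usual next step.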
Why do many still recommend hiding the WordPress version?
The idea of hiding the version of the software you are running originated from the web application security industry. In some cases organizations cannot use the latest version of the web server or other software available, because of incompatibilities. Therefore most of the time, they employ a security by obscurity approach. They hide the version of the web server and other software they are using.
In the early days of the internet this was a somewhat effective measure, especially when automated security tools were not so common and could not identify most of the known vulnerabilities. However, with today's free or affordable automated security tools, even a non-seasoned hacker can identify the CMS a website is running on, and its version, within seconds.
Conclusion: hiding the WordPress version does NOT help
Gone are the days when security by obscurity used to work. Nowadays, very powerful automated security tools are so easily available that even non-technical people can launch attacks and exploit the most common types of issues. Therefore hiding the WordPress version will not improve the protection or security posture of your website.
Even in the case of a targeted WordPress attack, there are many ways and means by which one can identify known issues in a target WordPress install, or in the plugins running on it. For example, by using an automated WordPress black box scanner, you can identify which plugins are running on the target installation, what version they are, and much more.