Does hiding the version of your WordPress really improve the security of WordPress and protect it from malicious hacker attacks?
One of the most common tips WordPress security articles and tutorials recommend for improving the security of your WordPress blog or website is to hide the version of your WordPress installation. The same applies to most of the available WordPress security plugins; one of the most common features they promote is hiding and obscuring the version of your WordPress installation.
But does hiding the version of your WordPress installation or obscuring WordPress really protect your blog or website from malicious hacker attacks? Or is this just a security “gimmick”? Does it improve the security of your WordPress?
The answer is no; or, more precisely, in most cases it will not protect your WordPress from automated mass malicious hacker attacks. This WordPress security article explains why hiding the version of your WordPress does not really protect you from automated malicious hacker attacks and does not improve the security of your WordPress blogs and websites.
Most Popular WordPress Hacks
Looking back at the history of hack attacks against WordPress, there have been many different types of successful ones, but the two most common and successful ways malicious hackers have used, and still use, to hack into WordPress blogs and websites are:
- Exploiting a known vulnerability in an old version of WordPress, a plugin or a theme
- Guessing a WordPress administrator (or other account) password to log in to WordPress
How Do These WordPress Attacks Work?
Exploiting a Known WordPress, Plugin or Theme Vulnerability
To date, hundreds if not thousands of known vulnerabilities have been reported in older versions of WordPress and several plugins and themes. To exploit these known vulnerabilities and hack into WordPress websites, malicious hackers use automated tools to scan large numbers of websites automatically.
Such automated tools do not even check whether the target websites run WordPress, or what version of software they run. They simply start scanning websites randomly and check whether each target website is vulnerable to a specific attack. Those websites which are vulnerable are flagged and attacked. Of course, if a target website is vulnerable to a specific WordPress or plugin vulnerability, it means that it is running an older version of WordPress or has a vulnerable plugin installed.
As we have just seen, in this type of attack malicious hackers do not even target any specific website; therefore hiding the version of your WordPress installation will not protect you from such attacks.
The best ways to protect your WordPress blogs or websites from this type of attack are:
- Always run the latest version of WordPress, plugins and themes
- Delete any unused or disabled plugins, themes and other files containing code snippets
- Before installing a plugin or theme, do a proper background check to ensure it is not vulnerable
Guessing WordPress Credentials a.k.a WordPress Brute Force Attack
The other popular attack malicious hackers use to hack into WordPress blogs and websites is the WordPress brute force attack. During such automated attacks the tools used by the malicious hackers scan large numbers of websites to:
- Check if a website has a /wp-admin/ directory (WordPress dashboard)
- Try to login using commonly used WordPress usernames and passwords, such as admin and password.
As in the previous attack, the attackers do not check for or target WordPress websites specifically. They simply launch their tools and start scanning randomly. Websites that respond positively to the tool’s requests are identified as WordPress and attacked. Once the credentials are guessed, the website is flagged for further attack.
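Both attacks described above leave a recognisable trace in the web server's access log: the vulnerability scanner produces a burst of 404s under the plugin and theme directories for code that is not installed, and the brute forcer produces a burst of POSTs to wp-login.php that are answered with the login form again (HTTP 200) rather than a redirect. The following script is an added example, not code from the original article, that parses Apache combined-format log lines and flags both patterns per client IP. The log lines, IP addresses, plugin slugs and thresholds are all constructed for the example; it also assumes default WordPress behaviour, where a failed login re-renders the form with 200 and a successful one redirects with 302.

```python
"""Flag untargeted WordPress scanning and wp-login.php brute forcing in an
Apache combined-format access log.  Added example; sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic).  203.0.113.10 probes plugin and theme
# paths that do not exist on this site; 198.51.100.7 repeatedly POSTs to
# wp-login.php and keeps getting the form back (200); 192.0.2.5 is a normal
# visitor whose single POST succeeds (302).  Plugin slugs are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:04 +0000] "GET /wp-content/themes/theme-x/style.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:05 +0000] "GET /wp-content/plugins/plugin-e/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3250 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3250 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3250 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3250 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3250 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3250 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:00 +0000] "GET /about/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:01 +0000] "GET /favicon.ico HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referrer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def is_probe(rec):
    """A 404 under the plugin/theme tree: the client asked for code that is not
    installed here, which is what an untargeted scan looks like from the victim's side."""
    return rec["status"] == 404 and rec["path"].startswith(
        ("/wp-content/plugins/", "/wp-content/themes/"))


def is_failed_login(rec):
    """Assumes default WordPress behaviour: a wrong password re-renders the form
    (200), a correct one redirects (302).  So POST + 200 on wp-login.php is a failure."""
    return rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200


def has_burst(timestamps, count, window_s):
    """True if any `count` events fall within `window_s` seconds of each other."""
    ts = sorted(timestamps)
    return any((ts[i + count - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - count + 1))


def analyse(log_text, window_s=60, probe_threshold=5, login_threshold=5):
    """Map client IP -> list of findings ("plugin_probe", "login_bruteforce")."""
    probes, failures = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_probe(rec):
            probes[rec["ip"]].append(rec["ts"])
        elif is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
    findings = defaultdict(list)
    for ip, ts in probes.items():
        if has_burst(ts, probe_threshold, window_s):
            findings[ip].append("plugin_probe")
    for ip, ts in failures.items():
        if has_burst(ts, login_threshold, window_s):
            findings[ip].append("login_bruteforce")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(hits))
```

Note that neither detector needs to know the WordPress version: the scanner is visible because it asks for plugins the site does not have, and the brute forcer because of the volume of failed logins. The visitor's single successful login (302) and stray favicon 404 are not flagged, which is why the checks are scoped to the plugin/theme tree and to POSTs answered with 200 rather than to any 404 or any request to wp-login.php.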
The way to protect your WordPress blogs and websites against brute force attacks and other similar attacks is to use strong usernames and passwords. You should also never use default WordPress accounts such as the admin username. If you do, rename it by following this procedure to manually rename the built-in WordPress administrator account.
WP White Security Tip: A strong password should consist of at least 8 characters and should not be a dictionary word. It should contain a mixture of upper case and lower case letters, numbers and special characters such as !, ?, – etc.
You can also implement two-factor authentication on WordPress or protect your WordPress login page with HTTP authentication to improve the security of the WordPress login and further protect your WordPress installation from this type of attack.
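The password rules in the tip above can be enforced mechanically, for instance when vetting accounts during an audit. The function below is an added example, not code from the original article: it returns every rule a candidate password breaks under that policy (minimum 8 characters, not a dictionary word, mixed case, digits and special characters). The word list is a constructed stand-in for a real dictionary, and the stripping of trailing digits and punctuation before the dictionary lookup is an assumption added here so that a dictionary word with a number tacked on is still treated as a dictionary word.

```python
"""Check a password against the stated policy.  Added example; the word list is
a constructed stand-in, not a real dictionary."""
import string

# Constructed stand-in: a real check would load a full word list and, ideally,
# a breached-password list instead of these few entries.
DICTIONARY = {"password", "admin", "wordpress", "welcome", "letmein", "qwerty"}


def policy_failures(password, min_length=8, dictionary=DICTIONARY):
    """Return the list of rules `password` breaks; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append("too_short")
    # Assumption added here: strip trailing digits/punctuation so that
    # "password123!" is still recognised as the dictionary word "password".
    core = password.lower().rstrip(string.digits + string.punctuation)
    if password.lower() in dictionary or core in dictionary:
        failures.append("dictionary_word")
    if not any(c.islower() for c in password):
        failures.append("no_lowercase")
    if not any(c.isupper() for c in password):
        failures.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("no_digit")
    # Anything that is not a letter or digit counts as special (!, ?, dashes, ...).
    if not any(not c.isalnum() for c in password):
        failures.append("no_special")
    return failures


def meets_policy(password):
    """Convenience wrapper: True when no rule is broken."""
    return not policy_failures(password)


if __name__ == "__main__":
    for candidate in ["admin", "password", "Password123!", "kR7!vq2#Zp"]:
        print(f"{candidate!r}: {policy_failures(candidate) or 'ok'}")
```

Returning the list of broken rules rather than a bare pass/fail lets the caller tell the user exactly what to fix, and makes the thresholds (minimum length, dictionary) easy to tighten later without touching the callers.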
Why Do Many Recommend Hiding the Version of WordPress?
The idea of hiding the version of the software you are running originated in the web application security industry, because many organizations cannot always run the latest version of their web server or other software due to web application incompatibilities. Hiding the web server's version therefore often saved them from malicious hacker attacks, especially back in the days when automated security tools, which are also used for hacking, were not so popular or could not identify most vulnerabilities.
The same concept was then applied in the WordPress community. But with today’s automated security tools, most of which are freely available on the internet, even an inexperienced hacker can identify the CMS a website runs on, and its version, within minutes.
Conclusion: Hiding the Version of WordPress Does NOT Help
After looking into the current trending WordPress attacks, one can easily conclude that hiding the version of WordPress will not improve a website’s security or protect it from malicious hacker attacks.
Even in the case of a targeted attack, there are many ways and tools one can use to identify WordPress and its version, the plugins it is running and the installed theme. For example, by using WPScan, an automated WordPress black box scanner, one can identify which plugins are running on the target WordPress installation, what version they are and much more. So you might as well not bother with hiding the version and look into other, more useful ways to improve the security of your WordPress blogs and websites.