There is a security tip that can be seen often on the Internet. Articles and tutorials about WordPress security tend to say that hiding your WordPress version enhances the security of your website. In fact, you can even find that most security plugins also promote hiding your WordPress installation version and obscuring it.
Does the method of hiding the version of your WordPress code core work against security attacks? Will your WordPress site be protected if you simply hide a bunch of numbers from hackers?
The answer is no. The sad truth is, this misconception is common among users, and because it’s all over the Internet, people believe it. The whole thing is actually a security “gimmick,” or as people nowadays like to say – a myth.
In most cases, hiding the WordPress version of a site won’t even protect it against automated mass hacker attacks. This article is to explain why such attacks cannot be prevented by hiding the version of your site’s WordPress code.
Most Popular WordPress Hacks
When talking about malicious hacker attacks against WordPress, there have been lots of successful ones (different types) over the years. However, the two most common hacker attack cases have to be:
- Exploiting of known vulnerabilities in older versions of the WordPress core, plugins or themes;
- Guessing a WordPress admin (or another account) password.
How Do WordPress Attacks Work?
Exploiting Known WordPress, Plugins, and Theme Vulnerabilities
To date, there are hundreds, maybe even thousands of known and reported vulnerabilities in older WordPress versions, plugins, and themes. Malicious hackers tend to use automated tools that scan an extensive number of websites and exploit those known vulnerabilities to hack into WordPress sites.
Those automated tools do not even check whether a website is running WordPress, let alone which version of the software it uses. It’s quite simple – they scan websites on a random basis and check whether each target is vulnerable to a particular attack. Vulnerable websites are flagged and then attacked. Of course, if a target site is vulnerable to a particular WordPress or plugin vulnerability, that means the site is running an older WordPress core version or has a vulnerable plugin installed.
As we just mentioned, in such attack types, malicious hackers do not target only specific websites, and thus hiding your WordPress version will not protect you from the attacks.
The best ways to protect your WordPress website or blog from this particular attack type are:
- Making sure that your site is always using the latest versions of WordPress, plugins, and themes;
- Deleting unused or disabled plugins and themes, as well as any other leftover files containing code;
- Checking properly whether a plugin or theme has known vulnerabilities before installing it.
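The first two points above can be turned into a routine check. The following script is an added example (not code from the original article) that reads the output of WP-CLI’s `wp plugin list --format=json` and reports which active plugins have an update waiting and which inactive plugins are dead weight to delete. The sample JSON is constructed here; the field names (`name`, `status`, `update`, `version`) are assumed to match what WP-CLI prints.

```python
"""Triage WP-CLI plugin inventory: what to update, what to delete."""
import json

# Constructed sample of `wp plugin list --format=json` output (not real site data).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "available", "version": "4.1.0"},
    {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.5.3"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "0.9"},
])


def triage_plugins(plugin_list_json):
    """Return (needs_update, unused) as sorted name lists.

    Inactive plugins go straight to the delete list even if an update exists:
    code that is not used should be removed, not maintained.
    """
    plugins = json.loads(plugin_list_json)
    unused = sorted(p["name"] for p in plugins if p.get("status") == "inactive")
    needs_update = sorted(
        p["name"] for p in plugins
        if p.get("status") == "active" and p.get("update") == "available"
    )
    return needs_update, unused


def remediation_commands(plugin_list_json):
    """Build the WP-CLI commands a maintainer would run to act on the triage."""
    needs_update, unused = triage_plugins(plugin_list_json)
    commands = []
    if needs_update:
        commands.append("wp plugin update " + " ".join(needs_update))
    if unused:
        commands.append("wp plugin delete " + " ".join(unused))
    return commands


if __name__ == "__main__":
    # In practice pipe real output in: wp plugin list --format=json | python3 triage.py
    for command in remediation_commands(SAMPLE_PLUGIN_LIST):
        print(command)
```

The same approach works for themes with `wp theme list --format=json`, and `wp core check-update` covers the core itself. Running this from a scheduled job turns “always update everything” from advice into something you are actually notified about.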
Guessing WordPress Credentials
The other popular attack on WordPress among malicious hackers is guessing the WordPress credentials (also referred to as brute force attacks). During this kind of automated attack, the tools used by malicious hackers scan an extensive number of websites to:
- Check whether a site has a /wp-admin/ directory (the WordPress dashboard);
- Try logging in by using common WordPress usernames and passwords (“admin” and “password”).
Similar to the previous method, the attackers here do not specifically target WordPress sites. They just launch their tools and start scanning on a random basis. The websites that respond positively to the tool’s requests are certainly WordPress sites. Those are attacked, and once the credentials are guessed, the compromised websites are attacked further.
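Because these attacks are noisy, they are easy to spot in your web server’s access log. The script below is an added example (not part of the original article) that parses combined-format log lines and flags any client IP with too many apparent failed logins in a short window. It relies on one WordPress behaviour: a failed `POST /wp-login.php` re-renders the login form with HTTP 200, while a successful login answers with a 302 redirect to the dashboard. The log lines are constructed for the example; the threshold and window are assumptions you would tune to your own traffic.

```python
"""Flag brute-force login attempts in a WordPress access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:14:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:14:02:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 20411 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one log entry, or None if the line is not in the expected format."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(log_text):
    """Group the timestamps of apparent failed logins (POST /wp-login.php -> 200) by client IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == 200):
            by_ip[rec["ip"]].append(rec["ts"])
    return by_ip


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_failures_in_window} for IPs that exceed the threshold.

    Sliding window over the sorted timestamps: advance the left edge until the
    span fits inside `window`, then the window size is the current failure count.
    """
    flagged = {}
    for ip, stamps in failed_logins(log_text).items():
        stamps.sort()
        left = 0
        for right in range(len(stamps)):
            while stamps[right] - stamps[left] > window:
                left += 1
            count = right - left + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within one minute")
```

The single failed attempt from 198.51.100.22 followed by a successful redirect is what a legitimate user who mistyped a password looks like, so it is not flagged; the burst from 203.0.113.7 is. The same counting logic is what rate-limiting and login-lockout plugins implement inside WordPress itself.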
In order to make sure your WordPress blog or site is protected against brute force attacks, always use non-default (strong) credentials. For example, avoid using the default “admin” as your username and use a random password generator – such generators always create strong passwords and are available as free tools on the web.
A strong password consists of at least eight characters that do not form a dictionary word. Such passwords contain a good mixture of uppercase and lowercase letters, special characters, and numbers.
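Here is what those rules look like as code, as an added example that is not from the original article: a checker that enforces the minimum length, the four character classes and the “no dictionary word” rule, plus a generator built on Python’s `secrets` module (a CSPRNG, which is the property that matters in a password generator). The word list is a constructed handful of entries; a real deployment would load a full dictionary.

```python
"""Password policy check and generation for WordPress accounts."""
import secrets
import string

# Constructed mini dictionary for the example; load a real wordlist in practice.
DICTIONARY = {"password", "welcome", "wordpress", "admin", "letmein", "qwerty"}

# The four classes the policy asks for: lowercase, uppercase, digits, special characters.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def is_strong(password, min_length=8):
    """Apply the policy: length, every character class present, not a dictionary word.

    The dictionary check looks at the letters only, so that "Password1!" is still
    rejected: stripping digits and punctuation leaves the dictionary word "password".
    """
    if len(password) < min_length:
        return False
    letters_only = "".join(ch for ch in password if ch.isalpha()).lower()
    if letters_only in DICTIONARY:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=16):
    """Draw from a CSPRNG until the result satisfies is_strong (rejection sampling)."""
    if length < max(8, len(CLASSES)):
        raise ValueError("length too short to satisfy the policy")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password())
```

Rejection sampling keeps the distribution uniform over the set of policy-compliant strings, which is simpler and safer than hand-placing one character from each class and then shuffling.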
You can also use two-factor authentication (2FA) on WordPress via a plugin like Google Authenticator, or protect your login page with HTTP authentication. This strengthens the security of the WordPress login and further protects your WordPress installation from brute force attacks.
Why do Many Recommend Hiding your WordPress Version?
This idea originated in the web application security industry as a kind of false advertising. Because many vendors are unable to keep their product working with the latest WordPress versions, they often suggest that hiding your WordPress version is a good security method. It can work in some isolated cases, but as we already explained, most attacks nowadays are automated.
With the security tools that are currently available and most of which are free, even non-seasoned hackers can identify the CMS of a website and its version within minutes.
Conclusion: Hiding your WordPress Version is Not a Solution Against Hackers
After taking a look into the WordPress attacks that are currently trending, one can quickly come to the conclusion that hiding their WordPress version won’t improve the security of their website against malicious hackers.
Even in a targeted attack, there are plenty of tools that can identify a site’s WordPress version, as well as the theme and plugins it is using. So, once again, the best possible security comes from always updating everything you are using and removing everything you are not. Otherwise, your WordPress site can easily become a victim of malicious attacks.
Feel free to comment in the section below. We would be happy to answer any questions and to hear opinions on the matter of WordPress security.