WordPress Version: To Hide or Not to Hide?
There is a security tip that can be seen often on the Internet. Articles and tutorials about WordPress security tend to say that hiding your WordPress version enhances the security of your website. In fact, you can even find that most security plugins also promote hiding your WordPress installation version and obscuring it.
Does the method of hiding the version of your WordPress code core work against security attacks? Will your WordPress site be protected if you simply hide a bunch of numbers from hackers?
The answer is no. The sad truth is, this misconception is common among users, and because it’s all over the Internet, people believe it. The whole thing is actually a security “gimmick,” or as people nowadays like to say – a myth.
In most cases, hiding the WordPress version of a site won’t even protect it against automated mass hacker attacks. This article is to explain why such attacks cannot be prevented by hiding the version of your site’s WordPress code.
This post will cover:
Most Popular WordPress Hacks
When talking about malicious hacker attacks against WordPress, there have been lots of successful ones (different types) over the years. However, the two most common hacker attack cases have to be:
- Exploiting of known vulnerabilities in older versions of the WordPress core, plugins or themes;
- Guessing a WordPress admin (or another account) password.
How Do WordPress Attacks Work?
Exploiting Known WordPress, Plugins, and Theme Vulnerabilities
To date, there are hundreds, maybe even thousands of known and reported vulnerabilities in older WordPress versions, plugins, and themes. Malicious hackers tend to use automated tools and scan an extensive number of websites automatically, exploit the known vulnerabilities, using them to hack into WordPress sites.
Those automated tools are not even going to check if websites are using WordPress, or let alone the software version the sites are using. It’s quite simple – they begin scanning websites on a random basis, checking whether the target websites are vulnerable to particular attacks. Vulnerable websites are being flagged and then attacked. Of course, if the target sites are vulnerable to particular WordPress or plugin vulnerabilities, that means such sites are running on an older WordPress core version, or that there is a vulnerable plugin installed.
As we just mentioned, in such attack types, malicious hackers do not target only specific websites, and thus hiding your WordPress version will not protect you from the attacks.
There are best ways to protect your WordPress website or blog from this particular attack type, and they are:
- Making sure that your site is always using the latest versions of WordPress, plugins, and themes;
- Deleting unused/disabled plugins and themes, in addition to other files, containing code snippets;
- Making sure to check properly whether it is vulnerable before installing plugins or a theme.
Guessing WordPress Credentials
The other popular attack on WordPress among malicious hackers is guessing the WordPress credentials (also referred to as brute force attacks). During this kind of automated attack, the tools used by malicious hackers scan an extensive number of websites to:
- Check whether a site has a
/wp-admin/directory (WordPress dashboard)
- Try logging in by using common WordPress usernames and passwords (“admin” and “password”).
Similar to the previous method, the attackers here do not check or target specifically WordPress sites. They just launch their tools to start scanning on a random basis. The websites responding positively to the tool’s requests are certainly WordPress sites. They will be attacked, and when the credentials are guessed, such websites are going to be further attacked.
In order to make sure your WordPress blog or site is protected against brute force attacks, always use non-default (strong) credentials. For example, escape using the default “admin” as your username and try to implement some random password generators – they always create strong passwords and are free tools on the web.
A strong password consists of at least eight characters that don’t create a dictionary word. Such passwords contain a good mixture of uppercase and lowercase letters, special characters, and numbers.
You can also use two-factor authentication (2FA) on WordPress via a plugin like Google Authenticator, or protect your login page with HTTP authentication. It strengthens the security of the WordPress login and further protects your WordPress installation from brute force attacks.
Why do Many Recommend Hiding your WordPress Version?
This idea originated from the web security application industry as a type of false advertising. Because there are a lot of organizations unable to always provide their product for the latest WordPress versions, they often suggest that hiding your WordPress version is a good security method. Well, it can work for some single cases, but as we already explained, nowadays, most of the time, attacks are automated.
With the security tools that are currently available and most of which are free, even non-seasoned hackers can identify the CMS of a website and its version within minutes.
Conclusion: Hiding your WordPress Version is Not a Solution Against Hackers
After taking a look into the WordPress attacks that are currently trending, one can quickly come to the conclusion that hiding their WordPress version won’t improve the security of their website against malicious hackers.
Even when there is a targeted attack, there are plenty of tools that can identify a site’s WordPress version, in addition to the theme and plugins it is using. So, once again, your solution for the best possible security is always update everything you are using, and remove everything that you are not. Otherwise, your WordPress site can potentially be a victim of malicious attacks.
Feel free to comment in the section below. We would be happy to answer any questions and to hear opinions on the matter of WordPress security.
The latest tips and news from the industry straight to your inbox!
Join 30,000+ subscribers for exclusive access to our monthly newsletter with insider cloud, hosting and WordPress tips!
Joseph, good article.
In isolation hiding WP elements wont be effective – obviously. But as part of an overall security plan it does work. Not sure why you dont raise that as an issue. The article seems to address a narrow question – which is not too useful to the user. No website can be protected entirely by doing one single thing, you need a raft of security features –
hiding WP elements, adding a firewall, keeping all your plugins up-to-date bla bla the list goes on. Bye
Yes, the article is written to answer the very specific question of hiding the WP version, as we have seen such questions pop-up in our live chat and ticketing system.
We also have an extensive list of articles covering WordPress security features, plugins, best practice, etc, for anyone interested in more than just this very basic idea of hiding the version of the platform they use.