People have been misinterpreting “security by obscurity is bad” to mean any obscurity and obfuscation is bad. Instead it was originally meant as “if your only security is obscurity, it’s bad”. Many serious real-world scenarios do use obscurity as an additional layer. If only because sometimes, you know that a dedicated attacker will be able to breach, what you are looking for is to delay them as much as possible, and make a successful attack take enough time that it’s not relevant anymore when it’s broken.
I think we can kind of view obscurity in the same way. It’s a way to signal to a predator that we’re a hard target and that they should give up.
Isn’t a password a form of security through obscurity? You are right in that a password is only secure if it is obscure. But the “obscure” part of “security through obscurity” refers to obscurity of the system. With passwords, the system is completely open — you know the exact method that is used to unlock it, but the key, which is not part of the system, is the unknown.
If we were to generalize, then yes, all security is by means of obscurity.
With the knowledge that your site is WordPress, a hacker can
- Access your login portal and attempt a dictionary or brute force login attack (all WordPress login pages are domain.com/wp-login.php)
- Look for any known vulnerabilities in older versions of WordPress
- Look at your page source to identify active plugins, then look for any known vulnerabilities in those
- Attempt to access files that may be on your server if popular plugins or themes with known vulnerabilities exist
- Automate things like comment or user registration spam
Almost all of the above can be accomplished with freely available scripts that automate the whole process. Because of this, the best thing you can do to significantly reduce the number of attempted attacks on your site is to simply hide (or obfuscate) the fact that you are using WordPress to begin with.
But what if a hacker already knows that you are using WordPress? Obfuscation to the rescue yet again.
The idea is to use obfuscation to reduce the amount of attempts.
- Change the WordPress admin login link, making it next to impossible for a hacker to attempt brute force logins since they no longer know where the admin login page is.
- Brute force protection. Too many failed attempts from the same user, and that user is banned.
- Automated scripts cannot look for vulnerabilities in plugins if my plugins are housed in a different location than the traditional wp-content folder.
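The second item above, banning a source after too many failed logins, is the one piece of this list that is logic rather than a setting. The following is an added example (not WordPress core code or any plugin) of a sliding-window lockout tracker run over a few constructed log lines. The log format, the IP addresses, the usernames and the thresholds are all assumptions made up for the example; it keys bans both by source IP and by username so that a single attacker rotating usernames, or many sources hammering one account, are both caught.

```python
"""Sliding-window failed-login lockout, as an added illustration of the
"too many failed attempts and that user is banned" idea.

Constructed example code, not WordPress core or any plugin. The log format
below is made up for the example; real web-server or plugin logs differ.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, client IP, username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 admin FAIL
2024-05-01T10:00:02 203.0.113.7 admin FAIL
2024-05-01T10:00:04 203.0.113.7 admin FAIL
2024-05-01T10:00:05 203.0.113.7 admin FAIL
2024-05-01T10:00:06 203.0.113.7 admin FAIL
2024-05-01T10:00:07 203.0.113.7 admin FAIL
2024-05-01T10:00:30 198.51.100.9 editor FAIL
2024-05-01T10:05:00 198.51.100.9 editor OK
2024-05-01T10:20:00 203.0.113.7 admin FAIL
"""


class LoginLockout:
    """Bans a key (IP or username) after max_failures within a sliding window."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 ban_for=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.ban_for = ban_for
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.banned_until = {}               # key -> datetime when the ban expires
        self.events = []                     # (timestamp, key) of bans issued, for auditing

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_banned(self, key, now):
        until = self.banned_until.get(key)
        return until is not None and now < until

    def record(self, ts, key, success):
        """Record one login outcome; return True if the key is banned afterwards."""
        if self.is_banned(key, ts):
            return True          # still banned; attempts during a ban are simply refused
        if success:
            self._failures[key].clear()
            return False
        q = self._failures[key]
        q.append(ts)
        self._prune(key, ts)
        if len(q) >= self.max_failures:
            self.banned_until[key] = ts + self.ban_for
            self.events.append((ts, key))
            q.clear()
            return True
        return False


def parse_line(line):
    ts_s, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts_s), ip, user, outcome == "OK"


def process_log(text, **kw):
    """Feed log lines through two trackers (per source IP, per username); return bans issued."""
    by_ip = LoginLockout(**kw)
    by_user = LoginLockout(**kw)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        by_ip.record(ts, ip, ok)
        by_user.record(ts, user, ok)
    return {"ip": by_ip.events, "user": by_user.events}


if __name__ == "__main__":
    for kind, bans in process_log(SAMPLE_LOG).items():
        for ts, key in bans:
            print(f"{ts.isoformat()} banned {kind} {key}")
```

On the sample data the fifth failure for `admin` from `203.0.113.7` at 10:00:06 triggers a ban for both keys; the later attempts at 10:00:07 and 10:20:00 are refused without opening a second ban, and the editor's single failure followed by a successful login never accumulates. Note that a successful login resets the counter and that failures older than the window are discarded, so a slow trickle of attempts below the rate does not lock a legitimate user out; a real deployment would tune the window and threshold to its own traffic.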
And of course, the best WordPress security you can have is to always stay updated with the latest versions of WordPress, themes, and plugins.
WordPress itself is secure. Be mindful of the themes and plugins you install; that is where you introduce vulnerabilities. Your hosting environment matters as well.