You’ll find a lot of WordPress security advice floating around the internet from well-intentioned people who genuinely want to help. Unfortunately, some of this advice is built on WordPress security myths and doesn’t actually add any security to your WordPress website. In fact, some WordPress security “tips” increase the likelihood that you will run into issues and conflicts.
In this post and infographic, we’ll bust some of the most popular WordPress security myths so you can have a more informed approach to your website security strategy.
The Top 5 WordPress Security Myths From Thousands of Support Tickets
We have plenty of WordPress security myths to choose from, but we are only going to focus on the top 5 we have seen consistently in over 20,000 support tickets. Those conversations gave us the criteria used to select the top myths:
1. How often the myth was mentioned.
2. How many headaches the myth caused.
3. How much of a false sense of security the myth gives.
Myth 1: You Should Hide Your /wp-admin or /wp-login URL (Also Known As Hide Backend)
The idea behind hiding wp-admin is that attackers can’t attack what they can’t find. If your login URL isn’t the standard WordPress /wp-admin/ or /wp-login.php URL, aren’t you protected from brute force attacks?
The truth is that most Hide Backend features are security through obscurity, which is not a complete security strategy on its own. Hiding your wp-admin URL can cut down some of the automated traffic aimed at your login page, but it won’t stop all login attacks.
We frequently receive support tickets from people who are perplexed that iThemes Security Pro is still reporting invalid login attempts after they have hidden their login. That’s because a browser form is not the only way to authenticate to a WordPress site: XML-RPC (xmlrpc.php) and the REST API are entry points that never go through the login page at all. And once you change the login URL, another plugin or theme can still link to the new URL, which gives it away.
In fact, the Hide Backend feature doesn’t change the login mechanism at all. Yes, it prevents most visitors from directly reaching the default login URL. But after someone enters the custom login URL, they are redirected back to the default WordPress login page, which then works exactly as it always did.
The truth is that you can’t completely hide the backend of your WordPress website. If you changed the wp-admin URL itself, you would break your site: everything you install, including WordPress core, assumes that /wp-admin is in the URL. Even something as basic as creating a post goes through /wp-admin/ before you reach /wp-admin/post.php.
Customizing the login URL is also a known source of conflicts. Some plugins, themes and third-party apps hard-code wp-login.php into their code base, so when that software requests yoursite.com/wp-login.php, it gets an error instead of the login form.
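As an added example (this is not code from the original post or from iThemes Security), here is a small Python script that shows why a hidden login URL does not stop the invalid-login reports. It reads web server access log lines and counts credential submissions per client across every WordPress authentication surface, not just the login page. The log lines are constructed for illustration, the IPs come from the documentation ranges, and the custom login slug /my-secret-login is hypothetical.

```python
import re
from collections import Counter

# Constructed sample access log (combined format) for illustration only; the IPs
# are from the documentation ranges and the slug /my-secret-login is hypothetical.
# The site has hidden its login, so the default /wp-login.php answers 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 2106 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:10:05:00 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 1890 "-" "python-requests/2.21.0"
192.0.2.9 - - [10/Mar/2019:10:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.21.0"
192.0.2.9 - - [10/Mar/2019:10:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.21.0"
198.51.100.5 - - [10/Mar/2019:10:10:00 +0000] "GET /my-secret-login HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2019:10:10:09 +0000] "POST /my-secret-login HTTP/1.1" 302 0 "https://example.com/my-secret-login" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2019:10:10:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Surfaces that accept a username and password. REST user enumeration is tracked
# separately: it carries no password but supplies the username list for the others.
CREDENTIAL_SURFACES = ("wp-login.php", "xmlrpc.php", "hidden login URL")


def classify(method, target, hidden_slug=None):
    """Return the authentication surface a request touches, or None."""
    path = target.split("?", 1)[0]
    if path == "/xmlrpc.php" and method == "POST":
        return "xmlrpc.php"          # XML-RPC methods authenticate here, never via the login page
    if path == "/wp-login.php" and method == "POST":
        return "wp-login.php"
    if hidden_slug and path == hidden_slug and method == "POST":
        return "hidden login URL"
    if path == "/wp-json/wp/v2/users" and method == "GET":
        return "rest user enumeration"
    return None


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "method": m["method"],
                           "target": m["target"], "status": int(m["status"])})
    return events


def auth_attempts_by_ip(text, hidden_slug=None):
    """Map each client IP to a Counter of the auth surfaces it hit."""
    per_ip = {}
    for ev in parse_log(text):
        surface = classify(ev["method"], ev["target"], hidden_slug)
        if surface is not None:
            per_ip.setdefault(ev["ip"], Counter())[surface] += 1
    return per_ip


def summarize(text, hidden_slug=None, threshold=5):
    """Flag IPs with at least `threshold` credential submissions, and list which of
    them never used the hidden login URL at all (the hidden slug did not matter)."""
    per_ip = auth_attempts_by_ip(text, hidden_slug)
    suspects = sorted(
        ip for ip, counts in per_ip.items()
        if sum(counts[s] for s in CREDENTIAL_SURFACES) >= threshold
    )
    bypassed = [ip for ip in suspects if per_ip[ip]["hidden login URL"] == 0]
    return {"per_ip": per_ip, "suspects": suspects, "never_used_hidden_url": bypassed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, hidden_slug="/my-secret-login")
    for ip, counts in report["per_ip"].items():
        print(ip, dict(counts))
    print("brute-force suspects:", report["suspects"])
    print("suspects that never touched the hidden URL:", report["never_used_hidden_url"])
```

Run against the sample, the only flagged client is the one that got a 404 from /wp-login.php and then simply moved on to xmlrpc.php; the legitimate user is the only one who ever posted to the hidden slug. This is the pattern behind the “why am I still seeing invalid logins?” tickets, and the surfaces counted here are the ones brute force protection and two-factor authentication have to cover regardless of the login URL.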
What to Do Instead
Myth 2: You Should Hide your Theme Name and WordPress Version Number
If you use your browser’s developer tools, you can quickly see the theme name and WordPress version a site is running. The theory behind hiding them is that an attacker who has this information has the blueprint to break into your site.

For example, in the screenshot above you can see that this site is using the Twenty Seventeen theme and WordPress version 5.0.3.
The problem with this myth is that there isn’t an actual person behind a keyboard looking for the perfect combination of theme and WordPress version to attack. Instead, automated bots scour the internet probing for known vulnerabilities in the actual code running on your website, whether or not you advertise its version. Hiding your theme name and WP version number won’t protect you; only fixing the code does.
What to Do Instead
Myth 3: You Should Rename Your wp-content Directory
The wp-content directory contains your plugins, themes and media uploads folder. That is a lot of valuable data and executable code in one directory, so it’s understandable that people want to be proactive about securing it.
Unfortunately, it’s a myth that renaming wp-content adds an extra layer of security to the site. It doesn’t. We can easily find the renamed wp-content directory using the browser’s developer tools, because every theme stylesheet, plugin script and uploaded image is served from it. In the screenshot below you can see that I renamed the content directory of this site to /test/.

Changing the name of the directory adds no security to your site, but it can cause conflicts for plugins that have hard-coded the /wp-content/ directory path.
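To make Myths 2 and 3 concrete, here is an added Python example (not code from the original post or from iThemes) that does what a scanning bot does: it pulls the WordPress version, active theme, content directory and plugin slugs out of a page’s HTML, with no generator tag or /wp-content/ path required. The two HTML snippets are constructed for illustration; the site is stock WordPress 5.0.3 with Twenty Seventeen as in the screenshots, the renamed directory /test is the one shown above, and the plugin slug example-forms is invented.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed HTML head of a stock install: generator tag present, wp-content in place.
DEFAULT_HTML = """
<html><head>
<meta name="generator" content="WordPress 5.0.3" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentyseventeen/style.css?ver=1.8" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=5.0.3" />
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://example.com/wp-includes/js/wp-embed.min.js?ver=5.0.3"></script>
</head></html>
"""

# Constructed "hardened" head: generator tag removed and wp-content renamed to /test.
# The plugin slug example-forms is hypothetical.
HARDENED_HTML = """
<html><head>
<link rel="stylesheet" href="/test/themes/twentyseventeen/style.css?ver=1.8" />
<link rel="stylesheet" href="/test/plugins/example-forms/css/forms.css?ver=2.3.1" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.0.3" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="/wp-includes/js/wp-embed.min.js?ver=5.0.3"></script>
<img src="/test/uploads/2019/03/hero.jpg" />
</head></html>
"""

CONTENT_SUBDIRS = ("themes", "plugins", "uploads")   # always live under the content dir
VERSION_RE = re.compile(r"^\d+(\.\d+)+$")


class _AssetCollector(HTMLParser):
    """Collect the generator tag and every stylesheet, script and image URL."""
    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])
        elif tag in ("script", "img") and a.get("src"):
            self.urls.append(a["src"])


def fingerprint(html):
    """Recover WP version, active theme, content dir and plugin slugs from markup."""
    c = _AssetCollector()
    c.feed(html)
    result = {"version": None, "version_source": None, "theme": None,
              "content_dir": None, "plugins": set()}

    m = re.match(r"WordPress\s+([\d.]+)", c.generator or "")
    if m:
        result["version"], result["version_source"] = m.group(1), "meta generator"

    core_versions = Counter()
    for url in c.urls:
        parts = urlsplit(url)
        segs = parts.path.split("/")
        ver = parse_qs(parts.query).get("ver", [None])[0]
        # Core assets under /wp-includes/ carry ?ver=<WordPress version> unless a
        # bundled library (jQuery here) sets its own, so the most frequent value wins.
        if "wp-includes" in segs and ver and VERSION_RE.match(ver):
            core_versions[ver] += 1
        for sub in CONTENT_SUBDIRS:
            if sub in segs:
                i = segs.index(sub)
                result["content_dir"] = "/".join(segs[:i]) or "/"   # whatever wp-content was renamed to
                if sub == "themes" and len(segs) > i + 1 and result["theme"] is None:
                    result["theme"] = segs[i + 1]
                if sub == "plugins" and len(segs) > i + 1:
                    result["plugins"].add(segs[i + 1])
                break

    if result["version"] is None and core_versions:
        result["version"] = core_versions.most_common(1)[0][0]
        result["version_source"] = "?ver= on wp-includes assets"
    result["plugins"] = sorted(result["plugins"])
    return result


if __name__ == "__main__":
    for label, page in (("default", DEFAULT_HTML), ("hardened", HARDENED_HTML)):
        print(label, fingerprint(page))
```

On the hardened page the generator tag is gone and wp-content is now /test, yet the script still reports WordPress 5.0.3 (from the ?ver= strings on core assets), Twenty Seventeen, the renamed directory and the plugin slug, because the site has to tell every browser where its assets live. Patching is what removes the vulnerable code; the fingerprint only ever told the bot what it could have found by trying the exploit anyway.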
What to Do Instead
Myth 4: My Site Isn’t Big Enough to Get Attention From Hackers
This WordPress security myth leaves a lot of sites vulnerable to attack. Even if you own a tiny site with low traffic, it is still crucial to be proactive about securing it.
The truth is that your site or business doesn’t have to be big to attract a would-be attacker. Attackers still see an opportunity to use your site as a conduit: redirecting some of your visitors to malicious sites, sending spam from your mail server, spreading malware, or even mining cryptocurrency. They will take anything they can get, and automated attacks don’t check how big you are first.
What to Do Instead
Myth 5: WordPress is an Insecure Platform
The most damaging WordPress security myth is that WordPress itself is insecure. This is simply not true. WordPress is the most popular content management system in the world, and it didn’t get that way by not taking security seriously.
The truth is that the biggest WordPress security vulnerability is its users. Most successful WordPress hacks could have been avoided with a little effort from the site owner.
Keep in mind that the number one reason for successful WordPress hacks is outdated software. To get the patch for a security vulnerability, you have to keep things updated. WordPress even lets you enable automatic updates so you don’t have to run them manually. But some people still don’t make it a priority to update their sites on a regular schedule, so those sites fill up with outdated software that makes them ripe for attack. When an attacker exploits a hole for which a patch already exists, it isn’t a WordPress flaw, it is a user flaw.
Download the Infographic: The Top 5 WordPress Security Myths

Let’s Keep Busting WordPress Security Myths
Hopefully, we were successful in busting some myths you’ve heard related to WordPress security. If you hear someone sharing one of these popular WordPress myths, feel free to send this article their way.
If you have any other WordPress myths you would like to bust, please share them in the comments.

A WordPress Security Plugin Can Help Secure Your WordPress Website
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.
Get iThemes Security now

Regarding Myth #1. Why then is hiding the backend one of the advanced features in iThemes Security Pro? I haven’t seen it break a site yet, but now I am very concerned after reading your post. I would think that seems like important information to include on the panel for that feature. Are you planning to remove this feature from iThemes Security Pro?
We are not planning on removing the Hide Backend feature. I am happy to hear you haven’t run into any conflicts! While hiding your backend wp-admin URL can help to mitigate some of the attacks on your login, this approach won’t stop all of them. The reason why I included the myth is that people think it provides more security than it does.
Just wondered why iThemes allows advanced features such as Hide Backend if they don’t recommend it?
It can add a level of security through obscurity, and I didn’t mean to imply you should never use the Hide Backend feature. You should rely more heavily on features like Two-Factor Authentication.
I always hide wp-admin. It keeps those mindless bots from banging on the hundreds of doors and dragging my server down. It’s like Star Wars: “Move along…”
That is the best way to use it!
This was great and enjoyed the info. I have hidden the backend a few times back in 2013 using iThemes Security but a WordPress security guru told me it was a waste of time as there were ways around it as you have explained here.
I’m currently using .htaccess to allow only the IP addresses of those who should be accessing the wp-admin folder…primarily me and one other person for 90% of the sites I manage. Sure someone could spoof their IP address but they don’t know which IP address(es) I’m allowing.
However, I am curious if they can sniff packets to see the IP addresses that are connecting successfully to the wp-admin folder if the site is using up-to-date SSL certs.
They shouldn’t be able to identify the IPs that you have allowed to access the wp-admin directory. I would still suggest using two-factor authentication because it will add a strong layer of security.
With the many sites that I manage, two-factor authentication would be a major pain and time-consumer for me. The few clients who log in to update content on their site would be very likely to reject having to use two-factor authentication, as they are very busy small business owners. That’s why I opted for IP-based access to the wp-admin folder.
I use iThemes Sync to manage most of my clients’ sites. How would two-factor authentication affect my ability to remotely update the WP version and plugins via Sync? Would it prevent my access to the admin via Sync as well? Just curious, since it would be another layer of security. 🙂
Great question. Adding two-factor to your sites will not have any effect on Sync’s ability to connect to your site.
In myth #2 you say there isn’t an actual guy trying to hack sites, rather automated bots, but in myth #3 the only evidence you present to debunk it is that an actual guy can find it in the inspector… Is it not the case that automated bots would simply pass by a site if they don’t find the wp-content directory? I realise they could probably just look for a /plugins/ or /themes/ directory, but as it stands, the debunking logic of myth #3 doesn’t really convince…
(p.s., if a plugin or theme has hard-coded the wp-content directory, the chances are it was poorly coded enough to be better off out of your site!).
I agree it is bad practice to hard code the directory path.
Hi there,
Recently I have been experiencing a lot of “failed login attempts” on my WordPress. I was thinking of changing my login URL and one of my friends told me to install 2-factor authentication.
Guess I will have to agree with him now (I hate that!)
Thanks for the amazing article though 🙂
Thank you for taking the time to read it!
I understand that #1 isn’t foolproof and may give a false sense of security, but good security is based upon layers and it is just one layer of many and, as you say, it can help some. Just because my windows are easy to break doesn’t mean I should lock them 🙂
I’ll add that I’ve done this for over a decade with literally hundreds upon hundreds of sites and have never had a problem. In fact, if a plug-in or theme had a problem I’d question the quality of it and, in all likelihood, not use it.
Now, to me, SSL is the biggest myth and provider of a false sense of security. I don’t know how many times I’ve heard “my site uses SSL, so it is protected.” Even after I explain that SSL does NOT protect the site at all, just the data sent from the site to the user/browser and vice versa, they frequently feel “protected”.
I am happy to hear that you have never run into a conflict using the Hide Backend feature! Using an SSL certificate is an excellent layer of security and does more to protect the site than hiding the backend. It helps to prevent credentials and credit card information from being intercepted.
That’s the on-page perspective. Off-page (at least when data is accessed from your server by visitors) there are so many fragile factors that we have to keep secure. Besides having SSL activated, I think security headers are important too.
The more layers of protection you can add, the better!