Threat analysis, security by obscurity and WordPress

Rusty Lock
  Image by Mykl Roventine

I’ve been running wordpress for a long time now, and luckily so far, it hasn’t been hacked.
Of course – this doesn’t prove anything, as I didn’t count hacking attempts. It also doesn’t show it’s unhackable – on the contrary, I believe that my wordpress installation is hackable by a determined attacker.

However, there’s a subtle issue at play regarding the ‘determined attacker’. There are several kinds of attackers today, and the two most notable ones are the ‘targeted attacker’ and the ‘mass attacker’. The targeted attacker aims to attack your resources specifically, probably because his interest in them. The mass attacker on the other hand, is interested in any resource like your own.

From this premise it follows that the two attackers will likely use different methods of operation. The mass attacker is looking to increase his ROI. He will use mass tools with the most coverage, and if an attack doesn’t work on a specific target, nevermind, it will work on others. For him, work is worthwhile only if it allows him to attack a substantial number of new targets.
In contrast, the targeted attacker’s goal is to break into your resources. For her the fact that a given attack will yield hundreds of other targets is irrelevant, unless it helps attacking you. She might start with top-of-the-shelf mass tools, but when these won’t work, the targeted attacker will study her target, until she finds a vulnerability, and then use it.

Now the question you should ask yourself – who are you defending against? When defending against a mass attacker, making yourself unnoticed and uncommon might be worthwhile. A little security by obscurity will most likely be enough to thwart most of the attacks.
Against targeted attacks you need a more solid defense, utilizing all the tricks in your bag, and still be aware that it probably won’t be enough. You should also seek to minimize damages in case of a successful attack.

Today, most wordpress blogs are under mass attacks. WordPress blogs are searched, exploited and the 0wned automatically, with the goal of getting the most coverage.
For some time now I’ve been using a small trick that helps to defend against mass attacks. The trick is simple – I added a small .htaccess file password-protecting the admin directory of my wordpress installation. Of course, in all probability the password may be bruteforced or completely bypassed by a very determined attacker, but against a mass attacker it is very effective.

I’ve seen suggestions to rename your files and dirs – this will probably also work. Still, it should be noted that this kind of methods only add obfuscation, thereby only protecting from mass attacks. Personally, I don’t consider the last method worthwhile – it complicates your installation and upgrade process, it requires much more work to be done right, and at most adds similar security to the .htaccess file, most likely less.

To conclude – do your threat analysis, and use the defense methods with the most ROI relative to that analysis. Just as another method – do consider using .htaccess files to prevent access to your admin directory.

This entry was posted in Security and tagged , , , , . Bookmark the permalink.

7 Responses to Threat analysis, security by obscurity and WordPress

  1. rmn says:

    Just as a side note, nowadays most of who you refer to as “mass attackers” are basically “script kiddies”: people who are just using tools written by others without a proper understanding of what really goes on. Any action that will render your installation not-standard will work tremendously well against that kind of evil doers.

    Thanks for the read, thumbs up.

  2. Inger says:

    Everyone knows that security in the web is bullshit. Conspiracy. The government wants our money.
    And who are these so-called hackers anyway? Never seen one of them…

  3. lorg says:


    Funny you should say that, I just met one the other day :)

  4. yuval says:

    Well now if the .htaccess thing becomes mainstream you’ll be in the same position you were before. Lucky for you it probably won’t…

    @Inger: and could be nice places to go if you want to be enlightened.

  5. lorg says:

    1. You’re right, it probably won’t.
    2. Many vulnerabilities today target the admin capabilities of wordpress. This thing is just another small thing against them.
    3. Even if it were mainstream, bypassing it would require bypassing the web-server’s security. This pits the attacker against a potentially harder wall.

  6. Great post, many of the better web hosts(HostGator) have deployed something called “Mod Security” which acts somewhat like a Firewall.

    Do backup a copy of htaccess before you add anyhing. Remember each new item needs it’s own seperate line. Do not use a plug-in to try to accomplish hardening or you may find your blog is “borked”(messed up Big time). This was learned from experience and required deleting two htaccess files and deleting the plug-in before i could use my site again. Probably couldn’t hurt to do some googling about htaccess before doing anything.

    WordPress in a sense has the same problem as Microsoft they both have a significant portion of in WP’s case Blogs and in MS’s the OS. This fact makes it more interesting to try to hack. Do stay up to date with the latest stable version of WordPress as the WP developers do there level best to patch any known problems. Blog On!