What is STO?
Security through Obscurity (STO) is the reliance on secrecy and on confusing attackers instead of building proper controls to keep them out. It rests on hiding important details from view. It offers some protection from attacks, but it is not a panacea. Attackers and bots can try to exploit the site's plugins in order to access the system. If plugin and theme names are hidden deep on the server, for example behind rules in an '.htaccess' file, it takes the attacker longer to reach the user's information, but as soon as the attacker gains full access to the server and its files, all the server and website data is at risk.
What are the loopholes in website security?
The first step in building an obscurity-based defense is therefore to hide all important details and to give access to no one without checking their credentials and trustworthiness. But this is not all. There are several loopholes that threaten the safety of data, applications and website information.
- High security level owing to SSL. Not all websites are protected by a web application firewall (WAF), and those without one are vulnerable even if an SSL certificate is in place. This type of protection covers the data passing between the site and its visitors (including sensitive information), but it encrypts only traffic in transit, not the data residing on the website.
- Database prefix change. This method, recommended as a default hardening step, can prevent SQL injection, but it is not a panacea either. Moreover, an erroneous change may crash the entire website. The only way to prevent attacks through vulnerabilities in user plugins is the so-called 'three-pronged approach': using a WAF, monitoring the website for malware and scams, and updating plugins in time.
- Hiding the wp-admin and wp-login pages. The most damaging bot attacks involve brute-forcing usernames and passwords to gain administrative access. Usernames containing 'admin' are prime targets, so many website owners try to hide their 'wp-admin' folder and 'wp-login' page. However, hiding the login page does not provide the necessary level of protection, and simply changing the path to wp-login still leaves it vulnerable. Moreover, most attacks are aimed not at the login page but at the XML-RPC interface (xmlrpc.php).
- Strong user ID and password. Creating a complex username and password is highly recommended, but it does not protect against all attacks, since attackers exploit various vulnerabilities (for example, outdated themes or add-ons). Two-step authentication (where a one-time code is required to log in) is recommended to keep the danger out.
- High security level owing to a CDN/cloud-based firewall. Content delivery networks and cloud-based firewalls provide security by redirecting traffic to their servers, filtering it and then passing the cleaned traffic on to the website. In this case the origin server's IP address is not hidden; it can be discovered and attacked directly. Endpoint protection is more reliable and robust: protecting data at its original location is a much better defense.
- Security owing to size and a low 'level of attraction'. Smaller blogs and sites are attractive targets for several reasons. According to statistics, the larger share of attacks is directed at smaller targets, which lack the necessary defensive resources. Such sites are then often used to spread spam or malware. Also, the bigger the crowd a site attracts, the more likely it is to draw hackers and bots, which focus more on quantity than quality. So no website is small enough to stay clear of this danger.
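The point about wp-login versus XML-RPC above has a practical consequence for defenders: renaming the login page does not remove the need to monitor it, and xmlrpc.php has to be watched alongside it. The Python script below is an added example, not code from the original article; it parses constructed access-log lines in Apache combined format and flags any client that POSTs to the stock login page, a hypothetical renamed login path (`/members-entrance`, an assumed name), or xmlrpc.php more than a threshold number of times within a short window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/Nginx "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints to watch; "/members-entrance" is a hypothetical renamed login path
# (hiding the page does not take it off this list).
WATCHED = {"/wp-login.php", "/xmlrpc.php", "/members-entrance"}

# Constructed sample log: one client hammering xmlrpc.php, two benign visitors.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 512'
    for s in range(0, 40, 5)
] + [
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.9 - - [10/Oct/2023:13:56:05 +0000] "GET /members-entrance HTTP/1.1" 200 3210',
]

def parse_line(line):
    """Return a dict with ip, ts (datetime), method and path, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: {path: count}} for clients that POSTed to a watched endpoint more than threshold times in window_s seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        j = 0
        for i in range(len(hits)):  # sliding window over sorted timestamps
            while j + 1 < len(hits) and (hits[j + 1][0] - hits[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 > threshold:
                flagged[ip] = dict(Counter(path for _, path in hits[i:j + 1]))
                break
    return flagged
```

Feeding the same function a real access log (one line per list element) reports the bursting clients by endpoint, which is what a rate limit or a WAF rule should then act on.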
Security by obscurity is not wholly reliable because the secret protects only until it is discovered. Once someone uncovers the hidden detail, the system is in danger. Secrecy is not the primary means of security, which is not about 'hiding' but about making the path to the data hard. Thus, relying only on security through obscurity is not a safe path.