Website Security with a Little Obscurity

While strolling around the Internet the other day, I stumbled upon this solid post on and thought I would share.

Security By Obscurity

Security by Obscurity is a term that describes security through secrecy. If you don’t tell anyone that you have a million dollars buried in your backyard, then it is “secure” because nobody will find it.

There’s a saying in the security field: Security by Obscurity (SbO) does not work. If you are vulnerable, then you are still vulnerable. You’re just hoping that nobody discovers the exploit.

In my opinion, SbO does work to a degree. While SbO should not be your only security option, it does deter pre-attack reconnaissance. For example, most automated scanners look for obvious signs that can be used to identify a vulnerable system. If the scanner finds something, then the attack will come later. However, if you remove these markings then the scanners won’t flag your site for an attack. SbO removes the “low hanging fruit”.

The first thing you want to remove is anything that denotes what software version you are running. For example, WordPress is a very popular blog software package. If the bottom of your blog says “Powered by WordPress“, then everyone knows what software you are running. Knowing “WordPress” isn’t that bad. However, WordPress also embeds the version in the HTML content. For example, the “We Love WP” site runs WordPress. If you “view source” of their web page, you will see at the top:

<meta name="generator" content="WordPress 2.8.4" />

Now we know that they are running WordPress version 2.8.4. If you happen to know of a security vulnerability for version 2.8.4 (such as a XSS or Traceback denial-of-service), then you know that the “We Love WP” blog is vulnerable.

Similarly, the popular vBulletin web forum software includes the version at the bottom of the page and in the HTML meta data. Does the world really need to know that theGraphic Forums uses version 3.6.1?

So the first thing to do (regardless of whether you know of a vulnerability or not): remove all information about software and version from your site. This includes information embedded in your HTML pages and RSS feeds. Where to do the change depends on your software. With blogs, it is usually in the custom template, default template, or PHP/ASP pages. You probably don’t need to change every single web page — but you will probably need to change it in a few places.

This won’t stop someone from attacking you and does not close the security hole. What it does do: this prevents automatic scanners (and casual observers) from quickly determining that you are vulnerable. (Congratulations, you are no longer the lowest hanging fruit and most likely to be attacked.)

For the really creative types out there, don’t just remove it. Change it! Misinformation is far more damaging to an attacker than no information. Rather than removing the “Powered by WordPress”, change it to say “Powered by Serendipity” — a totally different blog package, or just lie: BlogProKit 9.8.1. Now if someone if going to attack you, then they will initially do so with the wrong set of exploits.


Hope you found it at least a little informative as I did.

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s