Cloaking WordPress with “hide my WP”?

There’s a bunch of companies that provides services for cloaking the user’s website.

In the previous articles Web scraping – part 1 and Web scraping – part 2 we learned how easy it was to scan multiple sites for vulnerabilities using footprints.

This very exact method is dependent on that out footprints can be found on the site – so can we simply prevent this from happening by cloaking WordPress and thereby hide all footprints?

 I got a client who want to hide the WordPress site identity overall. So it would not be traced as a WP website at all by bots & firewalls.

This is a very bad attempt to protect our site from being hacked and in this article we will demonstrate why.

But first’s let’s have a look back in history

Protection in other industries


 Game industry

Copy protections like SafeDisc, SecuROM and StarForce is/has been used to protect games from being copied.

Real effect

  • Short time protection since it created a competition between warez groups such as: DEViANCE, Fairlight and Razor1911
  • Contributed to unwanted, “malware likely”, drivers on the computer
  • Slower and unstable
  • Unstable effects on the operating system

 

Music industry

DRM protections and watermarks. Did it work? Nope. What really affected the music industry was in 2007 when apple decided to double the price and remove the DRM protection.

Luckily for the music industry; they seem to learn from their earlier mistakes and taking part of the digital era where streaming is the likely winner in future.

Music acquisition is not a problem

Music acquisition is not a problem

 

Real effect

  • Growth of digital sales was delayed
  • Music cannot be played

Why security through obscurity is never a good idea


 Updates will be delayed

When creating a cloaking plugin there is two ways to handle updates of WordPress engine.

  1. Start researching all changes directly after release. Design, Develop, Test and Deploy a patch.
  2. Bury head in the sand and pretend that there isn’t any new footprints included.

Option 1 is bad because it will delay each released security update forever – which makes the site vulnerable.

Option 2 is bad because obviously WordPress developers will leave footprints, and for sure will do this by changing their design patterns, files included in packages and how code is triggered.

It will break code

When a new version of WordPress is released it’s going through a heave process to determinate that the quality will meet the expectations. Adding a extra layer of “unneeded” code will contribute to making the site slower and sooner or later it will break functionality as well as design.

Can’t guarantee that other plugins will not leave foot prints

WordPress is not only a blog publishing platform, it’s also a Content Management System. This means that it’s very unlikely that there is no other plugins installed.

Even if they “hook” when a plugin is loaded and obfuscate the URL, changing the name of the variables in the CSS; they can really can not control which footprints

it leaves.

Review of “Hide my WP”


 Author: wpWave
hide my wp by wpwave

hide my wp by wpwave

On their blog they tell us to visit their cloaking admin site: hide-my-wp.wpwave.com/wp-login.php and then to visit wpwave.com/wp-login.php. Without digging any
deeper we can see that the first site loads in 12 seconds and the second in 18 seconds.

 

  1. It takes longer time for the web server to detect that the page does not exist than to serve us with the requested website.

    Speed difference in cloaked site and wp-login.php itself.

    Speed difference in cloaked site and wp-login.php itself.

  2. Loading the 404 takes twice the time then if we type wrong URL. This is not logical and can only be described by bad implementation.

    Fake "404 - File not found" takes longer time than if we update the URL to another page that doesn't exist

    Fake “404 – File not found” takes longer time than if we update the URL to another page that doesn’t exist

  3. The “fake” 404 makes 68 requests, but the rest of the site makes 64 (404).

    Why does the fake "404 - File not found" more server requests then a real one?

    Why does the fake “404 – File not found” more server requests then a real one?

  4. We can see the wordpress logo and I would expect such a watermark to be removed or even renamed.
    Wordpress logo still accessible from original location

    WordPress logo still accessible from original location

    http://hide-my-wp.wpwave.com/wp-admin/images/wordpress-logo.svg

 

More to consider before buying


  • Hide my WP” hasn’t been updated in more than a month, which means they haven’t done any adjustments or statements if the users can update to WordPress 4.2.
  • They don’t offer support. However they do reply to issues, but it seems to take time.
  • It’s obviously breaking code

 

Finally


Security

… This shows that security through obscurity does not work – Darren Mutz

Leave a Reply

Your email address will not be published. Required fields are marked *