Don’t Use HideMyWP

Quick look: HideMyWP changes the URLs (“Change WordPress permalinks”, plus the URLs for plugins and administrative pages). Whoop-tee-doo.

Hackers getting in through server-level security breaches don’t use a URL; they are already inside the security system.

Hackers who get in through a bad plugin know the internal location their code runs from (a necessary PHP function) and can easily get the location of every other plugin with a single database query; they’re already inside the security system.

HideMyWP thinks that’s “good security”. The site says, “This means you can install unsafe plugins without worry about security.” They are lying or incompetent. An unsafe plugin can change the content of your posts/pages/comments, ruin your database, install malware, collect your user names and passwords, send out emails, etc.

The “Better WP Security” plugin has a “Hide WordPress Backend” feature, as a tiny part of the security it provides, and considers it optional.

I refuse to install unknown “security” plugins like HideMyWP.

Below is what the free check from a good site-checking and malware-removal company found about their site:

Ah, they have /wp-login.php?hide_my_wp=1234 instead of /wp-login.php, they have /wp-admin/, themes in /template/main.css, and some kind of program modules in /modules/0f6a208e/shortcodes.php. Ooooh, I know where jQuery is: /lib/js/jquery/jquery.js, and their media goes in /file/2010/08/test-image-landscape.jpg. That’s plenty for hackers to start probing.

Web Server Details
Scan for:
IP address:

System Details:
Running on: Apache/2.2.22
System info: (Ubuntu)
Powered by: PHP/5.4.6-1ubuntu1.3

List of Links Found
Hello world!

List of scripts included
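
An added example, not from the original post or from the scanning company: a small Python audit to run against your own site's response, showing which of the fingerprints quoted above survive URL renaming. The patterns and the sample response are constructed from the values in this post; treating "Running on" and "Powered by" as the Server and X-Powered-By headers is an assumption.

```python
import re

# Renamed paths keep WordPress's shape: date-based uploads, one directory
# per plugin, bundled jQuery. Patterns are modelled on the paths quoted above.
PATH_CHECKS = [
    ("login page with rename token", re.compile(r"/wp-login\.php\?hide_my_wp=\w+")),
    ("default admin path", re.compile(r"/wp-admin/")),
    ("date-based media path",
     re.compile(r"/[\w-]+/\d{4}/\d{2}/[\w.-]+\.(?:jpe?g|png|gif)")),
    ("per-plugin directory with PHP file",
     re.compile(r"/[\w-]+/[0-9a-f]{8}/[\w-]+\.php")),
    ("bundled jQuery layout", re.compile(r"/[\w-]+/js/jquery/jquery\.js")),
]
# Assumed header names; a value counts only if it discloses a version.
HEADER_CHECKS = {
    "server": re.compile(r"\w+/\d+(\.\d+)+"),
    "x-powered-by": re.compile(r"PHP/\d+(\.\d+)+"),
}

def audit(headers, html):
    """Return (label, evidence) pairs for each fingerprint still exposed."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name, pattern in HEADER_CHECKS.items():
        match = pattern.search(lower.get(name, ""))
        if match:
            findings.append((f"version in {name} header", match.group(0)))
    for label, pattern in PATH_CHECKS:
        match = pattern.search(html)
        if match:
            findings.append((label, match.group(0)))
    return findings

# Constructed sample response built from the values quoted in this post.
SAMPLE_HEADERS = {"Server": "Apache/2.2.22 (Ubuntu)",
                  "X-Powered-By": "PHP/5.4.6-1ubuntu1.3"}
SAMPLE_HTML = """<link rel="stylesheet" href="/template/main.css">
<script src="/lib/js/jquery/jquery.js"></script>
<script src="/modules/0f6a208e/shortcodes.php"></script>
<img src="/file/2010/08/test-image-landscape.jpg">
<a href="/wp-login.php?hide_my_wp=1234">Log in</a>
<a href="/wp-admin/">Admin</a>
"""

if __name__ == "__main__":
    for label, evidence in audit(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{label}: {evidence}")
```

Every check fires on the sample, so the renamed site is still recognisable by structure alone; an empty result on your own pages says only that these particular patterns are absent.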





