Quick look: HideMyWp changes the URLs (“Change WordPress permalinks” and the URLs for plugins and administrative pages). Whoop-tee-doo.

Hackers getting in through server-level security breaches don’t use a URL; they are already inside the security system.

Hackers who get in through a bad plugin know the internal location their code is run from (a necessary PHP function) and can easily get the location of all other plugins with a single database query; they’re already inside the security system.

HideMyWP thinks that’s “good security”. The site says, “This means you can install unsafe plugins without worry about security.” — they are lying or incompetent. An unsafe plugin can change the content of your post/pages/comments, ruin your database, install malware, collect your user names and passwords, send out emails, etc.

The “Better WP Security” plugin has a “Hide WordPress Backend” feature as a tiny part of the security it provides, and considers it optional.

I refuse to install unknown “security” plugins like HideMyWp.

Below is what the free check from a good site-checking and malware-removal company found about their site:

Ah, they have /wp-login.php?hide_my_wp=1234 instead of /wp-login.php; they have /wp-admin/, themes in /template/main.css, and some kind of program modules in /modules/0f6a208e/shortcodes.php. Ooooh, I know where jQuery is: /lib/js/jquery/jquery.js. And their media goes in /file/2010/08/test-image-landscape.jpg. That’s plenty for hackers to start probing.
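An added example (not from the original post, the scanning company or either plugin): a small self-audit that runs the URLs quoted above through a few pattern rules to show what still identifies WordPress after the renaming. The rule set and its labels are assumptions of this example; the sample list is copied from the paragraph above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Each rule is (label, test(path, query)). The patterns are derived from the
# URLs quoted in the post; the labels are this example's own wording.
RULES = [
    ("default login script name kept",
     lambda p, q: p.endswith("/wp-login.php")),
    ("Hide My WP query parameter visible",
     lambda p, q: "hide_my_wp" in q),
    ("default admin directory kept",
     lambda p, q: p == "/wp-admin" or p.startswith("/wp-admin/")),
    ("year/month media layout (WordPress uploads default)",
     lambda p, q: re.search(r"/(19|20)\d{2}/(0[1-9]|1[0-2])/[^/]+\.\w+$", p) is not None),
    ("core jQuery path tail kept",
     lambda p, q: p.endswith("/js/jquery/jquery.js")),
    ("PHP file under an 8-hex-digit directory",
     lambda p, q: re.search(r"/[0-9a-f]{8}/[\w-]+\.php$", p) is not None),
]

def audit(urls):
    """Return {url: [labels]} for every URL that still matches a rule."""
    findings = {}
    for url in urls:
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        hits = [label for label, test in RULES if test(parts.path, query)]
        if hits:
            findings[url] = hits
    return findings

# Sample input: the URLs exactly as quoted in the post.
SAMPLE = [
    "/wp-login.php?hide_my_wp=1234",
    "/wp-admin/",
    "/template/main.css",
    "/modules/0f6a208e/shortcodes.php",
    "/lib/js/jquery/jquery.js",
    "/file/2010/08/test-image-landscape.jpg",
]

if __name__ == "__main__":
    for url, hits in audit(SAMPLE).items():
        print(url, "->", "; ".join(hits))
```

Only /template/main.css passes these rules unflagged; the other five renamed URLs still carry a recognisable WordPress trait.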
