I wouldn’t bother attempting to obfuscate the fact you have a WP site. In some cases it might help, but in many other cases it wouldn’t make any difference. This measure would fall under “security by obscurity”, which isn’t real security, though it might help on occasion. For recommended security measures that are actually effective, review Hardening WordPress. Not all measures are for everyone, but if certain measures work for your situation and aren’t too onerous or difficult, then they’re likely worth implementing.
There’s all sorts of reasons how hackers find targets to attack. The mere mention of WordPress is sometimes enough. I have a completely static site the mentions WordPress a few times and it gets all manner of WP hack attacks despite the fact there isn’t a single form on the entire site. Just registering a new domain name seems to be an invitation for hackers to probe the domain’s site for vulnerabilities.
It seems all plugin vulnerability probes are for long ago patched vulnerabilities. If you’ve kept your plugins updated and they are regularly maintained by the authors, there’s not any reason for concern. Sure, there could be a zero day vulnerability, but that’s highly unlikely.
Brute force attacks do not leverage plugin vulnerabilities anyway. As long as all admin users use good strong passwords, there’s nothing to worry about from brute force attacks. Hack attacks happen, it’s part of having a website. Beyond having your security measures in place, there’s little need for concern. If you also keep good backups (you need to do this if you aren’t), and your DB does not contain anyone’s sensitive personal information, then there really is nothing to worry about.
Thanks for the reassurance. I have wordfence setup pretty secure with firewalls, login attempts, etc. The biggest concern was to cut down on server resources being used, I know how hard a brute force attack is on a site with a password over 6 characters so I’m not too worried about a hacker actually gaining access. I’d like to share this script in case anyone else is having issues. https://github.com/masterguru/antibot is a script that will cut down on brute force attacks, just add the script to the root of the site then use an include to add the script to wp-login.php. You will need to update it when wordpress updates though because it will be overwritten.
I’ve looked over hardening wordpress and going to watch a video by Brad Williams about security (http://wordpress.tv/2010/01/23/brad-williams-security-boston10/) but I think I’ve done just about all I can do. Thanks for the helpful advice.
