May 3, 2026

Hide and sneak

Article URL →HN comments →

Security Through Obscurity Is Not Bad

Turns out hiding the spare key still works if your front door actually locks

TLDR: The article argues that hiding parts of a website can still help, as long as it’s only one extra barrier and not the whole plan. Commenters were split between “duh, every little bit helps” and “you’re mangling the rule,” turning a simple safety tip into a full-on philosophy fight.

A spicy little civil war broke out after one developer argued that “security through obscurity” isn’t evil — it’s just not enough on its own. In plain English: don’t rely only on hiding things, but yes, hiding things can still slow down bad actors and make them move on. The writer used a very relatable image — a spare key under the doormat — and the comments immediately split into Team “obviously, every layer helps” and Team “hold on, that slogan means something more specific.”

A lot of readers were practically standing on chairs cheering. Bender said they’ve been preaching this forever, arguing that a little obscurity keeps junk traffic out, reduces noisy alerts, and generally makes life less miserable. INTPenis came in with the blunt version: it’s one layer of security, period. And the WordPress crowd showed up with battle stories, with fortran77 saying that simply changing the usual login page cut down on unwanted attention — the digital version of not putting a giant “rob me here” sign on your house.

But the thread wasn’t all applause. thephyber played the role of debate cop, saying the article was oversimplifying a famous security principle and warning that what works for a lone website owner may not scale to bigger systems. catoc even tried to rebrand the whole phrase, suggesting “security including obscurity” because the original wording sounds like the hiding itself is doing all the work. In other words: same old internet classic — one side yelling “common sense!”, the other yelling “that’s not what the textbook says!”, and everyone somehow feeling extremely passionate about a doormat.

Key Points

  • The article argues that obscurity can be beneficial when used as an additional security layer rather than as the sole defense.
  • It defines security through obscurity as keeping implementation details less visible to attackers to reduce exposure.
  • The article frames obscurity as part of a defense-in-depth strategy that increases attacker time and cost.
  • A WordPress example is used to illustrate the argument, specifically changing the default database table prefix to a randomized one.
  • The author describes a 2015 case in which a vulnerable WordPress site was not affected by a common proof-of-concept SQL injection query because the expected default table name was absent.

Hottest takes

"one layer of security. That's undeniable." — INTPenis
"Security including obscurity is fine." — catoc
"just changing the default URL for the wordpress login" — fortran77

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.