Ask Acquia: Is it worth the effort to hide that my site runs Drupal?

You might think that hiding the content management system (CMS) your site is running will make it difficult for attackers to identify your site as a target when new security vulnerabilities come to light. But it turns out that hiding Drupal doesn’t actually give you a leg up in the security game.  

One reason: most attacks are executed by bots, which generally do not even check what CMS your site is running before attempting known security vulnerabilities.

“Security through obscurity” won’t even deter human hackers looking to execute targeted attacks against your website. Anyone making the effort should be assumed to have the time and resources to find what you’ve hidden - or at least to bruteforce your site if that fails. Obscuring the vulnerabilities your site might have does nothing to address the vulnerabilities that are there.

What if I want to hide it anyway – are there any downsides?

Hiding that your site runs Drupal can actually make it harder to maintain real security. The changes you’d need to make to completely conceal Drupal are so extensive that they will break core. Security updates and patches will no longer be readily compatible with your altered version of Drupal, requiring time and extensive effort before they can be applied. The longer your website is without the latest security update, the longer known vulnerabilities exist in your code – ready to be exploited by bots searching for late adopters.

I still want to hide Drupal. How can I do so?

The Acquia Help Center provides detailed instructions forHiding the fact that your site runs Drupal - with the caveat that the outlined steps take a significant amount of effort to implement and maintain, and probably aren’t worth your effort.