I'm sorry this is not true. Every website using TLS certificate from public CA (e.g. letsencrypt) must be listed in a certificate transparency log so server fqdn is not a secret but publicly known - try yourself crt.sh | discourse.joplinapp.org. and even if it would remain private "security by obscurity" doesn't work and MFA is a must for every internet facing service.. even better is support for SSO (openidconnect is welcome as requested here 
2 Likes