Lesson 3 – How to Hide Your Site From WordPress Theme Detectors & Hackers Bots

November 17, 2018

In the previous lesson you learned how to protect your login page from Brute Force attacks, it’s time to learn how to hide your website from WordPress theme detectors and hackers’ bots.

Note! Please read Hide WordPress from Theme Detectors or from Hackers Bots?

Changing the common WordPress paths will not guarantee that the WordPress CMS is completely hidden. The old paths are still accessible and hackers are still able to inject SQL and Javascript into vulnerable installed plugins and themes.

Follow the next steps, and learn what you need to do to fully protect your website.

Note! Don’t use the WordPress demo article, Tagline, footer text, etc. Make sure you have your own posts, pages, categories, tags. Don’t load the theme demo data into your website. This will easily be detected by theme detectors.

Step 1. Hide WordPress Common Paths

If you changed wp-login, wp-content, wp-includes, plugins and themes paths using Hide My WP Ghost, you should now hide the old paths from hackers to protect vulnerable plugins and themes.

To hide the common WordPress paths, you need to switch on the option, “Hide My WP > Change Paths > WP Core Security > Hide WordPress Common Paths” and save the settings.

After you activate the option, you can access the /wp-content URL from another browser or from incognito, and you should receive the 404 error (Page not found).

Now it’s time to hide the common WordPress files from hackers, who can easily detect the WordPress CMS if they can access the common WordPress files: /wp-config.php, /readme.html, etc. All these files should be accessible only if you are logged into your website.

Hide My WP Ghost will add a filter to protect all these files if you switch on the option “Hide My WP > Change Paths > WP Core Security > Hide WordPress Common Files“.

Hidden URLs:
https://demo.wpplugins.tips/wp-content/
https://demo.wpplugins.tips/wp-content/plugins/
https://demo.wpplugins.tips/readme.html

Step 2. Block Theme Detectors

To avoid any crawling from theme detectors, activate the firewall and block the detectors by known IPs and agent.

Switch ON the option Hide My WP > Change Paths > Firewall & Headers > Block Theme Detectors .

Also select a different CMS name from Hide My WP > Change Paths > Level Of Security > Simulate CMS to stop detectors from deep scanning the website.

Step 3. Activate Tweaks

Now activate the main options from Hide My WP > Tweaks to hide the CMS version, header and referrals.

Switch ON options like:

Change Paths for Logged Users
Change Paths In Cached Files
Hide Version from Images, CSS and JS in WordPress
Hide WordPress Generator META Tags
Hide WordPress DNS Prefetch META Tags
Hide HTML Comments
Hide Emoji icons
Disable Embed scripts
Hide WLW Manifest Scripts

Step 4. Use Text Mapping

You can use Text Mapping to hide classes like wp- from your website that may be detected by Theme detectors. Even if it’s a good option to add all the plugins’ classes in Text Mapping, this is not always a good idea because it may affect the website functionality.

Note! Some Theme Detectors are looking for classes that are used by WordPress plugins and they will jump to say that you’re using WordPress CMS even if you don’t have any WordPress common path.

It’s important to decide how far you want to go to hide all the known plugins. To hide the classes or IDs of a plugin, you need to also dynamically change the classes and IDs in all JS and CSS files to prevent javascript and style errors.

Add these records in Hide My WP > Mapping > Text Mapping and hide the WordPress common classes:

wp-caption => caption
wp-custom => custom
wp-block => block
wp-image => image
wp-smiley => smiley
wp-embed => embed
wp-i18n => i18n
wp-hooks => hooks
wp-util => util
wp-polyfill => polyfill
wp-escape => escape
wp-element => element
wp-post => post
wp-switch-editor => switch-editor

If the theme is not using WordPress default wp-block classes, you can also add these classes in Text Mapping:

wp-block => block
–wp– => {{blank}}

Step 5. Use URL Mapping or Cache Plugins

Some plugins use filenames with the same name as the plugin. To hide these files, you can use Hide My WP > Mapping > URL Mapping or a cache plugin.

URL Mapping option will let you change any URL from your website to one that is more user-friendly and hides a plugin name.

Now, If you already have a cache plugin installed, check if the cache plugin has the option to minify/combine the CSS and JS files that can be detected.

We recommend using cache plugins for our compatibility list that are periodically tested with Hide My WP Ghost.

https://hidemywpghost.com/hide-my-wp-compatibility-plugins-list/

Step 6. Other Configuration

As we know that the small things can make a huge difference in security and hiding the CMS, make sure you have these settings active in Hide My WP Ghost:

5.1 Add a custom name for the admin-ajax.php path even if the wp-admin path is set to default. Also, hide the wp-admin from ajax path.

Follow this tutorial: https://hidemywpghost.com/kb/customize-paths-in-hide-my-wp-ghost/#customize_ajax

5.2 Hide the REST API wp-json path from the source code even if the path is not customized. We recommend not to disable the Rest API calls but disable XML-RPC access as it’s used for Brute Force attacks made by hacker bots.

Follow this tutorial: https://hidemywpghost.com/kb/customize-paths-in-hide-my-wp-ghost/#hide_rest_api

5.3 Activate the Brute Force protection on Login, Lost Password, and SignUp paths (only if there is no other brute force protection activated yet)

Follow this tutorial: https://hidemywpghost.com/kb/brute-force-attack-protection/

Step 7. Run a Security Check

It’s time to check the website security and make sure there are no URLs containing /wp-content/.

Go to Hide My WP > Security Check and run a report. If the report doesn’t find the old WordPress paths in source code than the config is correct.

You can also check the Source Code of your website using a different browser or from incognito.

Most browsers let you see the website’s source-code if you type “view-source:” before your domain, like this:
view-source:https://demo.wpplugins.tips/. Now search for wp- using the search option (Ctrl + F).

If you find URLs containing “/wp-content/”, make sure they were not generated by a cache plugin like Autoptimizer or Wp-Rocket. If they were, activate the Combine JS and Combine CSS option in your cache plugin to add all the JS and CSS in the same file.

If you don’t use a cache plugin, and you want to change some URLs in your source code, use the Hide My WP Ghost > Mapping > URL Mapping option and follow the instruction in the next step.

Step 8. Hide Path in Sitemap XML and Robots.txt

Some themes detectors are looking in the /sitemap.xml URL to check if there is any reference to the plugin’s author.

In /robots.txt URL you can also find restrictions to the wp-admin and wp-includes paths and the theme detectors will know that you’re using WordPress CMS because of that.

Hide My WP Ghost is removing any style from sitemap.xml and all the WordPress common paths from robots.txt.

Website SEO and Indexability

These options will not affect the SEO on your website. All the links will appear in the sitemap and all the required rules will be present in robots.txt. Google will index all the content of your website as before.

Step 9. Use Theme Detectors Tools

If you applied all the steps in the last three lessons, your website should be safe from hacker’s bots, and hidden from all WordPress theme detectors:

We checked with many other detectors, but some of them save a long-term cache, and the results are not relevant.

Don’t use Buitwith and Isitwp detectors!

The detectors are caching the CMS information for a long time once they detect a CMS. We’ve tested with a blank website, and we get the same information even after a few months. Use real time detectors to check if the plugin is configured correctly.

Don’t use Browser Extensions!

If you install a Chrome extension with a WordPress theme detector, the extension will detect the WP CMS when you’re loged as admin and it may keep a cache with this info. Some detectors like Builtwith and Wappalyzer keep a long term cache once they detect the WordPress CMS.

To remove your website from BuitWith website, access: Removals (builtwith.com)

Conclusion

Hide My WP Ghost is a complex security tool and covers all the security needs to protect the vulnerable plugins and themes from Script and SQL Injections. It can be used together with other security plugins like Wordfence, Sucuri, iThemes Security etc.

Note! The plugin is compatible with other security plugins and you don’t have to deactivate all other security plugins if you install Hide My WP Ghost.

To see what Hide My WP Ghost can’t do on your website in order to avoid errors, please read:
https://hidemywpghost.com/what-hide-my-wp-ghost-cant-do/

Feel free to contact us with feedback and suggestions here

In the next lesson, you will learn how to use the Events Log feature, and how to set Security Email Alerts in your Hide My WP Ghost account.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.