After configuring WP Ghost, verify your hiding with external WordPress detector tools. Run your site URL through WhatCMS, WPThemeDetector, WhatWPThemeIsThat, Wappalyzer, and BuiltWith. If WP Ghost is properly configured, these detectors return “Unknown CMS”, identify your site as something other than WordPress, or cannot detect the theme and plugins you are using. You can also view your page source manually and search for WordPress-identifying strings like “wp-content”, “wp-includes”, “generator”, or “WordPress”, a properly hidden site shows none of these.
Before You Verify, Complete the Setup
Verification only makes sense after you have fully configured WP Ghost’s hiding features. Make sure you have followed the setup instructions:
Hide Your Site From Theme Detectors and Hacker Bots
This covers all the toggles, path changes, and tweaks needed to remove WordPress fingerprints from your public site.
Run WP Ghost’s Built-In Security Check First
WP Ghost includes a Security Check that scans your configuration and flags any gaps before you test externally. Go to WP Ghost > Security Check and run the scan. The report shows which hiding features are active and which are still needed. See Website Security Check for details on interpreting the results.
External WordPress Detector Tools
Once the Security Check looks clean, test your site against the same detectors attackers and competitors use:
Recommended verification tools:
WP Ghost Security Check online, the public scanner at wpghost.com/#security_check reports whether WordPress signals are detectable on your site.
WPThemeDetector, wpthemedetector.com attempts to identify WordPress themes, plugins, and version.
WhatWPThemeIsThat, whatwpthemeisthat.com focuses on theme detection.
WhatCMS, whatcms.org identifies the CMS itself (WordPress, Drupal, Joomla, etc.).
MyCodelessWebsite, mycodelesswebsite.com additional detection checks.
For the specific Wappalyzer verification, see the dedicated guide at Hide WordPress from Wappalyzer.
What “Hidden” Looks Like on Each Tool
A properly hidden site returns different results depending on the tool:
CMS detectors (WhatCMS): return “Unknown CMS” or identify the site as something other than WordPress.
Theme detectors (WPThemeDetector, WhatWPThemeIsThat): cannot identify the theme name, or return “Theme not detected”.
Tech stack profilers (Wappalyzer, BuiltWith): cannot identify WordPress, or identify only non-specific server and language information (Apache, PHP) without revealing the CMS.
If a detector still shows your site as WordPress after full configuration, one or more signals are leaking through. The most common causes are listed below.
Manual Verification Through Page Source
External detectors are helpful but not exhaustive. You can also inspect your own page source directly:
1. Open your site in an incognito or private browser window. 2. Right-click anywhere on the page and select “View Page Source”. 3. Use Ctrl+F (or Cmd+F on Mac) to search for the following strings: wp-content, wp-includes, wp-json, generator, WordPress, wp-.
A fully hidden site shows zero matches for any of these. If you find matches, note which file or feature is exposing the signal, and review the corresponding WP Ghost settings.
If Detectors Still Identify Your Site
If WordPress detectors still find your site after completing the full hiding setup, the most common causes are:
Theme or plugin incompatibility. Some themes or plugins hardcode WordPress-specific references that WP Ghost cannot automatically override. Check if your theme and plugins are on the compatibility list: Theme Compatibility List and Plugin Compatibility List.
Caching interference. Cached pages may still contain pre-hiding content. Clear your WordPress cache, CDN cache, and server cache, then retest.
Missing hiding options. Return to WP Ghost > Tweaks and verify every toggle under Hide from Theme Detectors is enabled.
CMS simulation for edge cases. For stubborn detectors, Premium users can simulate running Drupal or Joomla instead of WordPress, which actively misdirects detectors rather than just removing signals. See Simulating Drupal or Joomla with WP Ghost.
If none of these resolve the issue, contact WP Ghost support and include the detector URL showing the WordPress identification. The support team can investigate specific theme or plugin incompatibilities.
Frequently Asked Questions
Which detector is the most accurate?
No single detector catches everything. Each tool checks different signals, so use several detectors together for complete verification. If your site is hidden from all of the tools listed above, it is likely hidden from most real-world attackers and competitors as well.
Do I need to check after every WordPress update?
It is a good idea to re-verify after major WordPress updates and after installing new plugins or themes, because those updates can occasionally reintroduce WordPress-identifying code. A quick Security Check and one detector test takes a few minutes and confirms your hiding still works.
What if my site is identified as WordPress but the theme and plugins are hidden?
That is still a significant improvement. Most targeted attacks rely on knowing specific plugin and theme versions to exploit known vulnerabilities. If detectors can confirm “WordPress” but cannot identify which theme or plugins you use, attackers cannot target specific CVEs on your site. For complete hiding including the CMS itself, enable all the options in Hide from Theme Detectors, and consider CMS simulation for Premium.
Does my hosting affect detector results?
Server headers can reveal some information, but not WordPress specifically. Server type (Apache, Nginx) and PHP version may show in detector results, these are separate from WordPress identification and typically not considered security risks.
Does WP Ghost modify WordPress core files?
No. WP Ghost works through server rewrite rules and WordPress hooks that filter HTML output at runtime. No WordPress core files, theme files, or plugin files are modified. Deactivating WP Ghost restores every default signal and WordPress becomes identifiable again, proving the changes are reversible at any time.
If the WordPress detectors still find your website after completing the full setup, please contact us and we will check if there are any theme or plugin incompatibilities.