To hide your WordPress site from theme detectors, CMS scanners, and hacker bots, you need to remove every WordPress fingerprint from your public HTML source and change the default paths. This means hiding HTML headers (generator meta, DNS prefetch, RSD), stripping version tags, renaming wp-content, wp-includes, plugin and theme paths, blocking access to files like readme.html and xmlrpc.php, and replacing “wp-” class names in source code. You can do this manually with PHP knowledge, but the faster and safer method is to install WP Ghost, which covers all of this through one plugin without editing WordPress core files.
Why Hiding WordPress Matters
WordPress powers 43% of all websites, which makes it the most targeted CMS on the internet. Attack bots know WordPress’s default structure by heart: they scan for /wp-login.php, /wp-content/plugins/, /readme.html, and dozens of other predictable patterns. If those signals are present, your site is flagged as WordPress and added to attack lists for scripted exploits targeting known plugin and theme vulnerabilities.
Most attacks do not target you specifically. They target anyone running WordPress with detectable default patterns. Remove the patterns, and bots move on to the next predictable target. This is attack surface reduction, not obscurity: it breaks scale-based automated attacks at the reconnaissance phase.
What Theme Detectors and Bots Look For
Theme detectors and CMS scanners identify WordPress through multiple signals in your public source code. To hide your site, all of these need to be removed or changed:
| WordPress Signal | Where It Appears | How to Hide |
|---|---|---|
| Directory paths (/wp-content/, /wp-includes/, plugins, themes) | CSS, JS, image URLs in page source | Rename paths + Hide old paths |
| Default files (readme.html, license.txt, wp-config.php, install.php, xmlrpc.php) | Direct URL access | Hide WordPress Common Files |
| Generator meta tag (<meta name="generator" content="WordPress...">) | HTML <head> | Hide WordPress Generator META Tags |
| Version query strings (?ver=6.7.1) | CSS and JS file URLs | Hide WordPress Version |
| DNS prefetch (s.w.org, w.org) | HTML <head> | Hide DNS Prefetch META Tags |
| WordPress emoji script (Twemoji from s.w.org) | Inline JS and CSS on every page | Hide Emoji Icons |
| RSD and WLW Manifest links | HTML <head> | Hide RSD / WLW Manifest |
| WordPress HTML comments (<!-- Begin Yoast -->, etc.) | Page source | Hide HTML Comments |
| Class names (wp-block, wp-image, wp-caption) | HTML elements | Text Mapping |
| REST API (/wp-json/) and AJAX endpoint | API responses and AJAX calls | Change REST API path, hide wp-json |
| Sitemap plugin branding and XSL stylesheet | /sitemap.xml | Change Paths in Sitemap XML + Remove Plugin Authors & Style |
| Author URLs (?author=1) | Author enumeration attacks | Change author path and hide user IDs |
Option 1: Manually (Requires PHP Knowledge)
If you want to hide WordPress manually, you will be editing multiple files and writing custom code. This requires comfort with PHP, .htaccess or Nginx configuration, and WordPress filters. At minimum, you will need to:
- Remove WordPress HTML headers (RSD, DNS Prefetch, Generator Meta) through functions.php filters
- Strip WordPress comments and version tags from CSS/JS output
- Rewrite WordPress common paths (wp-content, wp-includes, plugins, themes, cache directories) through server-level rewrite rules
- Block access to default files (readme.html, xmlrpc.php, install.php, wp-config.php, license.txt)
- Replace or remove “wp-” prefixed class names in page output (while ensuring no plugins depend on them)
Risks of the manual approach: edits to functions.php break if you switch themes. Custom .htaccess rules can conflict with caching plugins or hosting rules. You have to maintain the code through every WordPress update. One wrong rewrite rule can lock you out of your admin or break plugins. For most site owners, the time cost and risk outweigh the benefit.
Option 2: Use WP Ghost (Recommended)
WP Ghost handles the entire hiding checklist through one plugin, with one dashboard, and zero code edits. Everything above is a toggle. The plugin never modifies WordPress core files; it uses server rewrite rules and WordPress filters, so you can deactivate it at any time and your site returns to defaults instantly.
Install WP Ghost (free from the WordPress.org plugin repository or the Install WP Ghost Lite guide), then activate the full hiding checklist:
- Select Safe Mode or Ghost Mode at WP Ghost > Change Paths > Level of Security. Safe Mode works on all servers. Ghost Mode (Premium) adds aggressive hiding with file extension replacement.
- Customize WordPress paths (wp-admin, wp-login, wp-content, wp-includes, plugins, themes, uploads, REST API, AJAX). Use the default randomized names or pick your own.
- Hide WordPress Common Paths and Files at WP Ghost > Change Paths > WP Core Security. Old paths return 404.
- Enable Hide Options at WP Ghost > Tweaks > Hide Options: Generator Meta, DNS Prefetch, Version tags, HTML Comments, Emoji, WLW Manifest, Embed scripts.
- Replace WordPress class names in Text Mapping if your theme/plugins use “wp-” prefixed classes.
- Clean sitemap and robots.txt at WP Ghost > Tweaks > Feed & Sitemap to remove WordPress references from public XML files.
- Enable Block Theme Detectors Crawlers in the firewall to reject scans from known detector services.
- Run a Security Check at WP Ghost > Security Check to verify every hiding task is complete.
Full walkthrough in the Hide from WordPress Theme Detectors guide.
How to Verify Your Site Is Hidden
After completing the hiding checklist, test with real-time theme detector services (not cached ones):
Recommended real-time detectors: wpthemedetector.com, whatwpthemeisthat.com, whatcms.org. These scan your site fresh each time, so the test reflects your current state.
Avoid cached detectors for testing: BuiltWith and IsItWP cache CMS results for months, even after you’ve hidden your site. If they previously detected WordPress, they may continue to report WordPress even though your site is now hidden. To remove your site from BuiltWith, submit a removal request at their Removals page.
Avoid browser extension detectors: Chrome extensions like Wappalyzer may pick up WordPress when you are logged in as admin (because admin-side paths are always WordPress). Test in a private/incognito browser window without any detector extensions installed.
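A local self-check you can run on your own page source saved from a private window, in addition to the online detectors. This is an added example, not code from WP Ghost: the names audit and SIGNALS, the regexes, the example.test URLs, and the renamed paths in the second sample are assumptions made for illustration, and both HTML samples are constructed.

```python
import re

# Signal -> regex, one per row of the signal table on this page (author URLs,
# default files and sitemap branding need separate requests; not covered).
SIGNALS = {
    "generator meta": r'<meta(?=[^>]*name=["\']generator["\'])(?=[^>]*content=["\']WordPress)[^>]*>',
    "default paths": r'/wp-(?:content|includes)/',
    "version query string": r'\.(?:css|js)\?ver=[\d.]+',
    "dns-prefetch": r'<link(?=[^>]*dns-prefetch)(?=[^>]*//(?:s\.)?w\.org)[^>]*>',
    "emoji script": r'_wpemojiSettings|wp-emoji-release',
    "RSD link": r'<link[^>]+rel=["\']EditURI["\'][^>]*>',
    "WLW manifest": r'wlwmanifest\.xml',
    "HTML comments": r'<!--(?!\[if).*?-->',
    "wp- class names": r'class=["\'][^"\']*(?<![\w-])wp-(?:block|image|caption)',
    "REST API path": r'/wp-json/',
}

def audit(html):
    """Return {signal: [matched snippets]} for every signal still in the HTML."""
    findings = {}
    for name, pattern in SIGNALS.items():
        hits = [m.group(0)[:80] for m in re.finditer(pattern, html, re.I | re.S)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample: page source resembling a default install (not a real site).
DEFAULT_PAGE = """<head>
<meta name="generator" content="WordPress 6.7.1" />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="EditURI" type="application/rsd+xml" href="https://example.test/xmlrpc.php?rsd" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/style.css?ver=6.7.1" />
<link rel="https://api.w.org/" href="https://example.test/wp-json/" />
<script>window._wpemojiSettings = {};</script>
</head>
<body><figure class="size-full wp-block-image"><img class="wp-image-12" src="/wp-content/uploads/a.png"></figure>
<!-- Begin Yoast --></body>"""

# Constructed sample: the same page after renaming paths and stripping headers.
HIDDEN_PAGE = """<head>
<link rel="stylesheet" href="https://example.test/core/views/demo/style.css" />
</head>
<body><figure class="size-full image-block"><img class="image-12" src="/storage/a.png"></figure></body>"""

if __name__ == "__main__":
    for label, page in (("default", DEFAULT_PAGE), ("hidden", HIDDEN_PAGE)):
        print(label, audit(page) or "no fingerprints found")
```

The "HTML comments" check flags every non-conditional comment, so review those hits by hand; an empty result only covers the page you fed it, not logged-in or admin views.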
Frequently Asked Questions
How do I hide my WordPress site from detectors?
Remove all WordPress fingerprints from your public HTML: generator meta, DNS prefetch, version tags, WordPress comments, emoji script, WLW manifest, plus change the default paths (wp-content, wp-includes, plugins, themes, uploads, REST API, AJAX). You can do this manually with PHP/htaccess edits, or install WP Ghost and toggle everything through one dashboard. WP Ghost is the faster and safer option.
Why would I want to hide that I’m using WordPress?
Because the vast majority of WordPress attacks are automated bots targeting known WordPress patterns. When a bot scans your site and sees /wp-content/plugins/ paths, default login URLs, and the generator meta tag, it flags you as a WordPress site and adds you to scripted attack lists for known plugin/theme exploits. Hide the patterns and most of those bots move on to the next target. This can reduce your attack volume by up to 99%.
Does hiding my site affect SEO?
No. Google and other search engines don’t index based on your CMS or plugin paths. Your public URLs, content, sitemap XML, and structured data remain unchanged. Search engines crawl and rank your site exactly as before. If anything, faster page loads (from removing emoji scripts and other unnecessary resources) can slightly improve Core Web Vitals scores.
Will hiding WordPress break my site or plugins?
No, not when done through WP Ghost. WP Ghost uses server rewrite rules and WordPress filters rather than modifying files. All plugins, themes, and WooCommerce continue working normally. If a plugin depends on default paths (rare), you can exclude specific paths from hiding. Full compatibility list at WP Ghost Compatibility Plugins List.
Can I do this for free?
Yes. WP Ghost’s free version (Lite) covers the core hiding checklist: path security, Hide Common Paths and Files, Hide Generator Meta, Hide DNS Prefetch, Hide HTML Comments, Hide Version, Hide Emoji, brute force protection, and 2FA. Premium adds Ghost Mode (file extension replacement), country blocking, vulnerability management, and security threats logs.
What about BuiltWith showing me as WordPress even after hiding?
BuiltWith caches CMS results for months and may continue reporting WordPress long after you’ve hidden your site. This is not a failure of the hiding; it is a cache issue on their side. To remove your entry, submit a removal request at BuiltWith’s Removals page. For accurate testing, use real-time detectors like wpthemedetector.com, whatwpthemeisthat.com, or whatcms.org instead.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses server-level rewrite rules (.htaccess on Apache/LiteSpeed, hidemywp.conf on Nginx) and WordPress filters. No core files, theme files, or plugin files are modified. Deactivating the plugin restores every default instantly, which makes it safe to test and reversible at any time.