IsItWP and similar detectors (BuiltWith, W3Techs) cache their CMS detection results for up to 30 days, sometimes longer. Once they identify your site as WordPress, they stop checking it fresh and keep returning the cached answer, even after you have configured WP Ghost to hide every WordPress fingerprint. To verify that your hiding is actually working, use real-time detectors like WPThemeDetector, WhatWPThemeIsThat, or WhatCMS, which rescan your site on every request. A blank page with no content will also return “WordPress” on IsItWP if your site was detected before, which is the clearest proof the result is cached.
Why IsItWP Still Shows WordPress After You Hide Everything
IsItWP is a service that offers WordPress-related tools and resources. One of its features is CMS detection: you enter a URL, and it tells you whether the site runs WordPress and which theme and plugins it uses. The catch is that IsItWP does not scan your site fresh each time. The first time it detects WordPress, it stores the result in its own cache and serves that cached answer to every subsequent lookup for roughly 30 days. Run IsItWP right after installing WP Ghost and you will almost certainly see the old WordPress detection, not the result that reflects your current configuration.
How to Prove the Result Is Cached
Here is the test that removes all doubt. Replace your homepage with a blank index.html containing no WordPress code at all, no wp-content paths, no WordPress classes, nothing. Then run IsItWP on the same URL. It will still report “Powered by WordPress” and even show the themes and plugins it thinks you are using. That is not a detection, it is a memory. The service is returning a 30-day-old answer because the entry has not expired yet. BuiltWith behaves the same way, and in some cases caches for several months. This is why WP Ghost’s own verification workflow explicitly recommends skipping these tools for testing.
Cached vs Real-Time Detectors
| Detector | Caches Results? | Useful for Testing? |
|---|---|---|
| IsItWP.com | Yes, up to 30 days | No, results are stale |
| BuiltWith.com | Yes, often months | No, caches long-term |
| W3Techs | Yes, long-term | No, caches long-term |
| WPThemeDetector.com | No, real-time scan | Yes, recommended |
| WhatWPThemeIsThat.com | No, real-time scan | Yes, recommended |
| WhatCMS.org | No, real-time scan | Yes, recommended |
| MyCodelessWebsite.com | No, real-time scan | Yes, recommended |
How to Verify WP Ghost Is Working Correctly
Step 1. Run the Internal Security Check
Before testing with any external detector, verify your configuration internally. Go to WP Ghost > Security Check and click Start Scan. WP Ghost runs through its security tasks and reports which checks pass. If all path-related checks are green and no /wp-content/ references appear in your page source, your configuration is correct, regardless of what a cached detector says. See the Website Security Check guide for details.
Step 2. View Source in an Incognito Window
Open your site in a private browser window (logged out), right-click, and select View Source. Press Ctrl+F (or Cmd+F on Mac) and search for wp-. If no WordPress paths, class names, or meta tags appear, your site is hidden from any scanner that reads the source honestly. This manual test is the ground truth.
Step 3. Test with Real-Time Detectors
Use detectors that rescan your site on every request. These give accurate, uncached results:
WPThemeDetector at wpthemedetector.com, WhatWPThemeIsThat at whatwpthemeisthat.com, WhatCMS at whatcms.org, and MyCodelessWebsite at mycodelesswebsite.com. Each one performs a fresh HTTP request to your domain and parses the response live. If these detectors cannot identify WordPress on your site, WP Ghost is doing its job.
Step 4. Use a Clean Browser Profile
Never test with browser extensions while logged into wp-admin. Extensions like Wappalyzer and WhatRuns detect WordPress through admin-only signals and cache the result in their own database. Use a separate browser profile or a different device (phone, tablet) for detection testing. The browser extension detectors FAQ covers this in depth.
How to Clear IsItWP’s Cache
IsItWP does not offer a public cache-clearing feature. Your options are to wait out the cache period (usually 30 days), contact their support, or simply move on to a real-time detector, which is what everyone else in the WP Ghost community does. For BuiltWith specifically, there is a removal request form at builtwith.com/removals that can clear their database entry, but most sites just ignore BuiltWith for testing and rely on fresh detectors instead.
Why This Matters for Hack Prevention
A cached “WordPress detected” result on IsItWP does not mean bots can find WordPress on your site. Hacker bots do not query IsItWP, they scan your server directly. What matters is whether your actual HTML, paths, and responses expose WordPress to a live request. If the real-time detectors and your source code show no WordPress fingerprints, your hack prevention is working as designed. The 115+ free features and 150+ premium features in WP Ghost strip those signals from live responses, which is exactly what bots see when they probe your site. A stale cache on a third-party service has no effect on your security posture.
Frequently Asked Questions
Does a cached IsItWP result mean my site is still vulnerable?
No. Bots do not use IsItWP to find WordPress sites to attack, they scan your server directly by probing known WordPress paths. The real test is whether your live HTML and paths expose WordPress. If incognito source view and real-time detectors show nothing, you are protected.
How long does IsItWP keep a site cached?
Roughly 30 days, based on testing. BuiltWith holds CMS detections longer, often months. W3Techs also caches long-term. There is no officially published cache duration, so treat anything you see from these services as potentially outdated.
Can I force IsItWP to rescan my site?
No, IsItWP does not expose a rescan option. Contacting their support sometimes works, but the faster route is to simply use WPThemeDetector, WhatWPThemeIsThat, or WhatCMS instead. These scan fresh every time.
What if a real-time detector still shows WordPress after I configured WP Ghost?
Three things to check. Are you testing while logged out in an incognito window? View source and search for wp-, if anything still appears, your cache plugin or a hardcoded theme reference is leaking the old paths, try enabling Change Paths in Cached Files. Did you activate Safe Mode or Ghost Mode? The full diagnostic walkthrough is in the Hide from WordPress Theme Detectors guide.
Should I worry about BuiltWith keeping my site in their database?
Only if you care about appearing in their marketing data sets. BuiltWith sells historical technology data, not real-time vulnerability information, so bots do not consult BuiltWith before attacking. If you want the record removed anyway, use the removal form at builtwith.com/removals.
Does WP Ghost modify WordPress core files?
No. WP Ghost never touches, moves, or renames any file or folder on your server. All fingerprint hiding uses URL rewrite rules, WordPress filters, and output buffering. Deactivating the plugin restores every original path and identifier instantly, which is what a real-time detector would see if you turned WP Ghost off.