In the previous lesson you learned how to protect your login page from Brute Force attacks. Now it’s time to learn how to hide your website from WordPress theme detectors and hackers’ bots.

After changing the WordPress common paths, you need to hide the old ones completely. Otherwise the old paths remain accessible, and hackers can still inject SQL and JavaScript through vulnerable installed plugins and themes.

Follow the next steps, and learn what you need to do to fully protect your website.

Note! Don’t import demo data, tagline, footer text, etc. Make sure you have your own posts, pages, categories, and tags. Don’t load the theme demo data into your website, because theme detectors recognize it easily.

Hide WordPress Common Paths

If you changed wp-login, wp-content, wp-includes, plugins, and themes paths using WP Ghost, you should now hide the old paths from hackers to protect vulnerable plugins and themes.

To hide the common WordPress paths, switch on the option WP Ghost > Change Paths > WP Core Security > Hide WordPress Common Paths and save the settings.

After you activate the option, if you access the /wp-content URL while not logged into your website, you should receive a 404 error (Page not found).

Now it’s time to hide the common WordPress files from hackers, who can easily detect the WordPress CMS if they can access the common WordPress files: /wp-config.php, /readme.html, etc. All these files should be accessible only when you are logged into your website.

WP Ghost adds a filter to protect all these files if you switch on the option WP Ghost > Change Paths > WP Core Security > Hide WordPress Common Files.

Hidden URLs:
https://demo.wpplugins.tips/wp-content/
https://demo.wpplugins.tips/wp-content/plugins/
https://demo.wpplugins.tips/readme.html

Block Theme Detectors

To avoid any crawling from theme detectors, activate the firewall and block the theme detectors by IPs and agents.

Switch ON the option WP Ghost > Firewall > Block Theme Detectors Crawlers.

Also, select a different CMS name from WP Ghost > Change Paths > Level Of Security > Simulate CMS to stop detectors from deep scanning the website.

Activate Tweaks

Now activate the main options from WP Ghost > Tweaks to hide the CMS version, header, and referrals.

Switch ON options like:

  • Change Paths for Logged Users
  • Change Paths In Cached Files
  • Hide Version from Images, CSS and JS in WordPress
  • Hide WordPress Generator META Tags
  • Hide WordPress DNS Prefetch META Tags
  • Hide HTML Comments
  • Hide Emoji icons
  • Disable Embed scripts
  • Hide WLW Manifest Scripts

Tweaks Hide Options

Use Text Mapping

You can use Text Mapping to hide classes such as wp- that theme detectors may look for on your website. Although adding all the plugins’ classes to Text Mapping may seem like a good option, it is not always a good idea, because it may affect the website’s functionality.

Note! Some theme detectors look for classes used by WordPress plugins and will conclude that you’re using the WordPress CMS even if none of the WordPress common paths are present.

It’s important to decide how far you want to go in hiding all the known plugins. To hide the classes or IDs of a plugin, you also need to dynamically change those classes and IDs in all JS and CSS files to prevent JavaScript and style errors.

Text Mapping

Add these records in WP Ghost > Mapping > Text Mapping and hide the WordPress common classes:

  • wp-caption => caption
  • wp-custom => custom
  • wp-block => block
  • wp-image => image
  • wp-smiley => smiley
  • wp-embed => embed
  • wp-i18n => i18n
  • wp-hooks => hooks
  • wp-util => util
  • wp-polyfill => polyfill
  • wp-escape => escape
  • wp-element => element
  • wp-post => post
  • wp-switch-editor => switch-editor

Removing wp-block with text mapping

If the theme is not using WordPress default wp-block classes, you can also add these classes in Text Mapping:

  • wp-block => block
  • --wp-- => {blank}
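Here is an added example, written for this lesson rather than taken from WP Ghost, of why the same mapping must be applied to HTML, CSS and JS together. It uses the class records from the first Text Mapping list above (the CSS custom-property record from the second list is left out), applies them longest key first, and then lists the classes that the stylesheet and script no longer refer to; the sample documents and all function names are constructed for the demonstration.

```python
"""Added example, not WP Ghost's own code: apply the class-name Text Mapping
records consistently to HTML, CSS and JS, then check that the three still
agree. The sample documents below are constructed."""
import re

# Records from the first Text Mapping list above.
TEXT_MAPPING = {
    "wp-caption": "caption", "wp-custom": "custom", "wp-block": "block",
    "wp-image": "image", "wp-smiley": "smiley", "wp-embed": "embed",
    "wp-i18n": "i18n", "wp-hooks": "hooks", "wp-util": "util",
    "wp-polyfill": "polyfill", "wp-escape": "escape", "wp-element": "element",
    "wp-post": "post", "wp-switch-editor": "switch-editor",
}


def build_pattern(mapping):
    # Longest key first, so a longer record is never partially rewritten by a
    # shorter one; the look-behind keeps e.g. "mywp-caption" untouched.
    keys = sorted(mapping, key=len, reverse=True)
    alternation = "|".join(re.escape(k) for k in keys)
    return re.compile(r"(?<![\w-])(" + alternation + r")")


def apply_mapping(text, mapping=TEXT_MAPPING):
    """Rewrite every mapped token in one pass, whatever the file type."""
    return build_pattern(mapping).sub(lambda m: mapping[m.group(1)], text)


CLASS_ATTR = re.compile(r'class="([^"]*)"')
CSS_SELECTOR_CLASS = re.compile(r"\.([A-Za-z_][\w-]*)")
JS_STRING_CLASS = re.compile(r"""['"]\.?([A-Za-z_][\w-]*)['"]""")


def html_classes(html):
    return {c for attr in CLASS_ATTR.findall(html) for c in attr.split()}


def css_classes(css):
    return set(CSS_SELECTOR_CLASS.findall(css))


def js_classes(js):
    # Class names that appear as string literals, e.g. in classList.add()
    # or querySelectorAll(".name") calls.
    return set(JS_STRING_CLASS.findall(js))


def orphaned_classes(html, css, js):
    """Classes in the markup that neither the stylesheet nor the script refers
    to: the broken styling and JS errors the lesson warns about show up here."""
    return html_classes(html) - (css_classes(css) | js_classes(js))


# Constructed sample: one block-editor figure, its styles and a small script.
SAMPLE_HTML = ('<figure class="wp-block-image wp-caption alignnone">'
               '<img class="wp-image-42" src="/img/a.png"></figure>'
               '<span class="wp-smiley">:)</span>')
SAMPLE_CSS = (".wp-block-image{margin:0}.wp-caption{text-align:center}"
              ".alignnone{display:block}.wp-smiley{height:1em}")
SAMPLE_JS = ('document.querySelectorAll(".wp-image-42").forEach(function (el) {'
             ' el.classList.add("wp-caption"); });')


def compare_partial_and_full_mapping():
    """Return the orphans left when only the HTML is mapped versus when HTML,
    CSS and JS are all mapped with the same records."""
    mapped_html = apply_mapping(SAMPLE_HTML)
    partial = orphaned_classes(mapped_html, SAMPLE_CSS, SAMPLE_JS)
    full = orphaned_classes(mapped_html, apply_mapping(SAMPLE_CSS),
                            apply_mapping(SAMPLE_JS))
    return partial, full


if __name__ == "__main__":
    partial, full = compare_partial_and_full_mapping()
    print("orphaned after mapping HTML only:", sorted(partial))
    print("orphaned after mapping HTML, CSS and JS:", sorted(full))
```

Mapping only the markup leaves four classes that no stylesheet rule or script refers to any more, which is exactly the broken styling the lesson describes; mapping all three sources with the same records leaves none.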

Use URL Mapping or Cache Plugins

Some plugins use filenames that carry the same name as the plugin itself. To hide these files, you can use WP Ghost > Mapping > URL Mapping or a cache plugin.

The URL Mapping option lets you change any URL on your website to one that is more user-friendly and hides the plugin name.

URL Mapping

Now, if you already have a cache plugin installed, check whether it has an option to minify/combine the CSS and JS files that could otherwise be detected.

We recommend using cache plugins from our compatibility list, which are periodically tested with WP Ghost.

https://wpghost.com/kb/wp-ghost-compatibility-plugins-list/

Other Configuration

As small things can make a huge difference in security and in hiding the CMS, make sure you have these settings active in WP Ghost:

Add a custom name for the admin-ajax.php path even if the wp-admin path is set to default. Also, hide wp-admin from the ajax path.

Custom admin ajax path

Hide the REST API wp-json path from the source code even if the path is not customized. We recommend not disabling the REST API calls, but do disable XML-RPC access, as it is used for Brute Force attacks by hacker bots.

Disable XML-RPC access

Activate the Brute Force protection on the Login, Lost Password, and SignUp paths (only if no other brute force protection is active yet).

Activate the Brute Force protection

Run a Security Check

It’s time to check the website security and make sure there are no URLs containing /wp-content/.

Go to WP Ghost > Security Check and run a report. If the report doesn’t find the old WordPress paths in the source code, then the config is correct.

Security Check Completed

You can also check the source code of your website using a different browser or an incognito window.

Most browsers let you see the website’s source code if you type “view-source:” before your domain, like this: view-source:https://demo.wpplugins.tips/. Then search for wp- using the search option (Ctrl + F).

If you find URLs containing “/wp-content/”, check whether they were generated by a cache plugin such as Autoptimize or WP Rocket. If they were, activate the Combine JS and Combine CSS options in your cache plugin to put all the JS and CSS in the same file.

If you don’t use a cache plugin, and you want to change some URLs in your source code, use the WP Ghost > Mapping > URL Mapping option and follow the instructions in the next step.

Hide Path in Sitemap XML and Robots.txt

Some theme detectors look at the /sitemap.xml URL to check whether there is any reference to a plugin’s author.

In the /robots.txt URL you can also find restrictions on the wp-admin and wp-includes paths, and theme detectors will know that you’re using the WordPress CMS because of that.

WP Ghost removes the stylesheet from sitemap.xml and all the WordPress common paths from robots.txt.

Feed Sitemap XML
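To make the Security Check and the “view-source” inspection above repeatable, here is an added example (written for this lesson, not WP Ghost’s own code) that scans a saved page source for the fingerprints the Tweaks section tells you to hide, plus the robots.txt rules discussed in this section. The page source, robots.txt and version strings below are constructed samples, and all function names are assumptions for the demonstration.

```python
"""Added example, not WP Ghost's own code: a scanner for the WordPress
fingerprints this tutorial tells you to remove (common paths, generator and
dns-prefetch tags, emoji and embed scripts, wlwmanifest, REST/XML-RPC links,
version query strings, HTML comments, wp- classes and robots.txt rules).
The page source and robots.txt below are constructed samples."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line label text")

# Each fingerprint corresponds to one of the hide options discussed above.
FINGERPRINTS = [
    ("common path", re.compile(r"/wp-(?:content|includes|admin|json|login\.php)\b")),
    ("generator meta", re.compile(r'<meta[^>]+name="generator"[^>]+WordPress', re.I)),
    ("dns-prefetch s.w.org", re.compile(r'rel="dns-prefetch"[^>]+s\.w\.org')),
    ("emoji script", re.compile(r"wp-emoji|_wpemojiSettings")),
    ("wlwmanifest", re.compile(r"wlwmanifest\.xml")),
    ("REST API link", re.compile(r'rel="https://api\.w\.org/"')),
    ("xmlrpc / pingback", re.compile(r"xmlrpc\.php")),
    ("embed script/class", re.compile(r"wp-embed")),
    ("version query string", re.compile(r"\?ver=\d+\.\d+")),
    ("wp- class prefix", re.compile(r'class="[^"]*\bwp-')),
    ("HTML comment", re.compile(r"<!--")),
]
ROBOTS_RULE = re.compile(r"^(?:Disallow|Allow):\s*(/wp-[\w-]*)", re.I | re.M)


def scan_source(html):
    """Return one Finding per (line, fingerprint) hit in a view-source dump."""
    findings = []
    for number, line in enumerate(html.splitlines(), start=1):
        for label, pattern in FINGERPRINTS:
            if pattern.search(line):
                findings.append(Finding(number, label, line.strip()))
    return findings


def labels_found(html):
    return {f.label for f in scan_source(html)}


def scan_robots(robots_txt):
    """Return the wp- paths that robots.txt rules reveal."""
    return ROBOTS_RULE.findall(robots_txt)


# Constructed sample of a default wp_head() output (version numbers invented).
SAMPLE_SOURCE = """<!DOCTYPE html>
<html lang="en"><head>
<meta charset="UTF-8">
<link rel="dns-prefetch" href="//s.w.org">
<link rel="https://api.w.org/" href="https://demo.example/wp-json/">
<link rel="pingback" href="https://demo.example/xmlrpc.php">
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://demo.example/wp-includes/wlwmanifest.xml">
<meta name="generator" content="WordPress 6.4">
<script src="https://demo.example/wp-includes/js/wp-emoji-release.min.js?ver=6.4"></script>
<link rel="stylesheet" href="https://demo.example/wp-content/themes/demo/style.css?ver=1.2">
</head><body class="home wp-embed-responsive">
<!-- Wrapper starts -->
<div class="wp-block-group">Hello</div>
</body></html>"""

# Constructed sample of the same page after paths, tweaks and mapping are applied.
HARDENED_SOURCE = """<!DOCTYPE html>
<html lang="en"><head>
<meta charset="UTF-8">
<link rel="stylesheet" href="https://demo.example/themes/demo/style.css">
</head><body class="home embed-responsive">
<div class="block-group">Hello</div>
</body></html>"""

SAMPLE_ROBOTS = ("User-agent: *\nDisallow: /wp-admin/\n"
                 "Allow: /wp-admin/admin-ajax.php\nDisallow: /wp-includes/\n")

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.label}: {finding.text[:60]}")
    print("hardened page findings:", scan_source(HARDENED_SOURCE))
    print("robots.txt leaks:", scan_robots(SAMPLE_ROBOTS))
```

Run it against the text you get from view-source or from curl while logged out; the hardened sample produces no findings, and every remaining hit names the WP Ghost option (path change, tweak or mapping) that should remove it.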

Use Theme Detectors

If you applied all the steps in the last three lessons, your website should be safe from hackers’ bots and hidden from all WordPress theme detectors.

We checked with many other detectors, but some of them keep a long-term cache, so their results are not relevant.

To remove your website from the BuiltWith website, access: Removals (builtwith.com)

Conclusion

WP Ghost is a comprehensive hack-prevention security tool that covers all the security needs to protect vulnerable plugins and themes from script and SQL injections. It can be used together with other security plugins like Wordfence, Sucuri, Solid Security, etc.

Note! The plugin is compatible with other security plugins, and you don’t have to deactivate them when you install WP Ghost.

Feel free to contact us with feedback and suggestions here.