Don’t Hide the Fact That You’re Using WordPress

There are quite a few blog posts, plugins and hacks suggesting to hide the WordPress version number, or hide the overall fact that you’re using WordPress. Don’t do it — it’s pretty useless.

There are hundreds if not thousands of ways to not only find out the fact that you’re using WordPress, but also find out the exact version number, regardless of any plugins or hacks changing or hiding the “generator” meta tag, the readme file and so on. A great post by my brother Gennady illustrates that.

Security

Most of these “hide my WP” solutions tend to market themselves from a security standpoint, especially with the recent botnet attack on WordPress sites. The truth is that these attacks don’t really care which version of WordPress you’re running. In fact, they don’t even care whether you’re running WordPress at all! How? Well that’s easy, they just take your domain and blindly fire POST requests to a file called wp-login.php, even if you’re running a non-CMS pure HTML website.

The same applies to known theme and plugin vulnerabilities. Go ahead and check your web server’s access logs, there’s a pretty good chance you’ll find requests to timthumb.php even though none of your themes or plugins use the TimThumb library.

So from a security perspective, the secret sauce is to use a strong password, as well as keep your themes, plugins and especially WordPress core up to date. Plugins such as Google Authenticator and Limit Login Attempts can give you that little extra protection.

The Ferrari Analogy

Sometimes people try hide the fact that they’re running WordPress because they’re afraid other humans will spot that and think they’re “unprofessional” or cheap. Well WordPress is the most professional content management system known to human kind, trusted by some of the largest companies worldwide and although free and open source, certainly not cheap.

When you buy yourself a new Ferrari, do you remove the Ferrari logos before showing it to your friends? No. Although if you did, it would still be obvious.

To wrap that up — don’t hide the fact that you’re using WordPress. Use a strong password, keep it updated and drive it with pride. If you bought a premium “hide my WordPress” plugin, you should ask for a refund and buy something useful instead.

About the author

Konstantin Kovshenin

WordPress Core Contributor, ex-Automattician, public speaker and consultant, enjoying life in Moscow. I blog about tech, WordPress and DevOps.

27 comments

  • Hmm, i’m quite sceptical about the security part… You are right about botnet but a real hacker, not a script kiddies one cares a LOT about your WP version and your plugins versions, that’s where they can find a hole, use an exploit !
    Especially if you plugins/theme/core are not up to date

    • Hi Xavier, thanks for your comment! Indeed, a targeted attack is the most difficult one to deal with. A hacker can easily find out your version number, despite all the effort trying to hide it — read Gennady’s blog post, it’s fairly simple.

      That said, the real problem lies within this line:

      Especially if your plugins/theme/core are not up to date

      That’s a problem you should address by updating your WordPress core, themes and plugins, and not by trying to hide their version numbers :)

      Thanks for stopping by!

    • The other thing is that a *real* hacker might be able to grab your WordPress version whether you were using a plugin or not depending on what you were using to mask your version.

      For instance, you can remove the readme.html file, but if the meta tag is still in the header, they can get the version from that. If the meta tag is removed, they can easily find your login page and get a pretty good idea of what version you’re on based on that. And if that’s masked, there are browser plugins/extensions that can tell you what version of WordPress is being used as well as sites like ismyblogworking.com which grab that information.

      And if you went through all the trouble to mask every possible place where WordPress version or structure in general is exposed, what are you gaining? It’s far more trouble than it’s worth considering all you really need to do is make sure your stuff is up-to-date.

    • Hi Jazz!

      And if you went through all the trouble to mask every possible place where WordPress version or structure in general is exposed

      This is impossible, unless you rewrite WordPress from scratch, in which case it just is not WordPress anymore ;)

  • Great post and thanks for highlighting this, does seem like time wasted trying to hide the version, and Ferrari analogy: nice! :)

  • I have to agree with the other commenters, I love the Ferrari analogy. I love WordPress and am proud to use it.

    I may be missing something, but I don’t understand what drives the concern about security with WordPress. If you do the fundamentals, it is a secure as any other CMS.

    • Hi Alan! WordPress core is indeed secure, though being the most popular CMS in town makes it much more interesting for hackers to target. Thanks for your comment!

  • Totally agree. Although, to keep clients happy I mask certain things. But i tell clients: A WordPress site (any type of site really) is like the computer you built it with… If you don’t keep it updated and well maintained you’re asking for trouble. WordPress is my CMS of choice and I proudly tell people of all it can achieve in the right hands.

  • I’m not out to troll your post but I don’t necessarily agree with your claim that taking steps to hide your WordPress install is “pretty useless”. There’s a lot more to securing your WordPress install than just hiding the version number and I feel most people developing for WordPress should know that.

    My feeling is that steps like moving WordPress into a subdirectory, using plugins for login limiting or dual authentication (as you mentioned), .htaccess lockdowns in various directories to prevent directory listing or executing php, posting as a lower permission level user and other common tricks (like updating table prefixes) carry some merit when used in conjunction with a strong login and FTP password. The recent increase in bot attempts on WP sites is not the only hacking threat that WP sites face, and while the other lockdown tricks may not protect against login attempts directly, they still assist in closing other potential loopholes.

    By hey, like I said, not trolling just putting in my 2c.

    • Do those tricks hide it from a person viewing the source code? Obviously not. But they can help hide it from the bots that just pummel a database for tables beginning with wp_ or sniff out a login page at /wp-login.php. That in itself could be considered “hiding” WordPress and I wouldn’t personally stick them in the “useless” category.

      Last I checked hackers didn’t individually visit websites and look for the login page before beginning their bot attack :)

    • Hi Scott, I appreciate your comment!

      That in itself could be considered “hiding” WordPress

      Changing your database prefix is not considered hiding WordPress, but is in fact a good security precaution.

  • Thank you for this. All too often, I see unquestioned advice concerning security and especially SEO, and nobody bothers to check the facts. The fact is that WordPress is one of the most secure CMS’s out there, as long as you keep things updated.

  • You bring up some excellent points Konstantin. All I can add is a lesson any programmer should know which “security by obscurity is no security at all.”

    That said however there used to be room for hiding version numbers a few years ago when some bots would look for it first and proceed further if your version was determined to have a vulnerability. Frankly I haven’t seen anything like that in probably 2 years or more but for plugins that are already offering it I find no reason to remove it. I would much rather see folks change their wp-content folder name when they first install WordPress as many of the “dumb” bots out there now are purely opportunistic in looking for the existence of known bad files and nothing else. Even this however is admittedly only a very small step in preventing problems however it is a step that can be taken and I have personally seen effective over time, in particular on sites that never see updates.

    On a side note, not reporting version numbers to users is a personal preference I’ve seen many folks still enjoy.

    One more thing to add:

    It isn’t WordPress on its own that is the concern these days instead it is plugins, themes and apathetic site administrators that leave holes in WordPress sites. I don’t remember the last time I saw an exploited WordPress core vulnerability in the wild. You guys do one hell of a job keeping core out of the news to an extent I’ve never seen replicated in any other software package with such a large install base.

    • Hi Chris, you have some excellent points!

      I would much rather see folks change their wp-content folder name

      I tend to disagree here. It’s much better to secure your wp-content directory by disabling any php code execution within, rather than try and hide it by giving it a different name.

      https?://[^/]+/(.+?)/.+?/style.css
      

      This regex’s first match group is the name of the wp-content directory, despite all the effort to rename it. It’s not perfect, but you get my point :)

      You guys do one hell of a job keeping core out of the news to an extent I’ve never seen replicated in any other software package with such a large install base.

      So glad to hear that :) Thanks for stopping by to comment and have a great day!

  • ***Hide My WP’s*** author is hear!

    First thanks for article and comments. If I was just a visitor I’ll do agree with most of it but as someone who use this plugin and know its structure let me explain more.

    The first things that I understood from the post is that you don’t even read plugin description (at least carefully). This is not about hiding version number(!) or does not limited to source code scanning or brute-force attacks.

    It can block access to wp-login and it’s no matter whether it’s a direct access or a blind request. So it’s perfectly efficient in this case. Read here:
    http://wordfence.com/forums/topic/the-hide-my-wp-script-works-against-hacks-2/

    Further more it doesn’t limited to Brute-Force attacks (That is simplest type of hack). Currently major threats are XSS or SQL-Injection attacks generated by bad written plugins. Hide My WP can block all requests to PHP files (WP, themes and plugins). Of course you can except some files, login and write article without trouble but you’re no protected. You know it’s almost impossible to inject code or script to a site without access any PHP files .

    I love WP, too and am proud to develop for it since 8+ years ago. But is it really a ‘Ferrari’?

    Let assume you chosen a strong password, have a limited login page, installed Wordfence, Better WP Security and Bullet Proof security plugin (all together!). You even enabled SSL and pay $200 per month for a secure managed server.

    Right? Now, if I as a hacker can find you use a specific version of W3 Total Cache or WP Super Cache it’s enough for making my day :) (You know both plugins are popular and created by experts. Donncha even contributed in WP development)

    What can a hacker do now? I can easily edit your post, delete your entire database, change your passwords or download source codes. Further more I can even ***hurt*** other sites in your (secure) server! Why? Because you use a “Ferrari” that every other one has one model of it, …and every newbie can change it by making a plugin (read security hole) …and probably get millions of downloads!

    As a conclusion, I agree that most of security tips are usually useless but in fact it mainly depends on attack scenarios. This includes your above tips when we speak about non-brute-force attacks.

    I just try to email a free copy of Hide My WP to you but can’t find any email. I know Hide My WP is not perfect and may still have problems but it’s result of years of experience and months of developing. It’s not another WP toy! Believe me, it works It really works…

    • Hello Hassan, I appreciate you coming here to comment!

      Securing WordPress and hiding the fact that you’re using it are two totally different things.

      Like hiding the feed URL and feed discovery – how does that really help? I’d like to follow your blog, so I enter the domain in my RSS feed reader and meh! Google Reader, Feedly, WordPress.com Reader, etc. just can’t figure out your feed address, so you just lost a potential subscriber.

      Or masking the search query variable — did you know that Chrome can figure out how to trigger search on your site? Just enter a domain, hit space and start typing your query:

      WordPress Search with Chrome

      Neat feature, eh? Well, unfortunately it’s not for your site.

      Finally, if you’re running an outdated and vulnerable version of a plugin, you should update the plugin, not try to hide it.

      My point is, if you’re into security it’s okay to focus on making WordPress more secure for your users, but “Nobody can ever know you use WordPress!” that just pisses me off, sorry :)

      Have a great week!

  • I actually read the post for the plugin that probably prompted this blog post of yours (I saw your comment at the end of it the other day).

    I agree. It’s been stated numerous times from the WordPress devs themselves that trying to hide that you are using WordPress is futile. Which it is.

    Your post mentions the 2 primary things needed to secure your WordPress installation; 1. strong passwords, 2. up-to-date WP and plugins. I would add: choose a well regarded hosting provider.

    To enforce strong passwords when you’re working with a larger group you may want to look into this plugin:

    http://wordpress.org/plugins/enforce-strong-password/

    Otherwise, well done.