I admit that WordPress is a good potential target for hackers. There are over 6 million WordPress websites, so statistically, quite a few of them will not have applied the latest updates to WordPress Core and their plugins. Therefore quite a few will be vulnerable to exploits for which a fix exists but was never installed.
So how about hiding the fact that you are running a WordPress site from bots and hackers? It is quite possible if you know what commonly identifies WordPress to them.
If your website is up to date, is this needed? Well, many hacker tools are indiscriminate. Once they find a WordPress site, they will simply try every exploit they have. Better not to be seen as a potential target and to avoid their unwanted attention.
Disclaimer: A WordPress developer could probably still pick up tell-tale signs, but these are too subtle for a hacker's scanning bot.
Most Common Signs for WordPress Site
- Your theme. Almost always in the wp-content/themes/mytheme directory; in our case it is "/wp-content/themes/wpbusinessclub2017". All your stylesheets and theme JavaScript point to this, so it is easy to catch. However, you can change this and WordPress will still work.
- Your style.css stylesheet. Your main stylesheet, style.css, contains a header that tells WordPress everything about your theme: the name, the version and so on. This is a gift to hackers. So, we could change its name and then strip that header information when the file is requested.
- /wp-includes. This WordPress directory holds much of the core code required to build pages. It is possible to move it so the site looks less like WordPress.
- /wp-content/uploads. This is where you upload all your media. Images, PDFs and so on all live here and mark your site as WordPress. However, that is just the default; you can move that too.
- /wp-content/plugins. All your plugins live here, but you can change this folder and all properly written plugins will continue to work, so hackers trying to target a specific plugin would not find it where they expect it. You should also be able to change the folder name of any individual plugin; again, if it is written well, it will continue to work. (Why: WordPress provides functions that tell a plugin which URL and directory it is installed in, so it should not matter where it was installed.)
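The relocation described in the list above, as an added example that is not code from the original post: the `WP_CONTENT_DIR`, `WP_CONTENT_URL`, `WP_PLUGIN_DIR`, `WP_PLUGIN_URL` and `UPLOADS` constants and the `plugins_url()` / `plugin_dir_path()` functions are real WordPress APIs, while the directory names ("assets", "modules", "media"), the domain and the "example-plugin" plugin are constructed for this illustration. The first part belongs in wp-config.php; the second part shows the plugin-side code that keeps working after the move.

```php
<?php
// Added example (not from the original post). Part 1 goes in wp-config.php,
// ABOVE the line  require_once ABSPATH . 'wp-settings.php';
// Directory names, domain and plugin name are constructed placeholders.

// --- Part 1: wp-config.php ---------------------------------------------------

// Move wp-content to a directory called "assets" beside wp-config.php.
// Both the filesystem path and the public URL must be set, or WordPress
// will build asset links to the old location.
define( 'WP_CONTENT_DIR', __DIR__ . '/assets' );
define( 'WP_CONTENT_URL', 'https://example.com/assets' );

// Give the plugin directory its own name inside the new content directory.
define( 'WP_PLUGIN_DIR', WP_CONTENT_DIR . '/modules' );
define( 'WP_PLUGIN_URL', WP_CONTENT_URL . '/modules' );

// UPLOADS is relative to ABSPATH (the WordPress root), so new media lands
// under /media/YYYY/MM/ instead of /wp-content/uploads/YYYY/MM/.
define( 'UPLOADS', 'media' );

// --- Part 2: assets/modules/example-plugin/example-plugin.php ----------------
// (Plugin header comment omitted for brevity.)

// Wrong: a hard-coded default path breaks as soon as the directories change.
// $css_url = site_url( '/wp-content/plugins/example-plugin/css/style.css' );

// Right: ask WordPress where this file lives. plugins_url() follows
// WP_PLUGIN_URL and plugin_dir_path() follows WP_PLUGIN_DIR, so renaming the
// plugins folder or this plugin's own folder does not matter.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_style(
        'example-plugin',
        plugins_url( 'css/style.css', __FILE__ ),
        array(),
        '1.0'
    );
} );

// Filesystem access follows the same rule: derive the path from __FILE__.
$example_plugin_data_dir = plugin_dir_path( __FILE__ ) . 'data/';
```

Two caveats when applying this to a live site: WordPress stores the absolute URL of every uploaded image in post content, so changing `UPLOADS` is painless on a new site but needs a search-and-replace of existing links on an old one; and any plugin that hard-codes `/wp-content/plugins/` the "wrong" way will visibly break on your test copy, which is exactly how you find out it was not written properly.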
Turn off unwanted functions
There are some XML-RPC functions that are rarely used now, such as pingbacks. They can be switched off.
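An added example of switching those functions off, written as a must-use plugin; this is not code from the original post. Every hook used (`xmlrpc_methods`, `wp_headers`, `xmlrpc_enabled`, `the_generator`, and the `rsd_link` / `wp_generator` actions on `wp_head`) is a real WordPress hook; the plugin name is made up. It also removes the generator tag that announces the WordPress version, since that is the other obvious give-away in the page head.

```php
<?php
/**
 * Plugin Name: Fingerprint Trim (constructed example, not from the original post)
 *
 * Drop this file into the mu-plugins directory (wp-content/mu-plugins by
 * default, or wherever WPMU_PLUGIN_DIR points after a move) so it loads on
 * every request without needing activation.
 */

// 1. Remove the pingback methods from the XML-RPC server. Other XML-RPC
//    clients keep working; only the pingback.* methods disappear.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the endpoint: the <link rel="EditURI"> tag in <head>
//    and the X-Pingback response header both point straight at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. If no remote publishing client needs XML-RPC at all, refuse logins
//    over it entirely (authenticated XML-RPC methods then return an error).
add_filter( 'xmlrpc_enabled', '__return_false' );

// 4. The generator tag announces "WordPress x.y.z" in <head> and in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```

To check the result on your test copy, request the front page and a single post and confirm that the response carries no `X-Pingback` header and the HTML contains neither `rel="EditURI"` nor `name="generator"`. Step 3 is the one to leave out if you publish from a mobile app or another remote client that still relies on XML-RPC.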
Unwanted files
WordPress ships with a licence.txt and a readme.txt. You can delete them, but the next WordPress update will drop them back in, so a better strategy is to block access to them.
OK, I am convinced – Where do I sign?
Well, you will be pleased and probably not surprised to know that all this and more can be achieved with a security-oriented WordPress plugin. In fact, several different plugins provide a range of these options, which saves you having to write the code yourself. 😉
Some plugins are premium and offer more features, but there are some free tools too.
Just five final points.
- Please try all the settings on a test copy of your main site. See what a feature does and then check it works on your site. But then you do this for all plugins, right?
- Don't try to use multiple security plugins on top of each other. This is very likely to cause a problem. Let one plugin handle a feature.
- Make sure you clear all cache options, so that every change is seen.
- Nothing is perfect, so make sure you have regular, restorable backups.
- Does this affect my SEO? No. We are changing the supporting pages, not the main content pages.
Remember that most of the 'tweaks' used are aimed at bots' incoming requests from outside. Moving the location of files should not confuse properly written plugins, and the rest of the features tend to change ('filter') the output returned for a URL and are therefore not even seen by normal plugin operation.
Plugins to consider
We will be reviewing these and updating those reviews periodically. We, or our customers, have used all of them.
A free plugin covering all the issues we have raised. Locks down the site and hides its WordPress origin.
Watches out for bot and malicious code attacks and actively stops them. A premium version is also available.
Provides a range of over 30 ways to lock down your site. A premium version is available.
Locks down many common features and can also scan your site for vulnerabilities. It has not been updated for 2 years, which is a little concerning.