About a year ago, a long-time client approached me because all 72 of his brother's WordPress websites had been hacked: the front end showed "hacked by xyz" in the title and the rest of the page was blank. The attacker had used an SQL injection attack, run by an automated script, to inject malicious code into the database. After checking the server's request log, I also found that the attacker had tried to guess the admin password many times.
Since then, I have taken extra measures to reduce the chance of such attacks. I will publish my post on WordPress security very soon, but in this post I will show you how to stop a WordPress site from looking like one. In practice this means that visitors, and more importantly automated scripts, won't be able to tell that you are running WordPress.
Why should you hide the fact that you are using WordPress?
Some people might argue that there is no point in hiding WordPress because wp-login.php is still accessible, but the solution below takes care of that as well. The objective is to give your website an extra layer of security, namely security through obscurity.
Security through obscurity gives you a few advantages from a security point of view:
- Automated tools won't be able to recognise and target your WordPress installation.
- Some novices go straight to yoursite.com/wp-admin/ and start guessing your admin password. That won't happen any more, since only you will know your custom login URL.
- Visitors won't be able to identify your WordPress theme easily.
- Changing the default login URL and the default file locations also helps fend off the mass brute-force attacks that WordPress sites so often experience (perhaps because WordPress is such a common CMS these days).
I am not suggesting that hiding wordpress should be your only security mechanism. I use wordfence along with Hide my wp and the combination has shown some very amazing results so far.
How to hide wordpress installations
The plugin you will need to achieve this is called “Hide my WP” and you can purchase it for just $20. If you view the source of this site, you will notice there are no signs of wordpress.
For example, in the header you will see:
On a typical WordPress site, the stylesheet URL would look something like:
Some of the main features include:
- Ability to hide both
- Spy notifications: you are notified whenever someone requests a page that returns a 404
- Ability to remove the auto-generated feed links from the header
- Ability to strip the CSS classes WordPress adds automatically (I personally wouldn't recommend this)
- Ability to disallow direct access to PHP files (except the ones in wp-admin)
- Minification of code
- Ability to replace or remove a piece of text in the final rendered HTML
- Ability to customise post, page and search query URLs (/?p=1 can be changed to
- Ability to change the pagination URL
- Ability to disable archives
- Ability to completely disable queries for taxonomies, comments and attachments
My favourite features include the ability to completely hide wp-login.php page and to set custom urls for static files.
Setting custom URLs is an easy way to hide your WordPress installation from novice 'hackers' and from curious competitors doing analysis. Customising your login URL so that only you know how to reach it takes this further: even if an attacker has worked out that you are using WordPress, he can't start his attack just yet, because he has to guess the login URL too 😎
The plugin delivers more than I expected: when you look at the main stylesheet that every WordPress theme must ship, there is no longer anything that tells people it is a WordPress theme. Normally the first few lines of a theme's style.css look like this:
/*
Theme Name: Twenty Fourteen
Theme URI: http://wordpress.org/themes/twentyfourteen
Author: the WordPress team
Author URI: http://wordpress.org/
Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design. Feature your favorite homepage content in either a grid or a slider. Use the three widget areas to customize your website, and change your content's layout with a full-width page template and a contributor page to show off your authors. Creating a magazine website with WordPress has never been easier.
Version: 1.0
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Tags: black, green, white, light, dark, two-columns, three-columns, left-sidebar, right-sidebar, fixed-layout, responsive-layout, custom-background, custom-header, custom-menu, editor-style, featured-images, flexible-header, full-width-template, microformats, post-formats, rtl-language-support, sticky-post, theme-options, translation-ready, accessibility-ready
Text Domain: twentyfourteen

This theme, like WordPress, is licensed under the GPL.
Use it to make something cool, have fun, and share what you've learned with others.
*/
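Once you have applied the plugin, it is worth verifying that the page source and the stylesheet really no longer give WordPress away. The following self-audit script is an added example and not part of the plugin or the original post; it scans the HTML and style.css for the markers discussed above (generator meta tag, wp-content and wp-includes paths, feed autodiscovery, WordPress body classes, the theme header). The sample markup is constructed here and stands in for what your site returns before and after hardening.

```python
import re

# Constructed "before" and "after" samples (not captured from a real site).
WP_HTML_BEFORE = """<html><head>
<meta name="generator" content="WordPress 4.0" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/twentyfourteen/style.css" />
<link rel="alternate" type="application/rss+xml" href="http://example.com/feed/" />
<script src="http://example.com/wp-includes/js/jquery/jquery.js"></script>
</head><body class="home page-template-default"></body></html>"""

HTML_AFTER = """<html><head>
<link rel="stylesheet" href="http://example.com/assets/style.css" />
<script src="http://example.com/lib/jquery.js"></script>
</head><body class="home"></body></html>"""

CSS_BEFORE = "/*\nTheme Name: Twenty Fourteen\nTheme URI: http://wordpress.org/themes/twentyfourteen\n*/\nbody{}"
CSS_AFTER = "body{}"

# Markers that reveal WordPress in the rendered page: (label, regex).
HTML_MARKERS = [
    ("generator meta tag", re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+wordpress', re.I)),
    ("wp-content path", re.compile(r"/wp-content/", re.I)),
    ("wp-includes path", re.compile(r"/wp-includes/", re.I)),
    ("RSS feed autodiscovery", re.compile(r'type=["\']application/rss\+xml["\']', re.I)),
    ("WordPress body classes", re.compile(r'class="[^"]*\b(page-template|postid-\d+|wp-)', re.I)),
]
# Markers that reveal WordPress in the theme's main stylesheet header.
CSS_MARKERS = [
    ("theme header (Theme Name)", re.compile(r"^\s*Theme Name:", re.I | re.M)),
    ("theme header (Theme URI on wordpress.org)", re.compile(r"Theme URI:\s*\S*wordpress\.org", re.I)),
]


def wordpress_indicators(html: str, stylesheet: str = "") -> list:
    """Return the labels of every WordPress fingerprint found in the page and its stylesheet.

    An empty list means none of the known markers are present (the goal after hiding WordPress).
    """
    found = [label for label, rx in HTML_MARKERS if rx.search(html)]
    found += [label for label, rx in CSS_MARKERS if rx.search(stylesheet)]
    return found


if __name__ == "__main__":
    for name, html, css in (("before", WP_HTML_BEFORE, CSS_BEFORE), ("after", HTML_AFTER, CSS_AFTER)):
        hits = wordpress_indicators(html, css)
        print(f"{name}: {'clean' if not hits else ', '.join(hits)}")
```

To use it on your own site, fetch the homepage HTML and the linked stylesheet and pass them to wordpress_indicators(); also request wp-login.php and xmlrpc.php directly, since markup alone does not show whether those paths are blocked.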
You can pair this plugin with wordfence to improve your wordpress security even more. Stay tuned for my next post on wordpress security.