Why and how to hide a WordPress site

This article also suits webmasters looking for:
WordPress Security, Hardening WordPress, Preventing WordPress website from getting hacked, Hide My WP Review
About a year ago, my long-time client approached me as all 72 of his brother’s WordPress websites had been hacked: their frontend was showing “hacked by xyz” in the title and the entire page had gone blank. It was an SQL injection attack that the hacker had used to inject malicious code into his database. An automated script was used to achieve this. After checking his server’s request log, I found out that the hacker had also tried to guess his admin password multiple times.
Since then, I have taken extra measures to prevent any possibility of such attacks. I will be publishing my post on WordPress security very soon, but in this post I will show you how to hide a WordPress site so that it does not look like one. What this essentially means is that visitors and, more importantly, automated scripts won’t be able to detect that you are using WordPress.

Why should you hide the fact that you are using WordPress?

Now, some people might argue that you should not hide WordPress as wp-login.php is still accessible, but our solution prevents that. The objective is to give your website an extra layer of security, namely security through obscurity.
Security through obscurity gives you a few advantages from a security point of view.

  1. Automated software won’t be able to target your WordPress installation
  2. Some noobs try to go to yoursite.com/wp-login.php or yoursite.com/wp-admin/ and start guessing your admin password. That won’t happen anymore since only you will know your custom login URL
  3. Visitors won’t be able to trace your WordPress theme easily
  4. Changing the default login URL and default file locations also helps fend off the massive brute-force attacks that WordPress sites often experience (perhaps because WordPress is such a common CMS these days).

I am not suggesting that hiding WordPress should be your only security mechanism. I use Wordfence along with Hide My WP, and the combination has shown some very amazing results so far.

How to hide WordPress installations

The plugin you will need to achieve this is called “Hide My WP” and you can purchase it for just $20. If you view the source of this site, you will notice there are no signs of WordPress.
For example, in the header you will see:



On a typical WordPress site, the stylesheet URL would look something like:



Some of the main features include:

  1. Ability to hide both the http://yoursite.com/wp-login.php page and the http://yoursite.com/wp-admin/ area
  2. Spy notifications feature – if someone tries to access a 404 page
  3. Ability to remove the auto-generated feed from the header
  4. Ability to clean the automatic classes added by WordPress (I wouldn’t recommend this personally)
  5. Ability to disallow direct access to PHP files (except the ones in wp-admin)
  6. Minification of code
  7. Ability to replace/remove a piece of text in the final rendered code
  8. Ability to set custom URLs for static files like images, CSS and JavaScript
  9. Ability to customise post, page and search queries (/?p=1 can be changed to /?page=1)
  10. Ability to change the pagination URL
  11. Ability to disable Archives
  12. Ability to completely disable queries for taxonomies, comments and attachments

My favourite features include the ability to completely hide the wp-login.php page and to set custom URLs for static files.
Setting custom URLs is an easy way to hide your WordPress from novice ‘hackers’ or some curious competition analysts. The ability to customize your login URL so that only you know how to access it takes this even further: even if the hacker has found out you are using WordPress, he won’t be able to start his attack just yet, as he will have to guess the URL as well 😎
The plugin delivers more than I was expecting: when you look at the static stylesheet that’s mandatory with every WordPress theme, you don’t see any information that lets people know that this is a WordPress theme. Usually the first few lines of a theme’s stylesheet would look like:

/*
Theme Name: Twenty Fourteen
Theme URI: http://wordpress.org/themes/twentyfourteen
Author: the WordPress team
Author URI: http://wordpress.org/
Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design. Feature your favorite homepage content in either a grid or a slider. Use the three widget areas to customize your website, and change your content's layout with a full-width page template and a contributor page to show off your authors. Creating a magazine website with WordPress has never been easier.
Version: 1.0
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Tags: black, green, white, light, dark, two-columns, three-columns, left-sidebar, right-sidebar, fixed-layout, responsive-layout, custom-background, custom-header, custom-menu, editor-style, featured-images, flexible-header, full-width-template, microformats, post-formats, rtl-language-support, sticky-post, theme-options, translation-ready, accessibility-ready
Text Domain: twentyfourteen 

This theme, like WordPress, is licensed under the GPL.
Use it to make something cool, have fun, and share what you've learned with others.
*/
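
A way to check the result on your own site, as an added example (not from the original post or from the Hide My WP plugin): the script below scans rendered HTML and a theme stylesheet for the WordPress markers this post mentions. The marker list, function names and sample inputs are assumptions constructed for illustration.

```python
import re

# Markers for rendered HTML; the list is an assumption built from the items
# this post names (default paths, generator tag, feed link, automatic classes).
HTML_MARKERS = {
    "default static path": r"/wp-(?:content|includes)/",
    "default login/admin url": r"/wp-(?:login\.php|admin/)",
    "generator meta tag": r"<meta[^>]+name=[\"']generator[\"'][^>]+WordPress",
    "auto-generated feed link": r"<link[^>]+application/rss\+xml[^>]+/feed/",
    "automatic css class": r"class=[\"'][^\"']*\b(?:wp-image|page-id|postid)-\d+",
}
# Header fields from the comment at the top of a theme's style.css.
THEME_HEADER = re.compile(
    r"^\s*(Theme Name|Theme URI|Author URI|Text Domain)\s*:\s*(.+?)\s*$",
    re.I | re.M)


def audit_html(html):
    """Return {marker name: [matched snippets]} for markers still present."""
    findings = {}
    for name, pattern in HTML_MARKERS.items():
        hits = re.findall(pattern, html, re.I)
        if hits:
            findings[name] = hits
    return findings


def audit_stylesheet(css):
    """Return theme header fields found inside CSS comments."""
    fields = {}
    for comment in re.findall(r"/\*.*?\*/", css, re.S):
        fields.update(THEME_HEADER.findall(comment))
    return fields

# Constructed sample inputs (not captured from any real site).
DEFAULT_PAGE = """<head><meta name="generator" content="WordPress 3.9" />
<link rel="alternate" type="application/rss+xml" href="http://example.com/feed/" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css" />
</head><body class="home page-id-2">
<img class="wp-image-17" src="http://example.com/wp-content/uploads/a.png" /></body>"""
HARDENED_PAGE = """<head><link rel="stylesheet" href="http://example.com/assets/main.css" />
</head><body class="home"><img src="http://example.com/media/a.png" /></body>"""
DEFAULT_CSS = "/*\nTheme Name: Twenty Fourteen\nText Domain: twentyfourteen \n*/\nbody{margin:0}"

if __name__ == "__main__":
    for label, page in (("default", DEFAULT_PAGE), ("hardened", HARDENED_PAGE)):
        print(label, sorted(audit_html(page)))
    print(audit_stylesheet(DEFAULT_CSS))
```

Run it against the saved source of your own pages before and after enabling the plugin. An empty result means none of these particular markers remain, not that the site can no longer be identified as WordPress.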

You can pair this plugin with Wordfence to improve your WordPress security even more. Stay tuned for my next post on WordPress security.


19 Comments

  • Yuri April 10, 2014 at 10:45 am

    Nice Plugin Matt. I am glad I found this post as our company has tried to hide wordpress files but it wasn’t working very well. This plugin has taken good care of it. Best $22 I’ve spent on wordpress code package.

    • Matt April 11, 2014 at 7:15 am

      No worries mate. I am glad it worked out for you.

      • Todd May 31, 2014 at 4:03 am

        Matt,
        Will this work when using a child theme – meaning hide both the parent and child theme info?

        • Matt June 1, 2014 at 2:45 pm

          Yes Todd, it works with child theme as well.
          The theme information from the stylesheet is not shown to your visitor.

  • Somesh June 9, 2014 at 12:25 am

    Can you help me out in configuring the plugin

    • Matt June 9, 2014 at 8:49 pm

      Sure Somesh, please send me an email via the contact form.

  • Bamie June 25, 2014 at 2:38 am

    The last time I used this plugin it slowed my client’s website down seriously. I guess it was down to the fact that I didn’t configure it properly. Can you help me on how to configure it? Thanks

    • Matt July 6, 2014 at 7:36 am

      Hey Bamie,
      I do not provide official support for this plugin but I don’t mind helping you since I don’t think it will take too long to configure it. Please contact me using the contact form.

  • mae September 3, 2014 at 2:57 pm

    hi, thanks for the info. but I have one question. Is this compatible with multisite?

    • Matt September 3, 2014 at 3:12 pm

      Hi Mae,
      Yes, Hide my wp officially supports multisite 1.5 onwards.

  • AJL October 23, 2014 at 2:57 pm

    No, it’s a horrible plugin, with no support and it’s been deleted from ThemeForest. I got my money back as well.

  • Pat October 28, 2014 at 2:47 am

    Hi Matt,

    I own over 100 sites, do I need to buy the plugin for each wp-site or is there a developer version for a one time fee?

    Thanks!

    Pat

  • Alan November 11, 2014 at 3:15 pm

    Created a few sites recently with premium wordpress themes and bought HideMyWP for $24 (Envato) and quickly felt very overwhelmed as I am not a programmer. I simply wanted to be able to hide the fact that I am using wordpress (security).

    I use http://wpthemedetector.com and it shows a lot of information. I tried it on your site and see your plugin information (for a single plugin only) and it does detect you are using a wordpress theme, just not which one.

    I simply want to be able to have all the results from WPThemeDetector.com be null. Do you think this can be achieved? It’s almost like I need to hire a programmer just to set HideMyWP up correctly.

    I use the recommended All in one WP Security (as well as WPfence) because I am truly Mr Security.

    I recently found that somehow, someone was able to get all my user names and try to mass login with each one of them. How the heck could someone get this information? That is what prompted me to purchase HideMyWP and All in One WP Security.

    Sorry for the long one, but simply want to hide everything.

    • Vikas November 26, 2014 at 12:32 am

      Hey Alan, I have discovered myself that hidemywp does not hide everything on your site. For example you can still access some of the static files included with the wordpress core which lets sites like wpthemedetector detect wordpress.

      There is definitely a way to hide everything, just not available as a commercial package (perhaps because it would need a lot of testing to work with different kinds of server configurations). I suggest you hire a developer to remove/hide all the traces of your wordpress core files.

  • Nico November 29, 2014 at 11:48 pm

    Hi, really good plugin 🙂

    I am looking to hide the theme name when I use a child theme. I looked at the source code of a website that uses your plugin with “New name path” + “New style name” + “Minify style”: the CSS of the child theme in use is renamed & minified BUT THE MAIN THEME CSS IS NOT MINIFIED!

    See that :
    http://img15.hostingpics.net/pics/712290lol.jpg

    • Matt December 1, 2014 at 8:09 pm

      Hi Nico,

      Firstly, it’s not my plugin. I simply shared with folks who visit my website so that they can make use of it. Try enabling minification and see if that helps.

      You should get in touch with the plugin developer. Perhaps he is the best person to contact regarding this.

      Good luck 🙂

  • Steve February 2, 2016 at 11:55 pm

    Thanks for your article, it opened my eyes, I couldn’t imagine something like this would work on WordPress. However I found a free plugin which does that just fine, see the WordPress repository for https://wordpress.org/plugins/wp-hide-security-enhancer/stats/

  • GIOVANI PEREIRA January 7, 2017 at 4:43 am

    Cool stuff. Do you know if this plug-in will also hide the website from Google (which I don’t want)?

    We have good SEO placement and I am afraid to mess it up by using this plug-in.

    Keep up the good work.
