How Do I Know If My WordPress Site Is Hidden With WP Ghost?
Run the built-in Security Check at WP Ghost > Security Check, then verify with external CMS detection tools like WhatCMS.org and BuiltWith.com. If the Security Check shows all green and the external tools cannot identify WordPress, your site is fully hidden. If WordPress is still detected, the issue is usually a leaking signal in the page source that you can fix with a few setting adjustments.
Step 1: Run the Built-in Security Check
Go to WP Ghost > Security Check and click Start Scan. WP Ghost checks your site for exposed WordPress signals: default paths that are still accessible, version numbers in the source, missing security headers, and other common vulnerabilities. Each issue is listed with a status (green for resolved, red for exposed) and a Fix it button that takes you directly to the relevant setting. Work through any red items until the check shows all green. This is the fastest way to identify what is still exposed.
Step 2: Check Your Page Source
Open your site in a private browser window (to avoid your logged-in session and browser cache), right-click, and select View Source. Search the source code for common WordPress fingerprints: wp-content, wp-includes, wp-json, wordpress, and generator. If WP Ghost is configured correctly, none of these strings should appear. If you find any, they point to a specific signal that needs to be addressed, typically a path that hasn’t been changed or a meta tag that hasn’t been hidden.
Step 3: Test with External Detection Tools
Use external CMS detection tools to see what the outside world sees. Visit any of these tools, enter your domain, and check the results:
WhatCMS.org identifies your CMS.
BuiltWith.com lists your technology stack including CMS, plugins, and frameworks.
Wappalyzer (browser extension) detects technologies as you browse.
If WP Ghost is properly configured, these tools should either report a different CMS (if you enabled the CMS Simulator), report “Unknown,” or fail to detect WordPress entirely. If they still identify WordPress, see the troubleshooting section below.
What to Do If WordPress Is Still Detected
If external tools still identify your site as WordPress after activating WP Ghost, one or more WordPress signals are leaking through. The most common causes and their fixes are listed here.
wp-content or wp-includes still visible in the source. Go to WP Ghost > Change Paths > WP Core Security and make sure both the Custom wp-content Path and Custom wp-includes Path are set to custom values, not defaults.
Plugin or theme names still recognizable. Go to WP Ghost > Change Paths > Plugins Security and Themes Security. Make sure individual plugin and theme names are randomized. Some plugins add recognizable HTML class names that also need to be replaced using WP Ghost > Mapping > Text Mapping.
WordPress generator meta tag still present. Go to WP Ghost > Tweaks > Hide Options and enable Hide WordPress Generator Meta.
Cache serving old pages. Clear all cache (caching plugin, server cache, CDN, browser) and retest. Stale cached pages with old paths are the most common reason detectors still find WordPress after WP Ghost is configured.
If you have worked through all of these and detectors still identify WordPress, contact WP Ghost support. There may be a theme-specific or plugin-specific signal that needs a custom Text Mapping rule. For the complete detector-hiding walkthrough, see the Hide From Theme Detectors tutorial.
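The Step 2 source search and the troubleshooting list above can be combined into one repeatable check on a saved copy of your own page source. This is an added example, not WP Ghost code: the function names and both sample pages are constructed for illustration, and strings with no setting named on this page fall back to the Security Check.

```python
from html.parser import HTMLParser
# Step 2 fingerprint strings, each paired with the setting the troubleshooting
# list names for it. None means the page names no specific setting.
FINGERPRINTS = {
    "wp-content": "Change Paths > WP Core Security > Custom wp-content Path",
    "wp-includes": "Change Paths > WP Core Security > Custom wp-includes Path",
    "wp-json": None,
    "wordpress": None,
    "generator": "Tweaks > Hide Options > Hide WordPress Generator Meta",
}

# Constructed sample page sources (not taken from a real site).
LEAKY = """<html><head>
<meta name="generator" content="WordPress 6.5" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css">
<link rel="https://api.w.org/" href="https://example.com/wp-json/">
</head><body class="home">Hello</body></html>"""
CLEAN = '<html><head><link rel="stylesheet" href="/assets/skin/main.css"></head></html>'

class _GeneratorMeta(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.values = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.values.append(a.get("content") or "")

def generator_tags(html):
    """Return generator meta values, separating the tag from incidental text hits."""
    parser = _GeneratorMeta()
    parser.feed(html)
    return parser.values

def scan_source(html):
    """Case-insensitive search; returns {fingerprint: [line numbers]}."""
    hits = {}
    for number, line in enumerate(html.splitlines(), 1):
        for fingerprint in FINGERPRINTS:
            if fingerprint in line.lower():
                hits.setdefault(fingerprint, []).append(number)
    return hits

def report(html):
    """One line per fingerprint found, with the WP Ghost menu path to review."""
    return [f"{fp} (lines {nums}): WP Ghost > {FINGERPRINTS[fp] or 'Security Check'}"
            for fp, nums in scan_source(html).items()]
```

Pass `report()` the text copied from View Source in a private window after clearing all caches; an empty list means none of the Step 2 strings appear.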
Frequently Asked Questions
Do I need to check external tools every time I change a setting?
No. The built-in Security Check covers most issues. External tools are useful as a final verification after your initial setup and after major configuration changes. Once your site passes both checks, you only need to retest if you install new plugins, change themes, or modify WP Ghost settings significantly.
Why does BuiltWith still show some technologies even with WP Ghost active?
BuiltWith detects technologies from multiple signals: HTTP headers, JavaScript libraries, CSS patterns, and DNS records. WP Ghost hides WordPress-specific signals, but third-party services like Google Analytics, Cloudflare, or payment gateways are detected independently and are not related to WordPress hiding. Those detections are expected and do not indicate a security issue.
Should I enable the CMS Simulator for maximum hiding?
The CMS Simulator is the final layer. It injects fake Drupal or Joomla fingerprints so detectors report the wrong CMS instead of “Unknown.” For maximum protection, enable it at WP Ghost > Change Paths > Level of Security after all other path changes are in place. See the CMS Simulator tutorial.
Does WP Ghost modify WordPress core files?
No. All hiding is done through server rewrite rules and WordPress output filtering. No files are renamed, moved, or modified. Deactivating WP Ghost restores all original WordPress signals instantly.