We’re usually asked if there is a chance to “completely” hide a website from WordPress theme detectors.
It’s a good question, but usually, the real question behind it is if there is a chance to protect the website so that hackers will not be able to break in.
A human hacker loads software with tons of actions and URLs that are designed to find breaches on a specific CMS. From URL to URL on the internet, the software (bot) is loading all the actions and URLs without checking the website CMS first. Once the bot gets a signal that a breach was found, it will automatically inject the script/worm and the rest … well … is not bright.
As most of the attacks are made by bots and not by human hackers, there can be thousands of calls per minute for each website and the owner does’t even know about it.
Type of Actions and URLs
I will resume the actions and the URLs to the WordPress CMS to keep it simple.
As most of the plugins and themes owners are not familiar with the types of bot attacks, offer their work with small windows for hackers to find usernames and passwords, to upload files on the server, to inject scripts in files and the list can continue.
For websites like WordPress, most of the attacks contain paths to /wp-content/plugins/ and /wp-content/themes/, to the default /wp-login.php and /wp-admin.
As you can’t guarantee that all the plugins you have installed are secured or that an update can’t come with a breach, I can say that it’s a lottery and it’s a matter of time until a bot finds a breach.
Hide WordPress For Security
If we get deeper into the question, we would say that the reason to hide a website CSM is to protect the vulnerable themes and plugins from being attacked by hacker’s bots.
Again, this is a really good question and this is the reason we’ve created Hide My WP Ghost plugin for WordPress.
The plugin works like a security through obscurity solution for a WP website. All the WordPress common paths can be changed (not physically changed to avoid massive problems) together with the plugins and themes names.
Once the paths are changed, the old paths can be hidden and get the 404 error (page not found) or 403 error when hackers bots access these paths.
Here is the list with some of the common paths we are hiding:
wp-admin, wp-login.php, wp-includes, wp-content, wp-json REST API, uploads, author, wp-comment, plugins and themes, wp-config.php, install.php, update.php, etc.
Hide My WP Ghost will also add a firewall in the config file against Script Injection and SQL injection. This way you will have a fully protected website.
In Hide My WP Ghost you find many security add-ons you can activate for your website:
- Hide author by ID URL
- Hide RSD (Really Simple Directory) endpoint
- Disable directory browsing
- Hide Emojicons if you don’t use them
- Disable XML-PRC access
- Hide/Disable REST API access
- Disable Right Click, Copy-Paste, Drag-Drop, Inspect Element
- Disable Embed scripts
- Disable DB-Debug in Frontend
- Disable WLW Manifest scripts
- Brute Force Protection with Math Captcha
- Brute Force Protection with Google reCaptcha V2 & V3
- Events Log & Security Email Alerts
Also works with other 2 Factor Authentication plugins that work on the login page if you have an e-commerce website or a website with members who need to login to your website.
We worked hard to make the plugin compatible with almost all the server types and hosts so that it will be easy to configure the plugin no matter where you host it.
We made the plugin compatible with:
WordPress Multisite, Nginx Servers, IIS Windows Servers, LiteSpeed Servers, Apache Servers, Bitnami Hosting, WP Engine, Inmotion Hosting, Hostgator Hosting, Godaddy Hosting, Host1plus, Payperhost, Fastcomet, Dreamhost, Bitnami Apache, Bitnami Nginx, and more.
Find how to configure Hide My WP Ghost plugin and how to hide your website from theme detectors: