Lesson 3 – How to Hide WordPress from Theme Detectors and Hacker Bots
November 17, 2018
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Changing WordPress paths is the first step, but additional configuration is needed for full protection. Hide old paths so bots cannot still access /wp-content/ directly. Enable security tweaks to remove WordPress fingerprints from source code. Use Text Mapping to replace WordPress CSS class names. Clean up sitemap and robots.txt references. Then verify by checking the source code and testing with real-time theme detectors.
Hide Old WordPress Paths
After changing paths in WP Ghost, the old paths (/wp-content/, /wp-includes/, /readme.html) are still accessible by default. Bots can still probe these locations unless you hide them.
Go to WP Ghost > Change Paths > WP Core Security. Enable Hide WordPress Common Paths and Hide WordPress Common Files. After saving, test by visiting /wp-content/ in an incognito browser — you should get a 404 error.
Block Theme Detectors
Go to WP Ghost > Firewall. Enable Block Theme Detectors. This blocks known detector IPs and user agents from crawling your site.
For deeper protection, go to WP Ghost > Tweaks > Change Options > Simulate CMS and select a different CMS name. This stops detectors that perform deep scans beyond path checks.
Enable Security Tweaks
Go to WP Ghost > Tweaks. Enable the following options to remove WordPress fingerprints from the HTML source code: Change Paths in Cached Files, Hide Version from Images/CSS/JS, Hide WordPress Generator META Tags, Hide DNS Prefetch META Tags, Hide HTML Comments, Hide Emoji Icons, Disable Embed Scripts, and Hide WLW Manifest Scripts.
Use Text Mapping to Replace WordPress Classes
Some theme detectors identify WordPress by CSS class names (wp-block, wp-caption, wp-image, etc.) even when all paths are changed. Use WP Ghost > Mapping > Text Mapping to replace these classes.
Recommended Text Mapping entries:
wp-caption → caption, wp-custom → custom, wp-block → block, wp-image → image, wp-smiley → smiley, wp-embed → embed, wp-i18n → i18n, wp-hooks → hooks, wp-util → util, wp-polyfill → polyfill, wp-escape → escape, wp-element → element, wp-post → post, wp-switch-editor → switch-editor
If your theme does not rely on wp-block classes for styling, you can also add: –wp– → {blank}
Test after adding Text Mapping entries. If any styling breaks, remove the entry that caused the issue. Not all WordPress classes can be safely replaced — some themes depend on them for layout.
Use URL Mapping and Cache Plugins
Some plugins use filenames matching the plugin name. Use WP Ghost > Mapping > URL Mapping to change specific URLs, or use a cache plugin with Combine CSS/JS Files to merge all files into anonymous combined files.
If using a cache plugin, enable Change Paths in Cached Files in WP Ghost > Tweaks so custom paths apply inside the cached output. See the Compatibility Plugins List for tested cache plugins.
Additional Configuration
Custom admin-ajax.php path: Add a custom name even if wp-admin stays at default. Hide the wp-admin from the ajax path. See AJAX Path Configuration.
REST API and XML-RPC: Hide the wp-json path from source code. Disable XML-RPC access (used for brute force attacks). See REST API Configuration.
Sitemap and robots.txt: WP Ghost automatically removes WordPress path references from sitemap.xml and robots.txt. This does not affect SEO — all content remains indexed normally.
Verify Your Configuration
Go to WP Ghost > Security Check and run a scan. If the report finds no old WordPress paths in the source code, your configuration is correct.
You can also verify manually: open your site in an incognito browser, type view-source: before your domain, and search for “wp-” using Ctrl+F. If /wp-content/ references appear in cached files, enable Combine CSS/JS in your cache plugin or use URL Mapping.
Test with real-time theme detectors (not cached ones):
wpthemedetector.com · whatwpthemeisthat.com · whatcms.org
Do not use BuiltWith or browser extensions for testing. BuiltWith caches CMS detection for months — even blank sites show old results. Browser extensions detect WordPress when you are logged in as admin and cache that information. To remove your site from BuiltWith, use their removals page.
Frequently Asked Questions
Will hiding all WordPress paths affect SEO?
No. All content remains indexed. Sitemap links work normally. Robots.txt rules are preserved. Only WordPress-identifying references are removed.
A theme detector still identifies my site. What should I check?
Check page source for remaining /wp-content/ references (often from cache plugins). Check for WordPress CSS class names (wp-block, wp-caption) — add them to Text Mapping. Check if the detector is using cached results — test with a real-time detector instead.
Is it safe to replace all wp- class names?
Not always. Some themes depend on WordPress class names for styling. Test after each Text Mapping entry. If styling breaks, remove that entry. The recommended list above covers the most common safe replacements.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses rewrite rules and WordPress hooks. Deactivating restores all defaults.
Related Tutorials
Getting Started with WP Ghost – initial path setup.
Advanced Text Mapping – detailed Text Mapping reference with {blank} and {rand} patterns.
URL Mapping – change specific URLs in source code.
Hide from Wappalyzer – handle browser extension detectors.
Hide from BuiltWith – handle BuiltWith’s long-term cache.