To hide WordPress from Theme Detectors, you need to activate some extra features in Hide My WP Ghost.
These features don’t affect the website’s security, but Theme Detectors also check WP signals such as plugin HTML comments, the WordPress version, the RSD header, and more.
Redirect Hidden Paths
When the common WordPress paths are changed and hidden, all calls to paths like /wp-admin and /wp-login are redirected to the Front Page by default.
Use the select box to choose the page to which visitors or hackers are redirected.
To customize the redirect, select a new page from Hide My WP > Tweaks > Redirect Hidden Paths
Login Redirect URL & Logout Redirect URL
Since Hide My WP Ghost version 5.0.13 you have the option to set the login and logout redirects based on user role.
With this option, authors can be redirected to the right page on login, and the same applies to editors and administrators.
To customize the redirects, go to Hide My WP > Tweaks > Redirect Settings.
Select Default to set the redirects for all users or select the User Role and enter a custom URL for Login and Logout.
Change Paths For Logged Users
Most themes work fine with the paths changed while the user is logged in, but some need the common WordPress paths unchanged.
We recommend activating this option so that customers can’t see the common paths while they’re logged in to their account.
To activate this feature, switch on Hide My WP > Tweaks > Change Paths for Logged Users
Change Paths In Cached Files
This feature is useful when the website has a cache plugin installed. Once the website is loaded in the frontend, the cache plugin will add all the CSS Styles, JS, and HTML content into the cache directory.
Hide My WP Ghost runs a background process that checks the cache directory for unchanged paths and changes them. This feature will not affect the loading speed and works with all the WordPress cache plugins.
To change the paths in cached files, switch on Hide My WP > Tweaks > Change Paths In Cached Files
Change Paths in Ajax Calls
Some plugins use Lazy Load options to load videos and images only when the user scrolls to that specific image. In this case the images are usually called through Ajax, and you need to be sure that these images’ paths are also changed.
If some themes are loading CSS styles through Ajax you may have CSS duplicates if the paths are not always the same.
To change the paths in ajax calls, switch on Hide My WP > Tweaks > Change Paths in Ajax Calls
Change Relative URLs to Absolute URLs
Having all the common WordPress paths replaced with the custom ones prevents any relative URL from pointing to the old paths. We recommend using this feature to change all the HTML URLs into absolute URLs.
To change relative to absolute URLs, switch on Hide My WP > Tweaks > Change Relative URLs to Absolute URLs
Change Paths in Sitemaps XML
For better Search Engine Optimization, we recommend using this feature to replace all the image paths in sitemap.xml with the custom ones.
Also, Hide My WP Ghost will remove all the sitemap styles added by SEO plugins like Yoast SEO, Squirrly SEO, Google Sitemap XML, that reveal the plugin’s author. The sitemap will be shown as required by Google and other search engines.
To change the image URLs in sitemap.xml, switch on Hide My WP > Tweaks > Change Paths in Sitemaps XML
Change Paths in Robots.txt
This option will remove any reference to common WordPress paths that shows that you’re using the WordPress CMS.
Robots.txt will have the minimum requirements for the Google Search Engine to index the website without affecting the rankings.
To activate the Robots.txt security, switch on Hide My WP > Tweaks > Change Paths in Robots.txt
Hide Admin Toolbar
This feature is useful when the website is an e-commerce or a profile site and the admin toolbar should not show while the customer is logged in.
Because the admin toolbar uses admin classes, it’s better to use this feature to hide the WordPress CMS from logged-in users.
To hide the admin toolbar, switch on Hide My WP > Tweaks > Hide Admin Toolbar
Hide WordPress Version
It’s important to hide the version info of all plugins, themes and WordPress core in order to hide from Theme Detectors.
For every new website, WordPress adds a Generator META tag with its signature to the header. Many plugins do the same, so the choice is to completely remove the Generator META from the header.
This feature also:
- removes the version parameters from CSS Styles loaded in the source code
- removes the version parameters from JS Scripts loaded in the source code
- removes the WordPress generator Meta
- removes the WPML (WordPress Multilingual Plugin) generator Meta
- removes the Slider Revolution generator Meta
- removes the Visual Composer / WPBakery Page Builder generator Meta
- removes the dns-prefetch link to WP.org
- hides the Jetpack analytics trails to WordPress
To activate this feature, switch on Hide My WP > Tweaks > Hide Version and WordPress Tags
Hide RSD (Really Simple Discovery) header
Really Simple Discovery (RSD) is an XML format and a publishing convention for making services exposed by a blog, or other web software, discoverable by client software.
In our case, this header exposes the WordPress service on every website call.
Hiding the RSD header is mandatory when you want to hide the WordPress CMS from Theme Detectors.
This feature also:
- removes all the WordPress cache plugins headers
- removes the x-cf-powered-by header
- removes the Link header
- removes the rsd_link header
- removes the PHP info header
To activate this feature, switch on Hide My WP > Tweaks > Hide RSD (Really Simple Discovery) header
Hide WordPress HTML Comments
WordPress is not the only one adding comments to the source code; plugins and themes do it too. Most Theme Detectors read the HTML comments to identify the plugins and their versions.
Removing the HTML comments is also a must if you want to hide the website from detectors.
To remove the HTML comments, switch on Hide My WP > Tweaks > Hide WordPress HTML Comments
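A way to verify that the version, header and comment tweaks above took effect: the Python sketch below is an added example, not Hide My WP Ghost code, that lists which of these signals remain in a saved response. The signal labels, the regular expressions, the s.w.org prefetch host and the example.test sample are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Signals named on this page; the patterns are assumptions of this example.
PATH_RE = re.compile(r"/wp-(?:content|includes|admin)/|/wp-login\.php|/xmlrpc\.php")
VER_RE = re.compile(r"[?&]ver=[\w.\-]+")
HEADER_NAMES = {"link", "x-powered-by", "x-cf-powered-by"}

class SignalParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower()
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.add("generator-meta")
        if tag == "link" and rel == "edituri":
            self.findings.add("rsd-link")
        if tag == "link" and rel == "dns-prefetch" and "s.w.org" in a.get("href", ""):
            self.findings.add("dns-prefetch")
        for url in (a.get("href", ""), a.get("src", "")):
            if PATH_RE.search(url):
                self.findings.add("common-path")
            if tag in ("link", "script") and VER_RE.search(url):
                self.findings.add("version-param")

    def handle_comment(self, data):
        self.findings.add("html-comment")  # any comment counts, as on this page

def audit(headers, html):
    """Return the sorted signals still present in one response."""
    parser = SignalParser()
    parser.feed(html)
    hits = {"header:" + h.lower() for h in headers if h.lower() in HEADER_NAMES}
    return sorted(parser.findings | hits)

# Constructed sample response (not captured from a real site).
SAMPLE_HEADERS = {"X-Powered-By": "PHP/8.1", "Content-Type": "text/html"}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.0" />
<link rel="EditURI" type="application/rsd+xml" href="https://example.test/xmlrpc.php?rsd" />
<link rel="dns-prefetch" href="//s.w.org" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/style.css?ver=6.0" />
<!-- constructed plugin banner v1.2 -->
</head><body></body></html>"""
if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, SAMPLE_HTML))
```

An empty list for your own front page means none of these signals is left in that response; each remaining label points to the tweak that still needs to be switched on.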
Hide Emoji icons
Emojis are little icons used to express ideas or emotions. If you don’t use them on your website, you don’t need to load them.
Another reason to disable Emojicons is for speed optimization. You will notice a significant improvement in your page loading when these libraries are not loaded.
To disable Emojicons, switch on Hide My WP > Tweaks > Hide Emojicons
Disable XML-RPC access
The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.
The xmlrpc.php path is also used for Brute Force attacks because WordPress does not protect it with a limit on attempts.
Please read before activating this feature: Should You Disable XML-RPC on WordPress?
JetPack Plugin Compatibility: To hide XML-RPC from hackers while still letting Jetpack IPs access the website, add this code at the beginning of the .htaccess file:
    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from *.wordpress.com
        Allow from 22.214.171.124/18
        Allow from 126.96.36.199/22
        Allow from 2a04:fa80::/29
        Allow from 188.8.131.52/22
        Allow from 184.108.40.206/22
        Allow from 220.127.116.11/22
        Allow from 18.104.22.168/22
        Allow from 22.214.171.124/22
        Satisfy All
        ErrorDocument 404 /
    </Files>
Now whenever someone tries to directly access xmlrpc.php, they’ll see the 403 Forbidden error.
To completely disable XML-RPC access, switch on Hide My WP > Tweaks > Disable XML-RPC access
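To see whether xmlrpc.php is still being reached after the change, the web server access log can be checked. This added example (not part of Hide My WP Ghost) counts POST requests to xmlrpc.php per client in Combined Log Format lines and separates those answered with 403 from those still served; the log lines, the threshold of 3 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def xmlrpc_posts(lines):
    """Count POSTs to /xmlrpc.php per client IP: (still served, blocked with 403)."""
    served, blocked = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if method != "POST" or path.split("?", 1)[0] != "/xmlrpc.php":
            continue
        (blocked if status == "403" else served)[ip] += 1
    return served, blocked

def flag(lines, threshold=3):
    """Clients whose POSTs to xmlrpc.php were still served at least `threshold` times."""
    served, _ = xmlrpc_posts(lines)
    return sorted(ip for ip, n in served.items() if n >= threshold)

# Constructed log lines using documentation-only IP ranges.
FMT = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "constructed"'
SAMPLE_LOG = [
    FMT.format(ip="203.0.113.7", s=i, req="POST /xmlrpc.php", st=200) for i in range(4)
] + [
    FMT.format(ip="198.51.100.9", s=10, req="POST /xmlrpc.php", st=403),
    FMT.format(ip="198.51.100.9", s=11, req="POST /xmlrpc.php", st=403),
    FMT.format(ip="192.0.2.44", s=12, req="GET /xmlrpc.php?rsd", st=200),
    FMT.format(ip="192.0.2.44", s=13, req="POST /wp-login.php", st=200),
]

if __name__ == "__main__":
    served, blocked = xmlrpc_posts(SAMPLE_LOG)
    print("still served:", dict(served))
    print("blocked (403):", dict(blocked))
    print("flagged:", flag(SAMPLE_LOG))
```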
Disable Embed scripts
oEmbed allows users to embed YouTube videos, tweets, and many other resources on their sites simply by pasting a URL, which WordPress automatically converts into an embed and provides a live preview in the visual editor. Most themes already come with this option included, so you don’t need to load these scripts anymore.
Another reason to disable oEmbed scripts is for speed optimization. You will notice a significant improvement in your page loading when these libraries are not loaded.
To disable Embed scripts, switch on Hide My WP > Tweaks > Disable Embed scripts
Disable WLW Manifest scripts
If you don’t use Windows Live Writer, then this code is completely useless to you and should be removed.
To disable WLW Manifest scripts, switch on Hide My WP > Tweaks > Disable WLW Manifest scripts
Disable DB Debug in Frontend
It’s not safe to have Database Debug turned on in the frontend. Make sure you don’t use Database debug on live websites.
To disable DB Debug, switch on Hide My WP > Tweaks > Disable DB Debug in Frontend