Have you ever talked to someone who recommended you hide that your site is running on WordPress? It was somewhat jarring the first time I was recommended this, because well, what’s the point? Am I going to have to go through hours of work just so people don’t know I’m using WordPress?
Should I be embarrassed that I use WordPress?
The questions start rolling in, and the topic is rather controversial, so I wanted to put together a guide on the arguments for and against hiding WordPress, along with the best tools to do so if you decide on covering up the WP name.
What’s the Point of Hiding That Your Site is Using WordPress?
Hiding that your site is running on the WordPress platform is a divisive topic, in that it many folks are strongly against it, while others argue that it has some solid benefits. Below we will discuss the different arguments for and against hiding WordPress, but right now I want to cover why the “pro-hiding” folks are even talking about this in the first place.
It all comes down to two primary reasons: One, people want to secure their WordPress sites a little more, and some people think that WordPress is seen as an unprofessional or “cheap-o” platform.
I’ll give you my opinion on both of these reasons for hiding your use of WordPress.
Security is the big issue here, and although you should always implement other security measures, the idea is that you can prevent bots and the occasional direct attack (from someone who probably doesn’t know much about hacking) by simply hiding that you use WordPress. Some valid arguments are floating around the internet, but for now, just know that the main goal in hiding WordPress is to protect your sites.
For the second point (on WordPress being a cheap platform,) this is a terrible reason to consider hiding your WordPress usage, because although WordPress is an opensource platform, it’s still the most used and respected content management system out there.
The Arguments For and Against Hiding WordPress
Konstantin Kovshenin compiles the most valid arguments from around the web in terms of why it’s not a good idea to hide that your site is running on WordPress. Once again, people in the industry are always debating as to which is the best route, but here is a roundup of the primary points that Konstantin makes:
- The attackers don’t really care about which version of WordPress you’re running.
- The hackers don’t even care about the fact that you’re using WordPress at all, because they just send blind POST requests to your wp-login.php file.
- You’re better off using a strong password and always keeping your plugins and themes up to date.
- He also talks about how some people think WordPress is a cheap platform, so they hide it. His argument is that WordPress is the best in the business, so if you own a Ferrari, why not show it off? I completely agree.
On the other end of the spectrum we have those who argue that it can’t hurt hiding your WordPress version. I would completely agree with Konstantin’s argument that there’s no reason at all to hide WordPress due the fact that you think it’s a poor platform. Some web designers may remove some of the more visible “Built on WordPress” statements, but this is merely for white label branding.
Let’s take a look at some of the more valid arguments for hiding WordPress.
- Hiding your WordPress version prevents targeted attacks since the hackers can’t figure out where the vulnerabilities are.
- Since a dedicated attacker can get around your blocking of a WordPress version, you can focus most of your attention on bots. The good news is that bots account for most attacks, meaning that a simple change with your permalinks can fight off things like PHP file requests and brute-force attacks.
- WordPress is an extremely popular target, since it’s the most used CMS in the world.
- Hackers realize that many people using WordPress don’t think twice about securing their websites.
Keep in mind that you can never completely hide that your website is running on WordPress. So, in a sense, going through this process is not an all-in-one security solution. For example, hiding your version number just adds another step for the hackers. In my opinion, I’d rather add that extra step, but cunning hackers can find other ways to get around that anyways.
Experts also argue that hiding WordPress use can lead to laxness in security. In short, many webmasters may think that their sites are completely secure by hiding that they use WordPress. This is a huge no-no, and it adds to the strength of the “anti-hiding” group argument.
After all of that, is it still worth it to hide your WordPress usage?
The answer to this is unclear. You can make your own decision, but your choice really depends on how you plan on responding. If you hide your WordPress usage, are you going to forget about all of the other needed security measures? In that case, just leave your site the way it is and look into more reliable ways to protect your site.
However, if you keep your themes and plugins up to date, utilize security plugins and backup tools, I don’t see any problem with hiding the fact that your website runs on WordPress for an additional security measure. I will say, however, if your primary motive is because you think WordPress is cheap or not respected, that’s a poor reason, and simply untrue.
How to Hide That Your Site is Running on WordPress
The best solution is to use the Hide My WP premium plugin to completely get rid of most traces that WordPress is being used for your website.
What does the plugin do for your site?
- It boosts your security by controlling access to PHP files. The plugin claims to protect your site from 90% of all SQL-injecton and XSS attacks, which typically occur because of your PHP files.
- The plugin lets you change your WordPress permalinks, ridding the site of any traces that it is actually run on WP. Keep in mind that the plugin doesn’t change any of your files, but it takes control of the files to hide your status and prevent attacks.
- This dives into modifying items like your wp-admin, wp-login and all of their files.
- Feeds are disabled and author permalinks are hidden.
- Plugin directories are changed, and all WordPress files are hidden in the process.
- One of the best features is that the plugin sends you a message if someone is trying to attack your website. That’s the main reason I really like this plugin, since the verdict is still out about whether or not hiding your WP files is that effective, but coupled with this feature you can at least see when danger is coming.
- You also receive a custom 404 page and various other features for hiding your WordPress usage.
For a more technical method on hiding your WordPress URL rewrites, using relative links and cleaning up the head, check out Kevin Leary’s post where you really dive deep into your files and mess around with code.
Additional Ways to Secure Your WordPress Site
Seeing as how our primary goal is to protect our websites from hackers, you’re best bet is to implement some of the following tools and tasks, regardless of whether or not you decide to hide that your site is running WordPress.
- Change your passwords on a scheduled basis (weekly, monthly, bi-monthly).
- Generate strong passwords and use a password storage tool so that you don’t have to remember them.
- Update your themes and plugins constantly.
- All-in-one security plugins like iThemes Security are the best solution for all-around website protection.
- Stop using themes or plugins that don’t get updated, and delete all plugins and themes that are inactive on your site.
- CAPTCHA on Login is a nice tool for fighting off brute-force attacks.
That’s it! I know this is a little confusing, but I trust you to make your own judgement. Hopefully this guide helped clarify the situation a little bit and show you the proper ways to hide your use of WordPress if needed.
Now it’s your turn. Let us know in the comments section if you have any thoughts on hiding that your site is running on WordPress.
Good clarity about WordPress powered websites. Even, the iThemes security too is wonderful. I recommend to all those who prefer WP. Thanks to you!
Let me respond:
When it comes to agencies, YES wordpress is the ‘cheap’ option rather than a custom CMS that the customer THINKS they are paying for.
As for Konstantin Kovshenin’s comments:
1. The attackers don’t really care about which version of WordPress you’r running.
But giving them a version makes it quicker, and not giving them access to the admin directory at all by changing it reduces the attack surface considerably (90%)
2. The hackers don’t even care about the fact that you’re using WordPress at all, because they just send blind POST requests to your wp-login.php file.
Wrong, if you’re hiding wordpress, you change the admin path, so wp-login.php doesn’t exist in the normal directory structure (standard wp security practice these days anyway)
3. You’re better off using a strong password and always keeping your plugins and themes up to date.
Hackers don’t need a password to get into your site, they get in through bugs in the core (mostly) and plugins (extra).
He also talks about how some people think WordPress is a cheap platform, so they hide it. His argument is that WordPress is the best in the business, so if you own a Ferrari, why not show it off? I completely agree.
If you own a Ferarri ‘kit’… it’s not close to the best CMS out there (not nearly), but it’s used that way for smaller sites. WordPress is free, therefore implied ‘cheap’. one of the downsides of being free open source. It’s not a ferarri, it’s a 2 litre pretending to be a ferrari… it’s close to ux best practice, but still a way off. When my mum can use it without a manual, then it’s a ferarri… people use it because it’s free, and there’s so many plugins because it’s incomplete (by a longshot) – it’s like buying a mac vs pc – pc comes with everything you need to use it immediately, with mac you need dongles, then software to make it work and you spend $200+ on extras before you start… wordpress is the same.
Also captcha doesn’t stop brute force attacks. There are many ways around them which is why the web industry is moving AWAY from them completely – even recaptcha is moving away from traditional captcha.
Move to 2 factor auth if you want dencent security. Either way you wordpress will always be a security risk. I’d recommend not storing any personal details in it.
Another good idea is to limit access to the WP login via the .htaccess file by an IP range.
Can this procces affect seo quality of a website?