How to conceal what plugins I've used on my site?


(Rob) #1

There are tools that will scan your site and give you a list of plugins used on the WP site.

This is one example of a site that does this: http://www.wpthemedetector.com/

If I would like my site to be more private, or at least keep such backend information private, is there a way to conceal what plugins I’ve used on my site?

Also curious as to how this tool is able to detect what plugins were used. Any ideas?


(Ben) #2

I don’t know - but I assume the script reads the html and looks at what javascript and css is being included in the site and then guesses from that. This means they won’t be able to tell all the plugins in use since they can only see things that are publicly displayed.


(Leland Fiegel) #3

The “detector” part of the name is a bit disingenuous. Sites like this are not actually traversing through your plugins and themes directories and cataloging everything that’s in there.

They’re scanning through the source of your webpage for known plugin signatures. Something that any human can do by right-clicking on the page and selecting “View Source.”

Like if there’s something like “<!-- page cached by WP Super Cache! -->” …it would be safe to assume you used WP Super Cache. (I don’t know if WP Theme Detector actually does this, but they could.)

Or if you have a stylesheet link to /wp-content/themes/some-detected-theme/style.css with the default theme style header information (which includes theme author, theme URI, description, etc.), it could see that, just like any person could see manually.

The only way this would be possible to actually “detect” everything is if you allowed the public to see your directory indexes. WordPress usually puts a blank index.php file in directories to prevent this from happening.


Anyway, to answer your question:

  1. Make sure that you can’t see anything at example.com/wp-content/plugins/ …if a directory index is displayed, then anyone can see that. This probably won’t happen unless your server is configured weirdly.

  2. What other plugins do you want to conceal? If the presence of a plugin you want concealed is apparent in the public source code, you could rename the plugin and obfuscate other public “clues”…but that would be a lot of work and would be a huge pain when updating. Otherwise, there’s no way to know.
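
The source-scanning approach described in the post above can be turned on your own pages to see which clues they publish. This is an added example, not part of the original thread and not a description of how WP Theme Detector works internally; the sample HTML, the `example-*` slugs and the `audit` helper are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page source (not taken from any real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/example-theme/style.css?ver=1.2">
<link rel="stylesheet" href="https://example.com/wp-content/plugins/example-gallery/css/main.css">
<script src="/wp-content/plugins/example-forms/js/form.js?ver=3.1"></script>
</head><body><img src="/wp-content/uploads/2020/01/a.png">
<!-- page cached by WP Super Cache! -->
</body></html>"""

# Asset URLs under these two directories carry the plugin/theme folder name.
ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/")


class ExposureAudit(HTMLParser):
    """Collects the plugin/theme slugs and HTML comments any visitor can see."""

    def __init__(self):
        super().__init__()
        self.plugins, self.themes, self.comments = set(), set(), []

    def handle_starttag(self, tag, attrs):
        # Also invoked for self-closing tags via the default handle_startendtag.
        for name, value in attrs:
            if name in ("href", "src") and value:
                for kind, slug in ASSET_RE.findall(value):
                    (self.plugins if kind == "plugins" else self.themes).add(slug)

    def handle_comment(self, data):
        # Comments such as cache banners are plugin signatures too.
        self.comments.append(data.strip())


def audit(html):
    """Return what a saved copy of your own page source discloses."""
    parser = ExposureAudit()
    parser.feed(html)
    parser.close()
    return {"plugins": sorted(parser.plugins),
            "themes": sorted(parser.themes),
            "comments": parser.comments}


if __name__ == "__main__":
    for key, found in audit(SAMPLE_HTML).items():
        print(key, found)
```

Anything this reports for a saved copy of your own page is visible to every visitor; plugins that emit no public assets or comments do not show up, which matches the limits described in posts #2 and #3.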


(Rob) #4

Yeah that makes sense. Thanks for the reply guys. I was asking just to know how to tighten up security for some sites. The way I think about it is that the less is known about how a site is built and what plugins it uses the better for security.


(Miroslav Glavić) #5

Wouldn’t renaming a plugin mess with the updating aspect of it? Or at least notifications on the dashboard that there is a new version of the plugin?


(Miroslav Glavić) #6

Many themes and plugins will have a readme.html file. Delete all those.


(Miroslav Glavić) #7

You could also change the stylesheet.css parts below:

Theme Name:
Theme URI:
Author:
Author URI:
Description:
Version:


(Dan Knauss) #8

It’s not worth it trying to maintain a bunch of hacks to obscure your plugins. Security by obscurity is no security at all. It’s not hard to guess, and some people actually advertise the plugins they are using, which is not a bad thing – that public confidence may play a role in keeping strong, well supported plugins at the front of the pack. If you’re using something you’re ashamed or scared of, think again about using it at all.


(Mark Senff) #9

If you want to hide the fact that you’re using Plugin X because you think hackers might use it to hack your site, it shows that you don’t trust the security of this plugin and believe it’s easily hackable, and therefore you shouldn’t use it in the first place.

I’d say, if you only use plugins that you trust and that you think are safe, you should have no reason to hide them in the first place.

I know that’s not answering your question, and so it’s probably not very helpful, but just something to think about. 🙂


(Rob) #10

Good point guys.

I try to use plugins I think are secure but would like to know more about strategies for determining if a plugin is secure. Any tips?

Actually I’m starting a new post for this to keep this forum organized.
Let’s carry this over on this post: