The plugin provides many options to secure and hide your WordPress website. It is important to understand what each option does, and the results should be checked on the front side to ensure no incompatibility or conflict is taking place. Not every option necessarily needs to be used, as certain functionalities are not available unless specific themes and certain plugins are in use. For detailed explanations of all options, see Plugin Options Explained.
The plugin menu is structured into three main sections:
- General / Html
This includes functions to control pretty much everything related to URLs: Parent Theme / Child Theme, Individual Plugins, the default WordPress folder structure, Uploads, XML-RPC and JSON REST. All default URLs can be changed to something else, disguising the WordPress identity, which is otherwise very easy to identify. This makes reading and identifying the structure through the HTML code near impossible, as it simply no longer matches anything commonly used. The majority of WordPress identification / theme detectors will fail to find anything regarding WordPress; they will not see it as the CMS of the site at all.
General / Html
The HTML structure output can be maintained from this area. Different tag replacements or removals are controlled through these options: meta tags like the WordPress generator, wlwmanifest, feed_links, adjacent post links, canonical links, emoji, oembed, headers, HTML classes and IDs cleanup, etc. At this point, taking advantage of those settings, WordPress becomes virtually impossible to detect. Even for large sites with complex structure and functionality, detection of WordPress fails since no tracks of it are found anymore.
This includes two powerful options: changing the default WordPress wp-login.php and the admin slug. This is the place through which the login / admin aspects of your site can be managed. The default URLs can be set to return the default theme 404 error (Not Found type), so they give no hint of a potential WordPress install. The user is shown a default 404 error page, as if the link does not exist at all. Changing the default login / admin slugs brings a huge improvement to site security. One of the most important benefits is eliminating brute-force login attempts, which are pretty common for almost all sites. Hackers and hack bots always search for WordPress sites and try to guess their way in by exploiting weak logins. Since the default login / admin link is no longer available, they will not know where to try. Besides the security aspect, overall site speed also increases: imagine a hack bot trying thousands of login attempts in an hour; the server's processing power is dramatically reduced, translating into a much slower page load response for regular users.
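The front-side check recommended at the top of this page can be scripted against the saved HTML of your own pages. The following is an added example, not part of the plugin: it reports which of the default WordPress traces named above are still present. The function name, the regexes and both sample documents are assumptions constructed for illustration.

```python
import re

# Default WordPress traces named on this page; the regexes are this example's
# own assumptions about how each trace usually appears in front-end HTML.
MARKERS = {
    "generator meta": r"<meta[^>]+name=[\"']generator[\"'][^>]+content=[\"']WordPress",
    "wlwmanifest link": r"wlwmanifest",
    "oembed link": r"json\+oembed",
    "emoji script": r"wp-emoji|_wpemojiSettings",
    "default folders": r"/wp-(?:content|includes)/",
    "XML-RPC endpoint": r"xmlrpc\.php",
    "JSON REST endpoint": r"/wp-json\b",
    "default login URL": r"wp-login\.php",
}

def find_wp_markers(html):
    """Return {marker name: matching snippet} for every trace still present."""
    found = {}
    for name, pattern in MARKERS.items():
        m = re.search(pattern, html, re.IGNORECASE)
        if m:
            # Keep a little context so the leaking tag is easy to locate.
            start = max(m.start() - 20, 0)
            found[name] = html[start:m.end() + 20].strip()
    return found

# Constructed sample: the <head> of a default install.
BEFORE = """<head>
<meta name="generator" content="WordPress 6.0" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.test/wp-includes/wlwmanifest.xml" />
<link rel="https://api.w.org/" href="https://example.test/wp-json/" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/style.css" />
</head>"""

# Constructed sample: the same page after rewriting, with one plugin asset missed.
AFTER = """<head>
<link rel="stylesheet" href="https://example.test/skin/style.css" />
<script src="https://example.test/wp-content/plugins/demo-slider/app.js"></script>
</head>"""

if __name__ == "__main__":
    for label, html in (("before", BEFORE), ("after", AFTER)):
        hits = find_wp_markers(html)
        print(label, "->", sorted(hits) or "no default markers found")
        for name, snippet in hits.items():
            print("   ", name, ":", snippet.replace("\n", " "))
```

A remaining hit, such as the plugin asset in the second sample, shows which option still needs to be enabled or which theme or plugin outputs an unrewritten URL.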