Web Reveal Team

How to Tell if a Website Uses WordPress (2026 Guide)

WordPress powers around 43% of all websites on the internet—making it by far the most popular CMS. Whether you're a developer scoping a potential client, a marketer doing competitor research, or simply curious about a site you're visiting, identifying a WordPress installation is usually straightforward. This guide shows you the fastest tools and the manual signals to look for.

Why Detect WordPress?

Detecting whether a site runs on WordPress is useful across many professional contexts:

  • Web development agencies: Quickly identify which prospects are on WordPress before reaching out about maintenance, redesign, or migration services.
  • Security researchers: WordPress sites running outdated core, plugins, or themes are a major attack vector—identifying them is the first step in vulnerability assessment.
  • Plugin and theme vendors: Find potential customers running WordPress for targeted outreach.
  • Competitive intelligence: Understand whether a competitor is running a custom WordPress theme or a page builder like Elementor or Divi.
  • Recruiters and job seekers: Identify companies using WordPress to tailor applications or sourcing strategies.

Fastest Method: Free Scanner Tool

The quickest and most reliable way to detect WordPress is to use Web Reveal—a free technology scanner that analyses the live site and returns a full technology stack breakdown including the CMS, theme, plugins (where visible), and version information.

Simply enter the website URL on the Web Reveal homepage. Within seconds, the results will confirm whether the site uses WordPress and provide additional context on the hosting provider, JavaScript frameworks, and analytics tools in use.

For passive detection while browsing, install the Web Reveal Chrome extension—it automatically identifies WordPress and displays the result in the browser toolbar on every page you visit.

URL and Path Signals

WordPress has a distinctive file and directory structure that leaks into URLs visible in the page HTML. Look at any image, script, or CSS file URL on the page and check for:

  • /wp-content/uploads/ – WordPress stores all uploaded media here.
  • /wp-content/themes/theme-name/ – Active theme assets are loaded from this path.
  • /wp-content/plugins/plugin-name/ – Plugins load assets from this path.
  • /wp-includes/js/ and /wp-includes/css/ – Core WordPress scripts and styles.

Simply press Ctrl+U (or Cmd+U on Mac) to view the page source and search for "wp-content" — if it appears, the site almost certainly runs on WordPress.

Page Source Code Signals

WordPress generator meta tag

Many WordPress sites include a generator meta tag in the <head> section of the HTML:

<meta name="generator" content="WordPress 6.4.2" />

Search for name="generator" in the page source to find this tag. Note: some security plugins remove this tag to obscure the CMS version, but the site may still be identified via other signals.

Script and style handles

WordPress adds unique identifiers to scripts and stylesheets called "handles". You'll often see patterns like id="jquery-core-js", id="wp-embed-js", or id="dashicons-css" in the source code. These are distinctive WordPress patterns.

RSS feed URL

WordPress sites typically expose an RSS feed at /feed/ (e.g., https://example.com/feed/). The feed includes a generator tag: <generator>https://wordpress.org/?v=6.x</generator>. Visit /feed/ and search for "generator" to confirm WordPress and find the version.

HTTP Headers

HTTP response headers can reveal WordPress and its hosting environment. Open browser developer tools (F12), go to the Network tab, reload the page, click the main document request, and check the Response Headers for:

  • X-Powered-By: PHP/x.x – WordPress runs on PHP, so this header is consistent with WordPress, but it only confirms the server language; non-WordPress PHP sites send it too.
  • X-Powered-By: WP Engine – Specific to the WP Engine managed WordPress host.
  • X-Kinsta-Cache or X-Cache: HIT from a Kinsta server – Kinsta is a managed WordPress host.
  • Link: <https://example.com/wp-json/> – WordPress REST API discovery header. This is a very strong indicator of WordPress.

Login Page and Admin URLs

WordPress has well-known default admin URLs. While security-conscious site owners block or redirect these, many sites leave them exposed:

  • /wp-login.php – The default WordPress login page.
  • /wp-admin/ – Redirects to the login page if the user is not authenticated.
  • /wp-json/ – WordPress REST API endpoint; returns a JSON response confirming WordPress.
  • /xmlrpc.php – WordPress XML-RPC endpoint (often disabled for security).

Important: Do not attempt to access admin pages with the intent to gain unauthorised access. These checks are purely for identification purposes using publicly accessible URLs.

Detecting the WordPress Version

Once you have confirmed the site uses WordPress, you can often determine the version from:

  • The generator meta tag: <meta name="generator" content="WordPress 6.x.x" />
  • The RSS feed at /feed/: search for <generator>https://wordpress.org/
  • Version-stamped script URLs: ?ver=6.4.2 appended to script and CSS file paths
  • The /readme.html file (if not deleted): displays the WordPress version prominently

Tools like Web Reveal can also surface the WordPress version automatically when it is detectable from these signals.

When WordPress Is Hidden

Some site owners take steps to obscure the fact that their site uses WordPress, particularly for security reasons. Common obfuscation techniques include:

  • Renaming /wp-content/ to a custom directory name
  • Removing the generator meta tag via a plugin or functions.php
  • Blocking /wp-login.php, /wp-admin/, and /xmlrpc.php
  • Stripping the ?ver= parameter from script and style URLs
  • Placing the WordPress installation in a subdirectory

Even with these measures, automated tools like Web Reveal use multiple signal layers and can often still confirm WordPress through patterns in JavaScript bundles, REST API responses, and other lower-level signatures.
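
To see which of the signals in this guide a response still exposes, for instance when auditing your own site after applying the steps above, the following added example (not Web Reveal's code) checks headers and HTML you have already saved. The signal labels, the `fingerprint` helper and both sample responses are constructed for this example.

```python
import re

# Signals described in this guide, as regexes over raw HTML (labels are this example's own).
HTML_SIGNALS = {
    "wp-content path": r"/wp-content/(?:uploads|themes|plugins)/",
    "wp-includes path": r"/wp-includes/(?:js|css)/",
    "generator meta": r'<meta\s+name="generator"\s+content="WordPress',
    "script/style handle": r'id="(?:jquery-core-js|wp-embed-js|dashicons-css)"',
}

def fingerprint(headers, html):
    """Return (signals found, version hints) for one captured response."""
    found = [name for name, rx in HTML_SIGNALS.items() if re.search(rx, html, re.I)]
    # REST API discovery header: header names are case-insensitive, so normalise them.
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "/wp-json/" in hdrs.get("link", ""):
        found.append("wp-json Link header")
    hints = {}
    m = re.search(r'name="generator"\s+content="WordPress ([\d.]+)"', html, re.I)
    if m:
        hints["generator"] = m.group(1)
    # ?ver= is only a hint: bundled libraries and plugins can carry their own versions.
    vers = re.findall(r'/wp-includes/[^"\']+\?ver=([\d.]+)', html)
    if vers:
        hints["ver_params"] = sorted(set(vers))
    return found, hints

# Constructed sample responses (not captured from any real site).
LINK = {"Link": '<https://example.com/wp-json/>; rel="https://api.w.org/"'}
DEFAULT_SITE = (LINK,
    '<meta name="generator" content="WordPress 6.4.2" />\n'
    '<link id="dashicons-css" href="/wp-includes/css/dashicons.min.css?ver=6.4.2">\n'
    '<img src="/wp-content/uploads/2024/01/logo.png">')
# The same page after three steps from the list above: content directory renamed,
# generator tag removed, ?ver= stripped. Core paths, handles and the header remain.
HARDENED_SITE = (LINK,
    '<link id="dashicons-css" href="/wp-includes/css/dashicons.min.css">\n'
    '<img src="/assets/uploads/2024/01/logo.png">')

if __name__ == "__main__":
    for label, (hdrs, html) in (("default", DEFAULT_SITE), ("hardened", HARDENED_SITE)):
        print(label, *fingerprint(hdrs, html), sep="\n  ")
```

Any signal still reported for the hardened sample is one the obfuscation steps did not cover, which is why partial hiding rarely conceals the CMS.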

Frequently Asked Questions

How can I tell if a website uses WordPress?

The fastest method is to scan the URL with Web Reveal. Manually, look for /wp-content/ in image or script URLs in the page source, or check for <meta name="generator" content="WordPress"> in the page HTML.

What is /wp-content/ and why does it reveal WordPress?

WordPress uses a directory called /wp-content/ to store uploaded media, themes, and plugins. URLs referencing this path in a page's HTML are a definitive indicator that the site runs on WordPress.

Can a WordPress site hide that it uses WordPress?

Yes. Developers can rename /wp-content/, remove the generator meta tag, and block admin URLs. However, complete concealment is difficult—automated scanners like Web Reveal detect WordPress through multiple signal layers even when basic obfuscation is applied.

Is there a free tool to check if a website uses WordPress?

Yes. Web Reveal is a free scanner that detects WordPress (including version and active plugins where visible) along with the full technology stack. No account or sign-up required.
