
Replacing a word, sentence or anything from your Html

The plugin also supports a visual interface module that is easier to use; see Replace arbitrary words from page HTML through a visual interface module.

By default the plugin offers many options to control the HTML data. Given the complexity of some environments, specific functionality is sometimes required to achieve the desired results.

There are multiple ways to make replacements within the outputted HTML: by making direct changes within the plugin/theme which produces the code block (obviously not preferable, as in the majority of cases it will break update functionality), by extending the plugin functionality (see Create a custom Module Component, extending the plugin functionality), or through the wph/ob_start_callback filter, which is the easiest way.

In a scenario where a custom WordPress plugin is used, let’s presume it outputs a sentence like Powered by WordPress, which we need replaced.

The easiest way is to use the wph/ob_start_callback filter along with custom code. This should be placed either within the theme functions.php or within a custom plugin (see Simple plugin framework to be used along with Wp Hide filters / actions and functionality extend)


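        // Register the callback on the plugin's output-buffer filter.
        add_filter( 'wph/ob_start_callback', 'custom_ob_start_callback' );

        // Receives the page HTML in $buffer and must return it.
        function custom_ob_start_callback( $buffer )
            {
                // Remove every occurrence of the sentence.
                $buffer = str_replace( 'Powered by WordPress', '', $buffer );

                return $buffer;
            }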

The above code uses a simple str_replace to replace all occurrences of the search string “Powered by WordPress” with the replacement string, in our case an empty text.
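A plain str_replace over the whole buffer also rewrites the sentence where it appears inside inline JavaScript or CSS, which can break that code. The variant below is an added example, not part of the plugin or of the original article: it applies the replacements only outside script and style blocks. The function names and the sample markup are hypothetical; only the wph/ob_start_callback filter comes from this page.

```php
<?php
// Added example (not the plugin's code): remove a string from the page
// but leave inline <script> and <style> blocks untouched. Names are hypothetical.

function custom_replace_outside_scripts( $buffer, array $replacements )
{
    // Pass through anything that is not a non-empty string.
    if ( ! is_string( $buffer ) || $buffer === '' ) {
        return $buffer;
    }

    // Split into alternating chunks: markup, captured script/style block,
    // markup, ... The capture group keeps the blocks in the result.
    $parts = preg_split(
        '#(<script\b[^>]*>.*?</script>|<style\b[^>]*>.*?</style>)#is',
        $buffer, -1, PREG_SPLIT_DELIM_CAPTURE
    );

    // On a PCRE failure return the page unchanged, never an empty response.
    if ( $parts === false ) {
        return $buffer;
    }

    foreach ( $parts as $i => $part ) {
        // Even indexes hold ordinary markup; odd indexes hold the blocks.
        if ( $i % 2 === 0 ) {
            $parts[ $i ] = str_replace( array_keys( $replacements ), array_values( $replacements ), $part );
        }
    }

    return implode( '', $parts );
}

function custom_ob_start_callback_safe( $buffer )
{
    return custom_replace_outside_scripts( $buffer, array( 'Powered by WordPress' => '' ) );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: hook into the filter described on this page.
    add_filter( 'wph/ob_start_callback', 'custom_ob_start_callback_safe' );
} else {
    // Stand-alone run on a constructed sample.
    echo custom_ob_start_callback_safe( "<p>Powered by WordPress</p><script>var c = 'Powered by WordPress';</script>" ), PHP_EOL;
}
```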

Plugin Usage

This plugin provides many options to secure and hide your WordPress website. It is important to understand what each option does, so the results should be checked on the front side to ensure no incompatibility / conflict is taking place. Be aware that not every option necessarily needs to be used, as certain functionalities may not be available in specific themes and certain plugins. For detailed explanations of all options see Plugin Options Explained

The plugin menu is structured into three main sections:

  • Rewrite
  • General / Html
  • Admin

Rewrite

This section includes functions to control almost everything related to URLs. Parent Theme / Child Theme, Individual Plugins, the default WordPress folder structure, Uploads, XML-RPC, JSON REST: all default URLs can be changed to something else, disguising the WordPress identity, which is otherwise very easy to identify without this plugin. The plugin makes reading the structure and identifying it through the HTML code almost impossible, as it simply no longer matches anything commonly used. The majority of WordPress identifiers / theme detectors will fail to find anything regarding WordPress, not being able to see the CMS of a site at all.

General / Html

The HTML output structure can be managed from this section. Different tag replacements or removals are controlled through these options: meta tags like the WordPress generator, wlwmanifest, feed_links, adjacent post links, canonical links, emoji, oembed, headers, HTML classes and IDs cleanup etc. At this point, taking advantage of those settings, WordPress becomes virtually impossible to detect. Even for large sites with complex structure and functionality, detection of WordPress fails since no traces of it are found anymore.

Admin

This section includes two powerful options: changing the default WordPress wp-login.php and changing the admin slug. This is the place through which the login/admin aspects of your site can be managed. The default URLs can be set to return the default theme 404 error (Not Found type), so they give no hint of a potential WordPress installation. The end user is shown a default 404 error page, suggesting that the link does not exist at all. Changing the default login / admin slugs brings a huge improvement to site security. One of the most important things is to eliminate brute force login attempts, which are pretty common for almost all sites. Hackers and hack bots always search for WordPress sites and try to guess their way in by exploiting weak logins. Since the default login / admin link is not available anymore, they will not know where to try. Besides the security aspect, the overall site speed also increases. Just imagine a hack bot trying thousands of login attempts in an hour, dramatically reducing the server's processing power and thus translating into a much slower page load response for regular users.

Admin – Change wp-admin

Despite the flexibility of the WordPress framework, there are few ways to customize the admin login URL to make it a bit safer against unauthorized access and brute force attempts. None of these methods is provided out of the box by WordPress core; they require custom code to make it happen.

Completely hide default WordPress admin url

By default, accessing any WordPress site through the wp-admin slug redirects to the actual login page. This is an example of the URL format:

http://-domain-name-/wp-admin

This redirects to

http://-domain-name-/wp-login.php

But this is something which everyone knows. We don’t want that; access to site management should be something private and definitely requires higher protection. How about changing it to something different, a link that only you know about?

New wp-admin slug

 
Type in the new admin URL slug which will be used instead of the default, e.g. new-admin

Per the above example, the new admin URL becomes

http://-domain-name-/new-admin

Once changed, the above url will be used to access any resources within WordPress Dashboard, from Posts and Pages section to Plugins, Appearance and Settings.

Block default wp-admin

 
This option can be used to disable the old slug and make it totally invisible. Any reference to the old URL will be redirected to a default theme 404 error page.

Admin – Change wp-login.php

Using WordPress as a CMS to manage your website turns it into a magnet for brute force login attempts from bots and hackers. The Codex has a dedicated page on this topic, Brute Force Attacks; it is a very sensitive area of your website and should get appropriate attention from everyone.

There are different methods to increase protection for the login page, from strong passwords to multi-factor protection. But still, the above does not block attempts from unauthorized users; anyone can try brute force access. Bots can do that by trying out hundreds of username and password combinations in a matter of minutes. Obviously that will slow down your site, and eventually the hacker will find working login credentials.

Completely hide default WordPress login url

By default the login page of your site will be

http://-domain-name-/wp-login.php

That’s something which everyone knows. How about changing it to something else, a URL that only you know?

New wp-login.php

 
Type in the new login page slug which will be used instead of the default, e.g. new-login

Per the above, the new login URL becomes

http://-domain-name-/new-login

Once the login URL has been changed, an automated e-mail is sent to the admin e-mail address with a recovery link which can be used if the new login URL has been lost.

Block default wp-login.php

 
If this option is activated the old login url will be blocked and a default theme 404 error page will be returned.

General / Html – Scripts

This section provides a way to control aspects of the front-side scripts loaded using the HTML script tag. An example of such a link:

<script type='text/javascript' id='jquery-framework' src='https://-domain-name-/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>

Remove Version

This option removes the JavaScript version number which is appended at the end of every script file URL. Generally, the version number is plain information about the JavaScript code in use. Keeping version numbers for scripts grants additional information to hackers who try to identify specific JavaScript code and versions known to be vulnerable.

Activating the option, per the above example the new tag becomes:

<script type='text/javascript' id='jquery-framework' src='https://-domain-name-/wp-includes/js/jquery/jquery.js'></script>

Remove ID from script tag

This removes the id attribute from the script tags. Most JavaScript asset IDs include references to WordPress and the plugins in use, like wp- qxshop-js etc.

Activating the option, the tag becomes:

<script type='text/javascript' src='https://-domain-name-/wp-includes/js/jquery/jquery.js'></script>

General / Html – Styles

This section provides methods to control the format of the style links displayed on the front side. An example of such a link:

<link rel='stylesheet' id='id-of-style' type='text/css' media='all' href='http://-domain-name-/wp-content/themes/default/css/style.css?ver=1.12.4' />

Remove Version

 
This provides a method to remove the style file version number which is appended at the end of every style link. Generally this is intended to be plain information about the style code version and is not used within any functionality or code run. Keeping version numbers for styles provides additional information to hackers who try to identify specific code and versions known to be vulnerable.

Remove ID from link tags

 
This provides a method to remove the style file ID attribute, which has no usage.

General / Html – Emoji

Originating on Japanese mobile phones in the late 1990s, emoji have become increasingly popular worldwide since their international inclusion in Apple’s iPhone, which was followed by similar adoption by Android and other mobile operating systems.

But not everyone uses emoji. Since WordPress loads the dependencies by default, it decreases the overall site speed. Disabling this will remove any code and related resources from being loaded on the front side.

Disable TinyMCE Emoji

Emoji support is also loaded along with the default WordPress TinyMCE editor, but it can be disabled through this option.

Both options can be used separately; each controls either the front side or the admin editor.

General / Html – Meta

Remove WordPress Generator Meta

Remove the autogenerated meta generator tag within head (WordPress Version).
Tag example:

<meta name="generator" content="WordPress 4.6.1" />

Remove Other Generator Meta

Remove other generator meta tags within head (e.g. Theme Name, Theme Version).
Tag example:

<meta content="Divi -  Child v.1.0.0" name="generator"/>

Removing such a meta tag creates issues for the BuddyPress plugin, which requires this piece of code for photo manipulation.
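To check on the front side that the Scripts, Styles and Meta options above took effect, the rendered HTML of your own pages can be scanned for the identifiers those options remove. This is an added example, not part of the plugin; the function name, the check labels and the sample markup (built from the tag examples on this page) are constructed here.

```php
<?php
// Added example: count leftover WordPress identifiers in rendered HTML.
// Function name, labels and sample markup are constructed for illustration.

function audit_wp_fingerprints( $html )
{
    $checks = array(
        'generator meta tag'        => '#<meta\b[^>]*\sname=["\']generator["\'][^>]*>#i',
        'version query on asset'    => '#<(?:script|link)\b[^>]*\s(?:src|href)=["\'][^"\']*[?&]ver=[^"\']*["\']#i',
        'id attribute on asset tag' => '#<(?:script|link)\b[^>]*\sid=["\'][^"\']+["\']#i',
        'default wp- directory'     => '#/wp-(?:content|includes|admin)/#i',
        'default login file'        => '#wp-login\.php#i',
    );

    $findings = array();
    foreach ( $checks as $label => $pattern ) {
        // preg_match_all returns the number of matches, or false on error.
        $count = preg_match_all( $pattern, $html, $matches );
        if ( $count ) {
            $findings[ $label ] = array( 'count' => $count, 'first' => $matches[0][0] );
        }
    }

    // An empty array means none of the checked identifiers were found.
    return $findings;
}

// Constructed sample: the page output before any option is activated.
$sample = <<<'HTML'
<meta name="generator" content="WordPress 4.6.1" />
<script type='text/javascript' id='jquery-framework' src='https://-domain-name-/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<link rel='stylesheet' id='id-of-style' href='http://-domain-name-/wp-content/themes/default/css/style.css?ver=1.12.4' type='text/css' media='all' />
HTML;

foreach ( audit_wp_fingerprints( $sample ) as $label => $hit ) {
    printf( "%-26s x%d  e.g. %s\n", $label, $hit['count'], $hit['first'] );
}
```

Run it against the saved HTML of a page before and after changing an option; a label that still appears points at the tag the option did not cover.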

Rewrite – URL Slash

By default the WordPress URL format includes an ending slash. There are situations when this slash is not appended. With this option turned on, all links will get a slash if it is not included by default.

This is also useful when someone tries to view a directory's content. On the majority of servers, when an existing directory or file is opened through a URL and the server configuration does not allow directory listing, the server returns a machine default 404 error page. But this reveals that the directory exists in the structure, which is really not wanted. With the URL Slash option turned on, the above URL returns a theme 404 error page, as if there is nothing at that link.
