View Source Unveils WordPress Sites

It’s not guessing, and it’s not magic. It’s not technical, either.

I can identify if a site’s using WordPress in a couple of seconds, depending on the speed of my very-slow Internet.

A web browser’s got a feature called View Source.

On Chrome, you can right click on a webpage, and you’ll see it in the lower part of the menu that pics up. (Or you could use the key combo Control+U)

Which, y’know, is fitting. If I am a cybercriminal and I know a whole lot about you, I could Control U. WordPress’s exposed code is quite gregarious.

From here, take a look at some code with me. Control+F opens up a Find window.

Type in wp- (that’s a hyphen). Or, if you want to be more scientific, the longer wp-includes.

If you get something – or better yet a lot of somethings – hello WordPress.

I built my first WordPress site in late 2003. A blog back when blogs were fairly new. The core structure of WordPress hasn’t changed much from when it was released 20 years ago as a blogging platform.

✦PHP Language
✦MySQL database
✦Templates/themes
✦Hierarchy to the underlying/supporting files
✦User interface where static (unchanging) pages can be set up and managed, menus built. Blog styling.
✦Oh, and plugin management

Plugins are external, or third-party programs. WordPress didn’t write them but supports their incorporation.

With each plugin a WordPress site uses, there’s risk of it being buggy, being out of date. That include themes – the core layout style you select when you build a WordPress site.

WordPress’ website tells you 43% of the web is built on WordPress.

It’s worth securing. As a priority. Here’s a quick laundry list to consider – not comprehensive.

🔎Change the administrator username to be something other than admin.
🔎Remove all unused themes.
🔎Back up your WordPress site.
🔎Ensure all plugins you use are up to date. If they can no longer be updated, replace them.
🔎Remove any plugins not in use.
🔎Make sure your site’s being regularly backed up.
🔎Add a TLS certificate (SSL) if you don’t have one
🔎Add multifactor authentication.

If your website merely displays data and has no additional users except you, this alone may be enough. If not, consider a strategic review and some poking around to find vulnerabilities in the code and operations of the site.

So back to this under-the-hood View Source code stuff. How cool is that?

I can discern the WordPress theme and some of the plugins used for the site I’m viewing…and more.

Related Posts

subdomain hijacking

Subdomain Hijacking and Trust

Cybersecurity /

What if https://www.something.com was the most trusted website in the world. What would you think of… heather.something.combuymystuff.something.com The heather.something and buymystuff.com are subdomains. Large companies often have a lot of subdomains mapped to various IP addresses via DNS. What does this mean? It means they may not have a good handle of all of…

Read More »

Scroll to Top