Everything You Need to Know About Detecting WordPress Sites (From Someone Who's Seen Thousands)
Here's a fun fact: I can usually tell if a site is built with WordPress within about 5 seconds of loading it. My friends think it's a weird party trick. My girlfriend thinks I need more hobbies. But you know what? It's actually a useful skill, and I'm going to teach you everything I know about detecting WordPress sites.
Why? Because WordPress powers 43% of all websites. That's not a typo – forty-three percent. Which means you're going to encounter it a lot, whether you're a developer, business owner, or just someone who's curious about how the web works.
The "Too Easy" Methods (Start Here)
Let's begin with the obvious stuff that works 90% of the time.
Method 1: Just Look at the URL
Seriously, it's often this simple. Try adding /wp-admin/ to the end of any URL:
https://example.com/wp-admin/
If you see a WordPress login screen? Boom. That's WordPress. Took you 2 seconds.
I've actually had clients try to convince me their site wasn't WordPress while I'm literally looking at the wp-admin login page. "Are you sure it's WordPress?" Yes, Karen, I'm sure.
Method 2: The Famous /wp-content/ Directory
This is the biggest giveaway. Right-click on any page, select "View Page Source," and search for "wp-content."
See that? That's WordPress waving at you saying "Hey! I'm WordPress!"
The wp-content directory is where WordPress stores themes, plugins, and uploaded media. It's in virtually every WordPress site. If you see it, you've got WordPress. Case closed.
Method 3: The Generator Meta Tag
WordPress is polite enough to introduce itself in the page source. Look for this:
Well, hello there! Not only does it tell you it's WordPress, but it even tells you the version number. How nice.
Though, heads up – security-conscious site owners often remove this tag. So if you don't find it, that doesn't mean it's not WordPress. It might just mean they know what they're doing.
The "Pretty Easy" Methods (When the Obvious Fails)
Sometimes sites remove the obvious signs. That's when you dig a little deeper.
Check the Login Page Directly
WordPress login pages have a very specific look. Try these URLs:
- https://example.com/wp-login.php
- https://example.com/wp-admin/
- https://example.com/login/ (if they're using pretty permalinks)
Even if they've customized the login page, it often retains that distinct WordPress feel. The layout, the field names, the "Lost your password?" link – they all give it away.
I once spent 20 minutes trying to figure out what CMS a heavily customized site was using. Then I tried the wp-login.php URL and felt like an idiot. Always check the basics first.
Look for /wp-includes/
This is WordPress's core files directory. Search the source code for "wp-includes" and you'll often find:
Nobody voluntarily creates a directory called "wp-includes" except WordPress. If you see it, you've found your answer.
Check the REST API
WordPress has a REST API built in (since version 4.7). Try visiting:
https://example.com/wp-json/
If you get a JSON response with WordPress routes, congratulations – it's WordPress. Even better, this often works even when other signs are hidden.
The response will look something like:
{
  "name": "Example Site",
  "description": "Just another WordPress site",
  "url": "https://example.com",
  "namespaces": ["wp/v2", "wp/v1"],
  ...
}
See "Just another WordPress site" in there? That's the default tagline, and many people never change it.
Theme Detection (Getting Specific)
Once you know it's WordPress, you might want to know what theme they're using. Here's how.
The Manual Way
Look in the source code for theme references:
That tells you they're using Divi. Pretty straightforward.
You can also usually access the theme's stylesheet directly:
https://example.com/wp-content/themes/themename/style.css
The header of that file typically includes theme information:
/*
Theme Name: Twenty Twenty-One
Theme URI: https://wordpress.org/themes/twentytwentyone/
Author: the WordPress team
*/
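A parser for the stylesheet header shown above, as an added example (not the author's code or WordPress's own). The `Version` line in the sample is constructed, the function and constant names are illustrative, and the 8 KiB window mirrors how much of the file WordPress core reads when it looks for these headers.

```python
import re

# Constructed stylesheet modelled on the header above; the Version line is an added sample field.
SAMPLE_CSS = b"""/*
Theme Name: Twenty Twenty-One
Theme URI: https://wordpress.org/themes/twentytwentyone/
Author: the WordPress team
Version: 1.0
*/
body { margin: 0; }
"""

# "Template" is only present in child themes and names the parent theme.
HEADER_FIELDS = ("Theme Name", "Theme URI", "Author", "Version", "Template")
HEADER_WINDOW = 8192  # headers placed after the first 8 KiB are not read

def parse_theme_header(css_bytes):
    """Return the theme header fields found at the top of a style.css file."""
    head = css_bytes[:HEADER_WINDOW].decode("utf-8", errors="replace").replace("\r", "\n")
    found = {}
    for field in HEADER_FIELDS:
        # Allow comment decoration (" * ", "/*", "#") before the field name.
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.I | re.M)
        if m:
            # Drop a comment terminator that shares the line with the value.
            found[field] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return found

if __name__ == "__main__":
    for name, value in parse_theme_header(SAMPLE_CSS).items():
        print(f"{name}: {value}")
```

Run it against your own theme's style.css to see exactly which name and version any visitor can read.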
The Easy Way: Use a Tool
I'll be honest – I usually just use the WP Theme Detector plugin for Chrome. It's free, works instantly, and tells you:
- Theme name
- Theme author
- Theme version
- Whether it's a free or premium theme
- Where to download it (if it's free)
Click the extension icon while on a WordPress site, and boom – instant information. Saves so much time.
There's also IsItWP.com, which does the same thing online if you don't want to install an extension.
Why Theme Detection Matters
Knowing the theme can tell you:
1. Budget Level: Free theme = bootstrap budget. Premium theme = some investment. Custom theme = serious investment.
2. Technical Sophistication: Using a page builder theme like Divi or Elementor? They probably aren't developers. Using a framework like Genesis? They might be more technical.
3. Design Inspiration: Love their design? Knowing the theme can help you achieve something similar.
I've used theme detection countless times for competitive research. See a competitor's beautiful site? Detect the theme, buy it yourself, and you've got a head start on your redesign.
Plugin Detection (The Deep Dive)
Themes are one thing, but plugins are where WordPress sites really differ. Detecting plugins is trickier, but possible.
What You Can Easily Find
Many plugins leave traces in the source code. Search for:
That tells you they're using Contact Form 7. Easy.
Common visible plugins:
- Contact Form 7 (everyone uses this)
- Yoast SEO (leaves metadata)
- WooCommerce (e-commerce plugins are obvious)
- Cookie consent plugins (visible by design)
- Social sharing buttons
- Caching plugins (leave HTML comments)
What's Harder to Detect
Some plugins run entirely in the admin area or backend. These don't leave visible traces in the frontend code. You can't easily detect:
- Backup plugins
- Security plugins (ironically)
- Analytics plugins
- Database optimization tools
Using Detection Tools
For comprehensive plugin detection, there are specialized tools:
WPScan (Command Line)
wpscan --url https://example.com --enumerate p
This will enumerate plugins, but note: it's aggressive and some might consider it intrusive. Use responsibly and only on sites you own or have permission to scan.
BuiltWith.com
BuiltWith's commercial service can detect many WordPress plugins. It's not perfect, but it catches the major ones.
Browser Extension Method
Some detection extensions try to identify plugins by:
- JavaScript files they load
- CSS they add
- HTML they inject
- Cookies they set
Why Plugin Detection Matters
Understanding what plugins a site uses tells you:
1. Functionality: What features they've added
2. Tech Stack: What third-party services they integrate with
3. Potential Vulnerabilities: Outdated plugins are security risks
4. Performance Impact: Too many plugins = slower site
5. Cost: Premium plugins add up
I once analyzed a competitor's site and found they were using a specific lead generation plugin. Tried it ourselves, and it worked great. Saved us weeks of research.
Version Detection (The Security Angle)
Knowing the WordPress version is important for security assessment.
How to Find the Version
Method 1: Generator Tag
Simple, but often removed.
Method 2: readme.html File
Try accessing: https://example.com/readme.html
This file comes with every WordPress installation and includes version information. Many sites forget to delete it.
Method 3: RSS Feed
Check: https://example.com/feed/
The feed often includes:
https://wordpress.org/?v=6.4
Method 4: JavaScript File Versions
WordPress core JavaScript files often have version numbers:
That ?ver=6.4 tells you the version.
Why Version Matters
Outdated WordPress versions have known security vulnerabilities. If you're doing security research (ethically!), knowing the version helps you:
1. Identify potential vulnerabilities
2. Recommend updates
3. Assess overall security posture
I've contacted several site owners over the years to let them know they're running ancient, vulnerable WordPress versions. Some were grateful, others thought I was trying to hack them. Can't win 'em all.
When WordPress Hides (Advanced Detection)
Some sites really don't want you to know they're WordPress. They remove all the obvious signs. Here's how to still find them.
Check the Admin AJAX
WordPress uses admin-ajax.php for AJAX requests. Even heavily customized sites usually keep this. Look for:
https://example.com/wp-admin/admin-ajax.php
If it exists (even if it returns errors), it's probably WordPress.
Look for WP Emoji Script
WordPress adds emoji support by default. Look for:
wp-emoji-release.min.js
This is harder to remove and often overlooked by people hiding WordPress.
Check for WP JSON API
Even with other signs removed, the JSON API often remains:
https://example.com/wp-json/
If you get a response, it's WordPress.
Examine the HTML Comments
WordPress and many plugins leave HTML comments:
They're easy to miss but often forgotten when hiding WordPress signatures.
Look at the Cookie Names
WordPress sets cookies with specific names:
- wordpress_logged_in_[hash]
- wordpress_test_cookie
- wp-settings-[number]
Check the cookies (in DevTools → Application/Storage → Cookies) and you might see these.
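The page-source checks from the sections above, combined into one pass so you can audit what your own site's HTML discloses. This is an added example, not the author's code; the sample markup, the theme and plugin asset versions, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed page source for illustration (not captured from a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4" />
<link rel="alternate" href="https://example.com/wp-json/" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/Divi/style.css?ver=4.23" />
<link rel="stylesheet" href="https://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://example.com/wp-includes/js/wp-emoji-release.min.js?ver=6.4"></script>
</head><body>Hello</body></html>"""

GENERATOR = re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress ?([\d.]*)[^>]*>\s*', re.I)

def fingerprint(html):
    """Collect the WordPress markers exposed in one page's source."""
    gen = GENERATOR.search(html)
    # Bundled libraries (jQuery etc.) carry their own ?ver=, so take the most
    # common value on /wp-includes/ assets as the likely core version.
    vers = Counter(re.findall(r'/wp-includes/[^"\'\s>]+\?ver=([\d.]+)', html))
    return {
        "generator": (gen.group(1) or "unversioned") if gen else None,
        "asset_version": vers.most_common(1)[0][0] if vers else None,
        "themes": sorted(set(re.findall(r'/wp-content/themes/([^/"\'\s]+)/', html))),
        "plugins": sorted(set(re.findall(r'/wp-content/plugins/([^/"\'\s]+)/', html))),
        "rest_link": "/wp-json/" in html,
        "emoji_script": "wp-emoji-release.min.js" in html,
    }

def verdict(fp):
    """Require two independent markers before calling it WordPress."""
    hits = sum(1 for value in fp.values() if value)
    if hits >= 2:
        return "wordpress"
    return "possible wordpress" if hits == 1 else "no markers found"

def without_generator(html):
    """Simulate the common hardening step of removing only the generator tag."""
    return GENERATOR.sub("", html)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML), verdict(fingerprint(SAMPLE_HTML)))
    hardened = fingerprint(without_generator(SAMPLE_HTML))
    print("after removing generator tag:", hardened["generator"], hardened["asset_version"])
```

On the sample, removing only the generator tag still leaves the core version readable from the `?ver=` query strings, which is why version hiding has to cover asset URLs as well.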
Real-World Detection Examples
Let me share some actual experiences:
Case Study 1: The Custom WordPress Site
Had a client insist their competitor's site was "custom built from scratch" and way better than WordPress. Took me 2 minutes to find wp-content references in the source. It was WordPress with a custom theme. Client was relieved they didn't need to spend $50k on custom development.
Case Study 2: The Hidden WordPress
Analyzed a site with zero obvious WordPress signs. No wp-content, no generator tag, nothing. But the wp-json endpoint was active. One API call later, confirmed it was WordPress. They'd done a good job hiding it, but not good enough.
Case Study 3: The Security Disaster
Found a WordPress site running version 4.2 – which was released in 2015 and has dozens of known vulnerabilities. Contacted the owner, they had no idea. They thought because it was "still working" it was fine. Helped them update and secure it. Felt good.
Tools I Actually Use
Here's my honest toolkit for WordPress detection:
Daily Use:
- Chrome DevTools (built-in, free)
- Wappalyzer Extension (instant, easy)
- WP Theme Detector Extension (specific to themes)
When I Need More:
- BuiltWith.com (comprehensive)
- IsItWP.com (quick check)
- Netcraft Site Report (historical data)
For Serious Analysis:
- WPScan (command line, powerful)
- Manual source code review (old school but effective)
Never Use:
- Sketchy online scanners
- Tools that require downloading software
- Anything that feels too intrusive
Ethical Considerations
Let's have a serious moment. Just because you can detect all this information doesn't mean you should use it unethically.
Ethical Uses:
- Competitive research (understanding tech choices)
- Security research (finding vulnerabilities to report)
- Learning and education
- Client work (analyzing their own site)
Unethical Uses:
- Exploiting vulnerabilities
- Unauthorized penetration testing
- Stealing exact site setups
- Harassment or stalking
If you find a vulnerability, do the right thing: contact the site owner privately, give them time to fix it, and only disclose publicly if they ignore you for months.
I take this seriously. The web security community operates on trust and responsible disclosure. Don't be the person who breaks that.
What You Can Learn from WordPress Detection
Beyond just "it's WordPress," you can learn:
1. Development Budget: Theme and plugin choices indicate investment level
2. Technical Expertise: Custom vs off-the-shelf tells you about their team
3. Performance Priorities: Fast sites are optimized; slow ones aren't
4. Security Posture: Updated software shows they care about security
5. Growth Stage: Simple sites = early stage; complex sites = established
6. Design Trends: What themes and styles are popular in different industries
This information helps with competitive analysis, hiring decisions, partnership evaluations, and strategic planning.
Common Mistakes People Make
After teaching this to hundreds of people, here are the mistakes I see:
Mistake 1: Assuming wp-content means it's definitely WordPress
99% of the time, yes. But theoretically, someone could create a fake wp-content directory. I've never actually seen this, but it's technically possible.
Mistake 2: Thinking no obvious signs means it's not WordPress
Absence of evidence isn't evidence of absence. Dig deeper.
Mistake 3: Using sketchy detection tools
Stick to reputable tools. Some "WordPress detector" tools are actually malware or data collectors.
Mistake 4: Not checking multiple methods
One method might fail. Use several to confirm.
Mistake 5: Forgetting to check on mobile
Sometimes mobile sites are different. Check both desktop and mobile versions.
The Future of WordPress Detection
WordPress is evolving. Here's what I'm watching:
Headless WordPress
Using WordPress as a backend with a React/Vue/Next.js frontend makes detection trickier. The traditional signs aren't there, but the wp-json API usually is.
Better Security by Default
Future WordPress versions will probably hide more identifying information by default. Detection will require more sophisticated methods.
Block Editor Evolution
The Gutenberg block editor is changing how WordPress sites are built. This might create new detection patterns while making old ones obsolete.
SaaS WordPress
WordPress.com and managed WordPress hosts sometimes strip out identifying features. This trend will probably continue.
My Personal WordPress Detection Workflow
When I need to confirm if something is WordPress, here's exactly what I do:
1. Quick Check: Look for /wp-content/ in page source (10 seconds)
2. Try Login: Access /wp-admin/ (10 seconds)
3. API Check: Test /wp-json/ endpoint (10 seconds)
4. Tool Check: Use Wappalyzer extension (5 seconds)
5. Deep Dive: If still unsure, check multiple methods (2-5 minutes)
This workflow is fast and accurate. Works 95% of the time within the first minute.
Wrapping Up
WordPress detection is easier than most people think. Once you know what to look for, it becomes second nature. You'll start noticing WordPress sites everywhere (sorry, I've ruined the internet for you).
The key takeaways:
- Check /wp-content/ first – it's the biggest giveaway
- Try /wp-admin/ and /wp-json/ endpoints
- Use tools like Wappalyzer for speed
- Multiple detection methods confirm accuracy
- Respect privacy and security while detecting
- Use the information ethically and legally
Whether you're doing competitive research, security assessment, or just satisfying curiosity, these techniques will serve you well.
Now go forth and detect some WordPress sites! And maybe get a hobby that's less weird than mine...
---
What's your favorite WordPress detection method? Or have you found a site that successfully hid all signs? Share in the comments – I'd love to hear about it!