How to Hide WordPress Internal Path

sucuri-scan-result

Question:

Recently I scanned my website for malware using Sucuri’s Site Scanner, and while my site came back clean, I noticed there was a warning about “Wordpress internal path”…  Should I be concerned about this warning?

Answer:

Yes and no.  According to Sucuri’s documentation, such warning is a low level severity warning.  It is not an indication that your site has been hacked or infected.

However it does mean that someone from outside of your organization (i.e. hackers) could find out how your site is structured and organized internally.

While WordPress has a standardized file structure and it is not exactly a secret (all the information can be found in WordPress Codex), the internal path could reveal where your WordPress installation is at, which then could allow hackers to gain other information of your network.  And if you’re hosting your WordPress site on a shared host such as Hostgator, JustHost, BlueHost, GreenGeeks, GoDaddy, etc., your account username can be used as a folder name, and the internal path could be leaking your username by showing the folder path.

Luckily, you can hide this information fairly easily:

  • Find php.ini in your site’s root directory, and add the following line of code in the file
    display_errors = 0
    • If you have a dedicated server, or VPS, you should be able to find the file somewhere like /etc/php.ini
    • If you have a shared hosting service, you might be able to find it in /public_html or /etc
    • If you cannot find php.ini anywhere, you might not have the file in your directory. Some hosts allow you to create one. Contact your host or Google “php.ini [your host name]” (replace [your host name] with your hosting provider) to find out how to add a php.ini to your directory.
    • if you’re not sure, you should contact your host directly. Some hosts do not allow custom PHP environment configuration.
  • Find the specific file that the scan is warning about (for example, the current theme’s index.php), and add the following code at the beginning of the file (inside the PHP code bracket):
    error_reporting(0);

You might also want to add the following code your theme’s function.php to hide other WordPress information in the site’s header:


<?php      
      remove_action(‘wp_head’, ‘rsd_link’);
      remove_action(‘wp_head’, ‘wlwmanifest_link’);
      remove_action(‘wp_head’, ‘wp_generator’);
      remove_action(‘wp_head’, ‘start_post_rel_link’);
      remove_action(‘wp_head’, ‘index_rel_link’);
      remove_action(‘wp_head’, ‘adjacent_posts_rel_link’); 
?>

Additional Resources

WordPress Internal Path Warning (Sucuri documentation)
php.ini Directives
How to Hide The Fact That You’re Using WordPress
How to Hide WordPress Info from Your Source Code




  • cru

    FInally! Thanks for the solution!