Suppose the developers of one of your plugins made mistakes in version 1.4.5 and, as a result, that version of the plugin is vulnerable. An attacker knows about this vulnerability and is quite sure that a site running the fictitious plugin version 1.4.5 can be easily and successfully compromised.
How can the attacker find out the name and version of the plugin?
All plugins in WordPress are stored in the directory /wp-content/plugins. If you take a closer look at the HTML source of a page on the front end of the website, you can see how plugins load their resources, and this is exactly what exposes them:
Simply by looking at the URL below, we can see that the elementor plugin is installed on the blog.
Now we can easily find out the version of the plugin:
Hide information about plugins
In the Clearfy plugin, go to the “Protection” category, open the “Confidentiality of main directories” tab and find the “Change path to the plugins directory” group of settings. This group of settings helps hide your plugins and their content from attackers.
Now we need to configure this group of options correctly.
New path to plugins directory
Enter a new path to your plugins directory using only alphanumeric characters, with no slash at the beginning or at the end. For example, if you enter the word “modules”, the path to the elementor plugin becomes http://-domain-name-/modules/elementor/
Note: this setting does not change the actual names of the directories on disk. If the Clearfy plugin is turned off, the effect of the setting simply disappears, without consequences.
This setting replaces the plugin name with a random character string such as 79f6d4d2.
If the path to the elementor plugin previously looked like http://-domain-name-/modules/elementor/, then after the name is replaced the path becomes http://-domain-name-/modules/79f6d4d2/.
This setting has two options: rename only active plugins, or rename all plugins. Is it really necessary to rename inactive plugins? The point is that even when a plugin is deactivated, anyone can still access its files. Inactive plugins that do not violate coding standards are not under threat of being exploited. If you want to optimize site speed, select “Only active”. If you want to hide the fact that your website runs on WordPress, choose “All plugins”.
Block access to the directory
After you have changed the path to the plugins directory, the original directory is still accessible, because it is still linked and referenced. This option blocks access to it by URL, for example http://-domain-name-/wp-content/plugins/elementor/readme.txt. Now, if a user requests this page, they get the 404 error page of your theme by default.
Hide file readme.txt
We changed the path to the plugins directory and hid the plugin names. But if we open the link:
the readme.txt file opens and reveals the name of the plugin and its version. This is why it is important to block access to this file for all users.
In the Clearfy plugin, go to the “Protection” category, open the “Main settings” tab and find the “Files & Directories” sub-category.
Turn on the option “Hide service files (.txt,.log,.html)”. This option blocks access to all service files that contain information about your website.
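As an added self-check (example code written for this page, not part of Clearfy), the script below scans a page's HTML the way described at the start of this article and lists every plugin slug and ?ver= value exposed under the plugins directory. Run it against your own site's source before and after enabling the settings above to confirm that the path and the plugin names are really hidden. The HTML samples, the host example.test and the version numbers are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: front-end HTML before Clearfy hides anything.
# Asset URLs reveal the plugin directory, the plugin slug and a ?ver= value.
HTML_BEFORE = """
<link rel="stylesheet" href="https://example.test/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=1.4.5">
<script src="/wp-content/plugins/example-plugin/js/front.js?ver=2.0.1"></script>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
"""

# Constructed sample: only the path was changed to "modules"; slugs are still visible.
HTML_PATH_ONLY = """
<link rel="stylesheet" href="https://example.test/modules/elementor/assets/css/frontend.min.css?ver=1.4.5">
"""

# Constructed sample: path changed and plugin names replaced by random strings.
HTML_HIDDEN = """
<link rel="stylesheet" href="https://example.test/modules/79f6d4d2/assets/css/frontend.min.css?ver=1.4.5">
"""

# Any src= or href= attribute value in the page source.
ASSET_RE = re.compile(r"""(?:src|href)=["']([^"']+)["']""", re.IGNORECASE)


def find_exposed_plugins(html, plugins_dir="wp-content/plugins"):
    """Return sorted (slug, version) pairs for every plugin whose assets are
    loaded from plugins_dir. version is the ?ver= query value on the asset
    (None if absent); it is whatever the site reports, not a verified fact."""
    marker = "/" + plugins_dir.strip("/") + "/"
    found = {}
    for url in ASSET_RE.findall(html):
        parts = urlsplit(url)
        idx = parts.path.find(marker)
        if idx == -1:
            continue
        slug = parts.path[idx + len(marker):].split("/", 1)[0]
        if not slug:
            continue
        ver = parse_qs(parts.query).get("ver", [None])[0]
        # Keep the first version seen; fill in later if an earlier asset had none.
        if found.get(slug) is None:
            found[slug] = ver
    return sorted(found.items())


if __name__ == "__main__":
    print("before:", find_exposed_plugins(HTML_BEFORE))
    print("path only:", find_exposed_plugins(HTML_PATH_ONLY, plugins_dir="modules"))
    print("hidden:", find_exposed_plugins(HTML_HIDDEN, plugins_dir="modules"))
```

Pass the new directory name as plugins_dir after changing the path: if real slugs still appear there, only the path was renamed and the plugin names themselves are not yet hidden.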