Give away signs that a site is Drupal?

Question

I'm trying to alter my site in such a way so that when people view it, they don't know it's powered by Drupal. So, was wondering if there are any signs that give this away that I should know about?

Some of the giveaways I know of, are:

1. When adding content, it will say "node/add".
2. If the following file exists: misc/favicon.ico

etc

I'm looking for similar stuff?

Answer 1

You can't really escape people's suspicions. To do so, you'd have to change file-systems, stylesheets, markup, etc. This is unreasonable. Why does it matter if you're using Drupal?

Answer 2

People who knows Drupal may identify it by the source. But Drupal has no Generator Header like Joomla or others.

Answer 3

Let's look at a fairly customized page based on Drupal: http://www.losttheatre.co.uk/ (a random page from a Drupal sites repository). There are many giveaways:

• if you change www.example.com/link/link2 to www.example.com/?q=link/link2 and it still works and points to the right page
• www.example.com/user/1 gives you a profile page
• resources (imgs, css, etc) are in /sites/all|example.com/themes/ or sth similar
• there are CSS classes applied to many key elements of the site (like body) that do not change appearance - Drupal uses them to provide some info about the state of the page (like <body class="front not-logged-in page-front-page two-sidebars">)
• probably many others

My advice is: don't try too hard with hiding the CMS of your website, if a hacker wants to find out what CMS you are running, he/she will find out. I'd focus on keeping the CMS up-to-date (Drupal makes this easy) and also watching out which modules you are installing - they are the most likely attack vectors.

---

Since this question is still getting many hits, let me update it with an example of a website of a major company (one of the biggest telephone companies in Poland), that, to my (pleasant) surprise ,is using Drupal for its main site, http://dialog.pl/:

• The usual giveaway pages like /user/1, /login, etc. redirect to main page, so you can see the creators of the site have done their homework ;)
• ...but the source of the page contains my favourite give away: the usage of the zen theme: urls like /sites/all/themes/zen-dialog-main-page/../zen/css/page-strona_glowna.php or CSS styles applied: <body class="front not-logged-in node-type-page two-sidebars">
• One more give away is the update.php page that has the familiar Garland theme (props to Kevin for this one).

As you can see, it's still possible to tell that the website is using Drupal - and this is a website of a major corporation. So the above advice still holds: don't waste your resources on trying to hide the CMS you used, keep it up to date (that's why the update.php file is probably still in place), monitor security vulnerabilities, use strong passwords, etc.

Answer 4

• Login page is /user or /user/login
• Admin page is /admin or ?q=admin
• /node displays a listing of the latest nodes
• /node/n where n is a number displays the node with that number (for example /node/1 displays the first node ever created)
• The word 'node' or 'views' in objects' classes in view source.
• In things which are paginated, page 2 is actually displayed as page/1 or /1 in the URL (Drupal pagination URLs are sort of geeky like that).

Like others have said, don't worry too much about this. It's a waste of time. Just keep Drupal core and all your modules up to date (you can even set it to email you when security releases are released for your installed modules) and you shouldn't have to worry about a thing.

Answer 5

Quick ways to find out if a site is a Drupal site.

• Browse the source code and search for or Drupal.settings (appears on all sites using the google analytics module)
• go to www.example.com/CHANGELOG.txt if Drupalsite, will show the current version.

There are a lot of other ways that indicate if a site is a Drupal site, but the above is fast and certain.

Other signs would be.

• markup:
  • <div id="node-2020 ... (divs with id node-[number])
  • <div class="views- ... (divs with a class of views-[something]
  • class="clear-block" (clear-block is the drupal implementation of the clear-fix CSS trick)
• Urls:
  • node
  • node/[number]
  • node/add
  • admin -> giving 403
  • admin/build/modules -> giving a 403
• HTTP Expires header set to Dries' (the creator of Drupal) birthday

Answer 6

You're wasting your time:

Obscurity is not a form of security. And trying to hide Drupal may only tempt a hacker to beat you.

If there is a security flaw, you will almost certainly miss it and the hacker only has to try a specific attack vector. He or she is not going to check if it's Drupal or not. Your attack may come from software that won't care.

The changes you make to hide Drupal may actually make your site less secure. Especially if you change the core and are no longer able to tell if your site is up-to-date.

It's very likely that the effort you spend hiding Drupal can, instead be applied to a proven, effective security policy and get better results.

Answer 7

The expires headers are pretty unique as well. In fact they are set to Dries Buytaert (creator of Drupal) date of birth. As far as I can tell they have been set like the below since Drupal 4.6.

Expires: Sun, 19 Nov 1978 05:00:00 GMT

Answer 8

Dead giveaway:

Try going to update.php, you'll get Access Denied (and the Garland theme).

Answer 9

New Answer to old question. This site will tell you if a site is built with Drupal, and could give your game away. It does give false negatives though, so it might be worth it to test it out with that website and see how well you can obfuscate.