Is it possible for a 3rd party to reliably discern your CMS?

Question

I don't know much about poking at servers, etc, but in light of the (relatively) recent Wordpress security issues, I'm wondering if it's possible to obscure which CMS you might be using to the outside world.

Obviously you can rename the default login page, error messages, the favicon (I see the joomla one everywhere) and use a non-default template, but the sorts of things I'm wondering about are watching redirects somehow and things like that. Do most CMS leave traces?

This is not to replace other forms of security, but more of a curious question.

Thanks for any insight!

Answer 1

Yes, many CMS leave traces like the forming of identifiers and hierarchy of elements that are a plain giveaway.

This is however not the point. What is the point, is that there are only few very popular CMS. It is not necessary to determine which one you use. It will suffice to methodically try attack techniques for the 5 to 10 biggest CMS in use on your site to get a pretty good probability of success.

Answer 2

A lot of CMS's have id, classnames and structure patterns that can identify them (Wordpress for example). URLs have specific patterns too. You just need someone experienced with the plataform or with just some browsing to identify which CMS it's using.

IMHO, you can try to change all this structure in your CMS, but if you are into all this effort, I think you should just create your own CMS.

It's more important to keep everything up to date in your plataform and follow some security measures than try to change everything that could reveal the CMS you're using.

Answer 3

In the general case, security by obscurity doesn't work. If you rely on the fact that someone doesn't know something, this means you're vulnerable to certain attacks since you blind yourself to them.

Therefore, it is dangerous to follow this path. Chose a successful CMS and then install all the available security patches right away. By using a famous CMS, you make sure that you'll get security fixes quickly. Your biggest enemy is time; attackers can find thousands of vulnerable sites with Google and attack them simultaneously using bot nets. This is a completely automated process today. Trying to hide what software you're using won't stop the bots from hacking your site since they don't check which vulnerability they might expect; they just try the top 10 of the currently most successful exploits.

[EDIT] Bot nets with 10'000 bots are not uncommon today. As long as installing security patches is so hard, people won't protect their computers and that means criminals will have lots of resources to attack. On top of that, there are sites which sell exploits as ready-to-use plugins for bots (or bots or rent whole bot nets).

So as long as the vulnerability is still there, camouflaging your site won't help.

Answer 4

Since this question is tagged "wordpress:" you can hide your wordpress version by putting this in your theme's functions.php file:

add_action('init', 'removeWPVersionInfo');

function removeWPVersionInfo() {
    remove_action('wp_head', 'wp_generator');
}

But, you're still going to have the usual paths, i.e., wp-content/themes/ etc... and wp-content/plugins/ etc... in page source, unless you figure out a way to rewrite those with .htaccess.