How to hide technologies from Wappalyzer

Most web technologies, including server-side software such as CMSs, leave trails of evidence of their presence in websites' HTML code. This code is publicly accessible, which is necessary for browsers to render and display the page. Wappalyzer is known to be very proficient exposing these technologies through various fingerprinting methods.

Keeping your website secure

It may seem concerning that information about your website's technology stack is exposed. After all, hackers often target platforms with known vulnerabilities all the time. However, simply knowing what software is in use is not enough to hack a website: there has to be a known, unpatched vulnerability to exploit.

It's crucially important to keep your software up-to-date. Well-known CMSs and frameworks are usually actively maintained by a company or community of skilled developers who fix security issues regularly. No software is perfectly secure and a level of maintenance will always be required.

Relying on secrecy as the main method of security is a practice widely rejected by security experts. However, a level of obscurity can help deter malicious hackers.

Hiding server-side technologies

Application security, at least in this context, mainly applies to server-side technologies as this is where database interactions and business processes happen. They're also easier to hide. Obscuring client-side libraries is a futile effort in almost all cases as the source code has to be sent to the browser to interpret and will always be discoverable.

To hide a technology from Wappalyzer, it helps to first understand how it works and what Wappalyzer looks for. Luckily, Wappalyzer is open-source and its library of fingerprints is publicly viewable. Refer to the documentation for more information.

We'll go through a few examples below.

Hide PHP from Wappalyzer

PHP can be identified by looking for the .php file extension in URLs the default PHPSESSID cookie. Rewriting URLs and changing the name of the cookie can make PHP harder to detect.

php.net/manual/en/session.configuration.php#ini.session.name

Hide Laravel from Wappalyzer

The Laravel PHP framework can also be identified by inspecting a websites' cookies. It's possible to change the default cookie name to prevent this.

laravel.com/docs/session

Hide Apache or Nginx version number from Wappalyzer

The Apache and Nginx web servers can be identified by looking for the Server response header when requesting a web page. By default this includes the version number. To avoid this, you can disable server tokens in the configuration file.

nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
httpd.apache.org/docs/current/mod/core.html#servertokens

Conclusion

The information exposed by Wappalyzer is already public to anyone and hiding it does not make your website secure. In most cases hiding a technology's characteristics ranges from impractical to impossible but as long as your software is up-to-date, it's not something to worry about.

Install the free browser extension to see technologies used on websites you visit at glance.

Subscribe to receive occasional product updates.