Sourcemap Explorer
Add to Chrome
Detect CMS

How to detect WordPress on any website

The content management system that powers roughly 40% of the web.

Official site

What is WordPress?

WordPress is the single most-used CMS in the world, powering blogs, agency sites, e-commerce (via WooCommerce) and huge enterprise deployments. Its architecture revolves around plugins and themes loaded from predictable `/wp-content/` paths — which makes detection and enumeration easy.

WordPress was built on a simple premise: PHP-based templating plus a plugin/theme architecture that lets non-developers extend the system. Two decades later, that premise has produced the largest CMS ecosystem on the web. WordPress's plugin marketplace lists tens of thousands of plugins; its theme directory has more. The architecture of the site — how plugin assets are served from `/wp-content/plugins/<slug>/`, how themes live in `/wp-content/themes/<slug>/`, how `wp-includes/` serves core assets — is completely stable across versions, which makes detection and enumeration reliable. A WordPress site's plugin list often tells you more than its theme: WooCommerce means e-commerce; Elementor or Divi mean a page-builder-driven editorial experience; WPForms, Gravity Forms or Contact Form 7 tell you the form pipeline; Yoast or Rank Math is the SEO layer.

Why it matters to identify

On a WordPress site, the plugin list often matters more than the CMS itself. A single plugin can be responsible for page builders, checkout, forms, SEO, security or caching. Enumerating them turns a categorical 'WordPress' detection into an actionable tech breakdown.

A brief history of WordPress

WordPress started in 2003 as a fork of b2/cafelog. Its plugin system arrived in 2004 and has remained backwards-compatible for two decades. WooCommerce (the e-commerce plugin that dominates WordPress-based stores) was released in 2011. Gutenberg block editor replaced the classic TinyMCE editor in 2018 (WordPress 5.0). Full-Site Editing (FSE) with block themes arrived around 2022.

Ecosystem and common pairings

Common WordPress stacks: WooCommerce (e-commerce), Elementor (page builder), Yoast SEO, Advanced Custom Fields, Gravity Forms / WPForms, WP Rocket / W3 Total Cache, Wordfence / Sucuri (security), UpdraftPlus (backups). Hosting ranges from WP Engine / Kinsta / Pressable for managed installs to self-hosted on cPanel/VPS.

Detection signals we look at

Each signal alone is rarely conclusive; the detector cross-references all of them and weights by confidence. You can reproduce any of these checks yourself in Chrome DevTools.

Meta tag
<meta name="generator" content="WordPress

Default WordPress installs emit a generator tag with the version. Can be stripped by admins.

Script src URL
/wp-content/|/wp-includes/

Every WordPress asset is served from one of these paths. Almost impossible to hide on a working site.

Response headers
x-pingback: https?://.*/xmlrpc\.php

WordPress advertises its pingback endpoint via this header.

Cookies
wordpress_logged_in_|wp-settings-

Set after admin login. Present on editor/admin sessions.

URL pattern
/wp-login\.php|/wp-admin/

Admin entry points are identical across WordPress installs.

Versioning

Sites commonly running WordPress

  • techcrunch.com
  • thewaltdisneycompany.com
  • sony.com (regional)

Often confused with

WordPress vs Headless WordPress

A Next.js or Astro frontend backed by WordPress via WPGraphQL won't show `/wp-content/` on the page. The backend reveals itself only in API calls.

WordPress vs Ghost, Medium, Substack

These are blog-focused competitors but have their own asset paths (`/ghost/`, etc.) and their own meta-generator values.

FAQ

How do I find every plugin a WordPress site uses?

Enumerate `/wp-content/plugins/<slug>/` URLs in the Network tab. Sourcemap Explorer does this automatically and lists each slug on the Stack tab.

Can I tell if a WordPress plugin has a known vulnerability?

If you extract the slug and version from `?ver=` query parameters and correlate against the WordPress vulnerability database (wordfence, patchstack), yes. Not something casual detectors do automatically.

Related

Detect ShopifyList a site's WordPress pluginsIdentify a WP themeIdentify the CMS

See WordPress — with the exact version — on every site you visit.

Sourcemap Explorer runs these checks passively in the background. When the target library is bundled, you get the precise package.json-level version.

Install free on Chrome