Seven reliable signals that reveal whether any website runs on WordPress — no technical skills required.
WordPress powers over 40% of all websites on the internet. Whether you're researching a competitor, evaluating a potential client's site, or just curious, here are seven ways to find out if a site uses WordPress.
Our WordPress theme detector checks all seven signals below in one scan. Paste a URL and get an instant answer with confidence level, theme name, and detected plugins.
View the page source (Ctrl+U) and search for meta name="generator". WordPress sites often include:
<meta name="generator" content="WordPress 6.5">
This is the most direct confirmation, though some security plugins remove it.
Search the source code for wp-content. WordPress stores themes, plugins, and uploads in this directory. If you see paths like /wp-content/themes/ or /wp-content/uploads/, it's WordPress.
WordPress loads core JavaScript and CSS files from the /wp-includes/ directory. Finding wp-includes/js/jquery or similar paths confirms WordPress.
WordPress exposes its REST API via a Link header containing api.w.org. You can check this in browser DevTools under the Network tab — inspect the response headers for the main page request.
WordPress supports pingbacks (a legacy notification protocol). Check the response headers for X-Pingback pointing to /xmlrpc.php.
WordPress loads an emoji compatibility script by default. Search the source for wp-emoji-release.min.js. It's present on most WordPress sites unless explicitly disabled.
Sites using the WordPress block editor (Gutenberg) have CSS classes prefixed with wp-block-. This is a strong signal of modern WordPress installations (5.0+).
A single signal could theoretically be a false positive, though it's rare. Finding two signals gives medium confidence. Three or more signals is virtually certain — the site runs WordPress. Our detector uses all seven signals and reports a confidence level automatically.
Some WordPress sites are intentionally hardened to hide their CMS. Security plugins can remove the generator tag, rename the wp-content directory, and disable the REST API. Sites behind aggressive bot protection (like Cloudflare's challenge mode) also can't be scanned externally.
Headless WordPress setups — where WordPress serves as a backend API while the frontend uses React or Next.js — won't show typical WordPress signals either, since the rendered HTML comes from a different framework.
As of 2026, WordPress holds approximately 43% market share among all websites with a detectable CMS. This includes everything from personal blogs to major news sites like TechCrunch and The New Yorker. If you're checking a random website, there's nearly a 1 in 2 chance it's WordPress.
Technically yes, but it requires significant effort — renaming core directories, proxying assets, removing all default headers. Very few sites go this far. Even hardened WordPress sites usually leave at least one detectable signal.
No. These platforms have completely different source code signatures. Our detector won't produce false positives for non-WordPress platforms. If it says WordPress, it is WordPress.
WordPress.com is a hosted service that runs WordPress software. Both WordPress.com and self-hosted WordPress.org sites produce the same detection signals. Our tool detects both.
Want to check a specific site? Use our WordPress detector — paste any URL and get results in seconds.