by didgeoridoo 3215 days ago
I'm curious what efforts you've made to "hide" WordPress. Can you share any of your techniques? I assume it's stuff like:

- Rename paths to eliminate "wp-" prefixes and recognizable folder structure (wp-content, wp-include, etc)

- Remove or rename any common plugins that inject recognizable WP-specific code into the page

- Rewrite requests to bare paths instead of e.g. index.php

I assume you'd also try to do as much handling as possible at the Apache/NGINX layer instead of letting requests hit the WP application.

Seems like a HUGE amount of effort, and I'm probably not even getting everything. Is there a more efficient way of securing/locking-down a WP site?

1 comments

For cyph.com/blog, we have a WordPress instance accessible only by SSH tunnel, and what gets deployed publicly is a static site generated using a plugin called Simply Static (with a little bit of additional processing).
How long does it usually take for a small site to be generated using Simply Static? I tried it once before, and wasn't very impressed by the performance (I don't think it's a problem with the plugin, but maybe PHP itself).
Simply Static itself takes about a minute, but it's actually a decent amount longer because we have to simulate a browser and run retry logic to handle failures. All in all, with post-processing included, the static blog generation is the single longest part of our deployment process.

Ultimately it isn't a huge deal for us though, since it runs concurrently with other build/deployment steps that in total (sequentially) take a similar amount of time.
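
An added example, not from the thread and not Cyph's deployment code: a pre-deployment check that scans a static export for the kinds of WordPress markers the question lists ("wp-" paths, recognizable injected markup, `.php` endpoints). The marker set, function names, the export directory layout and the sample pages are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Markers that commonly identify WordPress-generated output.
# This set is an illustrative assumption, not an exhaustive fingerprint list.
MARKERS = {
    "wp-path": re.compile(r"/wp-(?:content|includes|admin|json)\b", re.I),
    "generator-meta": re.compile(
        r'<meta[^>]+name=["\']generator["\'][^>]+WordPress', re.I),
    "php-endpoint": re.compile(
        r'(?:href|src|action)=["\'][^"\']*\.php\b', re.I),
    "xmlrpc": re.compile(r"xmlrpc\.php", re.I),
}

def find_wp_markers(html):
    """Return the sorted names of all markers present in one HTML document."""
    return sorted(name for name, rx in MARKERS.items() if rx.search(html))

def audit_pages(pages):
    """pages maps relative path -> HTML. Return only pages that leak markers."""
    report = {}
    for path, html in pages.items():
        hits = find_wp_markers(html)
        if hits:
            report[path] = hits
    return report

def audit_export(root):
    """Audit every .html file under a static export directory."""
    root = Path(root)
    pages = {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*.html")
    }
    return audit_pages(pages)

# Constructed sample pages: one clean, one still carrying WordPress residue.
SAMPLE = {
    "index.html": '<html><head><link rel="stylesheet" href="/assets/site.css">'
                  "</head><body>Hi</body></html>",
    "post/index.html": '<html><head><meta name="generator" content="WordPress 4.7">'
                       '<link rel="pingback" href="https://example.com/xmlrpc.php">'
                       '<script src="/wp-includes/js/jquery/jquery.js"></script>'
                       "</head></html>",
}

if __name__ == "__main__":
    for path, hits in audit_pages(SAMPLE).items():
        print(f"{path}: {', '.join(hits)}")
```

Run as a build step, a non-empty report from `audit_export` can fail the deployment before residue from the private WordPress instance reaches the public static site.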