True. Comparing with Wappalyzer and BuiltWith, here's why we think we have something different (and maybe better):
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of thousands of them).
2. Ability to follow sites (and know what techs websites started using/ditched).
3. Very lightweight compared to our counterparts, and arguably better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you might've already noticed. Wappalyzer is fairly accurate, but limited in technologies.
WhatRuns is trying to be the best of both worlds.
We are using a deep learning algorithm to improve the detection. We also have a built-in module that automatically detects new web patterns – which we then manually curate to ensure accuracy.
We use several signals like code snippets, filename, directory name, header info and several others to accurately identify technologies. However, there are many possibilities where this can go wrong even with few signals correct. Every time we detect a technology, we calculate a probability of its accuracy and filter out the rest. This system self-learns and improves the identification over time. Hope this helps.
I like your website but what you are describing is not a deep learning algorithm. I'm not a big fan of people who do something well and then start going overboard with buzz words.
You are most likely have a system that consumes content, compares that content against known hashed variants. If there is no match, you diff against known variants and check if the output matches any of the 'minimal' implementations.
If you can't match anything, you simply stage that content for a manual review.
Thanks for telling us what we do at Whatruns. I’ll let the team know ;)
On a serious note, I'm with you on how new start-ups go overboard with buzz words. As for WhatRuns, it was intentional that we do not use any jargons to advertise our product on the website, Product Hunt or HackerNews, so that it does not lose its charm.
For a new startup to achieve this scale in technology identification and accuracy compared to established players with more than a decade of development (and data), it is self-evident that manual labour would not yield such a result. In fact, technology breakthroughs and an excellent technical team were the reason why we decided to give this shot in the first place.
We plan to publish a comparative study on our experience with the effectiveness and superior prediction quality of deep learning vs normal pattern identification on our blog (which we will soon move to Medium). Stay tuned! :)
Your extension only works on Chrome, and it is for a feature that is not used commonly. There is no good reason to install it on a web browser.
Installing it in a browser is also a threat that the extension might do more than just scanning sites, and even if it doesn't affect privacy it still encourages installing extra junk on web browsers.
We started with extension as developers/designers found it especially handy for a quick look-up while working on their projects. Not to worry though - we're working on something for the web as well! ️
That is if you access from Chrome. Please head over to our 'Download' page for Firefox: https://www.whatruns.com/downloads/
We haven't publicised other extensions due to lack of demand.
Extensions show you all the technologies used on a website. It does not redirect you to this page.
However, if you click on a particular technology from the extension, you'll be taken to the respective tech's page which has a small description and list of websites using it. We hope this is useful.
I'd put an asterisk next to #4 for now. On a couple ruby/rails apps we've built you listed the backend tech as cowboy/erlang. I saw your comment above about how hard it is to be accurate with thousands of frameworks but rails? We're using jwplayer, segment, and facebook (all of which you correctly detected, woohoo!) so maybe that is confusing things?
[edit] to be fair other options I tried don't detect the backend at all. This is a single page app with rails api so I get that might be harder than a rails app with server rendering and full page reloads.
If there’s no headers or obvious tells at a framework level, it can be hard to detect server-side code. Maybe Ruby-specific serialization in session cookies, or the name of session cookies, use of HTML templates or code gen or URL patterns... but there can be tons of false positives. Client-side is much easier and a whole different story. Same with pre-built client code like CSS in WordPress templates, or standard admin login pages.
The one advantage Wappalyzer has is that it changes its icon to show the primary technology the site is using (i.e. JS framework) so I can glance over and see "Oh, this is built with React".
If Whatruns had that feature, I'd seriously consider switching. But otherwise, there's just no way I could. It's way too convenient.
Noticed that it doesn't report correctly for subdomains - one of the sites I built is at foo.megacorp.com, but the extension reports the results for megacorp.com which is a separate property.
WR currently considers subdomains as a part of the main domain.
Most users like to know the full tech stack of a website. If there is a blog at blog.company.com and if it is using Intercom, it can be a useful data. I hope this makes sense.
Anyway, we will definitely address this concern and think about adding an option for subdomain separation.
Because that's how they make money. They go about creating a database of what websites use what technologies. They later sell that info to sales people as leads.
I'm not sure what extra tracking they do beyond that!
You can build a database by accepting URLs submitted by users, too. It just baffles me that people willingly install these extensions that—on the tin!—say that they can "Read and change all your data on the websites you visit". INSANE
I would try it as a bookmarklet but I never install Chrome extensions that ask for all data on all websites. It's just an insane permission for what should only get URLs when I explicitly ask it to.
I wish Chrome would add a permission like this "website URL of the current page with your express permission every invocation".
Because even though they can, that's not what they're doing.
I see comments like yours on this site pretty often, and it is tiring. There are many reasons people behave the way they do, and probably the most common reason is that their behaviors haven't caused them any harm as far as they know.
The warning "Read and change all your data on the websites you visit" is perhaps scary the first time you see it, but then it becomes insignificant as time goes by and as extensions get installed without causing any visible harm.
> The warning […] is perhaps scary the first time you see it, but then it becomes insignificant as time goes by…
Which is exactly why it's dangerous. Granting access like this without a thought to the potential consequences is just asking for a bad character to take advantage of the blind trust people place in extension authors.
The core issue is the options Chrome gives extension authors. Offering the ability to grant permissions per-site and per-use would greatly reduce the threat. Even just a per-use "Are you sure?" confirmation would help.
> The warning "Read and change all your data on the websites you visit" is perhaps scary the first time you see it, but then it becomes insignificant as time goes by and as extensions get installed without causing any visible harm.
LOL, what matters is the threat itself and not your waning level of apprehension over the threat. This is really a very, very strange comment. The point is there is no need for this to be a browser extension. Putting an input element and some AJAX on the page is trivial, so I really don't buy the excuse that they haven't had time to put together a web app yet.
> It just baffles me that people willingly install these extensions that—on the tin!—say that they can "Read and change all your data on the websites you visit".
It's disappointing you can't have finer grain permissions for Chrome Extensions. What's the alternative though if you can't make it a web service though? A Electron or native app for example would have even more permissions and could read any file on your computer.
I understand your concern, but as I mentioned in my previous comments, we started with extension as developers/designers found it especially handy for a quick look-up while working on their projects.
Also, our counterparts got a majority of their traction from browser extensions which made it our obvious priority (even though it wasn't the easiest of options).
Not to worry though - we're working on something for the web as well!
Comparing with Wappalyzer and BuiltWith, here's why we think we have something different (and maybe better):
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of thousands of them).
2. Ability to follow sites (and know what techs websites started using/ditched).
3. Very lightweight compared to our counterparts, and arguably better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you might've already noticed. Wappalyzer is fairly accurate, but limited in technologies. WhatRuns is trying to be the best of both worlds.
Heh, good luck doing this for HN. You might say "Arc," but it's been modified for a decade.
I wonder if the mods would ever be interested in being interviewed or talking about some of the tech. The last bit of Arc info we got was https://news.ycombinator.com/item?id=11240681, which was awesome.
It's pretty unique. I don't think any other large website in the world has written their own stack from top to bottom. Even Facebook uses php.
They use in-memory hash tables, which works since the whole site can be in memory.
Originally they did build their own http stack but switched to nginx for a reverse proxy. On the other hand I'm not sure how much they lean on nginx's facilities.
As mentioned in my previous comments, here's why we think we have something different (and maybe better) than our counterparts like Wappalyzer:
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of thousands of them).
2. Ability to follow sites (and know what techs websites started using/ditched).
3. Very lightweight compared to our counterparts, and arguably better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you might've already noticed. Wappalyzer is fairly accurate, but limited in technologies. WhatRuns is trying to be the best of both worlds.
Does anyone know what they are using to detect Wordpress?
Unfortunately some sites that I am responsible for running in production are WP and we try our best to hide this fact and block all admin functionality to the public due to WP's less-than-stellar history of security vulnerabilities. This is the first tool I've seen that has detected it and now I'm stumped.
Can't really hide wordpress because any time there's a new vulnerability, scrapers spam every site on the internet attempting to use it it anyway, regardless of what tech they're built on
It could be something as simple as the class names of elements on the page. WP has some defaults that are recognizable.
Also, most WP pages will be loading scripts from from the wp-includes directory. There are probably others I'm overlooking, and some WP plugins probably also drop recognizable script tags into your pages.
Since this is the first tool that has detected it, it's very possible you've already covered all of the things I mentioned.
The WP REST API is a new way to detect if a site is running WordPress. If you hit the homepage of a WordPress site it will return a link header with a location to the REST API. They can also just hit /wp-json/, or /xmlrpc.php, or many other files that WordPress requires. Like looking for assets served from wp-content, or wp-includes.
For cyph.com/blog, we have a WordPress instance accessible only by SSH tunnel, and what gets deployed publicly is a static site generated using a plugin called Simply Static (with a little bit of additional processing).
How long does it usually take for a small site to be generated using Simply Static? I tried it once before, and wasn't very impressed by the performance (I don't think it's a problem with the plugin, but maybe PHP itself).
Simply Static itself takes about a minute, but it's actually a decent amount longer because we have to simulate a browser and run retry logic to handle failures. All in all, with post-processing included, the static blog generation is the single longest part of our deployment process.
Ultimately it isn't a huge deal for us though, since it runs concurrently with other build/deployment steps that in total (sequentially) take a similar amount of time.
You really shouldn't be relying on security by obscurity to prevent attacks to your websites. If you check your access logs you'll see countless attacks that are unconditional, they'll just try the attacks without any kind of sanity checking.
I've run it on a simple bog-standard out-of-the-box Wordpress install with no obfuscation just now and it said "No apps found". Not sure what the issue is.
One thought I had was perhaps it uses some cached batch parser and shows "No apps found" for all sites on first-run until it finishes analysing in the background? It doesn't seem to work at all on a few very obvious but small/obscure CMS sites but works fine on all well-known high-traffic sites.
Edit: About 15 minutes after posting, this seems to work fine on my site now. Sorry for the confusion!
The spinner does not stop and it gives no results for my site (https://myhikes.org) - this is with both FireFox and Chrome extensions. Seems to work great for everything else though.
Just replying in case you're looking for new edge cases to debug!
It could be because of the peak time HN and PH created yesterday.
We had to queue all new URLs so that URLs that we once processed (almost all of the top 1M websites) work fine.
There were also minor downtimes between server upgrades.
We started with extension as developers/designers found it especially handy for a quick look-up while working on their projects. Not to worry though - we're working on something for the web as well! ️
Choosing a data vendor based upon the UI seems odd. Personally I'd chose whichever provider has the most accurate up to date information, but thats just me.
Yup, if they are basically the same but this is more intuitive and easier why not? As I don't depend on this (otherwise I'd agree) and it's just a "for fun" thing, the differences between them are negligible for me.
Hi Dustin, we started with extension as developers/designers found it especially handy for a quick look-up while working on their projects. Not to worry though - we're working on something for the web as well! ️
HN is remarkably fickle; a browser extension is a perfectly reasonable user-friendly mechanism for the service given the choices out there. There are privacy concerns given the coarse level of granularity that Chrome provides, but until Google changes that ("Read and change all data on websites you visit" shouldn't be the same thing as "give the current URL to the browser extension when I click its button"), that's just what we're stuck with for user friendliness.
We are truly stunned to see us on top of HN today! :)
WhatRuns is a free browser extension that shows you what runs a website – from ad networks and developer tools to fonts and Wordpress plugins. You can also follow websites and get notified when they add or remove technologies.
We soft-launched a couple of weeks back and was lucky enough to be picked up by the Chrome team. We were featured on the Chrome Webstore, landing us 12k active users in one week. It was a huge validation and helped us tremendously in squashing bugs and making a finished product. We realise we have a long way to go, and our little team is working round the clock to make it happen. We also launched on ProductHunt today: https://www.producthunt.com/posts/whatruns
Would love to hear what you think :)
UPDATE:
Thank you for all the feedback!
Sorry about the occasional false detections. We are looking into this. This is largely because we detect a considerably large number of technologies/plugins compared to our counterparts. Lots of possibilities for false pattern recognition etc.
Rest assured our team is working round the clock to improve accuracy and add more technologies/plugins.
Also, Our servers are going a bit cranky due to the huge traffic we are experiencing today. New websites (that was not loaded on WhatRuns before) are now queued up and might experience 2-3 seconds delay. This is to ensure best experience for our active users.
Sorry you feel that way. We truly understand your frustration with detection accuracy, but when there are tens of thousands of technologies to detect, the only solution is to break things and move fast.
We were featured on Chrome Webstore a few weeks back and got a great response (12k+ active users) helped us enormously in improving the accuracy and efficiency, and I'm sure HN and PH launch will be even more helpful in improving the product.
Sorry don't meant to be rude and I understand there are tens of thousands of technologies to detect. Kind of expecting your engine to be able to detect front end JS frameworks easier than backends, at least for those popular JS frameworks. In case you not notice the site I'm pointing to is the home page of VueJS and you're showing them using a competitor tech.
I totally understand your point, but WhatRuns is not a broken extension. Google blessed us with more than 10k+ active users by featuring us on the Chrome Webstore front page :) and we have been improving the technology ever since.
However, there is a lot of manual labour involved in correcting detection inaccuracies, which our team is working full-time on. Rest assured WR will only improve from here on. Thank you for dropping by!
Around ~2000 it became common knowledge to download the latest driver from the net instead of using the supplied one on the CD for hardware you just bought.
That is the assumption of broken hardware to be shipped 17 years avant la lettre?
Things are always broken at launch; you can’t prevent all the bugs and unexpected things always happen.
IMHO it’s a very good thing we’ve "accepted things are going to broken at launch"; the "ship early, release often" model works a lot better than "wait 10 years before release so that everything is perfect but you’re 9 years late".
Copying my previous reply:
Comparing with Wappalyzer and BuiltWith, here's why we think we have something different (and maybe better):
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of thousands of them).
2. Ability to follow sites (and know what techs websites started using/ditched).
3. Very lightweight compared to our counterparts, and arguably better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you might've already noticed. Wappalyzer is fairly accurate, but limited in technologies. WhatRuns is trying to be the best of both worlds.
WR currently considers subdomains as a part of the main domain.
Most users like to know the full tech stack of a website. If there is a blog at blog.company.com and if it is using Intercom, it can be a useful data. I hope this makes sense.
Anyway, we will definitely address this concern and think about adding an option for subdomain separation.
So as an example of where this is a problem - All NZ government websites are hosted underneath the govt.nz namespace, e.g. dia.govt.nz, treasury.govt.nz, ssc.govt.nz and so on.
But all of them are evaluated as one, govt.nz. But they are all quite separately hosted and operated and use differing technologies.
Looks like this works fine for other similar situations e.g. .co.uk.
This is a really cool service, thanks for making it available for use!
We frequently update our supporting TLDs to avoid this problem. It's important considering the plethora of new fancy TLDs that are popping up all the time.
Not sure if it's related to load, but whenever I try it on a long-tail site (i.e. not one you would have precached) it comes back with information about google.com instead of the domain I'm on.
Very strange. It is working fine on our side: https://cl.ly/1x150t1m0922
I'll check this with our developer and get on it right away. Thank you so much for taking time to report this!
It hangs on an old website, with the following error in the console:
TypeError: Cannot read property 'hostname' of undefined
at Object.setNoAppsFoundText (chrome-extension://cmkdbmfndkfgebldhnkbfhlneefdaaip/js/popup_final.js:153:22)
Fun. I'm getting a false positive for Rails (I'm using Passenger, but not Rails), and Elevio for documentation (never heard of it!). Other than that it guesses right.
We truly understand your frustration with detection accuracy, but when there are tens of thousands of technologies to detect, the only solution is to break things and move fast.
We were featured on Chrome Webstore a few weeks back and got a great response (12k+ active users) which helped us enormously in improving the accuracy and efficiency, and I'm sure HN and PH launch will be even more helpful in improving the product.
It is working on subdomains, but you are right that the primary domain is prioritised.
Most users like to know the full tech stack of a website. If there is a blog at blog.company.com and if it is using Intercom, it can be a useful data. I hope this makes sense.
Anyway, we will definitely address this concern and think about adding an option for subdomain separation.
Interesting choice of domain name. At first I thought this is WhatRunsWhere. [1] I checked a few WordPress sites that use CloudFlare, and it didn't detect WordPress. Let me know if you need the URLs.
That would be great! Please share the URLs in question so that we can take a look. We are squashing bugs one at a time ;)
Email: hello [at] whatruns.com.
Thanks!
I can’t speak for others, but I don’t like the clutter and potential security/privacy issues. I am not saying there are such issues, but it “feels” like there could be. I don’t have the time or desire to heavily vet extensions so I tend to avoid them. What they say they do and what they actually do — hard for me to quickly be able to verify them.
To address your concern with the privacy, WhatRuns do not collect or log any visitor information including IP address, location etc.
We receive anonymous website data and match with our database to display the results. Hope this clarifies.
> To address your concern with the privacy, WhatRuns do not collect or log any visitor information including IP address, location etc
That's not the whole truth - you are using Google Analytics to track visitors and you fail to disclose this in your privacy policy, despite this being mandatory under the Google Analytics T&C's.
Well done launching what looks like a very cool project, and I hope you can further improve it by informing visitors that you are using Google Analytics to track them (or even drop GA completely in favor of something privacy friendly).
We are using Google Analytics only on the website, it will not (and do not have access to) collect extension user data. However, you are right that we should've mentioned this in our privacy policy. We're on it :)
That’s nice. However, with a website, I don’t have to even worry about it as much. Basically “trust us” is a high bar to clear because the potential to gather data is still there.
Good luck with your thing. I am sure you did a ton of work; I am just naturally risk-adverse when it comes to installing extensions that that a potential to do things I might not want.
The golden rule of business: If you're onto a sweet money-maker, don't shout about it.
I'm currently working on a competitor to a site I read about that bragged about their business model, and if they'd have kept it to themselves they'd be facing one less competitor...
That article wasn't the first broad mention. I remember reading about BuiltWith being an outstanding one man project a couple of years ago, so I am in fact surprised the copycats took so long to show up.
Our servers are going a bit cranky due to the huge traffic we are experiencing today. New websites (that was not loaded on WhatRuns before) are now queued up and might experience few seconds of delay. This is to ensure best experience for our active users.
I tried it on a website of mine running on localhost using Python and it said languages "Python Node.js PHP Ruby" which seems a bit over enthusiastic as none of the non Python stuff was running.
241 comments
[ 4.6 ms ] story [ 249 ms ] threadEdit: Looks like I'm probably wrong since I see they have a tool named "Stack Scanner"
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of thousands of them).
2. Ability to follow sites (and know what techs websites started using/ditched).
3. Very lightweight compared to our counterparts, and arguably better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you might've already noticed. Wappalyzer is fairly accurate, but limited in technologies. WhatRuns is trying to be the best of both worlds.
No, you are not.
I'll explain.
We use several signals like code snippets, filename, directory name, header info and several others to accurately identify technologies. However, there are many possibilities where this can go wrong even with few signals correct. Every time we detect a technology, we calculate a probability of its accuracy and filter out the rest. This system self-learns and improves the identification over time. Hope this helps.
You are most likely have a system that consumes content, compares that content against known hashed variants. If there is no match, you diff against known variants and check if the output matches any of the 'minimal' implementations.
If you can't match anything, you simply stage that content for a manual review.
On a serious note, I'm with you on how new start-ups go overboard with buzz words. As for WhatRuns, it was intentional that we do not use any jargons to advertise our product on the website, Product Hunt or HackerNews, so that it does not lose its charm.
For a new startup to achieve this scale in technology identification and accuracy compared to established players with more than a decade of development (and data), it is self-evident that manual labour would not yield such a result. In fact, technology breakthroughs and an excellent technical team were the reason why we decided to give this shot in the first place.
We plan to publish a comparative study on our experience with the effectiveness and superior prediction quality of deep learning vs normal pattern identification on our blog (which we will soon move to Medium). Stay tuned! :)
Your extension only works on Chrome, and it is for a feature that is not used commonly. There is no good reason to install it on a web browser.
Installing it in a browser is also a threat that the extension might do more than just scanning sites, and even if it doesn't affect privacy it still encourages installing extra junk on web browsers.
BTW WhatRuns works on all major browsers.
[edit] to be fair other options I tried don't detect the backend at all. This is a single page app with rails api so I get that might be harder than a rails app with server rendering and full page reloads.
If Whatruns had that feature, I'd seriously consider switching. But otherwise, there's just no way I could. It's way too convenient.
Vs
https://www.whatruns.com/website/whatruns.com
Noticed that it doesn't report correctly for subdomains - one of the sites I built is at foo.megacorp.com, but the extension reports the results for megacorp.com which is a separate property.
Most users like to know the full tech stack of a website. If there is a blog at blog.company.com and if it is using Intercom, it can be a useful data. I hope this makes sense.
Anyway, we will definitely address this concern and think about adding an option for subdomain separation.
I'm not sure what extra tracking they do beyond that!
I would try it as a bookmarklet but I never install Chrome extensions that ask for all data on all websites. It's just an insane permission for what should only get URLs when I explicitly ask it to.
I wish Chrome would add a permission like this "website URL of the current page with your express permission every invocation".
I see comments like yours on this site pretty often, and it is tiring. There are many reasons people behave the way they do, and probably the most common reason is that their behaviors haven't caused them any harm as far as they know.
The warning "Read and change all your data on the websites you visit" is perhaps scary the first time you see it, but then it becomes insignificant as time goes by and as extensions get installed without causing any visible harm.
Which is exactly why it's dangerous. Granting access like this without a thought to the potential consequences is just asking for a bad character to take advantage of the blind trust people place in extension authors.
The core issue is the options Chrome gives extension authors. Offering the ability to grant permissions per-site and per-use would greatly reduce the threat. Even just a per-use "Are you sure?" confirmation would help.
LOL, what matters is the threat itself and not your waning level of apprehension over the threat. This is really a very, very strange comment. The point is there is no need for this to be a browser extension. Putting an input element and some AJAX on the page is trivial, so I really don't buy the excuse that they haven't had time to put together a web app yet.
It's disappointing you can't have finer grain permissions for Chrome Extensions. What's the alternative though if you can't make it a web service though? A Electron or native app for example would have even more permissions and could read any file on your computer.
Also, our counterparts got a majority of their traction from browser extensions which made it our obvious priority (even though it wasn't the easiest of options).
Not to worry though - we're working on something for the web as well!
BuiltWith has been around for a while and has it's own chrome extension [0]. It correctly identified fonts.google.com as using Angular.
[0] https://chrome.google.com/webstore/detail/builtwith-technolo...
The latter is what I've been using and seems to have more users with higher ratings
[1] - https://chrome.google.com/webstore/detail/wappalyzer/gppongm...
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of thousands of them).
2. Ability to follow sites (and know what techs websites started using/ditched).
3. Very lightweight compared to our counterparts, and arguably better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you might've already noticed. Wappalyzer is fairly accurate, but limited in technologies. WhatRuns is trying to be the best of both worlds.
I wonder if the mods would ever be interested in being interviewed or talking about some of the tech. The last bit of Arc info we got was https://news.ycombinator.com/item?id=11240681, which was awesome.
It's pretty unique. I don't think any other large website in the world has written their own stack from top to bottom. Even Facebook uses php.
Having to explicitly declare thread local access is a clever hack.
I also wonder what database they use (if any).
Did they also build their own http stack?
Originally they did build their own http stack but switched to nginx for a reverse proxy. On the other hand I'm not sure how much they lean on nginx's facilities.
[0] https://github.com/AliasIO/Wappalyzer/
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of thousands of them).
2. Ability to follow sites (and know what techs websites started using/ditched).
3. Very lightweight compared to our counterparts, and arguably better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you might've already noticed. Wappalyzer is fairly accurate, but limited in technologies. WhatRuns is trying to be the best of both worlds.
Unfortunately some sites that I am responsible for running in production are WP and we try our best to hide this fact and block all admin functionality to the public due to WP's less-than-stellar history of security vulnerabilities. This is the first tool I've seen that has detected it and now I'm stumped.
Can't really hide wordpress because any time there's a new vulnerability, scrapers spam every site on the internet attempting to use it it anyway, regardless of what tech they're built on
Also, most WP pages will be loading scripts from from the wp-includes directory. There are probably others I'm overlooking, and some WP plugins probably also drop recognizable script tags into your pages.
Since this is the first tool that has detected it, it's very possible you've already covered all of the things I mentioned.
- Rename paths to eliminate "wp-" prefixes and recognizable folder structure (wp-content, wp-include, etc)
- Remove or rename any common plugins that inject recognizable WP-specific code into the page
- Rewrite requests to bare paths instead of e.g. index.php
I assume you'd also try to do as much handling as possible at the Apache/NGINX layer instead of letting requests hit the WP application.
Seems like a HUGE amount of effort, and I'm probably not even getting everything. Is there a more efficient way of securing/locking-down a WP site?
Ultimately it isn't a huge deal for us though, since it runs concurrently with other build/deployment steps that in total (sequentially) take a similar amount of time.
One thought I had was perhaps it uses some cached batch parser and shows "No apps found" for all sites on first-run until it finishes analysing in the background? It doesn't seem to work at all on a few very obvious but small/obscure CMS sites but works fine on all well-known high-traffic sites.
The spinner does not stop and it gives no results for my site (https://myhikes.org) - this is with both FireFox and Chrome extensions. Seems to work great for everything else though.
Just replying in case you're looking for new edge cases to debug!
Oddly enough I restarted Chrome and Firefox twice before posting the comment in hopes that it was just my machine. Thanks for the sanity check!
https://www.whatruns.com/website/reddit.com
The URL has to be publicly accessible from the Internet, right?
Addressing your question, all URLs once passed through WhatRuns will be publicly accessible. You will have to use the extension for new sites for now.
We are truly stunned to see us on top of HN today! :)
WhatRuns is a free browser extension that shows you what runs a website – from ad networks and developer tools to fonts and Wordpress plugins. You can also follow websites and get notified when they add or remove technologies.
We soft-launched a couple of weeks back and was lucky enough to be picked up by the Chrome team. We were featured on the Chrome Webstore, landing us 12k active users in one week. It was a huge validation and helped us tremendously in squashing bugs and making a finished product. We realise we have a long way to go, and our little team is working round the clock to make it happen. We also launched on ProductHunt today: https://www.producthunt.com/posts/whatruns
Would love to hear what you think :)
UPDATE:
Thank you for all the feedback!
Sorry about the occasional false detections. We are looking into this. This is largely because we detect a considerably large number of technologies/plugins compared to our counterparts. Lots of possibilities for false pattern recognition etc. Rest assured our team is working round the clock to improve accuracy and add more technologies/plugins.
Also, Our servers are going a bit cranky due to the huge traffic we are experiencing today. New websites (that was not loaded on WhatRuns before) are now queued up and might experience 2-3 seconds delay. This is to ensure best experience for our active users.
Thank you so much for such a great response!
We were featured on Chrome Webstore a few weeks back and got a great response (12k+ active users) helped us enormously in improving the accuracy and efficiency, and I'm sure HN and PH launch will be even more helpful in improving the product.
Also, Wordpress doesn't seem to be detected, either, on my other website: https://johnrockefeller.net
It's 2017 man, things are launched with kinks all the time now. Your definition of launch ready doesn't have to apply to everyone else.
However, there is a lot of manual labour involved in correcting detection inaccuracies, which our team is working full-time on. Rest assured WR will only improve from here on. Thank you for dropping by!
Try running it on www.example.com and let me know how many of those are accurate.
That is the assumption of broken hardware to be shipped 17 years avant la lettre?
IMHO it’s a very good thing we’ve "accepted things are going to broken at launch"; the "ship early, release often" model works a lot better than "wait 10 years before release so that everything is perfect but you’re 9 years late".
From another comment I understand that it shows all detecting stuff for all subdomains, so this is the case.
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of thousands of them).
2. Ability to follow sites (and know what techs websites started using/ditched).
3. Very lightweight compared to our counterparts, and arguably better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you might've already noticed. Wappalyzer is fairly accurate, but limited in technologies. WhatRuns is trying to be the best of both worlds.
It seems to only look at the second-level domain, and thinks that websites with the same subdomain are the same.
They are not.
Most users like to know the full tech stack of a website. If there is a blog at blog.company.com and if it is using Intercom, it can be a useful data. I hope this makes sense.
Anyway, we will definitely address this concern and think about adding an option for subdomain separation.
But all of them are evaluated as one, govt.nz. But they are all quite separately hosted and operated and use differing technologies.
Looks like this works fine for other similar situations e.g. .co.uk.
This is a really cool service, thanks for making it available for use!
Thanks, and glad you liked the product!
https://www.whatruns.com/website/google.com
https://www.ideasenfoto.com/
I tried a great deal of sites using similar tech, and an infinite spin is all I get on all cases.
Please drop me a line if you're still experiencing this issue: jijo [at] whatruns.com. Thanks!
Looks like it's not picking up Django! ;)
We were featured on Chrome Webstore a few weeks back and got a great response (12k+ active users) which helped us enormously in improving the accuracy and efficiency, and I'm sure HN and PH launch will be even more helpful in improving the product.
Most users like to know the full tech stack of a website. If there is a blog at blog.company.com and if it is using Intercom, it can be a useful data. I hope this makes sense.
Anyway, we will definitely address this concern and think about adding an option for subdomain separation.
[1] https://www.whatrunswhere.com/
That's not the whole truth - you are using Google Analytics to track visitors and you fail to disclose this in your privacy policy, despite this being mandatory under the Google Analytics T&C's.
Well done launching what looks like a very cool project, and I hope you can further improve it by informing visitors that you are using Google Analytics to track them (or even drop GA completely in favor of something privacy friendly).
Good luck with your thing. I am sure you did a ton of work; I am just naturally risk-adverse when it comes to installing extensions that that a potential to do things I might not want.
The golden rule of business: If you're onto a sweet money-maker, don't shout about it.
I'm currently working on a competitor to a site I read about that bragged about their business model, and if they'd have kept it to themselves they'd be facing one less competitor...
I run jQuery, nginx have google analytics and have my ssl certificate with lets encrypt. All stuff that builtwith.com found without any issues.