Platform
Wappalyzer browser extension / core detection engine (WordPress technology detection)
Describe the bug
After a recent update, the WordPress detector now produces false positives.
The DOM selectors were previously combined into a single rule, but they have been split into multiple independent selectors:
– div[class*=‘wp-block-group’] > div[class*=‘wp-block-’]
– link[rel=stylesheet][href*=’/wp-content/’]
– link[rel=stylesheet][href*=’/wp-includes/’]
– link[href*=’.wp.com’]
Because each selector is now evaluated independently, any single weak indicator (for example a single /wp-content/ or .wp.com reference) is enough to detect WordPress.
This causes false positives when third-party scripts (such as Google Tag Manager or CDNs) inject resources that match these patterns.
This behaviour did not occur prior to the rule change.
To Reproduce
1. Visit a non-WordPress website where Google Tag Manager injects a resource containing /wp-content/, /wp-includes/ or .wp.com.
2. Open Wappalyzer.
3. WordPress is detected even though the site is not running WordPress.
Example of what gets unintentionally matched (conceptually):
[src^=’/wp-content’], meta[name=‘generator’][content^=‘WordPress ‘], link[rel=‘dns-prefetch’][href=’//s.w.org’]
Expected behavior
WordPress should only be detected when multiple strong indicators are present, such as block-editor DOM structure, the WordPress generator meta tag, or both /wp-content/ and /wp-includes/.
Third-party injected resources should not trigger detection alone.
Additional context
The regression seems to come from splitting the original combined selector into several stand-alone selectors, making the detector overly permissive.
A more robust detector would group related signals or require more than one to match before identifying WordPress.
The commit that introduced this change was 7316fe9#diff-0e44086638908c6c3d6cd9e5418f5e94ec1063b006ce13c193aa38118a2f2dab
Platform
Wappalyzer browser extension / core detection engine (WordPress technology detection)
Describe the bug
After a recent update, the WordPress detector now produces false positives.
The DOM selectors were previously combined into a single rule, but they have been split into multiple independent selectors:
– div[class*=‘wp-block-group’] > div[class*=‘wp-block-’]
– link[rel=stylesheet][href*=’/wp-content/’]
– link[rel=stylesheet][href*=’/wp-includes/’]
– link[href*=’.wp.com’]
Because each selector is now evaluated independently, any single weak indicator (for example a single /wp-content/ or .wp.com reference) is enough to detect WordPress.
This causes false positives when third-party scripts (such as Google Tag Manager or CDNs) inject resources that match these patterns.
This behaviour did not occur prior to the rule change.
To Reproduce
1. Visit a non-WordPress website where Google Tag Manager injects a resource containing /wp-content/, /wp-includes/ or .wp.com.
2. Open Wappalyzer.
3. WordPress is detected even though the site is not running WordPress.
Example of what gets unintentionally matched (conceptually):
[src^=’/wp-content’], meta[name=‘generator’][content^=‘WordPress ‘], link[rel=‘dns-prefetch’][href=’//s.w.org’]
Expected behavior
WordPress should only be detected when multiple strong indicators are present, such as block-editor DOM structure, the WordPress generator meta tag, or both /wp-content/ and /wp-includes/.
Third-party injected resources should not trigger detection alone.
Additional context
The regression seems to come from splitting the original combined selector into several stand-alone selectors, making the detector overly permissive.
A more robust detector would group related signals or require more than one to match before identifying WordPress.
The commit that introduced this change was 7316fe9#diff-0e44086638908c6c3d6cd9e5418f5e94ec1063b006ce13c193aa38118a2f2dab