HN Gopher Feed (2017-08-25) - page 1 of 10
___________________________________________________________________
Whatruns: Identify technologies used on any website
293 points by mcone
https://www.whatruns.com/
___________________________________________________________________
maxekman - 9 hours ago
Awesome tool! I have often wondered about which tech sites use but
almost never bother with checking the source etc.
jijosunny - 1 hours ago
Awesome. Thank you so much for your kind words!
skratlo - 5 hours ago
Please do make the extension open source, as it has access to all
website data, mind the privacy, show us the code.
Chirael - 5 hours ago
Not likely, unfortunately: "Our proprietary pattern recognition
algorithm efficiently detects even the latest web technologies
and plugins used on websites." (https://www.whatruns.com/about)
anotherbrownguy - 4 hours ago
Very unlikely that it does this client side. I presume the
extension basically makes an API call with the url of the
current site.
icebraining - 2 hours ago
You don't need their permission to look at the code, just use
something like http://crxextractor.com/ to fetch the CRX from the
Chrome Web Store, then rename to .zip and extract.
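The inspection described in the comment above, taken one step further as an added example (not code from the thread or from WhatRuns): it strips the CRX container header, reads `manifest.json` from the ZIP inside, and reports whether the extension asks for access to every site. The extension name, manifest contents and header bytes are constructed sample data.

```python
import io
import json
import struct
import zipfile

# Host patterns that give an extension access to every site the user visits
# (the install prompt words this as "Read and change all your data on the
# websites you visit").
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def zip_offset(crx: bytes) -> int:
    """Offset of the ZIP archive inside a CRX2/CRX3 file (0 for a plain ZIP)."""
    if crx[:4] != b"Cr24":
        return 0
    (version,) = struct.unpack_from("<I", crx, 4)
    if version == 2:
        # magic, version, public key length, signature length, key, signature
        key_len, sig_len = struct.unpack_from("<II", crx, 8)
        return 16 + key_len + sig_len
    if version == 3:
        # magic, version, header length, header
        (header_len,) = struct.unpack_from("<I", crx, 8)
        return 12 + header_len
    raise ValueError(f"unsupported CRX version {version}")


def read_manifest(crx: bytes) -> dict:
    """Parse manifest.json out of the archive without unpacking it to disk."""
    with zipfile.ZipFile(io.BytesIO(crx[zip_offset(crx):])) as zf:
        return json.loads(zf.read("manifest.json").decode("utf-8-sig"))


def audit_manifest(manifest: dict) -> dict:
    """Summarise how much of the user's browsing the extension can reach."""
    declared = [
        p
        for key in ("permissions", "host_permissions")
        for p in manifest.get(key, [])
        if isinstance(p, str)
    ]
    broad = sorted(p for p in declared if p in BROAD_HOSTS)
    injected = sorted(
        script
        for entry in manifest.get("content_scripts", [])
        if BROAD_HOSTS & set(entry.get("matches", []))
        for script in entry.get("js", [])
    )
    return {
        "name": manifest.get("name"),
        "broad_host_permissions": broad,
        "scripts_injected_everywhere": injected,
        # activeTab limits access to the current tab, and only after the
        # user invokes the extension.
        "uses_active_tab": "activeTab" in declared,
        "all_sites_access": bool(broad or injected),
    }


def build_sample_crx() -> bytes:
    """Constructed CRX3-style file: dummy header bytes followed by a ZIP."""
    manifest = {
        "manifest_version": 2,
        "name": "Example Stack Detector",  # hypothetical extension
        "version": "1.0",
        "permissions": ["tabs", "storage", "http://*/*", "https://*/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["js/content.js"]}],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    header = b"\x00" * 24  # stands in for the signed header, not parsed here
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


if __name__ == "__main__":
    report = audit_manifest(read_manifest(build_sample_crx()))
    print(json.dumps(report, indent=2))
```

The manifest only shows what the extension is allowed to do; what it sends to its backend still has to be read out of the extracted scripts.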
Doctor_Fegg - 8 hours ago
Fun. I'm getting a false positive for Rails (I'm using Passenger,
but not Rails), and Elevio for documentation (never heard of it!).
Other than that it guesses right.
floriferous - 8 hours ago
It hangs on an old website, with the following error in the
console: TypeError: Cannot read property 'hostname' of undefined
at Object.setNoAppsFoundText (chrome-extension://cmkdbmfndkfgebldhnkbfhlneefdaaip/js/popup_final.js:153:22)
ishitatsuyuki - 8 hours ago
Really inaccurate. Just tried and it reported React for
Vue/Nuxt.js, CloudFlare and nginx for Zeit now.sh.
jijosunny - 1 hours ago
We truly understand your frustration with detection accuracy, but
when there are tens of thousands of technologies to detect, the
only solution is to break things and move fast. We were featured
on Chrome Webstore a few weeks back and got a great response
(12k+ active users) which helped us enormously in improving the
accuracy and efficiency, and I'm sure HN and PH launch will be
even more helpful in improving the product.
bognition - 9 hours ago
Looks to be very similar to https://builtwith.com/
jo909 - 7 hours ago
https://builtwith.com/Whatruns.com Vs
https://www.whatruns.com/website/whatruns.com
myth_drannon - 9 hours ago
or https://stackshare.io/
nmbr213 - 9 hours ago
or https://wappalyzer.com/
mkagenius - 8 hours ago
or for android apps :
https://android.fallible.co/builtwith/zendesk/1
michaelmior - 7 hours ago
My understanding is that StackShare doesn't detect the
technologies that are used but simply displays information that
has been manually recorded. Edit: Looks like I'm probably wrong
since I see they have a tool named "Stack Scanner"
jijosunny - 8 hours ago
True. Comparing with Wappalyzer and BuiltWith, here's why we
think we have something different (and maybe better):
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of
thousands of them).
2. Ability to follow sites (and know what techs websites started
using/ditched).
3. Very lightweight compared to our counterparts, and arguably
better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you
might've already noticed. Wappalyzer is fairly accurate, but
limited in technologies. WhatRuns is trying to be the best of
both worlds.
takeda - 6 hours ago
At least they do it properly; as a site. Your extension only
works on Chrome, and it is for a feature that is not used
commonly. There is no good reason to install it on a web
browser. Installing it in a browser is also a threat that the
extension might do more than just scanning sites, and even if
it doesn't affect privacy it still encourages installing extra
junk on web browsers.
jijosunny - 6 hours ago
We started with extension as developers/designers found it
especially handy for a quick look-up while working on their
projects. Not to worry though - we're working on something
for the web as well! BTW WhatRuns works on all major
browsers.
dbrgn - 4 hours ago
The extension does not seem to work on Firefox for Android,
even though it's installable.
takeda - 6 hours ago
I only see Chrome buttons on the site.
jijosunny - 5 hours ago
That is if you access from Chrome. Please head over to
our 'Download' page for Firefox:
https://www.whatruns.com/downloads/ We haven't publicised
other extensions due to lack of demand.
takeda - 4 hours ago
I'm on firefox and just checked it sends proper user
agent (for firefox 55)
iiv - 6 hours ago
Theirs also works as a site. For example
https://www.whatruns.com/website/minecraft.net. But as far as
I know you would have to write that manually, without a
web-interface.
takeda - 6 hours ago
Which makes things look even worse. If all the extension
does is just redirect to that page, why is it even needed?
jijosunny - 5 hours ago
Extensions show you all the technologies used on a
website. It does not redirect you to this page. However,
if you click on a particular technology from the
extension, you'll be taken to the respective tech's page
which has a small description and list of websites using
it. We hope this is useful.
eagsalazar2 - 5 hours ago
I'd put an asterisk next to #4 for now. On a couple ruby/rails
apps we've built you listed the backend tech as cowboy/erlang.
I saw your comment above about how hard it is to be accurate
with thousands of frameworks but rails? We're using jwplayer,
segment, and facebook (all of which you correctly detected,
woohoo!) so maybe that is confusing things? [edit] to be fair
other options I tried don't detect the backend at all. This is
a single page app with rails api so I get that might be harder
than a rails app with server rendering and full page reloads.
lstamour - 5 hours ago
If there's no headers or obvious tells at a framework level,
it can be hard to detect server-side code. Maybe
Ruby-specific serialization in session cookies, or the name of
session cookies, use of HTML templates or code gen or URL
patterns... but there can be tons of false positives.
Client-side is much easier and a whole different story. Same with
pre-built client code like CSS in WordPress templates, or
standard admin login pages.
trjordan - 7 hours ago
How is WhatRuns more accurate? Are you doing something
different to get your information?
jijosunny - 6 hours ago
We are using a deep learning algorithm to improve the
detection. We also have a built-in module that automatically
detects new web patterns - which we then manually curate to
ensure accuracy.
[deleted]
korzun - 5 hours ago
> We are using a deep learning algorithm to improve the
> detection.
No, you are not.
jijosunny - 5 hours ago
@korzun I'll explain. We use several signals like code
snippets, filename, directory name, header info and
several others to accurately identify technologies.
However, there are many possibilities where this can go
wrong even with few signals correct. Every time we detect
a technology, we calculate a probability of its accuracy
and filter out the rest. This system self-learns and
improves the identification over time. Hope this helps.
apocalyptic0n3 - 8 hours ago
Doesn't seem to work on subdomains, unfortunately. Just does the
main domain instead
jijosunny - 1 hours ago
It is working on subdomains, but you are right that the primary
domain is prioritised. Most users like to know the full tech stack
of a website. If there is a blog at blog.company.com and if it is
using Intercom, it can be useful data. I hope this makes
sense. Anyway, we will definitely address this concern and think
about adding an option for subdomain separation.
dsr_ - 9 hours ago
+1 for having a privacy policy linked from their home page that
addresses both their browser extension and their website.
jijosunny - 1 hours ago
Thank you, first thing we did before the launch!
jasonrhaas - 7 hours ago
I'm leery of Chrome Extensions. They are basically just a plot to
collect your usage data and sell it to marketing companies. I have
disabled almost all Chrome extensions and locked down my browser.
I got tired of the super targeted, annoying advertisements that
were being thrown at me. Check out the privacy policy before
installing any Chrome Extension. https://www.whatruns.com/privacy
jijosunny - 6 hours ago
To address your concern with the privacy, WhatRuns do not collect
or log any visitor information including IP address, location
etc. We receive anonymous website data and match with our
database to display the results. Hope this clarifies.
sweep4r - 9 hours ago
No need to install anything, just follow this
url: https://www.whatruns.com/website/reddit.com
joekrill - 9 hours ago
Why no input on the page itself for something like that?
jijosunny - 2 hours ago
We started with extension as developers/designers found it
especially handy for a quick look-up while working on their
projects. Not to worry though - we're working on something for
the web as well!
jaden - 8 hours ago
Thanks for sharing that link. Here's a bookmarklet (as opposed to
the Chrome extension) to launch this on whatever site you're on:
javascript:void(window.open('https://www.whatruns.com/website/'+window.location.hostname));
charlieegan3 - 6 hours ago
This doesn't seem to work for all sites, for example my site
https://charlieegan3.com doesn't work:
https://www.whatruns.com/website/charlieegan3.com
max23_ - 6 hours ago
I think the link is just returning cached result that was
already identified with the extension.
thekonqueror - 8 hours ago
Interesting choice of domain name. At first I thought this is
WhatRunsWhere. [1] I checked a few WordPress sites that use
CloudFlare, and it didn't detect WordPress. Let me know if you need
the URLs. [1] https://www.whatrunswhere.com/
jijosunny - 1 hours ago
That would be great! Please share the URLs in question so that we
can take a look. We are squashing bugs one at a time ;) Email:
hello [at] whatruns.com. Thanks!
fokinsean - 8 hours ago
From these comments, I didn't realize how much dislike there is for
chrome extensions.
briandear - 8 hours ago
I can't speak for others, but I don't like the clutter and
potential security/privacy issues. I am not saying there are such
issues, but it "feels" like there could be. I don't have the time
or desire to heavily vet extensions so I tend to avoid them. What
they say they do and what they actually do - hard for me to
quickly be able to verify them.
jijosunny - 8 hours ago
To address your concern with the privacy, WhatRuns do not
collect or log any visitor information including IP address,
location etc. We receive anonymous website data and match with
our database to display the results. Hope this clarifies.
tombrossman - 6 hours ago
> To address your concern with the privacy, WhatRuns do not
> collect or log any visitor information including IP address,
> location etc
That's not the whole truth - you are using Google
Analytics to track visitors and you fail to disclose this in
your privacy policy, despite this being mandatory under the
Google Analytics T&C's. Well done launching what looks like a
very cool project, and I hope you can further improve it by
informing visitors that you are using Google Analytics to
track them (or even drop GA completely in favor of something
privacy friendly).
jijosunny - 6 hours ago
We are using Google Analytics only on the website, it will
not (and do not have access to) collect extension user
data. However, you are right that we should've mentioned
this in our privacy policy. We're on it :)
briandear - 4 hours ago
That's nice. However, with a website, I don't have to even
worry about it as much. Basically "trust us" is a high bar to
clear because the potential to gather data is still
there. Good luck with your thing. I am sure you did a ton of
work; I am just naturally risk-averse when it comes to
installing extensions that have a potential to do things I
might not want.
ipunchghosts - 4 hours ago
Nobody mentioned netcraft!
franciscop - 9 hours ago
This is beautiful! While there are similar alternatives, I love the
looks of Whatruns so I'll stick with it. The URL has to be publicly
accessible from the Internet, right?
bognition - 8 hours ago
Choosing a data vendor based upon the UI seems odd. Personally
I'd choose whichever provider has the most accurate up to date
information, but that's just me.
franciscop - 5 hours ago
Yup, if they are basically the same but this is more intuitive
and easier why not? As I don't depend on this (otherwise I'd
agree) and it's just a "for fun" thing, the differences between
them are negligible for me.
jijosunny - 1 hours ago
Thank you so much! I'll share this comment with our designer
;) Addressing your question, all URLs once passed through WhatRuns
will be publicly accessible. You will have to use the extension
for new sites for now.
cosinetau - 6 hours ago
Off topic, but, has anyone else been able to identify software
frameworks by the behavior the application presents before? I find
myself getting slightly better at this as I spend more time in web
development.
garethsprice - 9 hours ago
Useful, thanks! Noticed that it doesn't report correctly for
subdomains - one of the sites I built is at foo.megacorp.com, but
the extension reports the results for megacorp.com which is a
separate property.
jijosunny - 1 hours ago
WR currently considers subdomains as a part of the main
domain. Most users like to know the full tech stack of a website.
If there is a blog at blog.company.com and if it is using
Intercom, it can be useful data. I hope this makes
sense. Anyway, we will definitely address this concern and think
about adding an option for subdomain separation.
[deleted]
uyoakaoma - 9 hours ago
Looks similar to stackshare
hk__2 - 3 hours ago
If you prefer the command-line, whatweb has been around for a while
(first public release in 2009):
https://github.com/urbanadventurer/WhatWeb
joshdance - 2 hours ago
Love the design. Nice work guys. Are you going to be selling leads
based on tech info as well?
jijosunny - 2 hours ago
Thanks! I'll share this comment with our designer :) Our business
model will be similar to that of BuiltWith's, i.e. selling list of
websites using a particular technology. For eg., list of websites
using Drift chat (https://www.whatruns.com/technology/drift) will
be a super-useful competitive intelligence for other live-chat
start-ups. Also, we are planning to introduce a predictive sales
system which will suggest clients based on their technology
adoption. For eg., if a company migrates to Magento, they are a
potential client to Magento extension developers.
justinph - 9 hours ago
Why does this need to be a browser extension? No, thanks.
deepakkarki - 9 hours ago
Because that's how they make money. They go about creating a
database of what websites use what technologies. They later sell
that info to sales people as leads. I'm not sure what extra
tracking they do beyond that!
tillinghast - 9 hours ago
You can build a database by accepting URLs submitted by users,
too. It just baffles me that people willingly install these
extensions that - on the tin! - say that they can "Read and change
all your data on the websites you visit". INSANE
seanwilson - 8 hours ago
> It just baffles me that people willingly install these
> extensions that - on the tin! - say that they can "Read and
> change all your data on the websites you visit".
It's disappointing you can't have finer grain permissions for
Chrome Extensions. What's the alternative though if you can't
make it a web service though? An Electron or native app for
example would have even more permissions and could read any
file on your computer.
tedmiston - 8 hours ago
Yeah that. I would try it as a bookmarklet but I never install
Chrome extensions that ask for all data on all websites.
It's just an insane permission for what should only get URLs
when I explicitly ask it to. I wish Chrome would add a
permission like this "website URL of the current page with
your express permission every invocation".
BartSaM - 3 hours ago
They do not need to worry about websites and CDN's that would
mark their spiders as such. They get free scrapers thanks to
that.
deburo - 8 hours ago
Because even though they can, that's not what they're doing. I
see comments like yours on this site pretty often, and it is
tiring. There are many reasons people behave the way they do,
and probably the most common reason is that their behaviors
haven't caused them any harm as far as they know. The warning
"Read and change all your data on the websites you visit" is
perhaps scary the first time you see it, but then it becomes
insignificant as time goes by and as extensions get installed
without causing any visible harm.
tillinghast - 8 hours ago
> The warning [...] is perhaps scary the first time you see
> it, but then it becomes insignificant as time goes by...
Which is exactly why it's dangerous. Granting access like this
without a thought to the potential consequences is just
asking for a bad character to take advantage of the blind
trust people place in extension authors. The core issue is
the options Chrome gives extension authors. Offering the
ability to grant permissions per-site and per-use would
greatly reduce the threat. Even just a per-use "Are you
sure?" confirmation would help.
jijosunny - 1 hours ago
I understand your concern, but as I mentioned in my previous
comments, we started with extension as developers/designers found
it especially handy for a quick look-up while working on their
projects. Also, our counterparts got a majority of their traction
from browser extensions which made it our obvious priority (even
though it wasn't the easiest of options). Not to worry though -
we're working on something for the web as well!
dustinmoris - 8 hours ago
Ehm sorry.. but I refuse to clutter my browser with silly
extensions which could and really should entirely live on a website
as a service.
jijosunny - 8 hours ago
Hi Dustin, we started with extension as developers/designers
found it especially handy for a quick look-up while working on
their projects. Not to worry though - we're working on something
for the web as well!
fragmede - 7 hours ago
HN is remarkably fickle; a browser extension is a perfectly
reasonable user-friendly mechanism for the service given the
choices out there. There are privacy concerns given the coarse
level of granularity that Chrome provides, but until Google
changes that ("Read and change all data on websites you visit"
shouldn't be the same thing as "give the current URL to the
browser extension when I click its button"), that's just what
we're stuck with for user friendliness.
mshenfield - 9 hours ago
Neat, but still some kinks. I'm not seeing Angular for
https://fonts.google.com/, but can quickly find the tell-tale
ng-attributes in the HTML. BuiltWith has been around for a while and
has its own chrome extension [0]. It correctly identified
fonts.google.com as using Angular. [0]
https://chrome.google.com/webstore/detail/builtwith-technolo...
jijosunny - 2 hours ago
Noted! :) We'll look into this right away.
cheapsteak - 9 hours ago
Has anyone used both this and Wappalyzer [1]? The latter is what
I've been using and seems to have more users with higher
ratings [1] -
https://chrome.google.com/webstore/detail/wappalyzer/gppongm...
jijosunny - 2 hours ago
Comparing with Wappalyzer and BuiltWith, here's why we think we
have something different (and maybe better):
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of
thousands of them).
2. Ability to follow sites (and know what techs websites started
using/ditched).
3. Very lightweight compared to our counterparts, and arguably
better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you
might've already noticed. Wappalyzer is fairly accurate, but
limited in technologies. WhatRuns is trying to be the best of
both worlds.
semiquaver - 3 hours ago
I can't comment on the detection accuracy because this extension
makes an important mistake -- it ignores the actual URL you are on
and always performs detection on the root domain. So if I point
the extension to a webapp at app.mycompany.com I get results for
our marketing site at mycompany.com, which uses completely
different (and more boring) tech.
jijosunny - 3 hours ago
Yes, WR currently considers subdomains as a part of the main
domain. Most users like to know the full tech stack of a website.
If there is a blog at blog.company.com and if it is using
Intercom, it can be useful data. I hope this makes
sense. Anyway, we will definitely address this concern and think
about adding an option for subdomain separation.
brango - 8 hours ago
I wondered how long it'd take for the BuiltWith competitors to
appear after the article a few months ago
(https://news.ycombinator.com/item?id=10316060). The golden rule of
business: If you're onto a sweet money-maker, don't shout about
it. I'm currently working on a competitor to a site I read about
that bragged about their business model, and if they'd have kept it
to themselves they'd be facing one less competitor...
alnitak - 5 hours ago
That article wasn't the first broad mention. I remember reading
about BuiltWith being an outstanding one man project a couple of
years ago, so I am in fact surprised the copycats took so long to
show up.
maxaf - 8 hours ago
They do say that imitation is the sincerest form of flattery,
which holds up almost as well as the "imitate then innovate"
mantra.
tomc1985 - 3 hours ago
Why is this a company? It's one Chrome addon. Seriously people.
staticelf - 8 hours ago
I ran it on my site and it didn't find anything. I run jQuery, nginx
have google analytics and have my ssl certificate with lets
encrypt. All stuff that builtwith.com found without any issues.
jijosunny - 8 hours ago
Our servers are going a bit cranky due to the huge traffic we are
experiencing today. New websites (that was not loaded on WhatRuns
before) are now queued up and might experience few seconds of
delay. This is to ensure best experience for our active users.
vijaybritto - 7 hours ago
How are they detecting other technologies apart from javascript? By
requesting the companies to share the tech stack manually?
quakeguy - 4 hours ago
I can't add this to Opera it seems, though there is a button that
shows me I could. All extensions disabled, latest version. Chrome
works fine.
jijosunny - 1 hours ago
Sorry about this. We have only publicized Chrome and Firefox for
now considering the demand. We will release the rest within a
week's time. Thanks for dropping by!
quakeguy - 1 hours ago
All cool, thx for your effort! Good Luck!
KirinDave - 4 hours ago
I would find use for products like this but I'm emphatically not
enabling a chrome extension unless I've built up significant trust
with the company providing it.
joshdance - 2 hours ago
I think your level of skepticism is good but most people will
just hit that install button and not think twice.
cbr - 4 hours ago
You can get a web version by editing urls:
https://www.whatruns.com/website/google.com
jijosunny - 2 hours ago
Nice find! :) However, WR only publicizes websites that were
once loaded through extension. If you have a new website and if
it wasn't opened on WhatRuns before, this lookup won't do the
trick.
Shorel - 2 hours ago
This should be the top comment.
tonymet - 4 hours ago
I keep a separate chrome user profile for testing extensions.
You are right that chrome extensions can read all browser
data. Here is how to set up a separate user
profile https://support.google.com/chrome/answer/2364824
jijosunny - 4 hours ago
How about 15k happy users, featured by Google Chrome, transparent
extension and top of HN and PH? ;) On a serious note, I understand
your point and realise how new extensions can be dangerous.
However, we have a very good team and is trying to solve all the
concerns we had with our counterparts. I hope you'll give us the
benefit of doubt! :)
geekamongus - 3 hours ago
Yes, but do you enable two-factor auth on your developer
account(s)?
https://chrispederick.com/blog/web-developer-for-chrome-comp...
bhnmmhmd - 54 minutes ago
Thanks for introducing PH! That site is so great!
dmitrygr - 4 hours ago
But why do you need to run on my PC? Just add a "insert url
here" box and do it on your server. I implicitly distrust anyone
who insists on running code on my PC that they could run
elsewhere. Especially.. code they can remotely update
jijosunny - 4 hours ago
We started with extension as developers/designers found it
especially handy for a quick look-up while working on their
projects. Not to worry though - we're working on something
for the web as well! Also, our counterparts got a majority of
their traction from browser extensions which made it our
obvious priority (even though it wasn't the easiest of
options).
randomerr - 4 hours ago
15k is nothing and you can buy 'featured' status. Let me know
when it gets closer to 500,000.
jijosunny - 4 hours ago
Chrome team handpick their featured products; I don't think
we can buy the status. We know 15k is not a lot (comment was
pun intended), but it looks like a good start :)
samblr - 3 hours ago
Permission required for this means extension can read all
website and change it. I don't know much about extension
development - can a finer permission like - reading browser
url is not sufficient to achieve functionality? or better
- a button in extension options to read only current url?
How do you defend yourself of not selling users data?
Having said above - compared to extension wappalyzer
(which I had) this gives so much more information!! Really
cool.
jijosunny - 3 hours ago
@samblr First off, thank you so much for your kind words.
Glad you liked the info we're providing. To address your
concern with the privacy, WhatRuns do not collect or log
any visitor information - including IP address, location
etc. We receive anonymous website data and match with our
database to display the results. Hope this clarifies.
TekMol - 53 minutes ago
It says ycombinator.com uses React, jQuery, "Vis JS", a Facebook
tracking pixel, CloudFlare and Cloudfront ...
https://www.whatruns.com/website/ycombinator.com
That sounds strange. Can these claims be backed up somehow? I cannot
see anything in the source that would confirm these. It also says
Facebook uses Google Analytics \o/
grawlinson - 16 minutes ago
Have you checked the headers that these site(s) are
sending/receiving? There's usually a couple of indicators in them
that point towards whatever tech stack is running.
sillysaurus3 - 9 hours ago
Heh, good luck doing this for HN. You might say "Arc," but it's
been modified for a decade. I wonder if the mods would ever be
interested in being interviewed or talking about some of the tech.
The last bit of Arc info we got was
https://news.ycombinator.com/item?id=11240681, which was
awesome. It's pretty unique. I don't think any other large website
in the world has written their own stack from top to bottom. Even
Facebook uses php.
statictype - 8 hours ago
That link was pretty interesting. Having to explicitly declare
thread local access is a clever hack. I also wonder what database
they use (if any). Did they also build their own http stack?
sillysaurus3 - 8 hours ago
They use in-memory hash tables, which works since the whole
site can be in memory. Originally they did build their own http
stack but switched to nginx for a reverse proxy. On the other
hand I'm not sure how much they lean on nginx's facilities.
rubyfan - 9 hours ago
The Chrome extension is a nonstarter for me.
dgorges - 9 hours ago
Wappalyzer [0] might be a good open source alternative. [0]
https://github.com/AliasIO/Wappalyzer/
jijosunny - 1 hours ago
As mentioned in my previous comments, here's why we think we have
something different (and maybe better) than our counterparts like
Wappalyzer:
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of
thousands of them).
2. Ability to follow sites (and know what techs websites started
using/ditched).
3. Very lightweight compared to our counterparts, and arguably
better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you
might've already noticed. Wappalyzer is fairly accurate, but
limited in technologies. WhatRuns is trying to be the best of
both worlds.
tim333 - 8 hours ago
I tried it on a website of mine running on localhost using Python
and it said languages "Python Node.js PHP Ruby" which seems a bit
over enthusiastic as none of the non Python stuff was running.
jijosunny - 1 hours ago
WhatRuns is currently not working on localhost. It is on our
roadmap and we will definitely give it more weight! :)
y0y - 9 hours ago
Does anyone know what they are using to detect
Wordpress? Unfortunately some sites that I am responsible for
running in production are WP and we try our best to hide this fact
and block all admin functionality to the public due to WP's
less-than-stellar history of security vulnerabilities. This is the first
tool I've seen that has detected it and now I'm stumped.
adventureadmin - 9 hours ago
Well, you'll certainly be interested in wpscan.
octalmage - 9 hours ago
The WP REST API is a new way to detect if a site is running
WordPress. If you hit the homepage of a WordPress site it will
return a link header with a location to the REST API. They can
also just hit /wp-json/, or /xmlrpc.php, or many other files that
WordPress requires. Like looking for assets served from
wp-content, or wp-includes.
Rjevski - 9 hours ago
The best way to hide WP is to stop using that pile of garbage.
didgeoridoo - 9 hours ago
I'm curious what efforts you've made to "hide" WordPress. Can you
share any of your techniques? I assume it's stuff like:
- Rename paths to eliminate "wp-" prefixes and recognizable folder
structure (wp-content, wp-include, etc)
- Remove or rename any common plugins that inject recognizable
WP-specific code into the page
- Rewrite requests to bare paths instead of e.g. index.php
I assume you'd also try to do as much handling as possible at the
Apache/NGINX layer instead of letting requests hit the WP
application. Seems like a HUGE amount of effort, and I'm probably
not even getting everything. Is there a more efficient way of
securing/locking-down a WP site?
buu700 - 7 hours ago
For cyph.com/blog, we have a WordPress instance accessible only
by SSH tunnel, and what gets deployed publicly is a static site
generated using a plugin called Simply Static (with a little
bit of additional processing).
ValentineC - 5 hours ago
How long does it usually take for a small site to be
generated using Simply Static? I tried it once before, and
wasn't very impressed by the performance (I don't think it's
a problem with the plugin, but maybe PHP itself).
lucideer - 8 hours ago
I've run it on a simple bog-standard out-of-the-box Wordpress
install with no obfuscation just now and it said "No apps found".
Not sure what the issue is. One thought I had was perhaps it uses
some cached batch parser and shows "No apps found" for all sites
on first-run until it finishes analysing in the background? It
doesn't seem to work at all on a few very obvious but
small/obscure CMS sites but works fine on all well-known
high-traffic sites.
ryan-c - 4 hours ago
I don't know what they're using, but Wappalyzer uses regular
expressions over the HTML. You can intentionally mislead the
scanner without much effort.
bpicolo - 9 hours ago
> we try our best to hide this fact
Can't really hide wordpress
because any time there's a new vulnerability, scrapers spam every
site on the internet attempting to use it anyway, regardless
of what tech they're built on
rosswilson - 8 hours ago
You really shouldn't be relying on security by obscurity to
prevent attacks to your websites. If you check your access logs
you'll see countless attacks that are unconditional, they'll just
try the attacks without any kind of sanity checking.
nso - 9 hours ago
Could it be as simple as checking if certain .php files respond
to web requests?
rpeden - 9 hours ago
It could be something as simple as the class names of elements on
the page. WP has some defaults that are recognizable. Also, most
WP pages will be loading scripts from the wp-includes
directory. There are probably others I'm overlooking, and some WP
plugins probably also drop recognizable script tags into your
pages. Since this is the first tool that has detected it, it's
very possible you've already covered all of the things I
mentioned.
gedrap - 9 hours ago
Yes, `wp-contents`, `wp-includes` and basically anything else
prefixed with `wp-` is a very clear sign that WordPress is
behind the site.
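A self-audit along the lines rpeden and gedrap describe, added here as an example and not part of anyone's post or of WhatRuns' or Wappalyzer's code: it parses a page you serve and lists the WordPress tells that remain. The marker patterns and the sample page are constructed assumptions, not any tool's actual rule set.

```python
import re
from html.parser import HTMLParser

# URL paths with the wp- prefix named in the comments, plus two core endpoints.
WP_PATH = re.compile(r"/(wp-(?:content|includes|json|admin)|wp-login\.php|xmlrpc\.php)(?=[/?#]|$)")
# Default class names that core templates emit on images, blocks, body and menus.
WP_CLASS = re.compile(r"^(?:wp-[a-z0-9-]+|(?:page-id|postid|menu-item)-\d+)$")
URL_ATTRS = ("src", "href", "action", "srcset")


class WordPressMarkerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, evidence) for each tell found

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        content = a.get("content", "")
        if tag == "meta" and a.get("name", "").lower() == "generator" \
                and "wordpress" in content.lower():
            self.findings.append(("generator", tag, content))
        for name in URL_ATTRS:
            m = WP_PATH.search(a.get(name, ""))
            if m:
                self.findings.append(("path", tag, m.group(1)))
        for cls in a.get("class", "").split():
            if WP_CLASS.match(cls):
                self.findings.append(("class", tag, cls))


def audit(html):
    """Return a dict mapping kind of tell to the sorted evidence found."""
    parser = WordPressMarkerAudit()
    parser.feed(html)
    parser.close()
    grouped = {}
    for kind, _tag, evidence in parser.findings:
        grouped.setdefault(kind, set()).add(evidence)
    return {kind: sorted(vals) for kind, vals in grouped.items()}


# Constructed sample: asset paths and the generator tag have been rewritten,
# but class names and the login form still carry WordPress defaults.
SAMPLE = """<html><head><link rel="stylesheet" href="/assets/theme.css">
<script src="/static/js/jquery.js"></script></head>
<body class="home page-id-2 custom">
<img class="alignleft wp-image-17" src="/media/2017/08/a.png">
<ul><li class="menu-item-41"><a href="/about/">About</a></li></ul>
<form action="/wp-login.php?redirect_to=%2F"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in audit(SAMPLE).items():
        print(kind, evidence)
```

A clean result covers only these markers; it says nothing about requests that probe WordPress paths without checking what the site runs.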
chrisallenlane - 8 hours ago
FWIW, none of the static media (images, css, js) seems to be
loading for me - I'm just getting a bunch of 404s. This is
happening in all browsers on my system, including when plugins are
disabled. Might be network weirdness on my end, I dunno. (Or a HN
"hug of death"?) Anyway, wanted to let you know. Congrats on the
project :)
halotrope - 8 hours ago
Same here
jijosunny - 8 hours ago
Thank you so much! Yes, HN 'hug of death' seems to be the
culprit here :) We're experiencing occasional downtimes. We're on
it. New websites (that were not loaded on WhatRuns before) are now
queued up and might experience 2-3 seconds delay.
patkai - 8 hours ago
Btw, how much traffic does HN's "hug of death" mean
approximately?
jijosunny - 7 hours ago
Not sure. I'll make sure to update it here after :)
[deleted]
chrisallenlane - 5 hours ago
Glad to help :)
[deleted]
feritkan - 8 hours ago
What runs whatruns? - since it does not work at the moment
jijosunny - 1 hours ago
Sorry, we experienced occasional downtimes earlier today, which
could be the reason why. Can you try again now? If you're still
facing the issue, please drop us a line with the URL in question
so that we can take a look: hello [at] whatruns.com. Thanks!
EnderMB - 7 hours ago
I mainly use Wappalyzer, after finding it to be more reliable than
BuiltWith, but I've given this a quick go on some of the sites I
work on, and I have the following feedback:
1. All in all, this looks really tidy, so nice work!
2. Sadly, it looks a bit limited on detecting anything
.NET/Windows. I pointed it at a few Umbraco sites running on Azure,
and none of it was picked up.
3. It doesn't look like it works for subdomains.
4. Wappalyzer does a good job of detecting Angular 2, whereas this
seems to struggle.
These issues aside, I'll probably keep it running at work, and if
these things can be resolved I can see this being my preferred
choice.
jijosunny - 3 hours ago
Awesome. Thank you so much for your kind words. Addressing your
concerns:
1. Thank you ;)
2. Devs are looking into this. Neglecting .Net/Windows wasn't
intentional. We will work on this.
3. Yes, WR currently considers subdomains as a part of the main
domain. Most users like to know the full tech stack of a website.
If there is a blog at blog.company.com and if it is using Intercom,
it can be useful data. I hope this makes sense. Anyway, we will
definitely address this concern and think about adding an option
for subdomain separation.
4. Noted!
alxeder - 7 hours ago
I would greatly appreciate being able to test your technology on a
given site on your website before installing your extension.
jaib8 - 5 hours ago
as mentioned in the earlier comments, you can test on their url
https://www.whatruns.com/website/
dharness - 6 hours ago
I agree.. tbh, I'm not sure why I'd want this as an extension.
Seems like I'd use it too sporadically to justify keeping it in
chrome.
jijosunny - 2 hours ago
We totally understand your point. We started with extension as
developers/designers found it especially handy for a quick look-
up while working on their projects. Not to worry though - we're
working on something for the web as well!
jijosunny - 8 hours ago
Hi, Hacker News!
We are truly stunned to see us on top of HN today! :)
WhatRuns is a free browser extension that shows you what runs a
website - from ad networks and developer tools to fonts and
Wordpress plugins. You can also follow websites and get notified
when they add or remove technologies.
We soft-launched a couple of weeks back and were lucky enough to be
picked up by the Chrome team. We were featured on the Chrome
Webstore, landing us 12k active users in one week. It was a huge
validation and helped us tremendously in squashing bugs and making
a finished product. We realise we have a long way to go, and our
little team is working round the clock to make it happen. We also
launched on ProductHunt today:
https://www.producthunt.com/posts/whatruns
Would love to hear what you think :)
UPDATE:
Thank you for all the feedback!
Sorry about the occasional false detections. We are looking into
this. This is largely because we detect a considerably large number
of technologies/plugins compared to our counterparts. Lots of
possibilities for false pattern recognition etc. Rest assured our
team is working round the clock to improve accuracy and add more
technologies/plugins.
Also, our servers are going a bit cranky due to the huge traffic we
are experiencing today. New websites (that were not loaded on
WhatRuns before) are now queued up and might experience 2-3 seconds
delay. This is to ensure best experience for our active users.
Thank you so much for such a great response!
EGreg - 3 hours ago
How does this differ from BuiltWith?
jijosunny - 2 hours ago
Copying my previous reply: Comparing with Wappalyzer and
BuiltWith, here's why we think we have something different (and
maybe better):
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of
thousands of them).
2. Ability to follow sites (and know what techs websites started
using/ditched).
3. Very lightweight compared to our counterparts, and arguably
better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you
might've already noticed. Wappalyzer is fairly accurate, but
limited in technologies. WhatRuns is trying to be the best of both
worlds.
marksomnian - 3 hours ago
SUPER ANNOYING BUG. It seems to only look at the second-level
domain, and thinks that websites with the same subdomain are the
same. They are not.
jijosunny - 3 hours ago
WR currently considers subdomains as a part of the main
domain. Most users like to know the full tech stack of a
website. If there is a blog at blog.company.com and if it is
using Intercom, it can be useful data. I hope this makes
sense. Anyway, we will definitely address this concern and think
about adding an option for subdomain separation.
portman - 2 hours ago
Not sure if it's related to load, but whenever I try it on a
long-tail site (i.e. not one you would have precached) it comes
back with information about google.com instead of the domain I'm
on.
jijosunny - 2 hours ago
We just tried to replicate this issue but failed. It's working
fine on our end. Can you share the URL in question so that we
can take a look? Thanks!
jaxondu - 8 hours ago
Just check https://www.whatruns.com/website/vuejs.org and you're
showing the site as using EmberJS. Looks like you're not launch
ready.
0xfeba - 7 hours ago
> Looks like you're not launch ready.
It's 2017 man, things are launched with kinks all the time now.
Your definition of launch ready doesn't have to apply to everyone
else.
celim307 - 7 hours ago
It's kinda ridiculous that we've just accepted things are
going to be broken at launch.
hk__2 - 3 hours ago
Things are always broken at launch; you can't prevent all
the bugs and unexpected things always happen. IMHO it's a
very good thing we've "accepted things are going to be broken
at launch"; the "ship early, release often" model works a
lot better than "wait 10 years before release so that
everything is perfect but you're 9 years late".
jijosunny - 6 hours ago
I totally understand your point, but WhatRuns is not a
broken extension. Google blessed us with more than 10k+
active users by featuring us on the Chrome Webstore front
page :) and we have been improving the technology ever
since. However, there is a lot of manual labour involved in
correcting detection inaccuracies, which our team is
working full-time on. Rest assured WR will only improve
from here on. Thank you for dropping by!
throwaway613834 - 6 hours ago
> WhatRuns is not a broken extension
Try running it on www.example.com and let me know how many of
those are accurate.
the-dude - 6 hours ago
Around ~2000 it became common knowledge to download the
latest driver from the net instead of using the supplied
one on the CD for hardware you just bought. That is the
assumption of broken hardware to be shipped 17 years avant
la lettre?
moosingin3space - 4 hours ago
They discovered Discourse, which uses Ember.js.
jijosunny - 7 hours ago
Sorry you feel that way. We truly understand your frustration
with detection accuracy, but when there are tens of thousands
of technologies to detect, the only solution is to break things
and move fast. We were featured on Chrome Webstore a few weeks
back and got a great response (12k+ active users), which helped us
enormously in improving the accuracy and efficiency, and I'm
sure HN and PH launch will be even more helpful in improving
the product.
jaxondu - 7 hours ago
Sorry, I don't mean to be rude and I understand there are tens
of thousands of technologies to detect. Kind of expecting
your engine to be able to detect front end JS frameworks
easier than backends, at least for those popular JS
frameworks. In case you didn't notice, the site I'm pointing to
is the home page of VueJS and you're showing them using a
competitor tech.
jijosunny - 6 hours ago
We're on it. Thank you so much for bringing this to our
attention.
rjbwork - 5 hours ago
Well, at least you've got the business-speak down and can
fix your bugs quickly. That'll get you far, I think.
rocky1138 - 5 hours ago
You will probably want to add GNU Social. I pointed it at my
site https://kwat.chat and it came up with nothing. Also,
Wordpress doesn't seem to be detected, either, on my other
website: https://johnrockefeller.net
sus_007 - 8 hours ago
How good is this over Wappalyzer?
jijosunny - 3 hours ago
Comparing with Wappalyzer and BuiltWith, here's why we think we
have something different (and maybe better):
1. WhatRuns detects fonts, Wordpress plugins and themes (tens of
thousands of them).
2. Ability to follow sites (and know what techs websites started
using/ditched).
3. Very lightweight compared to our counterparts, and arguably
better UI ;)
4. More accurate data. BuiltWith can be very inaccurate as you
might've already noticed. Wappalyzer is fairly accurate, but
limited in technologies.
WhatRuns is trying to be the best of both worlds. :)
charlieegan3 - 6 hours ago
Testing this against a number of websites I know the stack for this
seems to not only be missing information but regularly reports
things never used on that site.
jijosunny - 1 hours ago
Copying the comment I previously posted: We truly understand your
frustration with detection accuracy, but when there are tens of
thousands of technologies to detect, the only solution is to
break things and move fast. We were featured on Chrome Webstore a
few weeks back and got a great response (12k+ active users), which
helped us enormously in improving the accuracy and efficiency,
and I'm sure HN and PH launch will be even more helpful in
improving the product.
fevangelou - 3 hours ago
Congrats, WhatRuns looks very accurate to my tests so far and
indeed better in UI terms. I only have one extra UI recommendation
that I think Wappalyzer got right, which you could enable as an
option. When a popular CMS/language/server OS is detected,
Wappalyzer will use its icon in place of Wappalyzer's plugin icon.
E.g. if Joomla is detected, Wappalyzer's icon on the plugins'
toolbar will switch to Joomla's logo. There's a specific order to
this preference that looks to go from the CMS used (e.g. Joomla,
WordPress etc.) down to the framework (e.g. Laravel), programming
language (e.g. PHP), webserver (e.g. Nginx) and finally the server
OS. In other words, if Joomla is detected, it will be displayed
first, not PHP. The above is extremely helpful for anyone developing
for the CMS communities (like myself). Of course, to maintain your
identity as a plugin, you could use a double logo (a mashup of your
own and the dominant/higher-level technology detected).
* UPDATE: You should also consider providing a way for anyone to
easily suggest new frameworks, apps, CMS extensions/plugins etc. to
be detected, by providing a name, icon, description and the way to
be detected (e.g. HTTP header, pattern in the HTML output or even
HTML comment, linked source etc.).
jijosunny - 2 hours ago
Thanks @fevangelou! Appreciate you taking time to drop your
suggestions.
Dynamic icon - I agree with you that it can be quite convenient to
display the top technology (preferably the CMS). We will think
about this as an option in the future updates!
Technology submission - That's a great idea. We are adding this to
our roadmap. Thank you so much.
jazoom - 1 hours ago
As a counterpoint, I really don't like that Wappalyzer does
this. It always takes me a couple of seconds to find the
correct extension to click because its icon always changes. If
you keep your icon the same I will switch from Wappalyzer.
djmill - 9 hours ago
Edit: About 15 minutes after posting, this seems to work fine on my
site now. Sorry for the confusion!
The spinner does not stop and it gives no results for my site
(https://myhikes.org) - this is with both Firefox and Chrome
extensions. Seems to work great for everything else though.
Just replying in case you're looking for new edge cases to debug!
cknight - 9 hours ago
Works for me on your site! (Chrome)
djmill - 8 hours ago
Very weird, now it works after reading this and re-checking.
Oddly enough I restarted Chrome and Firefox twice
before posting the comment in hopes that it was just my
machine. Thanks for the sanity check!
thinbeige - 6 hours ago
Noob question: Looking at your competitors' traffic with
SimilarWeb: They have all ok to low traffic, none of them really
growing. So it might be a hard business to grow since a lot is SEO
driven/organic. However, Builtwith is selling some plans which also
include SEO related features like keyword reports. I understand
that some might pay for the latter but there is even more
competition in that space.
What I don't get: Who should pay for your stuff? It's
of course interesting to see other stacks but honestly it's not a
crucial thing. My CTOs and I know what they are doing and of course
we like to get inspired but yeah, at the end of the day tons of
research, years of experience, debate and the individual use case
decide our stack and not what some random website does. Same for
design-related stuff, btw to find a font-face is just a
Command-Option-I away.
So no offense, but I am just wondering why you start
a business which is already there, which is hard to scale and which
is hard to get paid for. Guess I missed something and happy to hear
your view.
jijosunny - 5 hours ago
Our business model will be similar to that of BuiltWith's, i.e.
selling list of websites using a particular technology. For e.g.,
list of websites using Drift chat
(https://www.whatruns.com/technology/drift) will be a super-useful
competitive intelligence for other live-chat startups.
Also, we are planning to introduce a predictive sales
system which will suggest clients based on their technology
adoption. For e.g., if a company migrates to Magento, they are a
potential client to Magento extension developers.
thinbeige - 5 hours ago
Ok thanks and this makes sense, a leadgen tool for BTB sales.
jayfk - 5 hours ago
People are paying for services like this because it's a valuable
tool for lead generation. If you are selling a Wordpress plugin,
you don't want to contact website owners that run on e.g Joomla.
overcast - 7 hours ago
Doesn't seem to handle my simple little kid quotes project. Just
spins, and spins with no result. ¯\_(ツ)_/¯ https://kidisms.com/
jijosunny - 1 hours ago
Sorry, we experienced a minor downtime earlier today, which could
be the reason why. Can you try again now? If you're still facing
the issue, please drop us a line with the URL in question so that
we can take a look: hello [at] whatruns.com. Thanks!