You can disable the robots.txt
file by putting this code in an mu-plugin:
remove_action( 'do_robots', 'do_robots' );
However, I don’t recommend that. It will make it harder for search engines to index your content, and it won’t really do anything to hide the fact that you’re using WordPress.
There are a dozen ways that someone can tell you’re using WP, and many of them are impractical to hide. For example, viewing the source code of a page will show lots of things that are obviously WP:
<script src="https://wp-develop.test/wp-includes/js/jquery/jquery.js?ver=3.7.0" id='jquery-core-js'></script>
<script src="https://wp-develop.test/wp-includes/js/jquery/jquery-migrate.js?ver=3.4.1" id='jquery-migrate-js'></script>
<link rel="https://api.w.org/" href="https://wp-develop.test/wp-json/" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://wp-develop.test/xmlrpc.php?rsd" />
<meta name="generator" content="WordPress 6.4-alpha-56267-src" />
...
<a class="skip-link screen-reader-text" href="#content">
Skip to content </a>
...
<article id="post-1241" class="post-1241 post type-post status-publish format-standard sticky hentry category-sticky">
...
<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow" style="flex-basis:15%"></div>
They could also visit wp-login.php
, xmlrpc.php
, /wp-json/
, and a bunch of other things. There are some plugins that try to mask some of those, with varying degrees of success, but someone with a little familiarity with WP will almost always be able to tell. Even WP themes tend to have a “look” to them that is sometimes distinguishable.
Hiding the fact that you’re running WP is basically “security through obscurity” and “security theater”; it won’t really make your site more secure. There are much more important things you should do instead, like enabling two-factor authentication, requiring strong passwords, making sure you’re only using reputable plugins/themes/hosting, etc. You can learn more in the Hardening WordPress article.