From my experience and quick code search there are no deliberate ways WP identifies itself in headers. However there are some that seem distinct enough and not likely to be customized.
HEAD to /wp-login.php
will contain following for .org install:
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
And for .com:
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; domain=.wordpress.com
Cookie name is customizable by defining TEST_COOKIE
constant, but WP Cookie check
string is hardcoded in core, as well as set_cookie()
call for this in the file’s source.
For locating wp-login.php
there are some URL shortcuts (implemented in wp_redirect_admin_locations()
since WP 3.4 (see ticket #19607 ):
/login
on site’s root does 302
redirect to wp-login.php
, wherever it is.
So the only scenario that cannot be reliably detected if WP is installed in and confined to subdirectory, without being used to manage site’s root at all.