If you are worried malicious visitors will see the WordPress version number and want to abuse it, you should remove it. Right off the bat, we’ll say this is a common concern and something that might tighten up your security a bit but isn’t truly a full-fledged measure. You should employ security plugins for WordPress for full protection. Moreover, we published guides on removing backdoors, avoiding the use of nulled plugins and themes, limiting user role permissions, and assigning those roles carefully. If it makes you feel safer as a website owner, we’ll show you how to remove the WordPress version number nonetheless. Let’s dive straight in.
Risks and benefits of keeping the WordPress version number hidden
Hazards of hiding the version from view are few and far between. Anyone that needs to know it, such as an administrator or editor, or a technical support representative from your web hosting, can find it in the WordPress Admin section, cPanel, or an FTP client. In contrast, the benefits outweigh the cons, as you can hide this bit of information from people with nefarious intentions. To clarify, knowing the version, especially if it’s outdated, would let such people zero in on exploits and vulnerabilities that might be specific to that version.
This makes their job vastly easier and gives them more time to plot and carry out an attack, often successfully. The reality is that people often sign up for a 3-year web hosting plan to get a low price, and don’t update WordPress, themes, or plugins. Others rarely create backups and don’t protect their website files from intrusion. Thus, while it isn’t a security measure per se, it’s a valuable precaution that may dissuade such individuals from trying or, at least, slow them down.
How can hackers see my WordPress website version number?
This is a typical question because lots of website owners remain convinced this information is limited to backend access, i.e., files accessed via FTP or through WordPress Admin. This is false, and here are several examples of places where malicious individuals may view your currently installed WordPress version:
- Inspecting page source — Anyone can visit your website, right-click anywhere, and select View page source. Unfortunately for you, the WordPress function wp_generator(), which runs on the wp_head hook, reveals the version this way:
<meta name="generator" content="WordPress 5.9.3" />
- Opening an unprotected readme file — Unless website owners forbid access to files, hackers can type
https://www.website-name.com/readme.html
and review information, this bit included.
- RSS feed — While there are tons of benefits of having an RSS feed, it can also leak your version. For example, after opening the
https://www.website-name.com/feed
link (or feed-rss) the generator tag can reveal it like this:
<generator>https://wordpress.org/?v=5.9.3</generator>
1. Disable WordPress version visibility with a WordPress plugin
Now that you understand the reasoning, let’s demonstrate solutions. We usually begin with manual methods. However, because there’s a chance it only requires two to three clicks, we’ll analyze how third parties can help first.
Use a feature in a WordPress security plugin
Are you already using any security WordPress plugins? If so, there’s a high chance they let you do this within settings. Though we aren’t affiliated, here are two common examples with a straightforward option:
- Sucuri Security — This one should conceal the version by default. If it hasn’t, the setting wasn’t applied or was turned off. Expand the left sidebar of WordPress admin and go to Sucuri Security → Settings. Now, click on Settings in the top right corner, switch to the “Hardening” tab, and toggle Remove WordPress Version to on.
- WP-Hardening by Astra Security — Head to WP Harden, then the Security Fixers tab in the left sidebar of the WordPress Admin section. Now toggle the key in front of “Hide version number” so it turns green.
Employ a simple, dedicated plugin
Several dedicated plugins only hide your version and nothing else. These are straightforward and lightweight solutions and may include extra options that security plugins don’t offer. For instance, we’ve seen a handful of plugins that conceal this information in CSS (Cascading Style Sheets) and JS (JavaScript) files throughout your website. We don’t endorse any particular one, so do a quick search for “remove version number” in the WordPress repository and take your pick.
2. Manually remove the version number from a WordPress website
If you don’t want plugins slowing your website down, don’t fret. There are several code snippets you can add manually to solve the issue. We suggest creating a backup of your website first, and then either creating a site-specific WordPress plugin, using a code snippet plugin, or carefully copying the code below to the functions.php file inside your active theme (root/wp-content/themes/theme-name/). The simplest will erase the version from the generator meta tag we mentioned above:
remove_action('wp_head', 'wp_generator');
The following one removes the data from the <generator> tag from RSS feeds:
function erase_wp_version_rss() {
    // Replace the generator output with an empty string.
    return '';
}
add_filter('the_generator', 'erase_wp_version_rss');
For best results, you should add both.
Optional. Advanced users that must also remove the WordPress version from styles and scripts can also employ this code:
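function wp_remove_version_scripts_styles($src) {
    // Strip the ver= query argument from enqueued style and script URLs.
    // strpos() returns false when 'ver=' is absent, so compare strictly.
    // Note: ver= also acts as a cache-buster for updated files.
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'wp_remove_version_scripts_styles', 9999);
add_filter('script_loader_src', 'wp_remove_version_scripts_styles', 9999);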
The one above will prevent the version from remaining visible in the source code. We’ve also seen a recommendation floating around the internet that you shouldn’t follow: some users suggest removing this portion from your header.php file. Refrain from doing that:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Can I erase all traces of version history from public view?
You can theoretically wipe all public sources of version history. However, this is tedious and intricate, and you may never know for certain whether you’ve succeeded. A new WordPress update might foil your plans, too. You should nonetheless do your best to slow down or stop attacks. However, don’t forget to protect your website in other ways. That way, even if individuals with ill intentions discover the version number, your security measures may render their attacks useless.
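To confirm the snippets above took effect on your own site, you can scan its saved page source and feed for the leak points this article lists. The following is an added example, not code from the original article; the function name, the regular expressions, and the sample markup are constructed for illustration.

```python
import re

# Leak points named in the article: generator meta tag, RSS <generator>,
# and ver= query strings on enqueued styles and scripts.
VER = r"(\d+\.\d+(?:\.\d+)?)"
META_RE = re.compile(
    r'''<meta\b[^>]*name=["']generator["'][^>]*content=["']WordPress\s+''' + VER, re.I)
FEED_RE = re.compile(r"<generator>\s*https?://wordpress\.org/?\?v=" + VER, re.I)
# Core assets live under /wp-includes/ or /wp-admin/; bundled libraries carry
# their own ver= value, so these hits are candidates, not proof.
ASSET_RE = re.compile(
    r'''(?:src|href)=["'][^"']*/wp-(?:includes|admin)/[^"']*[?&](?:amp;|#038;)?ver=''' + VER, re.I)

# Constructed sample responses (not captured from a real site).
BEFORE_HTML = """<head>
<meta name="generator" content="WordPress 5.9.3" />
<link rel='stylesheet' href='https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=5.9.3' />
<script src='https://example.test/wp-includes/js/wp-embed.min.js?ver=5.9.3'></script>
</head>"""
BEFORE_FEED = "<channel><generator>https://wordpress.org/?v=5.9.3</generator></channel>"
AFTER_HTML = """<head>
<link rel='stylesheet' href='https://example.test/wp-includes/css/dist/block-library/style.min.css' />
<script src='https://example.test/wp-includes/js/wp-embed.min.js'></script>
</head>"""
AFTER_FEED = "<channel></channel>"


def find_version_leaks(page_html="", feed_xml=""):
    """Return a sorted list of (source, version) pairs found in the inputs."""
    leaks = set()
    for m in META_RE.finditer(page_html):
        leaks.add(("meta-generator", m.group(1)))
    for m in ASSET_RE.finditer(page_html):
        leaks.add(("asset-ver", m.group(1)))
    for m in FEED_RE.finditer(feed_xml):
        leaks.add(("feed-generator", m.group(1)))
    return sorted(leaks)


if __name__ == "__main__":
    for label, html, feed in (("before", BEFORE_HTML, BEFORE_FEED),
                              ("after", AFTER_HTML, AFTER_FEED)):
        print(label, find_version_leaks(html, feed))
```

Feed it the page source and feed XML saved from your own site after each WordPress update; an empty list means none of these three leak points is exposing a version.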