
Securing WordPress may sound like a topic that is already well covered across the web, but is that really the case? Here's what I mean: I've scrolled through plenty of articles full of tips for securing websites, but rarely found anyone emphasizing small measures like removing the WordPress version number.

That in no way lessens the importance of the other security tips I've shared so far, like protecting the admin area, the login page, and other web components.

In this post, you are going to find out how to remove the WordPress version number from the source code of a website.

Why is WordPress Version a Security Loophole?

For the past 10 years or so, hundreds of thousands of people have relied on WordPress to power their websites. Managing a user base that now accounts for 26% of the global web is in itself a difficult task. Every WordPress-driven website carries a footprint that identifies the release it runs: the version number.

A security vulnerability is usually disclosed right after the core team has patched it. That is when you get minor security releases like WP 4.6.1, which shipped just the other day. With each disclosure, any WP install that is not up to date becomes a known-vulnerable target.

Hackers read the disclosure and start working out how to exploit the vulnerability. Once an exploit is ready, they run automated scrapers that hunt for WordPress sites which are not yet up to date.

Most commonly, they do this by reading the WordPress version string of each site, which by default is publicly viewable. Once they have a set of sites running old versions of WP, they start running their exploits against those sites.

So, there you have it. Hiding the WP version doesn't mean that your site is secure; it does mean that you might save yourself from an automated scraper if you are late in updating WP to the latest version.

That is why, instead of recommending that you remove the WP version, I'd suggest you keep your site up to date. But if you do want to go ahead and remove the WP version, there's no harm in doing that.

Tools like ManageWP Orion are fantastic at keeping your WordPress sites updated and managed.

I think removing the WP version makes sense because an essential component of site security is not giving out unnecessary information. Hiding your version may not be the ultimate safety measure against potential threats, but staying vigilant at all times and leaving no weak link is a practical approach to follow.

Hiding the WordPress Version

There are multiple ways to get rid of the WordPress version number, but removing it from every part of the website is the important thing. Currently, this information can be found in the following locations:

  • The <head> section
  • At the end of Scripts
  • In the readme files
  • In the RSS Feed

WP generates the version number in the header which looks something like this:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

To remove this one, you can add the following code in your functions.php file.


/**
 * Remove WP Version.
 *
 * @since 1.0.0
 */
if ( ! function_exists( 'aa_remove_wp_version' ) ) {
	// Add filter to the_generator.
	add_filter( 'the_generator', 'aa_remove_wp_version' );

	/**
	* aa_remove_wp_version function.
	*
	* Remove the WP version by returning empty string.
	*
	* @return string Empty string in place of the version.
	* @since  1.0.0
	*/
	function aa_remove_wp_version() {
		return '';
	}
}

You can star this public gist if you are into that kind of thing.

This removes the WP version from everywhere WordPress prints the generator tag: the head section and the feeds.

Here, I have created a function named aa_remove_wp_version() which removes the version number by returning an empty string instead of the real version. Toying around with code may not be the best option for beginners; you can also remove the WP version via a plugin like this one, which does essentially the same thing by adding this filter for you.
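As an added example (my own illustration, not code from the article, the gist, or any plugin it mentions), here is a functions.php snippet that covers two of the locations listed above: the generator tag in the head and feeds, and the ?ver= query string WordPress appends to enqueued scripts and styles. The function name wpl_strip_core_version_from_src is an assumed name chosen for this example; everything else is core WordPress API. It strips ?ver= only when the value equals the core version, so themes and plugins that version their own assets keep their cache-busting.

```php
<?php
/**
 * Added example, not code from the original article or from any plugin it names.
 * Hides the WordPress core version in two of the places the article lists:
 *   1. the generator tag (printed in <head> and in RSS/Atom/RDF feeds), and
 *   2. the ?ver=<core version> query string on enqueued scripts and styles.
 *
 * Place it in a theme's functions.php or a must-use plugin. The function
 * name wpl_strip_core_version_from_src is an assumed name chosen here.
 */

// 1. The generator tag. WordPress builds the head meta tag and the feed
//    <generator> element through the same 'the_generator' filter, so
//    returning an empty string blanks both. __return_empty_string() is a
//    core helper that does exactly what the article's aa_remove_wp_version() does.
add_filter( 'the_generator', '__return_empty_string' );

// 2. Asset query strings. Any script or style enqueued without an explicit
//    version gets ?ver=<core version> appended, which discloses the version
//    at the end of every such URL. Remove the parameter only when it equals
//    the core version, so theme and plugin assets that set their own version
//    keep their cache-busting intact.
function wpl_strip_core_version_from_src( $src ) {
	$query = parse_url( $src, PHP_URL_QUERY );
	if ( empty( $query ) ) {
		return $src; // No query string, nothing to strip.
	}

	$args = array();
	parse_str( $query, $args );

	// get_bloginfo( 'version' ) returns the running core version.
	if ( isset( $args['ver'] ) && (string) $args['ver'] === get_bloginfo( 'version' ) ) {
		$src = remove_query_arg( 'ver', $src );
	}

	return $src;
}

// Priority 15 runs after most plugins have attached their own ?ver= values,
// so only URLs still carrying the core version are touched.
add_filter( 'script_loader_src', 'wpl_strip_core_version_from_src', 15 );
add_filter( 'style_loader_src', 'wpl_strip_core_version_from_src', 15 );
```

Two caveats a practitioner should keep in mind. First, readme.html and license.txt are static files served by the web server before PHP runs, so no filter in functions.php can touch them; they need a web-server rule or removal at deploy time. Second, this only defeats the cheap checks: the version can still be inferred from the contents of publicly served core CSS and JS files, which is exactly why updating matters more than hiding.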

Hide My WP


Let me preface what I am about to write next by saying that hiding the version, or the fact that you use WordPress at all, is not an ideal security solution. If you rely on something like this alone, you're hardly safe from a number of attacks.

Anyhow, in a few cases I have seen that hiding the fact that you are using WordPress plays to your advantage, or maybe it is something a client asks or forces you to do. In cases like these, you can use a premium plugin called Hide My WP, which is one of the best selling plugins on CodeCanyon. This plugin is dedicated to hiding the fact that you use WordPress.

Apart from this, the plugin logs the IP addresses of clients showing malicious behavior and emails you about it. Without modifying the actual locations of your files, it hides WordPress by changing the permalinks of paths like wp-admin. It also hides the names of themes, plugins, and files that give hackers information about your WordPress installation (like readme.html or license.txt).

It automatically removes meta information from your head and feed sections. It offers protection against SQL injection by changing the query URLs. It also controls access to your PHP files and changes the default subdirectories of folders that are at potential risk, e.g. wp-content. Overall, the plugin is quite flexible and can easily be integrated with other popular security plugins. Some time back, the Hide My WP plugin was featured at WPLift; you can read its complete review here.

Several prominent plugins offer this functionality as one of their features, but you'd hardly find any renowned plugin serving this sole purpose. To name a few, WP Hide & Security Enhancer and Hide My WordPress are two free plugins which hide WordPress and increase site security by employing certain smart techniques. So, if you cannot afford the premium plugins, you can try out the free ones.

Is This the Best Approach?

This is not the best approach to security. I wrote this article to clear up a lot of myths about how hiding the fact that you use WP, and your WP version, can be an important security measure, since it's not. You can never really hide that, and hackers can get around measures like this pretty easily. Also, plugins of this kind can interfere with and cause problems for other plugins. Use them with extreme caution, keep a backup of your site, and rely on the scanning services that I wrote about.

WP Lead Developer's Views

Nacin is a lead WordPress developer, and he has expressed his views bluntly on a Trac ticket related to this issue. I'm just going to quote a part of what he said:

With publicly accessible web application software, there is no way to prevent version detection. The readme and generator versions are just the fairly cheap ways to do it. My favorite is looking at publicly accessible CSS and JS files, but there are many others. Script kiddies blindly attack sites. They don't sniff version numbers first. Even if they did, this means they're looking for core vulnerabilities. (Of which there are few, and anything of note requires a user account these days, at a minimum.) So, you're either running an out of date version — don't hide the version number, *update* — or you're running the latest (at which point, that's on us, and no suppressing that version is going to help you).

Moreover, Konstantin (WP Dev at Automattic) wrote "Don't Hide the Fact That You're Using WordPress", whereas his brother Gennady (Security Consultant) wrote "The WordPress Meta "generator" Tag Paranoia". I tend to agree with both of them.

Conclusion

Removing the version number with either code or plugins may protect you from bots, but there are still plenty of ways to find out what version of WordPress you're using. If security is your ultimate goal, then I'd still recommend updating to the latest version instead of relying on hiding that you use WordPress.

What techniques do you use, and has hiding the fact that you use WP ever helped you? Share in the comments below.

Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don't hesitate to leave any questions or comments below, and I'll aim to respond to each of them.

I am a senior Full Stack WordPress Developer, WP Core Contributor, Front-end Fanatic and an accidental writer. I love to write, talk, build, and share everything about WordPress. You can reach out to me at Twitter @MrAhmadAwais.

3 thoughts on "Is Removing the Fact That You Use WordPress Helpful?"
