This entry is part 8 of 15 in the series Security September Series

Securing WordPress may sound like a topic that is fairly well covered across the web, but is that really the case? Here’s what I mean: I’ve scrolled through multiple articles featuring tips to secure websites, but I have rarely found anyone emphasizing simple measures like removing the WordPress version number.

That in no way lessens the importance of the other security measures I’ve shared so far, like protecting the admin area, the login page, and other web components.

In this post, you are going to find out how to remove the WordPress version number from the source code of a website.

Why is the WordPress Version a Security Loophole?

For the past 10 years or so, hundreds of thousands of people have relied on WordPress to power their websites. Managing a huge user base, which now reaches 26% of the global web, is in itself a difficult task. For this purpose, websites are tracked through a footprint which appears as the version number in every WordPress-driven website.

What happens is that a security breach is disclosed right after it has been patched by the core team. That’s when you get minor security updates like WP 4.6.1, the one we just got the other day. With each such disclosure, any WP install that is not up to date becomes vulnerable.

Now, hackers, after reading about the security vulnerability, start finding ways to exploit it. Once they have an exploit ready, they run automated scrapers to collect all the WordPress-based sites which are not yet up to date.

Most commonly, they do it by looking for the WordPress version of a WP site, which by default is publicly viewable. Once the hackers have the set of sites using old versions of WP, they start testing their exploits against those sites.

So, there you have it. Hiding the WP version doesn’t mean that your site is secure, but it does mean that you might save yourself from an automated scraper in case you are late in updating WP to the latest version.

That is why, instead of recommending that you remove the WP version, I’d suggest you keep your site up to date; but if you do want to go ahead and remove the WP version, there’s no harm in doing that.

Also, tools like ManageWP Orion are fantastic at updating and managing your WordPress sites.

I think removing the WP version makes sense because an essential component of site security is not giving out unnecessary information. Hiding your version may not be the ultimate safety measure against potential threats, but staying vigilant at all times, leaving no weak link, is a practical approach to follow.

Hiding the WordPress Version

There are multiple ways to get rid of the WordPress version number, but removing it from all parts of the website is the most important thing to do. Currently, this information can be found in the following locations:

  • The <head> section
  • At the end of Scripts
  • In the readme files
  • In the RSS Feed

WP generates the version number in the header, which looks something like this:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

To remove this one, add the following code to your theme’s functions.php file.


/**
 * Remove WP Version.
 *
 * @since 1.0.0
 */
if ( ! function_exists( 'aa_remove_wp_version' ) ) {
	// Hook into the_generator so every generator output (head meta tag, feeds) goes through our callback.
	add_filter( 'the_generator', 'aa_remove_wp_version' );

	/**
	 * aa_remove_wp_version function.
	 *
	 * Remove the WP version by returning an empty string.
	 *
	 * @return string Empty string, so no generator tag is printed.
	 * @since  1.0.0
	 */
	function aa_remove_wp_version() {
		return '';
	}
}

You can star this public gist if you are into this kinda thing.

This would remove the WP Version from all the different areas of WP.

Here, I have created a function named aa_remove_wp_version() which completely removes the version number by returning an empty string instead of the real version.

Toying around with code may not be the best deal for beginners. You can instead remove the WP version via a plugin like this one, which essentially does the same thing: it adds this function.
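The the_generator filter above covers the head meta tag and the feeds, but the second location in the list, the `?ver=` query string appended to enqueued scripts and styles, needs its own filter. The following is an added example for functions.php, not code from the original post; it assumes the post’s `aa_` prefix and uses the core `script_loader_src` and `style_loader_src` filters.

```php
<?php
/**
 * Strip the core WordPress version from enqueued script and style URLs.
 *
 * Added example (not from the original post). When a script or style is
 * enqueued without its own version, WordPress appends the core version as
 * `?ver=4.6.1`, which leaks the same information as the generator tag.
 */
if ( ! function_exists( 'aa_remove_asset_version' ) ) {
	/**
	 * Remove the `ver` query argument only when it equals the core version.
	 *
	 * Plugins and themes pass their own versions for cache busting, so those
	 * are left untouched; only the value that reveals the WP version is dropped.
	 *
	 * @param string $src Asset URL as generated by WordPress.
	 * @return string Asset URL without the core version string.
	 */
	function aa_remove_asset_version( $src ) {
		global $wp_version;

		$query = wp_parse_url( $src, PHP_URL_QUERY );
		if ( empty( $query ) ) {
			return $src; // No query string, nothing to strip.
		}

		parse_str( $query, $args );
		if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
			$src = remove_query_arg( 'ver', $src );
		}

		return $src;
	}

	// Priority 15 so this runs after the default handlers that build the URL.
	add_filter( 'script_loader_src', 'aa_remove_asset_version', 15 );
	add_filter( 'style_loader_src', 'aa_remove_asset_version', 15 );
}
```

The third location, readme.html, is a static file that PHP never sees, so it has to be deleted or blocked at the web server instead.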

Hide My WP


Let me preface what I am about to write next by saying that hiding the version, or the fact that you use WordPress, is not an ideal security solution. If you rely on something like this, you’re hardly safe from a number of attacks.

Anywho, in a few cases I have seen that hiding the fact that you are using WordPress plays to your advantage, or maybe it is something a client asks or forces you to do. In cases like these, you can use a premium plugin called Hide My WP, which is one of the best-selling plugins on CodeCanyon. This plugin exclusively hides the fact that you use WordPress.

Apart from this, the plugin logs bad behavior from IP addresses with malicious intent and emails you about it. Without modifying the actual locations of your files, it hides WordPress by changing the permalinks of paths like wp-admin. It also hides the names of themes, plugins, and files that give hackers information about your WordPress installation (like readme.html or license.txt).

It automatically removes meta information from your head and feed sections. It claims to offer protection against SQL injections by changing the query URLs. It also controls access to your PHP files and changes the default subdirectories of folders that are at potential risk, e.g. wp-content. Overall, the plugin is quite flexible and can easily be integrated with other popular security plugins. Some time back, the Hide My WP plugin was featured at WPLift. You can read its complete review here.

Several prominent plugins offer this functionality as one of their features, but you’d hardly find any renowned plugin serving this sole purpose. To name a few, WP Hide & Security Enhancer and Hide My WordPress are two free plugins which hide WordPress and increase site security by employing certain smart techniques. So, if you cannot afford the premium plugins, you can try out the free ones.

Is This the Best Approach?

This is not the best approach to security. I wrote this article to clear up a lot of myths about how hiding the fact that you use WP, and your WP version, can be an important security measure, since it’s not. You can never really hide that, and hackers can get around stuff like this pretty easily. Also, this kind of plugin can interfere and cause problems with other plugins. Use them with extreme caution. Keep a backup of your site and rely on the scanning services that I wrote about.

WP Lead Developer’s Views

Nacin is a lead WordPress developer, and he has expressed his views bluntly on a Trac ticket related to this issue. I’m just going ahead and quoting a part of what he said:

With publicly accessible web application software, there is no way to prevent version detection. The readme and generator versions are just the fairly cheap ways to do it. My favorite is looking at publicly accessible CSS and JS files, but there are many others. Script kiddies blindly attack sites. They don’t sniff version numbers first. Even if they did, this means they’re looking for core vulnerabilities. (Of which there are few, and anything of note requires a user account these days, at a minimum.) So, you’re either running an out of date version — don’t hide the version number, *update* — or you’re running the latest (at which point, that’s on us, and no suppressing that version is going to help you).

Moreover, Konstantin (WP dev at Automattic) wrote about Don’t Hide the Fact That You’re Using WordPress, whereas his brother, Gennady (security consultant), wrote about The WordPress Meta “generator” Tag Paranoia. I tend to agree with both of them on this.

Conclusion

Removing the version number with either code or plugins may protect you from bots, but there are still plenty of ways to find out what version of WordPress you’re using. If security is your ultimate goal, then I’d still recommend updating to the latest version instead of relying on hiding that you use WordPress.

What techniques do you use? Has hiding the fact that you use WP ever helped you? Share in the comments below.

Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.


Author:

I am a senior Full Stack WordPress Developer, WP Core Contributor, Front-end Fanatic and an accidental writer. I love to write, talk, build, and share everything about WordPress. You can reach out to me at Twitter @MrAhmadAwais.


3 Comments

  1. Two things:

    1) Has it ever helped? I think that’s hard to say. So, perhaps the better question is: Does it hurt to do this stuff? That answer is: It doesn’t hurt, as long as you don’t presume this will keep you safe from all other possibilities :)

    2) Mind you, this needs to revisit / refactoring but some may find this useful.

    https://github.com/WPezClasses/class-wp-ezclasses-theme-head-cleanup-1

  2. Hello!

    I’m using this plugin to hide my WordPress: https://codecanyon.net/item/swift-security-hide-wordpress/11286482 So, I don’t know if it’s very effective, but since I’ve used it, no more brute force attacks or others!

  3. This article could answer my question about WordPress, thanks.
