Knowing your WordPress version number, I can list all the known vulnerabilities in it. So can a hacker. Needless to say, hacking you becomes much easier for someone who knows what you are vulnerable to.

Further, lists that map each WordPress version number to its known vulnerabilities are easily available online. Hence, WordPress security best practices always include hiding the WordPress version number, and you should do the same. You will be surprised to know how small precautions like hiding the WordPress version number can enhance your WordPress security.

In this post, we will provide practical solutions that you can easily apply to hide the WordPress version number. But before that let’s find out how displaying your WordPress version number leaves your site vulnerable.

The Risk in Displaying the WordPress Version Number

All security experts advise against revealing sensitive information to the public. But does the WordPress version number count as sensitive information? Well, it does. The WordPress version number might not be as sensitive as user details or your login credentials, but it still reveals enough information to leave your website vulnerable.

Displaying the WordPress version number publicly could make you an easy victim of version-targeted attacks. If you diligently update your website, showing the version number brings no consequence for you. However, if you are using an outdated WordPress version, then displaying it might not be a very prudent idea. Hackers exploit known vulnerabilities in specific versions to enter your website.

How Does a Hacker Look Up Your Version Number?

If you have not yet hidden your version number, anyone can fetch it via the RSS feed, the WordPress readme file, the page source, etc. I discuss each of them in more detail below.

By viewing your site’s page source

You may not know this, but anyone can look up your WordPress version number by viewing your site’s page source.

By default, WordPress executes the wp_generator() function whenever the wp_head() hook is called. After processing your page, the wp_generator() function discloses the version like this:

<meta name="generator" content="WordPress 2.8.1" />

By fetching your RSS feed

Another way a hacker can see your version number is by fetching your RSS feed. Anyone can request https://www.yourwebsite.com/feed/ and read the version number from the response.

By searching your readme file

Hackers can also scan your WordPress readme.html file to get the WordPress version number. Fetching the readme file is similar to fetching the feed, as discussed above. Request https://www.yourwebsite.com/readme.html, and the browser will return the file if the site is vulnerable.

Hiding WordPress Version Number with a Click

The WP-Hardening plugin makes hiding the WordPress version number even simpler. With WP-Hardening, you can hide your version number with a single click.

Here’s how it works:

  1. Install the WP-Hardening plugin.
  2. Activate it.
  3. Now, navigate to the ‘Security Fixers’ tab.
  4. Toggle the switch next to “Hide version number” and you are done.

In addition to hiding the version number, you can harden several other WordPress security areas with the toggle of a button. It provides a hassle-free method to enhance your WordPress security.

How to Hide WordPress Version Number Manually?

We use the “security through obscurity” mechanism to remove the potential vulnerability. You can hide your WordPress version number in the following ways:

By editing Generator Meta Tag

If you are confident in your coding skills, you can remove the WordPress version number manually from the generator meta tag:

  1. Go to the WordPress themes directory. It can be found in /wp-content/themes/
  2. Add the following line of code at the bottom of the active WordPress theme’s functions.php file.
    // Stop WordPress from printing the generator meta tag in the page head.
    remove_action('wp_head', 'wp_generator');

By using version removal function

  1. Go to the WordPress themes directory. It can be found in /wp-content/themes/
  2. Add the code below at the bottom of the active WordPress theme’s functions.php file.
    // Return an empty string wherever WordPress would output its generator tag.
    function remove_version_info() {
        return '';
    }
    add_filter('the_generator', 'remove_version_info');

Note: Do not make changes to any file if you are not completely sure about its function and utility.

If you have questions regarding this, let us know in the comment box. We’ll be happy to answer.
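To confirm what each manual fix actually hides, the check below looks for the version in the three places listed earlier. It is an added example, not code from the original post or from WordPress. The function name `find_version_leaks`, the sample responses, the readme wording and the "readme removed" step are assumptions constructed for illustration.

```python
import re

# The three disclosure points the article lists, as regexes over response bodies.
CHECKS = {
    "page source": re.compile(
        r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+(\d+(?:\.\d+)*)', re.I),
    "rss feed": re.compile(
        r'<generator>\s*https?://wordpress\.org/\?v=(\d+(?:\.\d+)*)', re.I),
    # Assumed readme wording ("Version x.y.z"); adjust to what your copy contains.
    "readme.html": re.compile(r'\bVersion\s+(\d+(?:\.\d+)+)', re.I),
}

def find_version_leaks(bodies):
    """bodies maps a source name to its response text (None = not served).
    Returns {source: version} for every place the version is still visible."""
    leaks = {}
    for source, pattern in CHECKS.items():
        match = pattern.search(bodies.get(source) or "")
        if match:
            leaks[source] = match.group(1)
    return leaks

# Constructed sample responses (not captured from a real site).
META = '<head><meta name="generator" content="WordPress 2.8.1" /></head>'
FEED = '<rss><channel><generator>http://wordpress.org/?v=2.8.1</generator></channel></rss>'
README = '<h1>WordPress<br /> Version 2.8.1</h1>'
CLEAN_HEAD = "<head></head>"
CLEAN_FEED = "<rss><channel></channel></rss>"

SCENARIOS = {
    "default install": {"page source": META, "rss feed": FEED, "readme.html": README},
    # remove_action('wp_head', ...) only unhooks the tag from the page head.
    "remove_action only": {"page source": CLEAN_HEAD, "rss feed": FEED, "readme.html": README},
    # The 'the_generator' filter empties the tag in the head and in the feed;
    # readme.html is a static file, so PHP in functions.php cannot change it.
    "the_generator filter": {"page source": CLEAN_HEAD, "rss feed": CLEAN_FEED,
                             "readme.html": README},
    # Assumed extra step: readme.html deleted or blocked by the web server.
    "filter + readme removed": {"page source": CLEAN_HEAD, "rss feed": CLEAN_FEED,
                                "readme.html": None},
}

if __name__ == "__main__":
    for name, bodies in SCENARIOS.items():
        print(f"{name}: {find_version_leaks(bodies) or 'no version disclosed'}")
```

To audit your own site, pass the saved bodies of your home page, /feed/ and /readme.html to `find_version_leaks` in place of the samples.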

About The Author

Aakanchha Keshri

Aakanchha is a tech & cybersecurity enthusiast. She is an active reader and writer of the cybersecurity genre.
