In order to secure your blog, is it a good thing to hide the meta version appearing within the <head> and </head> html tag of your blog. Since WP 2.5, the version is inserted automatically, and can’t be removed as easily at before. Except if you use that hack !
This hack isn’t hard to do at all. Just open the functions.php file from your theme and add the following line of code:
remove_action('wp_head', 'wp_generator');
On the above code, I just used the remove_action to remove the wp_generator() function, which prints out WP version. As that function will now not be executed, the WordPress version will not be visible from your source code, and potential hackers will never know which version you are using.
On Twitter : RT @chaplum In love with a cat person? This could be the perfect gift: http://bit.ly/apQwQO Save a life for valentines day!(via @Chaoskater)
19 Responses
Hm… I don’t see anything inserted automatically at my blog, I have regular meta tag in theme with version code edited out.
This is a bad tipp, the version of WordPress stay also in all feeds. Use the Plugin Secure WordPress or use the hook:
add_filter( 'the_generator', create_function('$a', "return null;") );Thanks for the hook, Frank. Didn’t know about it before.
Welcome!
Thanks.
It’s a nice trick
Couldn’t you just remove the tag in the head of your theme’s header.php??
That always worked for me.. But I guess it never hurts to try new things.
Another good security tweak
@Brad Blogging.com
No, you can’t simply do that. The version is automatically generated. In older versions of WP, you could but not the last few versions.
Either way, I don’t really consider this very helpful in terms of the security of your site.
@Justin Tadlock: It can be useful if you’re running a old version of WP. But instead of applying that code, you should definitely upgrade, that’s a sure thing!
Perhaps you don’t want savvy sourcecode readers to know for-a-confirmed-fact that you use WP whatsoever. Besides, WP is NOT the true generator of your content anyway: you are. Thus another trick can be to change it, put in your header meta name=”generator” content=”bloginfo(‘name’) something like that.
Use the hack offered by Frank above, because it removes Generator=Wordpress metaname from your Feeds also!
Yeah, I removed mine once I heard of how big of a security threat it was. Definitely recommended for all WordPress users.
Thanks
rss feed page not hide wordPress version ?
The hook that Frank offered removes some important codes in header anyway, like reply function. I cannot use reply link in comments until I realized that it was removed. For the safe of it, I think that we should remove one by one code we knew than all the_generator.
Do you know how to remove WP version in feeds?
Thanks, i tried manualy delete wp version, but it doesn’t work. I don’t know for what wordpress display this in meta. I heard that some bots check wp version to find old versions of script and try hack it.
Trackbacks: