How to: Hide WordPress version

To secure your blog, it is a good idea to hide the version meta tag that appears between the <head> and </head> HTML tags of your blog. Since WP 2.5, the version is inserted automatically and can’t be removed as easily as before, unless you use this hack!

This hack isn’t hard to do at all. Just open the functions.php file from your theme and add the following line of code:

remove_action('wp_head', 'wp_generator');

In the above code, I used remove_action to unhook the wp_generator() function, which prints out the WP version. Since that function will no longer be executed, the WordPress version will not be visible in your source code, and potential hackers will never know which version you are using.
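To confirm the change on your own blog, the following added example (not code from the original post) checks a page's <head> and a feed for a generator string that carries a version number. It covers feeds too, since the responses below point out that the version also appears there. The sample markup, the version 2.6.5 and all function names are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

VERSION = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 2.6.5

class GeneratorMeta(HTMLParser):
    """Collect the content attribute of every <meta name="generator">."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.values.append(attrs.get("content") or "")

def html_generators(html):
    parser = GeneratorMeta()
    parser.feed(html)
    return parser.values

def feed_generators(xml_text):
    """RSS 2.0 puts the version in the element text, Atom in uri/version attributes."""
    # Parse only your own site's feed here; ElementTree is not hardened against hostile XML.
    values = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "generator":  # ignore any XML namespace
            parts = [el.text, el.get("uri"), el.get("version")]
            values.append(" ".join(p.strip() for p in parts if p and p.strip()))
    return values

def audit(html, feed_xml):
    """Return the version numbers still disclosed, keyed by 'head' and 'feed'."""
    found = {"head": html_generators(html), "feed": feed_generators(feed_xml)}
    return {where: VERSION.findall(" ".join(vals)) for where, vals in found.items()}

# Constructed samples (not captured from a real site).
HEAD_DEFAULT = '<html><head><meta name="generator" content="WordPress 2.6.5" /></head></html>'
HEAD_CLEAN = "<html><head><title>My blog</title></head><body></body></html>"
RSS_DEFAULT = ('<rss version="2.0"><channel><title>My blog</title>'
               "<generator>http://wordpress.org/?v=2.6.5</generator></channel></rss>")
RSS_CLEAN = '<rss version="2.0"><channel><title>My blog</title></channel></rss>'

if __name__ == "__main__":
    print("no hooks:          ", audit(HEAD_DEFAULT, RSS_DEFAULT))
    print("remove_action only:", audit(HEAD_CLEAN, RSS_DEFAULT))
    print("the_generator hook:", audit(HEAD_CLEAN, RSS_CLEAN))
```

An empty list under both keys means neither the page head nor the feed still announces a version through a generator tag.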


19 Responses

Nov 29 2008 11:46

Hm… I don’t see anything inserted automatically on my blog; I have a regular meta tag in the theme with the version code edited out.

Nov 29 2008 16:28

This is a bad tip; the version of WordPress also stays in all feeds. Use the plugin Secure WordPress or use the hook: add_filter( 'the_generator', function ( $a ) { return null; } );

Nov 29 2008 18:32

Thanks for the hook, Frank. Didn’t know about it before.

Nov 29 2008 18:52

Welcome!

Dec 01 2008 19:12

Thanks.

Dec 03 2008 16:03

It’s a nice trick

Couldn’t you just remove the tag in the head of your theme’s header.php??

That always worked for me.. But I guess it never hurts to try new things.

Dec 05 2008 14:00

Another good security tweak :)

Dec 06 2008 12:05

@Brad Blogging.com
No, you can’t simply do that. The version is automatically generated. In older versions of WP, you could, but not in the last few versions.

Either way, I don’t really consider this very helpful in terms of the security of your site.

Dec 06 2008 13:47

@Justin Tadlock: It can be useful if you’re running an old version of WP. But instead of applying that code, you should definitely upgrade, that’s a sure thing!

Dec 12 2008 06:05

Perhaps you don’t want savvy source code readers to know for-a-confirmed-fact that you use WP whatsoever. Besides, WP is NOT the true generator of your content anyway: you are. Thus another trick can be to change it, put in your header meta name="generator" content="bloginfo('name') something like that.

Use the hack offered by Frank above, because it removes Generator=Wordpress metaname from your Feeds also!

Dec 31 2008 07:43

Yeah, I removed mine once I heard of how big of a security threat it was. Definitely recommended for all WordPress users.

Jan 10 2009 13:58

Thanks

Does the RSS feed page not hide the WordPress version?

Dec 15 2009 13:39

The hook that Frank offered removes some important code in the header anyway, like the reply function. I could not use the reply link in comments until I realized that it had been removed. To be on the safe side, I think that we should remove, one by one, the code we know rather than all of the_generator.

Do you know how to remove WP version in feeds?

Dec 15 2009 20:37

Thanks, I tried to manually delete the WP version, but it doesn’t work. I don’t know why WordPress displays this in the meta. I heard that some bots check the WP version to find old versions of the script and try to hack it.
