How to Remove the WordPress Version Number

One of the most commonly seen security tips around the WordPress-o-Sphere has got to be this:

Don’t display your WordPress version number publicly
Many WordPress developers often display the WordPress version in the source code. But having this information publicly available makes it easy for attackers to exploit known vulnerabilities on a particular WordPress version.

This sort of thinking is referred to as “security through obscurity,” and may or may not be an effective way to increase the overall security of your site.

By default, WordPress executes the wp_generator() function whenever the wp_head() hook is called. Typically, this hook is located in your theme’s header.php file within the <head> section of the document markup:

[ Screenshot: wp_head() Hook ]
The wp_head() hook as seen via the header.php file

Then, after WordPress processes your web page, the wp_generator() function outputs the following code (depending on page view) to your browser:

<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://digwp.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://digwp.com/wp-includes/wlwmanifest.xml" />
<link rel='index' title='Digging into WordPress' href='http://digwp.com/' />
<meta name="generator" content="WordPress 2.8.1" />

Notice that last line there? There are many posts on WordPress security that point out how specifying your version number is a security risk. Whether or not this is the case is certainly debatable, but the thinking is that you should avoid revealing this sensitive information in order to prevent attacks targeting specific versions of WordPress.

Now for the fun part. Assuming that sharing your version information is bad, how to go about removing the information? Well, that depends on how savvy you are with WordPress. Here are several methods to prevent WordPress from displaying your version-specific number, ranked in order from the absolute worst way to the absolute right way. That is, until someone shows us how to do it in less than 41 characters ;)

The absolute worst way to remove the WordPress version number

I have seen recent posts where the author actually recommends deleting the wp_head() hook! Here is an example:

Study what things this function outputs for you, and just hardcode them into your theme files since these values will unlikely change.

While there are indeed valid reasons for removing this important WordPress hook, removing the version number from your source code is not one of them.

A pretty good way to remove the WordPress version number

Much better than simply deleting the wp_head() hook, this method serves us well by placing the version-removal function in the theme’s functions.php file, where it belongs. By returning an empty string for the_generator function, this function removes the version information by preventing output of its <meta> tag:

// Callback for the 'the_generator' filter: returning an empty string
// means the_generator() has nothing to print, so no <meta> tag is output.
function remove_version_info() {
    return '';
}
add_filter('the_generator', 'remove_version_info');

This method has the added bonus of removing the version information from not only your blog pages, but from your feeds as well.

The right way to remove the WordPress version number

Going a step beyond the previous method, this technique gets the job done quite elegantly, with a mere 41 characters of code:

remove_action('wp_head', 'wp_generator');

Just place that single line into your theme’s functions.php and enjoy a small taste of “security through obscurity”. :)
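As an added example (not code from the original post), here is a drop-in for functions.php or an mu-plugin that combines both working methods above and, going one step further than the post, also strips the core version from the "?ver=" query string WordPress appends to its own scripts and styles. The function name dwp_strip_core_version_from_asset is an assumption; the WordPress hooks and helpers used are real.

```php
<?php
/**
 * Added example, not from the original post: hide the WordPress version in the
 * places the post discusses (the <meta name="generator"> tag printed by wp_head
 * and the <generator> element in feeds) and in the "?ver=X.Y.Z" query string that
 * WordPress adds to its own enqueued scripts and styles.
 */

// 1. The post's "right way": stop wp_head from calling wp_generator() at all.
remove_action( 'wp_head', 'wp_generator' );

// 2. The post's "pretty good way", generalised: 'the_generator' is applied for
//    every output type (html, xhtml, atom, rss2, rdf, comment, export), so an
//    empty string also blanks the <generator> element in feeds.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Strip the "ver" query argument from a script/style URL when it equals the
 * running WordPress version. Assets carrying their own version string are left
 * alone so browser cache-busting keeps working for them.
 *
 * @param string $src Asset URL handed over by WordPress.
 * @return string URL without the version-revealing query argument.
 */
function dwp_strip_core_version_from_asset( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        return remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'dwp_strip_core_version_from_asset' );
add_filter( 'style_loader_src', 'dwp_strip_core_version_from_asset' );
```

After activating it, view the page source and the RSS feed once more to confirm that neither a generator tag nor a "?ver=" matching your WordPress version remains.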

Article Source: digwp.com

  1. using
remove_action('wp_head', 'wp_generator');

    is easy, but does it affect anything else in my blog?

    Thanks

      • malarvizhik
      • August 24th, 2010

      No, it won’t affect any of the blog functionalities.

  2. Great article and information!
    Thank you for this!
    All The Best!

    • kathir
    • October 9th, 2010

    Hi, how do I create a drop-down menu in WordPress?

  3. I want to express my thanks to the writer for rescuing me from such an incident. As a result of researching through the online world and seeing strategies which are not powerful, I thought my life was well over. Existing devoid of the answers to the issues you have solved through your main short post is a critical case, as well as those which might have negatively damaged my entire career if I had not discovered your web site. Your actual know-how and kindness in controlling almost everything was excellent. I don’t know what I would have done if I had not encountered such a subject like this. I can also at this moment look forward to my future. Thanks very much for this impressive and result-oriented help. I won’t hesitate to endorse your web sites to anybody who wants and needs counselling on this issue.

  4. WordPress.com is not a version of WordPress as much as it is a hosting service for WordPress blogs run on WordPress MU. WordPress.org is the software version of WordPress that people can download and install on their own hosting providers for their sites. That means that your wordpress.com blog requires the CSS upgrade to do what you want, and your self-hosted version of WordPress is completely free to do whatever you want as it is not constrained by anything.
