A default WordPress configuration makes its version number publicly visible in your site’s source code. While this may seem like a minor detail, it is actually valuable information for potential attackers.
In this comprehensive guide, we will show you why you should hide your WordPress version, how to do it step-by-step with code or plugins, and also explain the limitations of this method.
The Main Threat: How Attackers Exploit the Version Number
Revealing your WordPress version number is asking for trouble. Hiding it operates on the principle of “security through obscurity,” which is not sufficient protection on its own but serves as an important layer of defense.
The main threat is that hackers use automated bots to scan thousands of websites for specific, outdated WordPress versions that have known security vulnerabilities.
Example of an attack: Let’s say WordPress version 5.7.1 had a critical security flaw that was fixed in version 5.7.2. An attacker could:
- Use a script to find all sites that declare version `5.7.1` in their source code.
- Launch an automated attack that exploits this specific vulnerability on all found sites.
By hiding your version number, your site will not appear on such a list, significantly reducing the risk of a massive, automated attack.
Where Does WordPress Reveal Its Version?
Before we get to the solutions, let’s identify where this information appears:
- `generator` meta tag: In the `<head>` section of your site, there is a line similar to this: `<meta name="generator" content="WordPress 6.5.5" />`
- `ver=x.x.x` parameters: A version parameter is appended to the end of links to CSS and JavaScript files, e.g., `style.css?ver=6.5.5`.
- RSS Feeds: The `feed` files can also contain information about the generator version.
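To check your own pages for the three disclosure points listed above, the following added example (not code from the original article) scans saved HTML and feed output and reports each one. The function names, the `example.test` URLs and the sample page and feed are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class _HeadScanner(HTMLParser):
    """Collects generator meta tags and script/stylesheet URLs from a page."""
    def __init__(self):
        super().__init__()
        self.generators, self.assets = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        elif tag == "script" and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.assets.append(a["href"])

def audit_html(html):
    """Return (kind, value) pairs for each version disclosure found in a page."""
    scanner = _HeadScanner()
    scanner.feed(html)
    findings = [("generator-meta", g) for g in scanner.generators]
    for url in scanner.assets:
        # A ver value may be the core version or a bundled library's version.
        for ver in parse_qs(urlsplit(url).query).get("ver", []):
            findings.append(("ver-param", f"{urlsplit(url).path} -> {ver}"))
    return findings

def audit_feed(xml):
    """Return the contents of any non-empty <generator> element in a feed."""
    found = re.findall(r"<generator[^>]*>(.*?)</generator>", xml, re.I | re.S)
    return [("feed-generator", g.strip()) for g in found if g.strip()]

# Constructed samples: the same page before and after hiding the version.
BEFORE_HTML = """<head>
<meta name="generator" content="WordPress 6.5.5" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/child/style.css?ver=6.5.5" />
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head>"""
AFTER_HTML = BEFORE_HTML.replace('<meta name="generator" content="WordPress 6.5.5" />\n', "") \
    .replace("?ver=6.5.5", "").replace("?ver=3.7.1", "")
BEFORE_FEED = "<channel><generator>https://wordpress.org/?v=6.5.5</generator></channel>"

if __name__ == "__main__":
    for kind, value in audit_html(BEFORE_HTML) + audit_feed(BEFORE_FEED):
        print(f"{kind:15} {value}")
    print("after hardening:", audit_html(AFTER_HTML) or "no disclosures")
```

Run it against a freshly fetched copy of your page and feed, so that a cached response does not mask the result.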
Method 1: Modify the functions.php File (Recommended)
This is the cleanest and most efficient method as it does not require installing an additional plugin. It involves adding a few lines of code to your theme’s functions.php file.
Warning: Edit the functions.php File Safely!
- Use a Child Theme: Changes made directly to the main theme’s `functions.php` file will be overwritten and lost during its update. Always work with a child theme.
- Make a backup: Before making any changes, create a backup of the file.
- Errors can break your site: Even a minor syntax error (e.g., a missing semicolon) can cause the “white screen of death.”
Step-by-Step: How to Add the Code?
- Go to your WordPress admin panel.
- Select `Appearance` > `Theme File Editor` from the menu.
- On the right side, in the “Theme Files” section, find and click `functions.php` (Theme Functions).
- Scroll to the very bottom of the file and paste the code below.
- Click “Update File.”
Complete Code for functions.php
```php
/**
 * Hides the WordPress version to increase security.
 *
 * This collective function performs three tasks:
 * 1. Removes the 'generator' meta tag from the <head> section.
 * 2. Removes version information from RSS feeds.
 * 3. Removes the '?ver=' parameter from script (JS) and style (CSS) URLs.
 */
function uper_remove_wordpress_version() {
    // Remove generator meta tag
    remove_action('wp_head', 'wp_generator');

    // Remove version from RSS
    add_filter('the_generator', '__return_empty_string');

    // Remove version from CSS and JS
    // This callback function will be used for both filters
    $remove_version_callback = function($src) {
        // strpos() returns false when 'ver=' is absent, so compare strictly
        if (strpos($src, 'ver=') !== false) {
            $src = remove_query_arg('ver', $src);
        }
        return $src;
    };
    add_filter('style_loader_src', $remove_version_callback);
    add_filter('script_loader_src', $remove_version_callback);
}
add_action('after_setup_theme', 'uper_remove_wordpress_version');
```
Note that all the code has been wrapped in a single function that is triggered by the after_setup_theme hook, which is a good practice.
Method 2: Use Security Plugins (for Beginners)
If you are not comfortable editing code, you can use plugins that will do the job for you. This is also a good solution as they offer comprehensive security features.
- WP Hide & Security Enhancer: This is a plugin specialized in hiding various default WordPress paths and information.
- Wordfence Security: One of the most popular all-in-one security suites. Although its main focus is a firewall and malware scanner, the “Hardening” options often include a feature to hide the version.
- Sucuri Security: Another popular plugin that, in its “Hardening” section, allows you to disable the display of the WordPress version with a single click.
The advantage of using a comprehensive plugin is that hiding the version is just one of many protective features you get.
Limitations of the Method: What Hiding the Version Will NOT Provide
You must be aware that “security through obscurity” has its limits. A determined hacker can still try to guess your WordPress version, for example, by:
- Analyzing JavaScript files, or their contents, that are unique to a specific version.
- Checking for changes in the HTML structure that are characteristic of specific releases.
- Analyzing the `readme.html` file in the root directory, if it has not been removed.
Hiding the version effectively protects against mass, automated attacks, but it is not a substitute for a solid security strategy.
Summary: Updates Are Your Absolute Priority
Hiding your WordPress version is a smart and simple step that makes life harder for amateurs and automated bots. However, remember that no hiding technique can replace the most important security rule: regular updates.
Always keep the WordPress core, plugins, and themes on the latest, stable versions. It is the updates that contain fixes for critical security vulnerabilities.
Frequently Asked Questions
Will hiding the WordPress version affect the functionality of my site?
No, the methods presented are safe and should not affect your site's functionality. They only remove metadata that is not needed for the site to render correctly. In rare cases, some poorly written plugins might rely on the `ver` parameter, but this is very unlikely.
Is this enough to make my site 100% secure?
Absolutely not. This is just one of many steps in the process of securing a site (so-called "hardening"). The key elements are regular updates, using strong passwords, limiting login attempts, having a firewall, and regular malware scanning.
After adding the code, the version is still visible. Why?
The most common reason is caching. Clear your site's cache (e.g., with a plugin like WP Super Cache or W3 Total Cache), the server-level cache (if any), and your browser cache. As a last resort, check whether the code has been overwritten by another plugin and whether it was added correctly.



