WordPress Security: Remove WordPress version

Version numbers, regardless of whether they refer to WordPress, plugins or themes, signal which version is currently used in a given system. The number itself doesn't make your website vulnerable, but it makes it easy for bots and hackers to find out whether you have old code with security issues installed, and if you do, you're most likely in trouble.

Why should versions be removed?

Version numbers, regardless of whether they refer to WordPress, plugins or themes, signal which version is implemented in a given system. While that doesn’t mean anything to 99% of people, it might be very valuable information to some in the remaining 1%: it can be used to find websites running old versions of WordPress, plugins or themes in which known security risks haven’t been fixed and are therefore ready to be exploited.

It’s important to mention that removing version numbers from your site by no means removes those security risks, so it’s still very important to update regularly and always have the latest version installed. However, removing the version number can make it more difficult for hackers, or anyone else who wants to break into your website, to learn that it is vulnerable in the first place.

How can the WordPress version number be removed?

The version number needs to be removed in 3 steps:

Meta tag

The code of WordPress websites usually contains a meta tag with the version number:

<meta name="generator" content="WordPress 4.5.3" />

To remove this tag, simply add the following code to your functions.php file:

remove_action('wp_head', 'wp_generator');

RSS

The RSS file for the blog/website also contains the version number. To remove it from there, add the following code snippet to your functions.php file:

function ws_remove_rss_wp_version(){
    return '';
}
add_filter('the_generator', 'ws_remove_rss_wp_version');

JavaScript and CSS scripts

Finally, the URLs of JavaScript and CSS files end with the version number, not just of WordPress but also of themes and plugins, in the format “?ver=1.2.3” as an argument to the script URL. To get rid of the version number completely, the following code is commonly used:

function ws_remove_script_wp_version($ret){
    // Strip the "ver" query argument from script and stylesheet URLs
    if (strpos($ret, 'ver=') !== false){
        $ret = remove_query_arg('ver', $ret);
    }
    return $ret;
}
add_filter('style_loader_src', 'ws_remove_script_wp_version', 9999);
add_filter('script_loader_src', 'ws_remove_script_wp_version', 9999);

However, there’s a problem with this code: the version parameter at the end of the URL is actually needed to tell browsers and CDNs that a new version of the file is available. Without it, the URL stays the same after an update, so old cached copies of scripts and stylesheets are not replaced but are used with the new HTML code, which, understandably, can cause problems ranging from minor styling errors to a crash of the whole site.

To avoid that problem, here’s code we’ve worked out that still carries a version number, but in a very different format.

function ws_remove_script_wp_version($ret){
    if (strpos($ret, 'ver=') !== false){
        // Take everything after "ver=" up to the next "&" (or the end of the URL)
        $version = substr($ret, strpos($ret, 'ver=')+4);
        $version .= '&xxx';
        if (strpos($version, '&') !== false){
            $version = substr($version, 0, strpos($version, '&'));
        }
        $e = explode('.', $version);
        $multi = 1;
        // Replace $v with a random number of your own
        $v = 123456789;
        // Replace $x with a number bigger than 20 and smaller than 100
        $x = 34;
        // Add up the version parts from right to left, each weighted by a power of $x
        for ($i = count($e)-1; $i >= 0; $i--){
            if (is_numeric($e[$i])){
                $v += $e[$i] * $multi;
                $multi = $multi*$x;
            }
        }

        // Swap the readable "ver" argument for the encoded "v" argument
        $ret = remove_query_arg('ver', $ret);
        $ret = add_query_arg('v', $v, $ret);
    }
    return $ret;
}
add_filter('style_loader_src', 'ws_remove_script_wp_version', 9999);
add_filter('script_loader_src', 'ws_remove_script_wp_version', 9999);

This code takes the existing version number and creates a unique number based on it using a multiplier $x and a base number $v (please change both when you use the code). The result is a unique URL that changes once a new version gets installed but still makes it very difficult to find out the version number of the installed WordPress version.
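A variant of the same idea, as an added example that is not part of the original article: instead of the arithmetic with $v and $x, the replacement value is a keyed hash (HMAC) of the version string, so it still changes with every update but has no arithmetic relationship to the version. The ws_hmac_* function names and the WS_ASSET_KEY constant are assumptions made for this example; when the constant is not defined, WordPress's wp_salt() supplies the key.

```php
<?php
// Added example, not the article's code. The ws_hmac_* names and the
// WS_ASSET_KEY constant are assumptions made for this illustration.

// Per-site secret used to key the token.
function ws_hmac_key() {
    if (defined('WS_ASSET_KEY')) {
        return WS_ASSET_KEY;            // e.g. defined in wp-config.php
    }
    if (function_exists('wp_salt')) {
        return wp_salt('auth');         // WordPress per-site salt
    }
    return 'constructed-demo-key';      // stand-alone demo only
}

// Map a version string to a short opaque token that changes whenever it does.
function ws_hmac_version_token($version, $key) {
    return substr(hash_hmac('sha256', (string) $version, $key), 0, 12);
}

// Replace ?ver=1.2.3 in an asset URL with ?v=<token>.
function ws_hmac_rewrite_src($src) {
    $query = parse_url($src, PHP_URL_QUERY);
    if (!is_string($query)) {
        return $src;                    // no query string
    }
    parse_str($query, $args);
    if (!isset($args['ver']) || !is_scalar($args['ver'])) {
        return $src;                    // no version argument to hide
    }
    $token = ws_hmac_version_token($args['ver'], ws_hmac_key());
    if (function_exists('remove_query_arg')) {
        return add_query_arg('v', $token, remove_query_arg('ver', $src));
    }
    // Fallback so the function can be tried outside WordPress.
    unset($args['ver']);
    $args['v'] = $token;
    return strtok($src, '?') . '?' . http_build_query($args);
}

if (function_exists('add_filter')) {    // only when loaded by WordPress
    add_filter('style_loader_src', 'ws_hmac_rewrite_src', 9999);
    add_filter('script_loader_src', 'ws_hmac_rewrite_src', 9999);
} else {
    // Constructed sample URL for a stand-alone run.
    echo ws_hmac_rewrite_src('/wp-content/themes/demo/style.css?ver=1.2.3'), PHP_EOL;
}
```

Use this in place of the ws_remove_script_wp_version filter, not alongside it: both are registered at priority 9999, and whichever runs first strips the ver argument before the other sees it. Leave out the opening `<?php` line when pasting into an existing functions.php.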

Plugins and themes

A quick note at the end regarding plugins and themes. Some themes and plugins also display their version number in meta tags like the one shown above. It’s advisable to get rid of those as well and make sure the version number of themes and plugins isn’t visible in the code at all.
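To confirm on your own site that nothing is left over, the rendered HTML and the feed can be checked for the three places covered in this article. The following is an added example, not code from the original article; the ws_audit_version_leaks name and the sample markup are constructed for illustration.

```php
<?php
// Added example, not the article's code. The function name and the sample
// markup below are constructed for illustration.

// List every place where page HTML or feed XML still reveals a version.
function ws_audit_version_leaks($markup) {
    $patterns = array(
        // <meta name="generator" content="..."> from WordPress, themes or plugins
        'meta generator tag'     => '/<meta[^>]+name=["\']generator["\'][^>]*>/i',
        // <generator>...</generator> element in the RSS feed
        'feed generator element' => '/<generator\b[^>]*>.*?<\/generator>/is',
        // ?ver=1.2.3, &ver=1.2.3 and the HTML-escaped &amp;ver= / &#038;ver=
        'ver= query argument'    => '/[?&;]ver=[0-9][0-9A-Za-z.\-]*/',
    );
    $leaks = array();
    foreach ($patterns as $type => $regex) {
        if (preg_match_all($regex, $markup, $m)) {
            foreach (array_unique($m[0]) as $found) {
                $leaks[] = array('type' => $type, 'found' => $found);
            }
        }
    }
    return $leaks;
}

// Constructed sample: one leftover of each kind, plus one already-rewritten
// script URL (?v=...) that must not be reported.
$sample = <<<'HTML'
<meta name="generator" content="WordPress 4.5.3" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=1.2.3" />
<script src="/wp-includes/js/demo.js?v=9f2c41a07b3e"></script>
<generator>https://wordpress.org/?v=4.5.3</generator>
HTML;

foreach (ws_audit_version_leaks($sample) as $leak) {
    echo $leak['type'], ': ', $leak['found'], PHP_EOL;
}
```

In practice, replace $sample with the saved source of a page and of the site's feed; an empty result means none of the three patterns is present.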

 

About the Author

Wolfgang Geiger

Hi, I'm Wolfgang, the founder, director and developer behind Wohok Solutions. Passionate about web development from an early age, I have built websites for more than half of my life. I have degrees in both Computing and Business Management and I am fluent in German, English and Mandarin. Based in Hong Kong, I help companies in the city and around the world to improve their business through technology.
