WordPress Security: Remove WordPress version

Version numbers, regardless of whether they refer to WordPress, plugins or themes, signal which version is currently used in a given system. The number itself doesn't make your website vulnerable, but it makes it easy for bots and hackers to find out whether you have old code with security issues installed - and if you do, you're most likely in trouble.

Why should versions be removed?

Version numbers, regardless of whether they refer to WordPress, plugins or themes, signal which version is implemented in a given system. While that doesn’t mean anything to 99% of people, it might be very valuable information to some in the remaining 1% – it can be used to find websites with old versions of WordPress, plugins or themes where known security risks haven’t been fixed and are therefore still open to exploitation.

It’s important to mention that removing version numbers from your site by no means removes those security risks, so it’s still very important to update regularly and always have the latest version installed. However, removing the version number can make it more difficult for hackers or people who want to break into your website to become aware that your website is vulnerable in the first place.

How can the WordPress version number be removed?

The version number needs to be removed in 3 steps:

Meta tag

The code of WordPress websites usually contains a meta tag with the version number:

<meta name="generator" content="WordPress 4.5.3" />

To remove this tag, simply add the following code to your functions.php script:

remove_action('wp_head', 'wp_generator');

RSS

The RSS file for the blog/website also contains the version number. To remove it from there, add the following code snippet to your functions.php file:

function ws_remove_rss_wp_version(){
    return '';
}
add_filter('the_generator', 'ws_remove_rss_wp_version');

JavaScript and CSS files

Finally, the URLs of JavaScript and CSS files end with the version number, not just of WordPress but also of themes and plugins, in the format “?ver=1.2.3” as an argument to the given script URL. To get rid of the version number completely, the following code is commonly used to work around this problem:

// Strip the "ver" query argument from every enqueued script and stylesheet URL
function ws_remove_script_wp_version($ret){
    if (strpos($ret, 'ver=') !== false){
        $ret = remove_query_arg('ver', $ret);
    }
    return $ret;
}
add_filter('style_loader_src', 'ws_remove_script_wp_version', 9999);
add_filter('script_loader_src', 'ws_remove_script_wp_version', 9999);

However, there’s a problem with this code: the version parameter at the end of the URL is actually needed to tell browsers or CDNs that a new version of the file is available. Without the version number, the URL would stay the same, and old scripts that had been cached from the old version would not be replaced but used with the new HTML code, which, understandably, can cause problems ranging from minor styling errors to a crash of the whole site.

In order to avoid that problem, here’s code we’ve worked out that still has a version number, but in a very different format.

// Replaces the simpler function above; add only one of the two to functions.php
function ws_remove_script_wp_version($ret){
    if (strpos($ret, 'ver=') !== false){
        // Isolate the value of the "ver" argument
        $version = substr($ret, strpos($ret, 'ver=')+4);
        $version .= '&xxx';
        if (strpos($version, '&') !== false){
            $version = substr($version, 0, strpos($version, '&'));
        }
        $e = explode('.', $version);
        $multi = 1;
        // Change $v to a random number
        $v = 123456789;
        // Change $x to a number bigger than 20 and smaller than 100
        $x = 34;
        for ($i = count($e)-1; $i >= 0; $i--){
            if (is_numeric($e[$i])){
                $v += $e[$i] * $multi;
                $multi = $multi*$x;
            }
        }
        
        $ret = remove_query_arg('ver', $ret);
        $ret = add_query_arg('v', $v, $ret);
    }
    return $ret;
}
add_filter('style_loader_src', 'ws_remove_script_wp_version', 9999);
add_filter('script_loader_src', 'ws_remove_script_wp_version', 9999);

This code takes the existing version number and creates a unique number based on it using a multiplier $x and a base number $v (please change both when you use the code). The result is a unique URL that changes once a new version gets installed but still makes it very difficult to find out the version number of the installed WordPress version.
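An alternative to the arithmetic encoding above, added here as an example and not the article's own code: the token is a truncated HMAC-SHA256 of the asset handle and version string, so it still changes on every update while bearing no relation to the version's digits. The constant WS_ASSET_TOKEN_KEY and the function name are assumptions made for illustration; use it instead of, not alongside, the function above.

```php
<?php
// Added example, not the article's code. Drop the opening tag above when
// pasting into functions.php. WS_ASSET_TOKEN_KEY is a hypothetical constant:
// define it in wp-config.php with your own long random value.
if (!defined('WS_ASSET_TOKEN_KEY')) {
    define('WS_ASSET_TOKEN_KEY', 'replace-me-with-a-long-random-secret'); // placeholder
}

// Replace "ver=<version>" with "v=<token>" in an asset URL. The token is a
// keyed hash of handle + version: stable for one release, different after an
// update (so caches are still busted), and not derived from the digits.
function ws_tokenize_asset_version($src, $handle = '')
{
    if (!is_string($src) || $src === '') {
        return $src;
    }
    $result = preg_replace_callback(
        '/([?&])ver=([^&#]*)/', // only a real "ver" argument, not e.g. "server="
        function ($m) use ($handle) {
            $mac = hash_hmac('sha256', $handle . '|' . $m[2], WS_ASSET_TOKEN_KEY);
            return $m[1] . 'v=' . substr($mac, 0, 12);
        },
        $src,
        1
    );
    return $result === null ? $src : $result; // keep the URL if the regex fails
}

if (function_exists('add_filter')) {
    // Inside WordPress: both filters pass the URL and the asset handle.
    add_filter('style_loader_src', 'ws_tokenize_asset_version', 9999, 2);
    add_filter('script_loader_src', 'ws_tokenize_asset_version', 9999, 2);
} else {
    // Stand-alone run with a constructed URL, to see the rewritten form.
    echo ws_tokenize_asset_version(
        'https://example.com/wp-includes/js/wp-embed.min.js?ver=4.5.3',
        'wp-embed'
    ), PHP_EOL;
}
```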

Plugins and themes

A quick note at the end regarding plugins and themes. Some themes and plugins also display their version number in meta tags like the one shown above. It’s advisable to get rid of those as well and make sure the version number of themes and plugins isn’t visible in the code at all.
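To check that nothing is left over after the steps above, the following stand-alone script (an added example, not part of the original article) lists generator meta tags and asset URLs that still carry a "ver" argument in a page's rendered HTML. The function name and the sample markup are constructed for illustration; it needs PHP's DOM extension.

```php
<?php
// Added example, not the article's code: report version disclosures that
// remain in rendered HTML. Run from the command line against your own pages.
function ws_find_version_leaks($html)
{
    $leaks = array();
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate real-world markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // Generator meta tags from WordPress core, themes or plugins
    foreach ($doc->getElementsByTagName('meta') as $meta) {
        if (strtolower($meta->getAttribute('name')) === 'generator') {
            $leaks[] = 'generator meta: ' . $meta->getAttribute('content');
        }
    }

    // Asset URLs: <script src> and <link href> that still carry ?ver=...
    $assets = array('script' => 'src', 'link' => 'href');
    foreach ($assets as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $url = $node->getAttribute($attr);
            if (preg_match('/[?&]ver=([^&#]+)/', $url, $m)) {
                $leaks[] = $tag . ' ver=' . $m[1] . ' in ' . $url;
            }
        }
    }
    return $leaks;
}

// Constructed sample: one leftover meta tag, one leftover ?ver=, one fixed URL.
$sample = '<html><head>'
    . '<meta name="generator" content="WordPress 4.5.3" />'
    . '<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=1.2.3" />'
    . '<script src="/wp-includes/js/wp-embed.min.js?v=123461586"></script>'
    . '</head><body></body></html>';

foreach (ws_find_version_leaks($sample) as $leak) {
    echo $leak, PHP_EOL;
}
```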

 


About the Author

Wolfgang Geiger is founder, director and lead developer of Wohok Solutions. Passionate about website development from an early age, Wolfgang has built websites for more than half of his life. He has degrees in both Computing and Business Management and is fluent in German, English and Mandarin. In Hong Kong he enjoys the mix of East and West, the energy in the city and the fabulous local food.
