Hide WordPress version

Last Revised: October 2, 2021

The first starting point when attacking a WordPress is to know which version you are using. The WordPress version is quite available, as it is part of the site’s code, so you have to hide it in various ways in various places.

ReadMe

The main file where to find the WordPress version is not in the code, but in the readme file.html in the installation of the software itself. That is why one of the first things we must do to hide the version that appears in this file is to leave it inaccessible.

A first option, if you use a Linux server, is to remove the permissions to the file, executing:

chmod 000 readme.html

Although there is always the option to return an inaccessibility code from Apache HTTPD (inside the .htaccess file):

<Files readme.html>
  Deny from all
</Files>

And in the same way we could block it from nginx:

In nginx (within the site configuration file). In this case we are going to be more aggressive and block all the ones on the site, whether HTML or TXT.

location ~* readme.(html|txt) {
  deny all;
}

Meta-Information

In the templates we will usually find the meta-generator that includes the version you have installed. This code is located in the header of your site:

<meta name="generator" content="WordPress 1.2.3">

To remove this code (and that of other plugins that also use it) we can apply this code in the [functions.php] file of our template. Another option is through the system explained in the section of Inconvenient headers.

remove_action('wp_head', 'wp_generator');

But not only in the template this code appears, but also in other xomo XML elements, feeds, RSS, etc. For this we will also apply another filter.

add_filter('the_generator', '__return_false');

CSS and Javascript version

In the same way that we find the WordPress version in the meta-tags, we also usually find it in the CSS and JavaScript tags of the site, usually in the parameter [&ver=1.2.3]. This version that appears is the one of The WordPress, so although we eliminate the version of the meta-information, we have to hide the versions of these elements.

function wpdanger_remove_ver($src, $handle) {
  $handles = ['style','script'];
  if(strpos($src, 'ver=') && !in_array($handle, $handles, true))
    $src = remove_query_arg('ver', $src);
  return $src;
}
add_filter('style_loader_src', 'wpdanger_remove_ver', 9999, 2);
add_filter('script_loader_src', 'wpdanger_remove_ver', 9999, 2);

Step-by-step instructions

  1. Create the plugin or download it already created (unzip the ZIP file).
  2. Ftp access the [/wp-content/mu-plugins/] folder. If you don’t have this folder, create it.
  3. FTP upload the file [wpdanger-ver.php] to the folder [/wp-content/mu-plugins/].
  4. When you enter the administration panel of your WordPress, in the Plugins area you will have a new section of Essential plugins where it will appear. Remember that being Essential you will not be able to activate or deactivate it.

An alternative method to this is to use some WordPress features of your own:

function wpdanger_remove_ver( $src ) {
  if( strpos( $src, '?ver=' ) )
  $src = remove_query_arg( 'ver', $src );
  return $src;
}
add_filter( 'style_loader_src', 'wpdanger_remove_ver', 10, 2 );
add_filter( 'script_loader_src', 'wpdanger_remove_ver', 10, 2 );

Seguir con Seguridad para WordPress


About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.