A lot of us know that, “removing WordPress version number” is a fairly popular security trick. The purpose is to hide the WordPress version number embedded in the final rendered HTML code, so to reduce the risk of being targeted by hackers for known vulnerability.
Whether this trick has anything to do with security is still a myth, let’s take a look at how it works.
Removing Version Number
In the header of the webpage on a WordPress website, there is a meta tag carries version information.
<meta name="generator" content="WordPress 3.5.2" />
To remove version information, you shall add following code to function.php in current active theme, or a custom plugin written by you.
// Remove WordPress version number function mycustom_remove_version() { return ''; } add_filter('the_generator', 'mycustom_remove_version'); remove_action('wp_head', 'wp_generator');
Upload and test this trick, you will not be able to find this “generator” meta again.
But it isn’t that easy. If you search again in the same HTML source code by the version number, in this example, “3.5.2”, depend on the theme, you can actually find a lot of them. It appears in form of version parameter as “ver=3.5.2”, following after javsscript (.js) and stylesheet (.css). For example:
<link rel=’stylesheet’ id=’twentytwelve-style-css’ href=’http://mydomain.com/wp-content/themes/twentytwelve/style.css?ver=3.5.2′ type=’text/css’ media=’all’ />
You don’t have to be a genius to know what does it mean. So, this must be gone if you want to hide version number.
Remove WordPress Version Parameter
When loading JavaScript or CSS to website, the recommended way is to use function wp_enqueue_script() for JavaScript or wp_enqueue_style() for stylesheet. When does so, it automatically adds version parameter. To remove, you can add following snippet to function.php or your own custom plugin.
// Remove WordPress version parameter from any enqueued scripts function mycustom_remove_wp_ver_css_js( $src ) { if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) $src = remove_query_arg( 'ver', $src ); return $src; } add_filter( 'style_loader_src', 'mycustom_remove_wp_ver_css_js', 9999 ); add_filter( 'script_loader_src', 'mycustom_remove_wp_ver_css_js', 9999 );
There will be a discussion if I say this is rather a trick than security measure. There are files laying in WordPress installation telling the version number. You should read this “WordPress Security Tip: Delete ReadMe after Installation” to check it out.