Security: Removing the WordPress version

Wednesday, June 3rd, 2015

I love using WordPress but something that drives me crazy is the fact that the version number of the release you’re using, or of the plugins you’ve installed, is shown in the source code.

As WordPress is open source, I consider this a security risk as it gives anyone looking to harm your site or brand a big clue as to where any vulnerabilities might be.

The Generator

The standard and now famous “5-second install” of WordPress will automatically add the following meta tag to your new website, containing the exact version of the software your site is running.

You really don’t want this to be viewable within the source code. Therefore it is important that you remove this from your theme. The easiest way to do this is to open up your functions.php file. You’ll find this within your theme folder. Then add the following lines of code.

It’s also worth noting that, at the time of writing, this meta tag will be present on all sites which use any of the default themes provided as part of the core WordPress code you download.

You should also be aware of some issues when you are updating the core code of your site, I’ve listed these at the bottom of this article.

The Query Strings

ARRRRRGH….. So if the generator meta tag wasn’t bad enough, more recent versions of WordPress add a query string to any script added to the header or footer.

I’m talking about these bad boys which you’ll find on the JavaScript files like so…

on the CSS…

imported fonts…

and if that’s not enough, it even gives away the version of the plugins you’re using.

Rather than using one of the many plugins around for this you can easily do this by adding the following code to your functions.php file.
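Putting the generator and query-string sections together, here is an added example (my own code, not the snippet from the original post) of what those functions.php additions look like; the function name `example_strip_asset_version` is my own choice, while the hooks, `remove_query_arg()` and `__return_empty_string` are standard WordPress APIs.

```php
<?php
// Added example for a theme's functions.php (not the original post's code).
// Hides the WordPress version from the generator meta tag, from feeds, and
// from the ?ver= query strings on enqueued scripts and styles.

// 1. Generator: drop the <meta name="generator"> tag printed in <head> and
//    blank the generator string WordPress also emits in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * 2. Query strings: strip the version argument from enqueued asset URLs.
 *
 * Core appends ?ver=<WordPress version> to its own assets and
 * ?ver=<plugin version> to plugin assets, which is what leaks the numbers.
 * Only the "ver" argument is removed; other query arguments stay intact.
 *
 * @param string $src Asset URL as built by WordPress when enqueuing.
 * @return string The same URL without the ver argument.
 */
function example_strip_asset_version( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so the filter runs after any plugin that rewrites the URL.
add_filter( 'style_loader_src',  'example_strip_asset_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_asset_version', 9999 );
```

Bear in mind the ver argument also acts as cache-busting, so after removing it a CSS or JS update may need a manual cache purge, and the version remains discoverable by other means, which is why keeping core and plugins updated still matters more than hiding the number.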

As before, make sure you see the note below on updating your core code if you’re using non-custom themes.


The Readme file

This file is often overlooked when thinking about the security of your site. Every install of WordPress includes a readme.html file. It contains information on installing, plus of course the version number.

The best way to deal with this is to block access to it via your .htaccess file.

You could also use a 301 redirect in the .htaccess with something like this.

If you don’t have access to the file, then you could just delete it, but you’ll need to remember to do this every time you update WordPress.

Upgrading your site

Please note that if you have automatic updates enabled for WordPress, or you are using a default theme, your changes will be overwritten, so you’ll need to re-apply these fixes manually. This shouldn’t be the case if you are using a custom theme and have kept everything within your functions.php file.

Any changes you made to your .htaccess file should be fine, so long as you have made the amendments outside of the WordPress block, which is normally found at the top of the file.

Remember, your site should always be tested after any update anyway, and these fixes should be included within the test plan.