The RIGHT Way to Remove WordPress Version Number (2024)

With over 15 years as a professional WordPress developer, I've seen firsthand how broadcasting your WordPress version can put sites at risk. Removing this footprint should be on every WordPress site owner's security checklist.

In this comprehensive guide, I'll share the proper methods to eliminate your WordPress version number, additional hardening steps, limitations to be aware of, and more.

Why Remove the WordPress Version Number?

Let's start with why removing the version number matters for security.

  • By default, WordPress displays the version in headers and RSS feeds, which get indexed publicly.

  • Data shows over 25% of WordPress sites run an outdated version with known vulnerabilities.

  • Advertising your version essentially tells hackers what exploits may work on your site. It's an open invitation to target you!

  • Automated bot attacks target WordPress sites over 90 million times per day. Most scan for version numbers to attempt common attacks on outdated platforms.

  • Keeping your version number hidden reduces low-effort, opportunistic attacks from basic bots and scanners.

Of course, we recommend always staying updated with the latest WordPress version for optimal security. But if you must run an older version, then removing the version number is crucial.

Method 1: Remove in Code (Recommended)

The most reliable way to remove your WordPress version number is by using a simple code filter.

This will eliminate the number from both your headers AND RSS feeds, which is key. Many guides only cover headers.

Here is the code snippet you need:

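// Return an empty string so WordPress prints no generator markup.
function remove_wp_version() {
  return '';
}

// the_generator filters the generator output for the page head and for feeds.
add_filter( 'the_generator', 'remove_wp_version' );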

As a WordPress professional, I recommend adding this code to a site-specific plugin or functions file. This prevents the code from being overwritten by theme updates.

For easy implementation, use a trusted plugin like WPCode which has this as a pre-made snippet. Just activate, find the snippet, and toggle it "on".

Method 2: Use a Security Plugin

Top WordPress security plugins like Sucuri offer simplified version number removal in their settings.

Upon activating Sucuri, the number will be hidden automatically. You can verify under the "Hardening" tab.

The benefit of using a dedicated security plugin like Sucuri is that version removal is just one of many protection layers it provides.

Limitations to Understand

Removing the obvious version number indicators in headers and feeds is an excellent first step. However, traces of the version can still exist behind the scenes.

For example, some CSS and JS files may contain the version as a query string. The only way to remove those is by manually locating and editing the files – which can be tedious and risky.

The takeaway is that while version removal makes attacks more difficult, it does not completely eliminate your footprint. A determined hacker has ways of fingerprinting your WordPress site.
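
To check what Method 1 removed and what the limitations above leave behind on your own site, the following added example (not code from this guide or from WordPress) scans page and feed source for the generator meta tag, the feed generator element, and ?ver= query strings on CSS/JS URLs. The sample markup, the 6.0.0 version value and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample markup (not captured from a real site); version 6.0.0 is a placeholder.
SAMPLE_BEFORE = """<html><head>
<meta name="generator" content="WordPress 6.0.0" />
<link rel="stylesheet" href="/wp-includes/css/style.min.css?ver=6.0.0" />
<script src="/wp-includes/js/wp-embed.min.js?ver=6.0.0"></script>
</head><body></body></html>"""
# Same page after the the_generator filter: the meta tag is gone, the asset URLs are not.
SAMPLE_AFTER = SAMPLE_BEFORE.replace('<meta name="generator" content="WordPress 6.0.0" />\n', "")
SAMPLE_FEED = "<rss><channel><generator>https://wordpress.org/?v=6.0.0</generator></channel></rss>"

class _LeakParser(HTMLParser):
    """Collects generator meta tags and ?ver= query strings on script/link URLs."""
    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.leaks.append(("meta-generator", a.get("content") or ""))
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            parts = urlsplit(url)
            ver = parse_qs(parts.query).get("ver")
            if ver:
                self.leaks.append(("asset-ver", f"{parts.path}?ver={ver[0]}"))

def audit_html(html):
    """Return (kind, value) pairs for version indicators found in page source."""
    parser = _LeakParser()
    parser.feed(html)
    parser.close()
    return parser.leaks

def audit_feed(xml):
    """Return the contents of any <generator> element in RSS/Atom source."""
    found = re.findall(r"<generator[^>]*>(.*?)</generator>", xml, re.S | re.I)
    return [("feed-generator", text.strip()) for text in found]

if __name__ == "__main__":
    for label, leaks in (("before", audit_html(SAMPLE_BEFORE)),
                         ("after", audit_html(SAMPLE_AFTER)),
                         ("feed", audit_feed(SAMPLE_FEED))):
        print(label, leaks)
```

Feed it saved copies of your own home page and feed output after applying Method 1; any remaining "asset-ver" entries are the query-string traces described above.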

So removing the version should be one layer in your overall security approach, along with:

  • Strong passwords
  • Limited file permissions
  • Regular plugin/WordPress updates
  • Security plugin(s)
  • Backup solution

With proper security layers in place, it becomes exponentially harder for hackers to find and exploit vulnerabilities.

Wrapping Up

I hope this guide gave you a detailed look at properly removing your WordPress version number. Hiding this info can deter lots of opportunistic attacks.

But even more importantly, view it as 1 security step among many to comprehensively protect your site.

If you have any other questions about securing your WordPress site, feel free to reach out! I'm always happy to help fellow site owners strengthen their website defenses.

Written by Jason Striegel

C/C++, Java, Python, Linux developer for 18 years, A-Tech enthusiast love to share some useful tech hacks.