Hacks Hub
How To Properly Hide The WordPress Version Number
January 19, 2011 09:42 PM

While developing Skatter Tech 3.0, I came across many tutorials which offered simple snippets of code to make WordPress safer by hiding the version number. Unfortunately, most of these articles failed to go beyond hiding the version number in the public HTML. For instance, it is fairly easy to find the version number of a WordPress install by viewing the source of an RSS feed. While many developers claim that “security through obscurity” is not a great idea, you should at least obscure the information correctly if you decide to use this method.

The first line below stops WordPress from automatically adding a generator meta tag to the <head> of each page. The foreach loop removes the version number from each feed WordPress creates. Simply add the following code to your theme’s functions.php:

remove_action('wp_head', 'wp_generator');
foreach(array('rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head') as $action)

That’s not all, there is actually one more thing that most WordPress users often forget to delete: readme.html. It may seem harmless, but it contains the version number in fairly large text at the top. It is easy to remove, but the file comes back after each automatic upgrade. The best way to prevent letting others from viewing this file is to add the following code to your .htaccess file.

<Files readme.html>
	order allow,deny
	deny from all

I also want to leave everyone with this warning: this by no means guarantees that your WordPress install will remain safe. I am not a security expert and the code above is something I put together after reading various tutorials over the past few months. Obscuring the WordPress version number may turn away some bots, but it will not stop someone who knows what they are doing from tampering with your website. Even checking the wp-includes folder reveals the versions of javascript files that ship with WordPress which can also make it easy to identify the same information.

Using strong passwords, SSL encryption, and backing up on a regular basis is also key. Picking a reliable and secure hosting provider also helps a lot. If you have had prior run-ins with WordPress disasters, you may also want to consider Automattic’s VaultPress service which offers security monitoring and backups in a single package.

Links: Hardening WordPress

Related Stories
The Comments (2)