How to Completely Remove the WordPress Version Number
When hackers try to break into your blog, one of the first things they look for is the version of the software that you’re running. This allows them to get a handle on any known security vulnerabilities and soft spots. Each new version of WordPress patches security loopholes in the previous one. So if you’re running an older version of WordPress, you’re automatically at risk. Unfortunately, upgrading to the latest version of WordPress might not be feasible for everyone. For example, there could be a few critical plug-ins or themes that do not work with a later version. Developers don’t always maintain their code and if this is the case, you might be stuck with an insecure but perfectly functional WordPress installation.
Even in general, it’s a good idea to hide your WordPress version from all parts of your website. The version number currently appears in the following three locations:
- The WordPress “Head”;
- At the end of Scripts;
- In the RSS Feed.
Whenever WordPress loads a JavaScript code snippet or a CSS stylesheet that doesn’t specify its own version number, it appends the WordPress version number to the end of the string. This leads to a situation where every web page is peppered with your WordPress version as shown in the screenshot here:
Similarly, the RSS feed (presuming that you do not redirect it elsewhere) also contains the WordPress version in something known as a “generator” tag.
This generator tag also shows up in the “head” portions of WordPress installations. Mind you, not all themes have it. The Genesis theme for example omits the generator tag. But if you revert to the default Twentyxxx theme, you’ll find the WordPress version number very clearly displayed like this:
So it’s not enough to simply modify the “head” section in header.php (as some sources claim). First of all, if you do so without a child theme, your changes will simply be overwritten on the next theme update. Second, this is not going to prevent the WordPress version number from showing up in other locations. What we need is a more general solution that addresses all existing version mentions as well as those that may turn up in the future.
Fixing the “Generator” Tag
The “generator” meta tag shown earlier is created by WordPress, which also gives us a convenient filter so that we can return whatever we want instead. To remove the version number from the generator, simply add the following PHP code to your functions.php file or wherever you normally place custom code:
```php
// Return an empty string in place of the generator tag
function remove_version_generator() {
    return '';
}
add_filter( 'the_generator', 'remove_version_generator' );
```
As you can see, we hook into the filter called “the_generator” and then simply return nothing from our custom function. As expected, this eliminates all mention of the WordPress version number from our RSS feeds as you can see here:
It’ll also take out the generator tag from the “head” element of WordPress. But this isn’t enough. Scripts and stylesheets will continue to display the WordPress version number at the end.
Removing the Version Number from Scripts and CSS
For this, we need to modify the URLs by hooking into the style and script loaders. Use the following code in your functions.php to achieve this:
```php
// Pick out the version number from scripts and styles
function remove_version_from_style_js( $src ) {
    // strpos() returns false when the version is not in the URL
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'remove_version_from_style_js' );
add_filter( 'script_loader_src', 'remove_version_from_style_js' );
```
This code uses the “style_loader_src” and “script_loader_src” filters to pass each URL to a custom function. The function searches the URL query string for the current version of WordPress and, when it finds it, removes that argument via the “remove_query_arg” function and returns the modified URL.
The one drawback of this method is that it will also remove query strings from scripts and stylesheets that happen to have the same version number as WordPress, but that should be a relatively rare occurrence. You can see in the screenshot below that the version number has completely disappeared from the source code of my website once the above two pieces of code have been added:
This serves to completely eliminate all mention of the WordPress version number from our websites. Not just for and not just for the current set up, but for the future as well. Even if you don’t have an outdated version of WordPress, it’s still a great idea to hide the version number for additional protection against hackers.
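To confirm that both snippets took effect on your own site, the following added example (not part of the original article) scans a page's HTML and its RSS feed for the three locations listed above. The sample markup, the version 9.9.9 and the name find_version_leaks are constructed for illustration; a plugin script carrying its own, different version is deliberately left unflagged.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed samples; "9.9.9" stands in for the site's WordPress version.
PAGE_BEFORE = """<html><head>
<meta name="generator" content="WordPress 9.9.9" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=9.9.9" />
<script src="/wp-includes/js/wp-embed.min.js?ver=9.9.9"></script>
<script src="/wp-content/plugins/example/app.js?ver=2.1.0"></script>
</head><body></body></html>"""
FEED_BEFORE = """<rss version="2.0"><channel><title>Blog</title>
<generator>https://wordpress.org/?v=9.9.9</generator></channel></rss>"""
PAGE_AFTER = """<html><head>
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css" />
<script src="/wp-includes/js/wp-embed.min.js"></script>
<script src="/wp-content/plugins/example/app.js?ver=2.1.0"></script>
</head><body></body></html>"""
FEED_AFTER = '<rss version="2.0"><channel><title>Blog</title></channel></rss>'


class _PageScan(HTMLParser):
    """Record generator meta tags and script/style URLs carrying the version."""
    def __init__(self, wp_version):
        super().__init__()
        self.wp_version, self.hits = wp_version, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = (a.get("name") or "").lower()
        content = a.get("content") or ""
        if tag == "meta" and name == "generator" and self.wp_version in content:
            self.hits.append(("head generator", content))
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else ""
        if self.wp_version in parse_qs(urlsplit(url or "").query).get("ver", []):
            self.hits.append(("asset url", url))


def find_version_leaks(page_html, feed_xml, wp_version):
    """Return (location, value) pairs for each place the version still appears."""
    scan = _PageScan(wp_version)
    scan.feed(page_html)
    for gen in ET.fromstring(feed_xml).iter("generator"):
        if wp_version in (gen.text or ""):
            scan.hits.append(("feed generator", gen.text))
    return scan.hits


if __name__ == "__main__":
    print(find_version_leaks(PAGE_BEFORE, FEED_BEFORE, "9.9.9"))
```

An empty list for your real front page and feed means none of the three locations still exposes the version.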