WordPress Security – How To Hide WordPress Meta Generator Version Info

Posted on September 2, 2015  
NOTE / WARNING: This is not a true “security” measure and “protection” in any way, that you should rely upon! Security through obscurity is just hiding problems under the carpet, not solving them. It may buy you some time until you perform a full upgrade, but you should definitely not avoid regular security updates at any cost.

HOW TO HIDE WORDPRESS VERSION NUMBER

WordPress Security Pro Tips

WordPress Security Pro Tips

PART 1: REMOVE WORDPRESS META GENERATOR

WordPress Meta Generator

WordPress Meta Generator (CTRL+U or right-click on empty page section > View Source)

Here is a simple way how to hide WordPress info field meta name=”generatorcontent=”WordPress 4 from the page’s HTML source code. Place the below hooks & filter functions inside your theme’s functions.php file and upload it back to server via FTP or SFTP:

How to hide WordPress Meta Generator version number

How to hide WordPress Meta Generator version number

No plugin required! Afterwards, when you open your blog’s page source code view meta name=”generator” line will be gone. If you use a caching plugin for WordPress, you must clear all cache files in order for changes to take an effect.

PART 2: REMOVE WORDPRESS VERSION INFO FROM SCRIPTS

Wait! Not so Fast! Even if we remove WordPress declaration & version info from the meta tags section, we can still extract the actual number from different places. Take another look into the source code and look specifically for CSS and JS script files:

<link rel=’stylesheet’ id=’dashicons-css’ href=’http://mywebsite . com/wp-includes/css/dashicons.min.css?ver=4.5.3‘ type=’text/css’ media=’all’ />
<link rel=’stylesheet’ id=’admin-bar-css’ href=’http://mywebsite . com/wp-includes/css/admin-bar.min.css?ver=4.5.3‘ type=’text/css’ media=’all’ />

<script type=’text/javascript’ src=’http://mywebsite . com/wp-includes/js/admin-bar.min.js?ver=4.5.3‘></script>
<script type=’text/javascript’ src=’http://mywebsite . com/wp-includes/js/wp-embed.min.js?ver=4.5.3‘></script>
<script type=’text/javascript’ src=’http://mywebsite . com/wp-includes/js/jquery/jquery.js?ver=1.12.4‘></script>
<script type=’text/javascript’ src=’http://mywebsite . com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1‘></script>

As we can see above, only jQuery plugins pass their own version number info in the URL as parameter, while all other CSS styles and JS scripts pass default value of WordPress core itself!

This behavior is documented in wp_enqueue_style() and wp_enqueue_script() functions @ WordPress Codex. Take a look at the param structure of both functions:

wp_enqueue_script(
    string $handle,
    string $src = false,
    array $deps = array(),
    string|bool|null $ver = false,
    bool $in_footer = false
)

wp_enqueue_style(
    string $handle,
    string $src = false,
    array $deps = array(),
    string|bool|null $ver = false,
    string $media = 'all'
)

And, particularly, the version parameter:

$ver

(string|bool|null) (Optional)

String specifying stylesheet version number, if it has one, which is added to the URL as a query string for cache busting purposes. If version is set to false, a version number is automatically added equal to current installed WordPress version. If set to null, no version is added.

Default value: false

The default value is set to false; which means if the plugin, theme or any other code resource that calls/uses wp_enqueue_() functions does not specifically set or supply version parameter, WP core will add one by itself, equal to the current version of WordPress!

We need to add another 2 filters, one for CSS and one for JS files, to remove WordPress version number from the URL params:

How to hide WordPress Version Number From JS-CSS Scripts

How to hide WordPress Version Number From JS-CSS Scripts

No plugin required! Afterwards, when you open your blog’s page source code view, all ?ver=x.x.x numbers will be gone from both CSS and JS files, respectively. If you use a caching plugin for WordPress, you must clear all cache files in order for changes to take an effect.

COMPLETE CODE

<?php
// Remove WordPress Meta Generator
remove_action('wp_head', 'wp_generator');

// Hide WordPress Version Info
function hide_wordpress_version() {
	return '';
}
add_filter('the_generator', 'hide_wordpress_version');

// Remove WordPress Version Number In URL Parameters From JS/CSS
function hide_wordpress_version_in_script($src, $handle) {
    $src = remove_query_arg('ver', $src);
	return $src;
}
if (!is_admin()) {
add_filter( 'style_loader_src', 'hide_wordpress_version_in_script', 10, 2 );
add_filter( 'script_loader_src', 'hide_wordpress_version_in_script', 10, 2 );
}
?>

Note: We have updated above code to fix WordPress warning in Chrome DevTools in Admin side:

Resource interpreted as Stylesheet but transferred with MIME type text/html

FINAL NOTES

If your theme’s function.php file already has an opening <?php and closing ?> PHP tags, you do not need first and last line from above code. However, you have to carefully place this code after all previously existing theme’s code and before the final closing ?> tag. Remember, if you use a 3rd party theme from other authors, you will lose all changes after theme update procedure, so you’ll have to repeat / re-insert above code after each upgrade.

 

Web Development Web Security WordPress

Comments


Post A Comment

I have read and consent to Privacy Policy and Terms and Conditions