If you view the page source of your WordPress website, you may have noticed something like:
<meta name="generator" content="WordPress 3.2.1" />
This basically says the blog is using WordPress 3.2.1. Some people say showing the version can be a security risk that hackers can take advantage of.
Depending on your WordPress theme and/or framework, you might be able to simply remove it from header.php. If it is in your header.php file, it might look something like this:
<meta content="WordPress <?php bloginfo('version'); ?>" name="generator" />
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
Some WordPress frameworks and themes allow you to hide this information by simply ticking a box and saving the changes. I know the Woo Theme Framework includes this feature.
There are also some plugins available that will specifically remove the WordPress Generator tag code. Some plugins happen to come with it as a secondary feature.
If you can remove it, either by manually removing the code from the header.php file or because your framework or theme has a built-in feature to remove it, then great. Go for it.
However, I wouldn’t go out and hunt down a bunch of plugins that you are not sure if you need just to find one that has this feature.
I do not see it as a big security issue or threat as much as other sites suggest. If you have other plugins installed, chances are you are giving away your current WordPress version anyway. Whether you know it or not, it is still very easy to determine which WordPress version a site is using by simply viewing the page source, even if you have removed the WordPress Generator Tag code.
Here are a few examples of sites that have removed the WordPress Generator Tag Code, and how easy it is to determine the WordPress version they happen to be using.
This site has the Google Cards plugin installed; the page source tells me in the header:
The same site also has CommentLuv Premium code in the header:
And the Sharebar code in the header:
Google Plus code in the header:
Facebook code in the header:
Twitter code in the header:
Anything after the ? tells you the WordPress version, for example ?ver=3.2.1.
This particular site is using WordPress 3.2.1.
Another site that has the WordPress Generator Tag Code removed:
Google Cards code in the header:
CommentLuv free version code in the header:
Again, there it is: ?ver=3.1.3. This site uses WordPress 3.1.3.
One more site:
Greet Box Plugin code in the header:
What do you know: ?ver=3.2.1. This one is also using WordPress 3.2.1.
I could go on and on, but I think you get the idea. Simply viewing the page source and scanning the code between <head> and </head> is all anyone needs to do.
Now before you go on and say: You shouldn’t post that. You are telling the bad guys what to look for.
I guarantee you that the bad guys are well aware of this. It is nothing new that they haven’t known about for a very long time. I am just pointing it out for those of you that use WordPress and think removing your WordPress Generator code is going to help hide your WordPress version.
So the bottom line is that removing the Generator code generally doesn’t help that much. If you can do so quickly and easily, then by all means do it. Just don’t spend a lot of time trying to remove it, because it really doesn’t help much.
The more WordPress plugins you have installed the more likely you are to give away the version you are using in the page header. So just keep that in mind.
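To check what your own pages still give away after the generator tag is gone, here is a small audit script, added as an example and not part of the original post. The sample <head> is constructed (site and plugin names are made up), and treating the most frequent ?ver= value as the WordPress version is a heuristic, since a plugin can also put its own version number there.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a <head> with the generator tag already removed.
# The host name and plugin paths are made up for illustration.
SAMPLE_HEAD = """<head>
<title>Example blog</title>
<link rel="stylesheet" href="http://blog.example/wp-content/plugins/plugin-a/style.css?ver=3.2.1" />
<script src="http://blog.example/wp-content/plugins/plugin-b/share.js?ver=3.2.1"></script>
<script src="http://blog.example/wp-content/plugins/plugin-c/widget.js?ver=1.4"></script>
<script src="http://blog.example/wp-includes/js/jquery/jquery.js?ver=1.6.1"></script>
</head>"""


class VersionLeakAudit(HTMLParser):
    """Records the generator meta tag and ?ver= values on <link>/<script> URLs."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.ver_values = Counter()
        self.leaking_urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        url = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        if not url:
            return
        for ver in parse_qs(urlsplit(url).query).get("ver", []):
            self.ver_values[ver] += 1
            self.leaking_urls.append(url)


def audit(html):
    """Return what the markup discloses; likely_version is a heuristic guess."""
    parser = VersionLeakAudit()
    parser.feed(html)
    likely = parser.ver_values.most_common(1)[0][0] if parser.ver_values else None
    return {"generator": parser.generator, "likely_version": likely,
            "ver_values": dict(parser.ver_values), "urls": parser.leaking_urls}


if __name__ == "__main__":
    report = audit(SAMPLE_HEAD)
    print("generator tag:", report["generator"])
    print("most common ?ver= value:", report["likely_version"])
    for url in report["urls"]:
        print("  discloses a version:", url)
```

Save the page source of your own site to a file and pass its contents to audit() in place of SAMPLE_HEAD.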