Removing the WordPress Version Generator Tag


You may have noticed that if you view the page source for your WordPress website, you will find something like:
<meta name="generator" content="WordPress 3.2.1" />

This tells anyone who looks that the blog is using WordPress 3.2.1. Some people say showing the version can be a security risk which hackers can take advantage of.
Depending on your WordPress theme and/or framework, you might be able to simply remove it from header.php. If it is in your header.php file, it might look something like this:
<meta content="WordPress <?php bloginfo('version'); ?>" name="generator" />
or
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

Some WordPress frameworks and themes allow you to hide this information by simply ticking a box and saving the changes.


There are also some plugins available that will specifically remove the WordPress Generator tag code. Some plugins happen to come with it as a secondary feature.

If you can remove it, either by manually removing the code from the header.php file or because your framework or theme has a built-in feature to remove it, then great. Go for it.

However, I wouldn’t go out and hunt down a bunch of plugins that you are not sure if you need just to find one that has this feature.

I do not see it as a big security issue or threat as much as other sites suggest. If you have other plugins installed, chances are you are giving away your current WordPress version anyway. Whether you know it or not, it is still very easy to determine which WordPress version a site is using by simply viewing the page source, even if you have removed the WordPress Generator Tag code.

Here are a few examples of sites that have removed the WordPress Generator Tag Code, and how easy it is to determine the WordPress version they happen to be using.

This site has the Google Cards plugin installed, and the page source tells me so in the header:

  • http://www.somesite.com/wp-content/plugins/googlecards/css/googleCards.css?ver=3.2.1
  • http://www.somesite.com/wp-content/plugins/googlecards/js/googleCards.min.js?ver=3.2.1

The same site also has CommentLuv Premium code in the header:

  • http://www.somesite.com/wp-content/plugins/commentluv-premium/style/commentluv-premium.css?ver=3.2.1

And the Sharebar code in the header:

  • http://www.somesite.com/wp-content/plugins/sharebar/js/sharebar.js?ver=3.2.1

Google Plus code in the header:

  • https://apis.google.com/js/plusone.js?ver=3.2.1

Facebook code in the header:

  • http://connect.facebook.net/en_US/all.js?ver=3.2.1#xfbml=1

Twitter code in the header:

  • http://platform.twitter.com/widgets.js?ver=3.2.1

The ver value after the ? tells you the WordPress version. For example, ?ver=3.2.1

This particular site is using WordPress 3.2.1

 

Another site that has the WordPress Generator Tag Code removed:
Google Cards code in the header:

  • http://somesite.com/wp-content/plugins/googlecards/css/googleCards.css?ver=3.1.3
  • http://somesite.com/wp-content/plugins/googlecards/js/googleCards.min.js?ver=3.1.3

CommentLuv free version code in the header:

  • http://somesite.com/wp-content/plugins/commentluv/css/commentluv.css?ver=3.1.3

Again, there it is: ?ver=3.1.3. This site uses WordPress 3.1.3

 

One more site:
Greet Box Plugin code in the header:

  • http://somesite.com/wp-content/plugins/wp-greet-box/css/style.css?ver=3.2.1
  • http://somesite.com/wp-content/plugins/wp-greet-box/js/functions.js?ver=3.2.1
  • http://somesite.com/wp-content/plugins/wp-greet-box/js/js-mode.js?ver=3.2.1

What do you know: ?ver=3.2.1. This one is also using WordPress 3.2.1
I could go on and on, but I think you get the idea. Simply viewing the page source and scanning the code between <head> and </head> is all anyone needs to do.

Now before you go on and say: You shouldn’t post that. You are telling the bad guys what to look for.

I guarantee you that the bad guys are well aware of this. It is nothing new; they have known about it for a very long time. I am just pointing it out for those of you who use WordPress and think removing your WordPress Generator code is going to help hide your WordPress version.

So the bottom line is that removing the Generator code generally doesn’t help that much. If you can do so quickly and easily, then by all means do it. Just don’t spend a lot of time trying to remove it, because it really doesn’t help much.

The more WordPress plugins you have installed the more likely you are to give away the version you are using in the page header. So just keep that in mind.
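To see what your own page still gives away after the generator tag is gone, the short audit below lists any generator meta tags and every ?ver= value on stylesheet and script URLs. It is an added example, not code from the original post; the sample markup and the blog.example host are constructed, and it relies on the fact that WordPress appends its own version as ver when a plugin or theme loads an asset without specifying one.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: generator tag already removed, assets still carry ?ver=
SAMPLE_HEAD = """
<head>
<link rel="stylesheet" href="http://blog.example/wp-content/plugins/googlecards/css/googleCards.css?ver=3.2.1" />
<link rel="stylesheet" href="http://blog.example/wp-content/plugins/sharebar/css/sharebar.css?ver=1.4" />
<script src="http://blog.example/wp-content/plugins/sharebar/js/sharebar.js?ver=3.2.1"></script>
<script src="http://platform.twitter.com/widgets.js?ver=3.2.1"></script>
</head>
"""


class VersionLeakAudit(HTMLParser):
    """Collects generator meta tags and ?ver= values from <link>/<script> URLs."""

    def __init__(self):
        super().__init__()
        self.generators = []   # content of each <meta name="generator">
        self.ver_params = []   # (asset URL, ver value) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        url = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        if url:
            for ver in parse_qs(urlparse(url).query).get("ver", []):
                self.ver_params.append((url, ver))


def audit(html):
    """Return generator tags, ver-tagged assets, and the most repeated ver value."""
    parser = VersionLeakAudit()
    parser.feed(html)
    counts = Counter(ver for _, ver in parser.ver_params)
    # A value shared by several unrelated assets is most likely the core version;
    # assets that declare their own version show different numbers.
    likely = counts.most_common(1)[0][0] if counts else None
    return {"generators": parser.generators, "assets": parser.ver_params, "likely_core": likely}


if __name__ == "__main__":
    report = audit(SAMPLE_HEAD)
    print("generator tags:", report["generators"] or "none")
    print("likely core version from ?ver=:", report["likely_core"])
```

Paste your own page's head section in place of the sample to run the same check against your site.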

 

About: Jeremy LeSarge - AKA: Ray (209 Posts)

I am the site owner and administrator of DialMe.com. I provide help and tips for Boonex Dolphin on the main part of this website where you will also find an assortment of other resources. Here, on the blog I write about a variety of topics surrounding WordPress, technology, social media/networking, SEO, and webmaster resources.




9 Comments

  1. Roger Jignesh Parekh


    I didn’t know plugins can offer such information to others. Can you also recommend a security plugin?

    • Reply

      I know there are some security plugins for WordPress. Some are more difficult than others to configure. There was one that I used to hear about; I forget the name right offhand, something like wp firewall security or something. I have been using login lock down plugin on the login page. If someone tries to login 5 times with the wrong user password combo it is supposed to ban the ip address. You can set the number of login fails and how long they are banned for. I also have some .htaccess modifications. There are a lot of customizations you can do to WordPress if you do some searching.

  2. Brenneth


    Thanks for this very useful information. We should protect our plugins. There’s also a security for online contents.

    • Reply

      No idea what the security status is of WordPress 3.5.0 / 3.5.1. I did read about how someone had a security issue with 3.5.0 though. One of the drawbacks of WordPress being so popular is that people are constantly trying to find an exploit.
