The RIGHT Way to Remove the WordPress Version Number (2024 Guide)

Hey there, WordPress site owner! Tomas here. As someone who's been developing with WordPress for over a decade, I've seen the devastating impact that hacks and data breaches can have on businesses.

One of the simplest yet most effective ways to harden your site's security is to hide the WordPress version number. In this guide, I'll walk you through exactly why and how to do it the RIGHT way.

Why Hiding Your WordPress Version Is a Security Must

Imagine you're a burglar scoping out two houses. One has a big sign that says "No alarm system!" and the other has no obvious vulnerabilities. Which one are you more likely to target?

Displaying your WordPress version is like putting out a welcome mat for hackers. It tells them exactly what known security holes might exist in your site's software.

In fact, a recent study found that 74% of hacked WordPress sites were running an outdated version at the time of infection. The lesson? Attackers actively seek out and exploit sites with older, vulnerable versions.

Just look at some of the dangerous flaws discovered in past WordPress releases:

| WordPress Version | Vulnerability |
| --- | --- |
| 5.8.2 and earlier | Stored XSS in post slugs |
| 5.7.1 and earlier | XXE in media library |
| 5.2.4 and earlier | SQL injection in comment content |
| 4.9.14 and earlier | Remote code execution in legacy admin editor |

By hiding your version number, you make it harder for bad actors to determine if your site is a good target. They'll have to dig deeper or try more generic attacks that are easier to detect and block.

Of course, version hiding is not a silver bullet. It's just one piece of the WordPress security puzzle. But combined with other hardening measures, it can deter attacks and keep your site safer.

All the Places WordPress Displays the Version (and How to Remove Them)

WordPress isn't shy about shouting its version number from the rooftops. Out of the box, you can find it in:

  • The <meta name="generator"> tag in your site's header HTML
  • Your RSS feed's XML markup
  • The query string on script and stylesheet URLs (e.g. https://example.com/wp-includes/css/dashicons.css?ver=5.7.2)
  • The readme.html file in your site's root directory
  • Server response headers like X-Powered-By or Link
  • Source code comments in core WordPress files
  • The EXIF metadata of media uploads

That's a lot of exposure! Thankfully, we can eliminate the most obvious instances with a few lines of code.

There are a few different ways to remove the WordPress version, each with pros and cons:

Method 1: Edit Theme Files (Not Recommended)

The quickest and dirtiest way is to crack open your theme's header.php file and delete the <meta name="generator"> tag. You could also remove wp_generator() from the wp_head action hook.

Pros:

  • Takes 30 seconds max
  • Doesn't require installing a plugin

Cons:

  • Hides version from header only, not RSS feed
  • Changes are overwritten when the theme is updated
  • Not easy to replicate on many sites

While this can work in a pinch, I don't advise it for most users. You'll have to remember to make the edit again every time you switch themes or install an update. And it doesn't address the RSS issue.

Method 2: Remove wp_generator Action (Better, But Incomplete)

A step up is unhooking the wp_generator action that WordPress uses to insert the generator meta tag. You can stick this line in your theme's functions.php file or a custom plugin:

remove_action('wp_head', 'wp_generator');

Pros:

  • Single line of code does the trick
  • Works for any theme without editing core files

Cons:

  • Only removes version from HTML header, not RSS feed
  • Need to use a child theme or plugin to avoid overwriting

This is better than editing your header file directly. But it's still not a complete solution since the version remains exposed in your RSS feed.

Method 3: Filter the_generator Output (Recommended)

For more comprehensive coverage, you can use the the_generator filter to modify the generator meta tag value. This lets you hide the version from both the site header and RSS feed no matter what theme you're using.

Here's the code to add to your child theme's functions.php file, a custom plugin, or a code snippets plugin:

// Return an empty string so the generator output carries no version.
function wpb_remove_version() {
  return '';
}
add_filter('the_generator', 'wpb_remove_version');

Pros:

  • Hides version from HTML header and RSS feed
  • Modifies generator tag without removing it completely (which some plugins look for)
  • Works for any theme
  • Can be bundled into a site-specific plugin for easy deployment

Cons:

  • Requires creating a custom function
  • Not a 100% foolproof method (version may still be exposed in other places)

This is my preferred approach for most WordPress sites. It's relatively simple to implement, covers the two most important areas, and is portable between themes.

You can streamline the process even more by using a dedicated code snippets plugin like WPCode. It comes with a handy library of common snippets, including one for hiding the WordPress version. Activating it is as easy as point and click!

Method 4: Use a Security Plugin (Convenient, But Not Flawless)

Many popular WordPress security plugins include an option to hide the version number automatically. For example:

  • Sucuri Security has a setting under "Hardening" to remove the generator meta tag.
  • All In One WP Security & Firewall can disable the version display under "WP Version Info" settings.
  • iThemes Security Pro has a "Hide Backend" module that removes version info and other clues.

Pros:

  • Set it and forget it
  • Usually removes version from header and RSS feed
  • Includes other valuable hardening features

Cons:

  • Version data may still be exposed elsewhere
  • Introduces bloat/overhead if you only need version masking
  • May not be allowed on some managed WordPress hosts

If you're already using a security plugin, by all means take advantage of its version hiding feature. It's better than nothing. But I still prefer pairing it with the the_generator filter method for good measure.

Putting WordPress Version Hiding Into Practice (Step-by-Step)

Now that we've weighed the different options, let's walk through implementing the the_generator filter on your WordPress site.

  1. First, make sure you have a child theme set up or a suitable plugin installed. If you modify your main theme files directly, your changes will be overwritten on the next update.

  2. Open up your child theme's functions.php file or create a new file for your custom plugin.

  3. Paste in the following code:

// Return an empty string so the generator output carries no version.
function wpb_remove_version() {
  return '';
}
add_filter('the_generator', 'wpb_remove_version');

  4. Save the file and upload it to your WordPress site if necessary. If you're using a code snippets plugin, paste the code into a new snippet and activate it.

  5. To verify that it's working, view the HTML source of your site's homepage. Look for the <meta name="generator"> tag. It should either be empty or not present at all.

  6. Next, check your site's RSS feed (usually /feed/ on your domain). Again, you shouldn't see a <generator> tag with the WordPress version.
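
The two verification checks above can be run over saved copies of your own homepage source and feed. This is an added example, not code from the original guide: it looks for a versioned generator tag in the HTML and the RSS feed, and also flags ?ver= query strings on /wp-includes/ assets, which the the_generator filter leaves in place. The function names and sample markup are constructed for illustration; the 5.7.2 version and dashicons URL reuse the example from earlier in this guide.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")

class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            content = a.get("content") or ""
            if VERSION_RE.search(content):
                self.findings.append(("meta generator", content))
        elif tag in ("link", "script"):
            url = a.get("href") or a.get("src") or ""
            ver = parse_qs(urlsplit(url).query).get("ver", [""])[0]
            # Core paths only; bundled libraries carry their own versions, so review each hit.
            if "/wp-includes/" in url and VERSION_RE.fullmatch(ver):
                self.findings.append(("asset ?ver=", url))

def audit_html(html):
    """Return (kind, value) pairs for version disclosures in one HTML page."""
    scan = PageScan()
    scan.feed(html)
    return scan.findings

def audit_feed(xml_text):
    """Check an RSS 2.0 feed (your own site's) for a versioned <generator>."""
    found = []
    for gen in ET.fromstring(xml_text).iter("generator"):
        text = (gen.text or "").strip()
        if VERSION_RE.search(text):
            found.append(("feed generator", text))
    return found

# Constructed samples: the same page and feed before and after adding the filter.
ASSET = '<link rel="stylesheet" href="https://example.com/wp-includes/css/dashicons.css?ver=5.7.2" />'
HTML_BEFORE = '<head><meta name="generator" content="WordPress 5.7.2" />' + ASSET + "</head>"
HTML_AFTER = "<head>" + ASSET + "</head>"
FEED_BEFORE = "<rss version='2.0'><channel><generator>https://wordpress.org/?v=5.7.2</generator></channel></rss>"
FEED_AFTER = "<rss version='2.0'><channel><title>Example</title></channel></rss>"

if __name__ == "__main__":
    print(audit_html(HTML_BEFORE), audit_html(HTML_AFTER))
    print(audit_feed(FEED_BEFORE), audit_feed(FEED_AFTER))
```

On the "after" samples the generator findings disappear but the asset finding remains, which is the "version may still be exposed in other places" caveat from Method 3 in concrete form.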

That's it! Your WordPress version is now hidden from prying eyes. But don't stop there…

Locking Down WordPress (After Hiding the Version)

With the version number obscured, it's time to button up other common vulnerabilities. No single hardening tweak makes your site invincible, but combining multiple methods significantly reduces your risk.

Here are some of the most important steps I recommend:

  • Keep WordPress core and all themes/plugins updated to patch known security holes. Set up auto-updates if your host allows it.
  • Use strong passwords and two-factor authentication (2FA) for all admin users. Consider a password manager.
  • Install a malware scanner and firewall like Sucuri Security, Wordfence, or MalCare.
  • Limit login attempts to block brute force attacks. The Limit Login Attempts Reloaded plugin works well.
  • Change your login page URL from the default /wp-admin/ and /wp-login.php to throw off bots.
  • Implement SSL/HTTPS across your entire site, not just the login page and admin area.
  • Regularly back up your WordPress files and database so you can restore if something goes wrong.

I could fill an entire article on WordPress hardening techniques (hmm, idea for a future post!). But these are the non-negotiable basics every site owner should have in place.

Wrapping Up

Whew, that was a lot of info! We covered why hiding your WordPress version is important, all the ways it's exposed by default, the different methods to remove it, and a step-by-step implementation guide. Hopefully you have a solid understanding of the process now.

Just remember that version hiding shouldn't be your only line of defense. It's a valuable hardening trick, but not a cure-all. The most secure WordPress sites employ multiple techniques to reduce the risk and impact of attacks.

So take a few minutes to add the the_generator filter to your site. Then move on to implementing other security best practices like strong passwords, auto-updates, 2FA, security monitoring, and regular backups.

The time and effort to harden your site is nothing compared to the headache of dealing with a hack. Trust me, I've been there! Learn from my mistakes and make your site a tougher target than the next guy's.

Have questions about WordPress version hiding or security? Drop me a comment below. I'm happy to share what I've picked up over the years so you can protect your online home.

Stay safe out there!

Tomas

WordPress security aficionado
