WordPress prints its version number in the HTML source of every page by default. Exposing the version is not a vulnerability in itself, but it lets an attacker skip fingerprinting and go straight to exploits known to work against that exact release. Hiding it is a defence-in-depth measure, not a substitute for keeping core, themes and plugins updated.
Where WordPress Exposes Its Version
- The <meta name="generator"> tag in the HTML head
- The ?ver= parameter on enqueued CSS and JS files
- RSS and Atom feed generator tags
- The readme.html file in the WordPress root
Remove All Version References
Add this to your theme's functions.php (or, so that it survives a theme switch, to a must-use plugin in wp-content/mu-plugins):
// Remove the generator meta tag from <head>
remove_action('wp_head', 'wp_generator');

// Remove the generator element from RSS/Atom feeds (and any other the_generator output)
add_filter('the_generator', '__return_empty_string');

// Strip the ?ver= query argument from enqueued styles and scripts, but only
// when it carries the WordPress core version. Theme and plugin assets keep
// their own version strings, so those are not hidden by this filter.
function remove_wp_version_from_assets($src) {
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'remove_wp_version_from_assets', 9999);
add_filter('script_loader_src', 'remove_wp_version_from_assets', 9999);
Delete readme.html
The file readme.html in your WordPress root directory contains the version number. Delete it:
rm /path/to/wordpress/readme.html
Note: WordPress core updates ship a fresh copy of readme.html, so the file reappears after each update. Remove it again after every update, add the removal to your deployment script, or use a plugin that does this automatically.
Verify with InspectWP
After implementing these changes, run a new InspectWP scan. The WordPress section should no longer detect the WordPress version in your HTML source code.
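For a quick offline check between scans, the following POSIX shell script is an added example and is not part of the original page or of InspectWP. It scans a saved copy of a page or feed (for example the output of curl -s https://example.com/ > page.html) for the disclosure points listed above and checks a local document root for readme.html. The sample HTML, the feed snippet, the file names and the version string 6.4.3 are constructed for the demonstration; substitute your own version, which wp core version prints.

```shell
#!/bin/sh
# Added example (not from the original page or InspectWP): offline self-check
# for WordPress version disclosure. All sample data below is constructed.

# Usage: scan_wp_version_leaks FILE WP_VERSION
# FILE is a saved page or feed; WP_VERSION is the core version you are hiding.
# Returns 0 when no disclosure is found, 1 otherwise.
scan_wp_version_leaks() {
    f="$1"
    ver="$2"
    found=0
    # 1. <meta name="generator" content="WordPress x.y.z"> in <head>
    if grep -Eqi '<meta[^>]*name="generator"[^>]*WordPress' "$f"; then
        echo "LEAK  generator meta tag in $f"
        found=1
    fi
    # 2. ?ver=<core version> on any enqueued asset. The functions.php filter
    #    above strips exactly this value, so other ?ver= strings (jQuery's own
    #    version, plugin versions) are deliberately not reported here.
    esc=$(printf '%s' "$ver" | sed 's/\./\\./g')
    if grep -Eq "[?&]ver=${esc}(\"|'|&|$)" "$f"; then
        echo "LEAK  asset URL carrying ?ver=$ver in $f"
        found=1
    fi
    # 3. <generator>https://wordpress.org/?v=x.y.z</generator> in RSS/Atom
    if grep -Eqi '<generator[^>]*>[^<]*wordpress\.org/\?v=' "$f"; then
        echo "LEAK  feed generator element in $f"
        found=1
    fi
    return $found
}

# Usage: check_readme_removed DOCROOT
# Returns 0 when readme.html is absent, 1 when it is still present.
check_readme_removed() {
    if [ -f "$1/readme.html" ]; then
        echo "LEAK  $1/readme.html still present"
        return 1
    fi
    return 0
}

# --- constructed samples: the same page before and after hardening ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before.html" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 6.4.3" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="/wp-content/plugins/example/app.js?ver=1.2.0"></script>
</head><body></body></html>
EOF
cat > "$SAMPLE_DIR/after.html" <<'EOF'
<html><head>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="/wp-content/plugins/example/app.js?ver=1.2.0"></script>
</head><body></body></html>
EOF
cat > "$SAMPLE_DIR/feed.xml" <<'EOF'
<rss><channel><generator>https://wordpress.org/?v=6.4.3</generator></channel></rss>
EOF
touch "$SAMPLE_DIR/readme.html"

scan_wp_version_leaks "$SAMPLE_DIR/before.html" 6.4.3   # meta tag and ?ver=6.4.3
scan_wp_version_leaks "$SAMPLE_DIR/after.html"  6.4.3   # clean; jQuery's ?ver=3.7.1 is not the core version
scan_wp_version_leaks "$SAMPLE_DIR/feed.xml"    6.4.3   # feed generator element
check_readme_removed  "$SAMPLE_DIR"                     # readme.html still present
```

The check is intentionally keyed to the core version you know you are running: the functions.php filter only strips that value, so a scanner that flagged every ?ver= would report jQuery and plugin versions the filter never touches. Run the page scan against both a normal page and the feed URL, and run the readme check on the web server itself, since a remote scan can only confirm that /readme.html returns 404.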