How to hide your WordPress version number…completely
Did you know that your WordPress version number is visible to everyone?
As Matt Mullenweg rightly pointed out several years ago, simply hiding your WordPress version number is not enough by itself to stay protected from potential threats (you should always be keeping your WordPress installation up-to-date).
But perhaps you have a client who has specifically requested its removal or maybe you just like keeping things on the safe side, either way there are a lot of tutorials out there on how to remove it from various areas but none that I’ve found showing how to remove it from every area at the same time.
The WordPress version number appears in three areas:
1. Generator Meta Tag in the Header
<meta name="generator" content="WordPress 3.3.2" />
2. Generator Tag in RSS Feeds
<generator>http://wordpress.org/?v=3.3.2</generator>
3. Query Strings on Scripts & Styles
If a script or style does not specify a version number when enqueued, the current version of WordPress is used.
foo.js?ver=3.3.2
One Block of Code to Rule Them All
Just enter this into your functions.php file and your WordPress version will be safely hidden from the public.
However, there is one small caveat to be aware of when using this method: This function will check to see if the ver query string matches the WordPress version number, so if the version of the enqueued script happens to be the exact same as the WordPress version then its version string will be removed as well.
This will occur rarely (if ever), especially when the current WordPress version is a point release, such as 3.3.2.
ReTox, 
Weston Ruter 11:23 pm on May 10, 2012 Permalink |
Good call on scrubbing the dependency versions. Here is an alternate filter which I think would be more robust:
/* Hide WP version strings from scripts and styles * @return {string} $src * @filter script_loader_src * @filter style_loader_src */ function fjarrett_remove_wp_version_strings( $src ) { global $wp_version; parse_str(parse_url($src, PHP_URL_QUERY), $query); if ( !empty($query['ver']) && $query['ver'] === $wp_version ) { $src = remove_query_arg('ver', $src); } return $src; } add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' ); add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );Frankie Jarrett 11:29 pm on May 10, 2012 Permalink |
Very nice, Weston! I’ve never seen
PHP_URL_QUERYbefore. I’ll have to remember that one.Dean Stewart 1:59 pm on May 31, 2012 Permalink |
Hi
Just a quick note to say thanks for the script.
Been working on a WP website and some of the older alternatives simply did not work but this did straight away
Thanks
JNPerez 8:37 pm on October 9, 2012 Permalink |
Here’s another alternative…
function hide_wp_version($src) { global $wp_version; return str_replace("?ver=$wp_version", "", $src); } add_filter('script_loader_src', 'hide_wp_version'); add_filter('style_loader_src', 'hide_wp_version');ReTox 4:23 pm on January 15, 2013 Permalink |
Won’t work if you have another ‘?’ in the url (google web font, for example). ‘?’ will be encoded.