I talked a couple of weeks ago about the importance of always upgrading your WordPress install, as old WordPress installations are often vulnerable.  One thing I don’t think people realize is that a hacker can easily find vulnerable WordPress blogs because most standard WordPress themes will actually tell them what version you are using.

If you open up the header.php file of your theme, you should notice some code that looks something like this:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave this for stats -->

In order to protect your WordPress installation, I recommend people completely remove this code from their header.php file for all of their WordPress blogs.

Now, this obviously isn’t going to make your WordPress blog hack proof, but what it will do is make it so hackers can’t easily locate your blog if it is using a vulnerable WordPress installation.

Update: Thanks to a tip from Leland, it looks like WordPress 2.5+ now generates the meta link anyway via the wp_head hook, which is something you can’t remove.  With that said, if you care about your security, you can still remove the meta generator.  It looks like Ian of ThemeShaper has provided a couple methods, including a WordPress plugin to remove the meta generator information from your WordPress blog.
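As an added example (not code from the original post or from the ThemeShaper plugin it mentions), here is what the functions.php approach looks like when you also want the version out of the feeds, which the wp_head removal alone does not cover. It uses only the core `remove_action`, `add_filter` and `the_generator` hooks; the callback name is my own.

```php
<?php
/**
 * Added example: suppress the WordPress version string everywhere core prints it,
 * without touching header.php or editing core files. Drop this into your theme's
 * functions.php or a small plugin.
 */

// 1. Stop wp_head() from printing <meta name="generator" content="WordPress x.y" />.
//    Core hooks wp_generator() to wp_head, so removing that action is enough for the
//    HTML <head>. A theme that hard-codes the tag still needs that line deleted from
//    header.php, otherwise you will have it twice.
remove_action( 'wp_head', 'wp_generator' );

// 2. The same string is also written into RSS/Atom/RDF feeds and the export file by
//    the_generator(), which runs its output through the 'the_generator' filter.
//    Returning an empty string from that filter covers those outputs as well.
//    (Callback name wphacks_example_no_generator is an assumption for this example.)
function wphacks_example_no_generator( $generator, $type ) {
	return '';
}
add_filter( 'the_generator', 'wphacks_example_no_generator', 10, 2 );

// Optional sanity check you can call from a template while testing:
// has_action( 'wp_head', 'wp_generator' ) should now return false.
// This only hides the version; it patches nothing, so keep upgrading.
```

After adding it, view the page source and your /feed/ URL to confirm no `generator` tag remains.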

Kyle Eslick is WordPress enthusiast who took his passion for WordPress to the next level in 2007 by launching WPHacks.com as a place to share hacks, tutorials, etc. Connect with Kyle on Twitter or Google+!

  1. Remkus says:

    But then again.. if someone really wanted to hack your WordPress site, they could easily figure out through other investigative ways that you run a WordPress site, couldn’t they?

  2. Remkus says:

    I know, but all I am saying if a real hacker wanted to, he could .. regardless. Either way, best solution to me is to still try and update asap! :)

  3. Marc says:

    The point is that they won’t know what version you are running and so they have a harder time trying out known exploits for that version.

  4. Alex says:

    I did both: Updated WP and removed the code. Thanks for the tip, I found it useful.

  5. Kevin Boss says:

    Very useful tip thank you

  6. codestyling says:

    Short separation examples:
    WP 2.3.3 and less  -> missing HTTP header field X-Pingback
    WP 2.5.x -> request files from wp-include/text directly return status 404
    WP 2.6 -> request files from wp-include/text directly return status 200
    I think cloaking the version is useless, because those outside who want to know your version do have the time to figure out a better separation strategy, as shown above. So the version could always be detected somehow.

  7. Frank says:

    Useful tip Kyle, but it doesn’t look like you follow your own advice. A look at your page source shows that code is still in place. How come?

  8. Leland says:

    I believe ever since WordPress 2.5, it automatically added the code to the header via the wp_head() hook.  So you may even have the “generator” code twice if you don’t remove this code from your theme.  Some more tips I found are here.

  9. Kyle Eslick says:

    As I emphasized in the above post, this isn’t going to prevent your site from being hacked.  What it was intended to do was make it so people couldn’t easily figure out which version of WordPress you are using.  These are not hackers that target your blog, instead they search for blogs using X version of WordPress (that they know how to exploit) and then go hack them.   This is what happened on my original blog and I was lucky the attacker only did so to remind me to upgrade, rather than having a malicious intent.   Not everyone is so “lucky.”

    @ Frank – I have double checked my header.php file and the code is not there.   See Leland’s comment below yours.  It may be that WordPress now adds it anyway via the wp_head hook.    :(

    I know WordPress likes getting the information so they can see how many sites are using each version of WordPress.  I guess this reinforces the importance of always having an upgraded WordPress installation.

  10. Joseph Scott says:

    This suggestion is not helpful.  There are two main problems with it: one, it assumes that there aren’t other ways to determine (or at least narrow down) which version of WordPress you are using.  Two, it assumes that folks attacking blogs actually care what version of WordPress you’re running.  The second one is the biggie: there are so many automated bots and attack scripts out there that will attempt various attacks, no matter what version of WordPress you are running.

    Since there is virtually no cost for them to try the attack anyway, they don’t bother to find out what version of WordPress you are running.  Hence you’re suggesting removing something that is not usually checked for anyway.

  11. Kyle Eslick says:

    @ Joseph – I appreciate your well written response, but I disagree.  I’m not sure if people are misunderstanding, and maybe that is my fault for not explaining it properly in the post. 

    If there is a vulnerability discovered in WordPress 2.3.1 (for example) to discover someone’s password, which is later fixed in WordPress 2.3.2+, then someone who is looking for password information can search for WordPress 2.3.1, WordPress 2.3.0, etc. and grab these passwords.

    Of course these hacks are not targeting someone specifically, but having this information available on your blog could be a problem, which is why I suggested people remove it.  It isn’t needed for anything so there is no harm in removing it. 

    Joseph – Both of your “problems” with my logic are based upon someone targeting a specific blog.   That was not the intent.  This post was written regarding random attacks on blogs based upon their WordPress version, where hackers only find your site because it shows up in a search as using an old version of WordPress. 

    There is no way to 100% prevent your WordPress blog from being hacked unfortunately, especially when someone is specifically targeting you instead of running across you randomly.   However, the WordPress team does a great job of minimizing these risks and fixing them right away when they are discovered.   This is why it is important for someone to always upgrade their blogs, even if that means upgrading 70+ WordPress installations, like I do each time there is a release.  :mrgreen:

  12. Abhijeet says:

    Just adding <?php remove_action('wp_head', 'wp_generator'); ?> to your functions.php should do the trick.

  13. Kyle Eslick says:

    From what I’ve seen, attackers don’t “search for WordPress 2.3.1”, they simply attack the blog.  Doesn’t matter what the version number is.

    Actually, this is how my first blog was hacked.  Someone found my original blog in a search for WordPress 2.0.7 (if I remember correctly).   I believe the WordPress 2.1 branch was already out and I hadn’t upgraded yet. After hacking my blog, he contacted me and let me know that was how he found it and said simply upgrading WordPress would prevent others who had malicious intent from doing the same thing.   That is how I know it does happen.  Unfortunately, my personal experience proves it. :(

    After that happened, I researched the issue and found the fix I wrote about above. As others have mentioned above, there are other methods as well.

    @ Abhijeet – Thanks for the tip.  I think that is one of the methods mentioned in Ian’s post I linked to above. 

  14. Joseph Scott says:

    From what I’ve seen, attackers don’t “search for WordPress 2.3.1”, they simply attack the blog.  Doesn’t matter what the version number is.  I see old attacks launched against blogs running the current version of WordPress all the time.

    I do agree that the best thing to do is keep your install up to date.  I highly recommend checking it out from the Subversion repository, makes updates very easy.

  15. Lawrence Salberg says:

    I disagree. The problem with people hacking WP installs isn’t because of an obvious version number (which is more often than not replicated in the footer of many free themes as well).

    The problem is people never upgrading their WP installation. Quite frankly, this is the kind of useless tip that gives homage to the enemy. If we really want to make the world safe from hackers, we ought to send messages to those running old versions of WordPress harassing them into upgrading. And while that wouldn’t do any less to keep hackers at bay than removing the version meta data as suggested here, we at least would be occasionally accomplishing something, rather than giving people the false confidence that their outdated installation is now “secure” by deleting a line of code in header.php. A few extra minutes should be devoted to upgrading.

    Having said that, the real problem is that although cPanel and other self-installing scripts push the latest version of WP pretty quickly, Automattic needs to find a way to cooperate with the major U.S. hosting services to force them to force their customers to upgrade. In other words, cPanel ought to also “lock” (flat-file) a WP-install once Automattic determines it is inherently unsafe to use anymore. Thus, their blog would still be up (as flat HTML files), but the Admin panel would be inaccessible and replaced with an admonition that an upgrade to version X.X is required to use WordPress.

    It would be in hosts’ best interest to do this. Although people will scream bloody murder (because they are lazy self-absorbed idiots who think the open-source world owes them a living), they will scream a lot louder once they get hacked, particularly if they lose data, and nag at their host to fix all their problems. Better the first option than the second – plus the first option deters and deflates the egos of script-kiddies, a plus in my book. Also, the whining anti-upgrade crowd won’t be able to blog about it, at least not until they upgrade, so the noise level will be relatively diminished.

  16. jomammy says:

    Do not remove your wp_head action!
    Yes, the latest versions of WordPress do add the version to the page via the wp_head call in numerous locations, but this makes it easy to remove the version. Look in wp-includes/version.php and change the version number there and it will propagate throughout the system, because all calls to bloginfo('version') read from this string in this file.

    I change mine to:
    /**
    * The WordPress version string
    *
    * @global string $wp_version
    */
    $wp_version = '(version removed for security)';

  17. Lea says:

    Well, I’ve tried all the above methods for removing traces of my WordPress version from public viewing and none have worked.

    I used a Firefox plugin for website info which leads to http://www.wmtips.com/tools/info/ and they still have my current WordPress version listed under “generator.”

    I removed the generator/generated string from my theme header, removed WordPress from my footer, protected my version.php, tried

    adding to functions.php

    and

    @global string $wp_version
    */
    $wp_version = '(version removed for security)';

    Yet the above website still displays my current WordPress version.

  18. Dick says:

    Thanks, this woke me up to the whole issue of upgrades. I am still using WP 2.0 and I wanted to add Kontera links to my WP blogs. They gave me a WP plugin I can use to populate their ads throughout all posts but not before I upgrade.

  19. Shahab khan says:

    Though I have been blogging for the past year, I’ve just come to know about this.

  20. ronidhbd says:

    The WordPress plugins don’t update. The server end is OK. File permissions are OK. Even when I undo the security steps taken, the WP plugins still don’t update. What’s the solution? Can anyone help?
    N.B.: The host support guy says the server configuration is OK.
