New Feature: Playlist Center! Pick a topic and let our playlists guide the way.

Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member

Removing version numbers

From: WordPress 3: Developing Secure Sites

Video: Removing version numbers

A big part of good security is keeping sensitive information away from the bad guys. WordPress has one particular weakness in this department: it likes to display its version number in the source code of your web pages and feeds. The WordPress version number is displayed in the source code of your web pages, and it looks like this here. The version number is also displayed in your RSS feeds, and the version number is also displayed elsewhere and in other feeds. This information seems harmless but may enable attackers to target security holes in specific versions of WordPress.

Removing version numbers

A big part of good security is keeping sensitive information away from the bad guys. WordPress has one particular weakness in this department: it likes to display its version number in the source code of your web pages and feeds. The WordPress version number is displayed in the source code of your web pages, and it looks like this here. The version number is also displayed in your RSS feeds, and the version number is also displayed elsewhere and in other feeds. This information seems harmless but may enable attackers to target security holes in specific versions of WordPress.

In this screencast, we'll see how to better protect your site by preventing WordPress from announcing its version number. Let's peek behind the scenes at the HTML markup for the homepage of this WordPress demo site. Notice here in the head section that WordPress is providing the version number of this installation right here. This information is used by hackers and automated scripts to attack specific versions of the software. We can also see it in the source code of the various feeds that WordPress generates.

Returning to the homepage, click on the RSS link, and we see right here the version number of WordPress, displayed in the source code. Of course, if you're always running the latest most up-to-date version of WordPress, there is no reason not to show this information, but people can't always upgrade the minute a new version of WordPress is available. So it's smart to play it safe and just prevent the information from being displayed on any occasion. Let's return to the FTP editor.

So to stop WordPress from displaying its version number, let's navigate to our active theme, which for the demo site is the default TwentyTen theme. Then we open our theme's functions.php file, as we have done here. We want to add the following lines of code to the bottom of this file. Included with the screencast is this code here, which you may copy and then paste after all other code in the functions.php file.

Now let's save the file and upload it to the server. Here in the source code, we can see that the version number is no longer available, not being displayed, and that's a good thing, but that's not the only place, as we have seen. So let's check the RSS feed. As we can see, our code snippet in the functions.php file has prevented WordPress from displaying its version number in the RSS feed as well. In fact, with that code in place, WordPress will not display the version number anywhere that is easily accessible by hackers and people who want to exploit your site.

In this screencast a simple code snippet in the functions.php file stops WordPress from displaying sensitive information in feeds, posts, pages, and everywhere else. By simply disabling the version generator, we add yet another layer of security to our WordPress-powered site.

Show transcript

This video is part of

Image for WordPress 3: Developing Secure Sites
WordPress 3: Developing Secure Sites

36 video lessons · 11191 viewers

Jeff Starr
Author

 

Start learning today

Get unlimited access to all courses for just $25/month.

Become a member
Sometimes @lynda teaches me how to use a program and sometimes Lynda.com changes my life forever. @JosefShutter
@lynda lynda.com is an absolute life saver when it comes to learning todays software. Definitely recommend it! #higherlearning @Michael_Caraway
@lynda The best thing online! Your database of courses is great! To the mark and very helpful. Thanks! @ru22more
Got to create something yesterday I never thought I could do. #thanks @lynda @Ngventurella
I really do love @lynda as a learning platform. Never stop learning and developing, it’s probably our greatest gift as a species! @soundslikedavid
@lynda just subscribed to lynda.com all I can say its brilliant join now trust me @ButchSamurai
@lynda is an awesome resource. The membership is priceless if you take advantage of it. @diabetic_techie
One of the best decision I made this year. Buy a 1yr subscription to @lynda @cybercaptive
guys lynda.com (@lynda) is the best. So far I’ve learned Java, principles of OO programming, and now learning about MS project @lucasmitchell
Signed back up to @lynda dot com. I’ve missed it!! Proper geeking out right now! #timetolearn #geek @JayGodbold

Are you sure you want to delete this note?

No

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.