Join Jeff Starr for an in-depth discussion in this video, Remove version numbers, part of WordPress: Developing Secure Sites.
This information seems harmless, but it may enable attackers to target security holes in specific versions of WordPress. Sure, there are other ways of getting your version information, but why make it easy? In this video, we'll see how to better protect your site by preventing WordPress from advertising its version number. Let's peek behind the scenes at the HTML that is generated for our demo site's home page. Notice here in the head section, WordPress is broadcasting its version number.
Of course, if you're always running the latest, most up-to-date version of WordPress, there's no reason not to display this version number. But, if something happens and you can't upgrade right away, it's best to play it safe and just disable the version information altogether. It's really not needed for anything. To stop WordPress from displaying its version number, open your FTP/file editor and navigate to your active theme. For this demo site, we're using the 2016 theme which is included with WordPress.
Here we want to open our theme's functions.php file. If your theme does not have a functions file, you can add the one that's included with the exercise file for this tutorial. Once you've got functions.php in place, copy the WordPress code snippet that's included with the exercise files and then paste the code at the end of the functions file. So here we scroll to the end of the file and add the code. Now, let's save the file and upload it to the server.
Now, let's verify that the code is working by returning to our demo site. Let's refresh the page. Now we can check the results via the source code. The easiest way to check that the version number is not displayed is to do a quick search. Looks good. No trace of the version number anywhere in the source code. But that's not the only place that WordPress displays the version. We also want to check our site's feeds. So let's check the site's main RSS feed and look for the version number.
And, sure enough, zero results. There's no trace of the WordPress version, which is great. We've now verified that our custom function is working as expected to stop WordPress from displaying its version. In this video, a simple code snippet in the functions.php file stops WordPress from displaying sensitive information in feeds, posts, pages, and everywhere else. By disabling this functionality, we add yet another layer of security to our WordPress-powered site.
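The transcript does not show the snippet itself, so the following is an added example of what such code can look like, not the course's exercise file. It goes at the end of the theme's functions.php, inside the existing PHP block. It goes slightly beyond the video by also stripping the WordPress version from asset URLs, and the function name `example_strip_core_version` is hypothetical.

```php
// Added example (not the course's exercise file).

// 1. Remove the <meta name="generator"> tag that wp_head() prints.
remove_action( 'wp_head', 'wp_generator' );

// 2. Return an empty generator string wherever the_generator() is used,
//    which covers the RSS2, Atom, RDF and comment feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Scripts and styles enqueued without an explicit version get
//    "?ver=<WordPress version>" appended. Strip the parameter only when
//    it equals the core version, so plugin and theme assets keep their
//    own cache-busting version strings.
function example_strip_core_version( $src ) {
    if ( ! is_string( $src ) || false === strpos( $src, 'ver=' ) ) {
        return $src;
    }

    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }

    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && get_bloginfo( 'version' ) === $args['ver'] ) {
        $src = remove_query_arg( 'ver', $src );
    }

    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );
```

When repeating the verification step from the video, search the page source and the feed for the exact version string and for the word "generator".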
- Backing up and restoring your site
- Setting up strong passwords
- Understanding users and roles
- Choosing trusted plugins and themes
- Changing and recovering passwords
- Configuring authentication keys
- Securing the login page
- Fighting spam in the comments
- Blocking access and detecting hacks
- Building a firewall for WordPress
- Detecting and blocking bots
- Auditing your WordPress security