By default, WordPress broadcasts its version number in several locations. This information helps attackers identify sites running vulnerable versions. Hiding it is a simple, high-value security hardening step.
Where WordPress exposes its version
- Meta generator tag: <meta name="generator" content="WordPress 6.5">
- Script and style URLs: ?ver=6.5 query parameter
- RSS/Atom feeds: Version in the feed generator tag
- REST API: Returned in the /wp-json/ response
- readme.html: https://yoursite.com/readme.html contains version info
WPStats detects version exposure from script URLs and the meta generator tag, flagging it as a security issue.
Method 1: functions.php (recommended)
Add this code to your theme's functions.php or a custom plugin:
// Remove version from head
remove_action('wp_head', 'wp_generator');

// Remove version from RSS feeds
add_filter('the_generator', '__return_empty_string');

// Remove version from scripts and styles
function remove_wp_version_strings($src) {
    global $wp_version;

    // URLs without a query string have nothing to strip
    $query_string = parse_url((string) $src, PHP_URL_QUERY);
    if (empty($query_string)) {
        return $src;
    }

    // Only strip ver when it equals the core version, so plugin and
    // theme cache-busting versions are left alone
    parse_str($query_string, $query);
    if (!empty($query['ver']) && $query['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'remove_wp_version_strings');
add_filter('style_loader_src', 'remove_wp_version_strings');
Method 2: Use a security plugin
All major security plugins (Wordfence, iThemes Security, Sucuri) include version hiding. Enable it in their settings panel — usually called "WordPress Tweaks" or "Security Hardening."
Method 3: Delete readme.html
The readme.html file in your WordPress root contains version information and has no functional purpose on a live site. Delete it via FTP or File Manager in cPanel. Note: it gets recreated on WordPress updates, so you'll need to re-delete it or automate the deletion with a plugin or cron job.
Verify the changes
After making changes:
- View your page source (Ctrl+U) and search for your WP version number — it should not appear
- Visit /wp-json/ and check if the version is in the response
- Run WPStats on your site — the "Version hidden" check should now show green
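The page-source check in the first step can be scripted. This is an added example, not part of the original article: find_version_leaks and both sample pages are constructed for illustration, and it assumes you already know which version your site runs.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class _LeakFinder(HTMLParser):
    """Collects places where a known WordPress version shows up in markup."""

    def __init__(self, version):
        super().__init__()
        self.version = version
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # <meta name="generator" content="WordPress x.y">
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            content = a.get("content") or ""
            if content.lower().startswith("wordpress"):
                self.leaks.append(("generator", content))
        # Enqueued assets: report ?ver= only when it equals the core version,
        # the same condition the functions.php filter in Method 1 strips on.
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url and self.version in parse_qs(urlsplit(url).query).get("ver", []):
            self.leaks.append(("asset", url))

def find_version_leaks(html, version):
    """Return a list of (kind, value) pairs where `version` is exposed."""
    finder = _LeakFinder(version)
    finder.feed(html)
    finder.close()
    return finder.leaks

# Constructed sample page source before hardening (example.com is a placeholder).
BEFORE = """<html><head>
<meta name="generator" content="WordPress 6.5" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.5" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body></body></html>"""

# Constructed sample page source after applying Method 1.
AFTER = """<html><head>
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, find_version_leaks(page, "6.5"))
```

To run it against your own site, save the page source to a file and pass its contents with the version shown in your dashboard.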
Important: Hiding your version number is a security-through-obscurity measure — it's not a substitute for keeping WordPress updated. Always run the latest version.