Every WordPress Site on The Web Is Infected by This Security Threat

If you own a WordPress-powered website or are considering using WordPress as your CMS, you may be concerned about potential WordPress security issues. In this post, we’ll outline a few of the most common WordPress security vulnerabilities, along with steps you can take to secure and protect your WordPress site.

In this Skytells tutorial, we take a look at the potential security risk inherent in displaying your site’s WordPress version number to anyone or anything that happens to stop by for a visit.

WordPress Version

For anyone who has been working on securing their WP-powered website, one of the most commonly seen security tips around the WordPress-o-Sphere has got to be this:

Don’t display your WordPress version number publicly. Many WordPress developers often display the WordPress version in the source code. But having this information publicly available makes it easy for attackers to exploit known vulnerabilities on a particular version.

Where is the version number located?

You’ll need to view the page source (HTML code) of your website to find the tag.

Viewing options differ between browsers, but the option is usually found in one of the drop-down or right-click menus.

For example, in Firefox, right-click on your page to bring up the context menu and select View Page Source, select it from the View drop-down menu at the top, or press Ctrl+U.

The meta tags should be in the top section of the source code, before the </head> closing tag. Search for the keyword “generator” and you should see this line:

<meta name="generator" content="WordPress 4.8.x" />

If the above line doesn’t appear in your HTML source code, then the WordPress theme you are using has probably already disabled it, which is great.

Why Is It Considered a Security Risk?

For security – it is as simple as that.

We all know that there are bad people out there who like to break into websites and mess them up, hijack them or steal users’ identities to make money.

The generator meta tag advertises your website as running on the WordPress Content Management System (CMS) and this is similar to posting a sign outside your front door saying that your home is protected with “Security 3000’s Ultra Defender Model 8.3.9”.

Surely nobody in their right mind would do that?

If a burglar happened to know exactly which alarm unit was protecting your home, they could read up on it and find weaknesses, default settings, manufacturers’ codes, etc.

The same holds true of your WordPress installation.

This sort of thinking is referred to as “security through obscurity,” and may or may not be an effective way to increase the overall security of your site.

How to Fix This Security Threat

By default, WordPress executes the wp_generator() function whenever the wp_head() hook is called.

Typically, this hook is located in your theme’s header.php file within the <head> section of the document markup.

[Screenshot: the wp_head() hook as seen in the header.php file]

Then, after WordPress processes your web page, the wp_generator() function outputs the following code (depending on page view) to your browser:

<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://domain.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://domain.com/wp-includes/wlwmanifest.xml" /> 
<link rel='index' title='Digging into WordPress' href='https://domain.com/' />
<meta name="generator" content="WordPress 2.8.1" />

Notice that last line there? There are many posts on WordPress security that point out how specifying your version number is a security risk.

Whether or not this is the case is certainly debatable, but the thinking is that you should avoid revealing this sensitive information in order to prevent attacks targeting specific versions of WordPress.

Now for the fun part. Assuming that sharing your version information is bad, how do you go about removing it? Well, that depends on how savvy you are with WordPress. Here are several methods to prevent WordPress from displaying your version-specific number, ranked in order from the absolute worst way to the absolute right way. That is, until someone shows us how to do it in less than 41 characters 😉

The absolute worst way to remove the WP version number

I have seen recent posts where the author actually recommends deleting the wp_head() hook! Here is an example:

Study what things this function outputs for you, and just hardcode them into your theme files since these values will unlikely change.

While there are indeed valid reasons for removing this important WordPress hook, removing the version number from your source code is not one of them.

A pretty good way to remove the WordPress version number

Much better than simply deleting the wp_head() hook, this method serves us well by placing the version-removal function in the theme’s functions.php file, where it belongs. By returning an empty string for the_generator, this function removes the version information by preventing output of its <meta> tag.

// Return an empty string for the_generator so the <meta> tag is never output.
function remove_version_info() {
    return '';
}
add_filter('the_generator', 'remove_version_info');

This method has the added bonus of removing the version information from not only your blog pages, but from your feeds as well.

The right way to remove the WordPress version number

Going a step beyond the previous method, this technique gets the job done quite elegantly, with a mere 41 characters of code:

remove_action('wp_head', 'wp_generator');

Just place that single line into your theme’s functions.php and enjoy a small taste of “security through obscurity”. 🙂
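After applying either fix, it is worth confirming that the version really is gone rather than trusting the edit. The following checker is an added example (not code from the original post or from WordPress): it parses HTML for the generator <meta> tag the post describes and also inspects an RSS feed, since the text notes only the filter method covers feeds. The HTML and feed samples are constructed here, with a placeholder domain.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a page as wp_generator() renders it before the fix (placeholder domain).
PAGE_BEFORE = """<html><head>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />
<meta name="generator" content="WordPress 4.8.3" />
</head><body></body></html>"""

# Constructed sample: the same page after remove_action('wp_head', 'wp_generator').
PAGE_AFTER = """<html><head>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />
</head><body></body></html>"""

# Constructed sample: an RSS feed, which carries its own <generator> element.
FEED_BEFORE = """<?xml version="1.0"?><rss><channel>
<generator>https://wordpress.org/?v=4.8.3</generator>
</channel></rss>"""

class GeneratorMetaParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # self-closing <meta ... /> also arrives here
        if tag == "meta" and a.get("name", "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])

def html_wp_version(html):
    """Return the WordPress version advertised in the HTML <head>, or None if absent."""
    parser = GeneratorMetaParser()
    parser.feed(html)
    for generator in parser.generators:
        m = re.match(r"WordPress\s+([\d.]+)", generator)
        if m:
            return m.group(1)
    return None

def feed_wp_version(feed_xml):
    """Return the version leaked by a feed's <generator> element, or None if absent."""
    m = re.search(r"<generator>[^<]*wordpress\.org/\?v=([\d.]+)</generator>", feed_xml, re.I)
    return m.group(1) if m else None

def leaks_version(html, feed_xml=""):
    """True if either the page markup or the feed still discloses the WordPress version."""
    return html_wp_version(html) is not None or feed_wp_version(feed_xml) is not None
```

Feed the functions the HTML of your own front page and the body of your /feed/ URL; a result of True means the version is still visible somewhere.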
