Why You Should Hide Your WordPress Version Number
Your WordPress version number is published in multiple places by default — and attackers use it to target you with known exploits.
Where WordPress Exposes Your Version
- HTML source — a generator meta tag in your page head
- RSS and Atom feeds — the version appears in the generator element
- readme.html — a file in your root directory listing the exact version
- Some theme and plugin assets include version query strings: ?ver=6.x
Why This Matters
Automated scanning tools (used by attackers, penetration testers, and security researchers alike) crawl the web cataloguing WordPress versions. When a new vulnerability is announced for WordPress 6.x, attackers immediately query these databases to find all sites running that version and target them before they are patched.
Hiding your version does not make your site immune to attacks, but it removes you from automated target lists. It buys time and reduces your attack surface.
What WP 1 Click LockDown Removes
- The generator meta tag — removed via the the_generator filter.
- The version from RSS/Atom feed generators — same filter covers feeds.
For additional version hiding, consider also renaming or blocking access to readme.html and license.txt in your root via .htaccess or your host's file manager.
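To confirm what is still exposed after these changes, you can check markup fetched from your own site. The sketch below is an added example, not code from WP 1 Click LockDown; the function name, the sample markup and version values, and the readme.html wording are constructed assumptions.

```python
import re

VER = r'(\d+(?:\.\d+)+)'  # dotted version number such as 6.4 or 6.4.2
# One pattern per exposure point listed in this article.
GENERATOR_META = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress\s*' + VER, re.I)
# RSS puts the version in a ?v= URL, Atom in a version="" attribute.
FEED_GENERATOR = re.compile(
    r'<generator[^>]*?(?:version=["\']|>\s*https?://wordpress\.org/\?v=)' + VER, re.I)
README_VERSION = re.compile(r'Version\s+' + VER, re.I)  # assumed readme wording
ASSET_VER = re.compile(r'(?:src|href)=["\'][^"\']*[?&;]ver=' + VER, re.I)

def find_version_leaks(page_html="", feed_xml="", readme_html=""):
    """Return {location: sorted version strings} for every place a version shows."""
    checks = [
        ("generator meta tag", GENERATOR_META, page_html),
        ("feed generator", FEED_GENERATOR, feed_xml),
        ("readme.html", README_VERSION, readme_html),
        ("asset ?ver= query string", ASSET_VER, page_html),
    ]
    leaks = {}
    for location, pattern, text in checks:
        found = sorted(set(pattern.findall(text)))
        if found:
            leaks[location] = found
    return leaks

# Constructed samples: a default site, then the same site with the generator
# output removed and readme.html blocked (empty response body).
BEFORE_HTML = '''<head>
<meta name="generator" content="WordPress 6.4.2" />
<script src="/wp-includes/js/wp-embed.min.js?ver=6.4.2"></script>
</head>'''
AFTER_HTML = '''<head>
<script src="/wp-includes/js/wp-embed.min.js?ver=6.4.2"></script>
</head>'''
BEFORE_FEED = ('<rss version="2.0"><channel>'
               '<generator>https://wordpress.org/?v=6.4.2</generator>'
               '</channel></rss>')
AFTER_FEED = '<rss version="2.0"><channel></channel></rss>'
README = '<h1>WordPress<br /> Version 6.4</h1>'

if __name__ == "__main__":
    print("before:", find_version_leaks(BEFORE_HTML, BEFORE_FEED, README))
    print("after: ", find_version_leaks(AFTER_HTML, AFTER_FEED, ""))
```

In the constructed "after" sample the only remaining finding is the asset query string, which the generator filter does not touch.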
Does This Replace Keeping WordPress Updated?
No. Hiding your version is a defence-in-depth measure — it reduces your visibility but does not fix underlying vulnerabilities. Always keep WordPress, themes, and plugins updated as your primary security practice.