TL;DR
Yes, a hacker can often determine your WordPress and PHP versions if you don’t take steps to hide this information. This guide explains how they do it and what you can do to protect yourself.
How Hackers Find Your Versions
Hackers look for known vulnerabilities in specific versions of software. Knowing your WordPress and PHP versions allows them to target attacks effectively. Here’s how they find out:
- Website Headers: The most common method. Website headers contain information about the server software, including PHP version and often clues about WordPress.
- WordPress Files: Specific files like readme.html include the WordPress version number.
- Version Generators: Some themes or plugins might expose version numbers in their code.
- Online Scanners: Many online tools automatically scan websites for this information.
Protecting Your Site – Step-by-Step
- Hide WordPress Version Number from Headers
  - Edit functions.php: Add the following code to your theme’s functions.php file (be careful when editing this file – a mistake can break your site! Consider using a child theme).

        // Blank the version text shown in the admin dashboard footer.
        add_filter( 'update_footer', '__return_empty_string' );
        // Stop WordPress printing its generator tag (which carries the version) in the page head.
        remove_action( 'wp_head', 'wp_generator' );
- Remove WordPress Version from Source Code
  - Edit functions.php: Add this code to your theme’s functions.php file.

        add_filter('the_generator', '__return_empty_string');
- Protect the readme.html File
  - Use .htaccess: Add these lines to your .htaccess file (located in your WordPress root directory). This prevents direct access to the file.

        <Files readme.html>
        # On Apache 2.4 without mod_access_compat, replace the next two lines with: Require all denied
        Order allow,deny
        Deny from all
        </Files>
- Keep WordPress Core Updated
  - Regular Updates: Always update to the latest version of WordPress as soon as a new release is available. This patches security vulnerabilities. Go to Dashboard > Updates in your WordPress admin area.
- Keep Themes and Plugins Updated
  - Plugin/Theme Updates: Regularly update all themes and plugins. Outdated plugins are a common entry point for hackers. Go to Dashboard > Updates in your WordPress admin area.
- Use a Security Plugin
  - Security Features: Plugins like Wordfence, Sucuri Security, or iThemes Security offer features that help hide version numbers and protect against attacks. These plugins often have options specifically for hiding WordPress and PHP versions.
- Check Your PHP Version Regularly
  - PHP Updates: Ensure you are running a supported and up-to-date version of PHP. Check with your hosting provider on how to update this. You can often find the PHP version in your hosting control panel (cPanel, Plesk, etc.).
Verifying Your Changes
After making these changes, you should verify that your WordPress and PHP versions are no longer easily detectable.
- Online Version Checkers: Use online tools like WhatWeb or SecurityHeaders.io to check if your version information is still exposed in the headers.
- View Page Source: Inspect the source code of your website (right-click > View Page Source) and look for any references to WordPress or PHP versions.
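The checks above can be scripted against your own site. The following is an added example, not code from the original guide: a small Python checker that inspects response headers, the page and feed generator tags, and the readme.html status. The function name `audit`, the response layout, and the sample responses and version numbers are constructed for illustration.

```python
import re

PHP_RE = re.compile(r"PHP/(\d+(?:\.\d+)+)", re.I)
META_RE = re.compile(r"<meta[^>]*name=[\"']generator[\"'][^>]*content=[\"']WordPress ([\d.]+)", re.I)
FEED_RE = re.compile(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", re.I)


def audit(responses):
    """responses: {path: (status, headers, body)}. Returns sorted finding strings."""
    findings = []
    for path, (status, headers, body) in responses.items():
        # PHP commonly announces its version in the X-Powered-By or Server header.
        for name, value in headers.items():
            m = PHP_RE.search(value) if name.lower() in ("x-powered-by", "server") else None
            if m:
                findings.append(f"{path}: {name} header exposes PHP {m.group(1)}")
        if path.endswith("readme.html"):
            # The .htaccess rule should turn this request into a 403.
            if status == 200:
                findings.append(f"{path}: reachable (expected 403 after the .htaccess rule)")
            continue
        for rx, where in ((META_RE, "meta generator tag"), (FEED_RE, "feed generator tag")):
            m = rx.search(body)
            if m:
                findings.append(f"{path}: {where} exposes WordPress {m.group(1)}")
    return sorted(findings)


# Constructed sample responses (not captured from a real site).
BEFORE = {
    "/": (200, {"Server": "Apache", "X-Powered-By": "PHP/8.1.2"},
          '<head><meta name="generator" content="WordPress 6.4.2" /></head>'),
    "/feed/": (200, {"X-Powered-By": "PHP/8.1.2"},
               "<rss><generator>https://wordpress.org/?v=6.4.2</generator></rss>"),
    "/readme.html": (200, {"Server": "Apache"}, "<h1>WordPress</h1>"),
}
AFTER = {
    "/": (200, {"Server": "Apache"}, "<head><title>Blog</title></head>"),
    "/feed/": (200, {"Server": "Apache"}, "<rss><channel></channel></rss>"),
    "/readme.html": (403, {"Server": "Apache"}, "Forbidden"),
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample) or "no version leaks found")
```

To run it against a live site you own, fetch `/`, `/feed/` and `/readme.html` with any HTTP client and pass the status, headers and body of each response to `audit` in the same layout.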

