Austin WordPress Meetup – 5/9/11 – Security FAQs
How do I hide the WordPress version in the Header Tag?
In his WordPress Security Demo Nick stressed locking down your WordPress site by hiding the version in the header tag. It is important to remember that even if you’ve deleted the WordPress version meta data from your theme, you may still get a WordPress version line in the page returned by the blog software. The culprit is that since version 2.5 WordPress itself generates this tag (the wp_generator action hooked to wp_head), independently of your theme, so it has to be switched off in code rather than edited out of the template.
Add the following line to the functions.php file in your theme directory (create a blank PHP file with this name if your theme doesn’t already have one):
<?php remove_action('wp_head', 'wp_generator'); ?>
It is important to note that even with all of the above implemented, there is no guarantee that your blog will be safe. You only decrease the chance considerably and make your blog a less attractive target for attackers.
New exploits are discovered every so often and when a fix has not been made available yet, everyone is at risk. However, by implementing all or some of the tips above, at the very least it should give you peace of mind that you are not leaving your house unlocked.
Nick recommends the Better WP Security plugin for #WPATX beginners, as it is easy to use and configure and handles many of these security settings for you. He reminded everyone that it is always a best WordPress security practice to keep your WordPress version up to date at all times, as the incremental upgrades are usually security patches. WordPress security is a moving target and you must stay current.
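Removing the head tag alone does not hide the version: WordPress also prints it into the RSS/Atom feeds and appends it as a ?ver= query string to core scripts and styles that have no version of their own. The functions.php fragment below is an added example, not code from the meetup or from the Better WP Security plugin, that covers all three places; the helper name wpatx_strip_core_ver is an assumption, the hooks and functions are standard WordPress APIs.

```php
<?php
// Added example (not from the meetup post): hide the WordPress version in
// the three places core prints it. Drop this into your theme's functions.php.

// 1. HTML <head>: stop the <meta name="generator"> tag (the post's own line).
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds (RSS/Atom): these use the the_generator filter, not wp_head,
//    so the line above does not cover them. Return an empty string instead.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Enqueued scripts/styles: when a handle has no explicit version, core
//    appends ?ver=<WordPress version> to the URL. Strip only that case so
//    plugins/themes that set their own version for cache-busting are untouched.
function wpatx_strip_core_ver( $src ) {            // hypothetical helper name
    $core_ver = 'ver=' . get_bloginfo( 'version' );
    if ( strpos( $src, $core_ver ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'wpatx_strip_core_ver', 10 );
add_filter( 'script_loader_src', 'wpatx_strip_core_ver', 10 );
```

After activating, fetch your home page, your feed (/feed/) and view the page source for ?ver= to confirm the version string no longer appears; keeping WordPress itself patched remains the real protection, since hiding the number only removes an easy fingerprint.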
Mark Kelnar says
What about removing the readme.html file from your WordPress install directory? Like http://wpaustin.com/readme.html . It’s got the version number in there too.