Security fix guide
MEDIUM

WordPress Version in Page Source

Your WordPress version is visible in every page's HTML. Learn how to remove it with one line of code.

What is this?

WordPress adds a small tag to every page it generates: `<meta name="generator" content="WordPress 6.4.2">`. Anyone who views your page source — which takes two seconds with Ctrl+U — can see your exact WordPress version. It's not hidden, encrypted, or protected in any way.

Why does it matter?

WordPress releases security updates regularly to patch discovered vulnerabilities. If you're running an older version, attackers can look up the exact CVEs that affect it and know which exploits to try — without even having to guess. The generator tag is a shortcut that hands them that information for free. Removing it takes one line of code and has no effect on how your site looks or works.

How to fix it

These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.

1. Log in to WordPress admin (your-site.com/wp-admin).

2. Go to Appearance → Theme File Editor. If you don't see it, go to Plugins → Add New and install "Code Snippets" (free) — it's safer than editing theme files directly.

3. Open functions.php (or create a new snippet in Code Snippets) and add:

   remove_action('wp_head', 'wp_generator');

   Note: If you edit functions.php directly in your theme, the change will be lost when the theme updates. Using a child theme or the Code Snippets plugin makes it permanent.

4. Save.

For developers / SSH access

1. Navigate to your theme directory (replace 'your-theme' with your theme's folder name):

   cd /var/www/html/wp-content/themes/your-theme/

2. Edit functions.php:

   nano functions.php

3. Add at the bottom:

   remove_action('wp_head', 'wp_generator');

4. Save (Ctrl+X, Y, Enter in nano).

How to verify the fix

View your homepage source (right-click anywhere → View Page Source, or Ctrl+U). Search for "generator" — it should return no results. Then re-run your scan.
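The same check from a terminal, as an added example that is not part of the original guide. The function names and the sample HTML are constructed for illustration, and the script looks only for the generator meta tag described above.

```shell
#!/bin/sh
# Added example: report any <meta name="generator"> tag in HTML read on stdin.
# Live use (your-site.com is the guide's placeholder host):
#   curl -s https://your-site.com/ | check_generator

q="[\"']"   # matches either quote style around an attribute value

# Print every generator meta tag, one per line (without its leading "<").
generator_tags() {
    # Split the page so each tag starts its own line; this handles
    # minified HTML and tags that wrap across several lines.
    tr '\n' ' ' | tr '<' '\n' |
        grep -Ei "^meta[[:space:]][^>]*name=${q}generator${q}" || true
}

# Print only the content="..." value of each generator tag.
generator_values() {
    generator_tags |
        sed -n "s/.*[Cc][Oo][Nn][Tt][Ee][Nn][Tt]=${q}\([^\"']*\)${q}.*/\1/p"
}

# Exit status 0 when no generator tag is present, 1 when one is found.
check_generator() {
    tags=$(generator_tags)
    if [ -n "$tags" ]; then
        printf '%s\n' "$tags" | sed 's/^/generator tag present: </'
        return 1
    fi
    echo 'no generator tag found'
}

# Constructed sample pages: before and after adding the remove_action line.
SAMPLE_BEFORE='<html><head>
<meta name="viewport" content="width=device-width">
<meta name="generator" content="WordPress 6.4.2">
</head></html>'

SAMPLE_AFTER='<html><head>
<meta name="viewport" content="width=device-width">
</head></html>'

printf '%s\n' "$SAMPLE_BEFORE" | check_generator || true
printf '%s\n' "$SAMPLE_AFTER" | check_generator
```

Because the check matches any generator meta tag, it also reports tags written by software other than WordPress core.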
