WordPress adds a generator meta tag to the head element of every page, and the tag includes the version of WordPress you are using. Many people have debated the need for this and recommend removing it, especially if you haven’t been upgrading WordPress regularly. A crawler can easily scan this info and look for sites that are running an older version of WordPress with a known exploit. You can add the following code to your theme’s functions.php file or to a plugin.
Tweak the WordPress Generator Meta Tag
The following code will remove the version number from the meta tag:
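// Strip the version (and the space in front of it) from the generator string.
function devmnd_tweak_generator( $generator ) {
    return str_replace( ' ' . get_bloginfo( 'version' ), '', $generator );
}
// Run every generator string through the function above before it is printed.
add_filter( 'the_generator', 'devmnd_tweak_generator' );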
Before: <meta name="generator" content="WordPress 3.0-RC1-15112" />
After: <meta name="generator" content="WordPress" />
You can even put your own custom version number in the generator meta tag by changing the return line of the function above to:
return str_replace( get_bloginfo( 'version' ), '4.0', $generator );
Remove the WordPress Generator Meta Tag:
if ( function_exists( 'wp_generator' ) ) {
    remove_action( 'wp_head', 'wp_generator' );
}
There are also a number of other places where the generator is used such as feeds. The following lines will remove the generator line from all of those places as well:
remove_action( 'rss2_head', 'the_generator' );
remove_action( 'commentsrss2_head', 'the_generator' );
remove_action( 'rss_head', 'the_generator' );
remove_action( 'rdf_header', 'the_generator' );
remove_action( 'atom_head', 'the_generator' );
remove_action( 'comments_atom_head', 'the_generator' );
remove_action( 'opml_head', 'the_generator' );
remove_action( 'app_head', 'the_generator' );
Take note that this only works in WordPress 3.0 as that is when the actions were added instead of it being hard coded in those places.
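To confirm which of the options above actually took effect, you can save the output of your own front page and feeds and check them for leftover generator lines. The following is an added example, not code from the original post: the meta pattern follows the Before/After lines above, while the feed patterns and the sample bodies are constructed assumptions about what the_generator prints in feeds.

```python
import re

# Markup shapes checked, one per output type. Group 1 is the version, if any.
# The meta pattern follows the Before/After lines on this page; the feed
# patterns are assumptions about what the_generator prints in feeds.
PATTERNS = {
    "meta": re.compile(
        r'<meta\s+name="generator"\s+content="WordPress(?:\s+([^"]+))?"', re.I),
    "rss2": re.compile(r'<generator>[^<]*\?v=([^<\s]+)</generator>', re.I),
    "atom": re.compile(
        r'<generator\b[^>]*\bversion="([^"]*)"[^>]*>\s*WordPress\s*</generator>', re.I),
    "comment": re.compile(r'<!--\s*generator="WordPress/([^"]+)"\s*-->', re.I),
}


def find_generators(body):
    """Return (kind, version) for every generator line in a response body.

    version is None when only the product name is present, which is the
    result of the str_replace filter shown above.
    """
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            hits.append((kind, match.group(1) or None))
    return hits


def classify(body):
    """'version' if a version is shown, 'name-only' if just the name, else 'clean'."""
    hits = find_generators(body)
    if any(version for _, version in hits):
        return "version"
    return "name-only" if hits else "clean"


# Constructed sample bodies standing in for saved pages and feeds.
SAMPLES = {
    "front page, untouched": '<head><meta name="generator" content="WordPress 3.0-RC1-15112" /></head>',
    "front page, filtered": '<head><meta name="generator" content="WordPress" /></head>',
    "front page, action removed": '<head><title>Blog</title></head>',
    "rss2 feed, untouched": '<channel><generator>http://wordpress.org/?v=3.0-RC1-15112</generator></channel>',
    "atom feed, untouched": '<feed><generator uri="http://wordpress.org/" version="3.0-RC1-15112">WordPress</generator></feed>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {classify(body)} {find_generators(body)}")
```

If feeds use the assumed shapes, the str_replace filter leaves them unchanged, because it only matches a version that follows a space; that is a reason to check feeds separately from the front page.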
If you’re not running the latest and greatest, about the only thing you’re preventing by removing generator tags is embarrassment when people look at your source. I certainly understand reasons for hiding it, but at the very least, the crawler/exploit angle is a bit dubious, as reasoned in this ticket. And if you’re looking to identify the specific version of WordPress a specific site is running, there are other ways of doing so.
I completely agree with your response and that is why I never went into the merits of it. I simply gave people a way to tweak it to their liking.
I bet this is a frequent request from clients who have heard bad press about WP sites being hacked.
You hit the nail on the head… There are a lot of blog posts out there that scare people and recommend removing the meta tag.
Sounds about right. I knew why you didn’t get into the merits; I just thought that would be a good anti-FUD link to share as well.
Agreed… I have another blog post about my thoughts on it in the works. I may get to it on my flight back from Chicago.