Does the generator tag make WordPress less secure?

The generator tag is used by WordPress to identify which version of the software you are running. It was added to allow stats to be generated about the number of sites using each version of WordPress. The question is whether the presence of this tag makes it easier in practice for hackers to gain access to your site.

The argument for it being a security risk

When WordPress releases a new version, any security fixes will be listed. Although this is good for WordPress users, it also reveals information that could be useful to hackers trying to gain access to WordPress sites using known vulnerabilities, because the generator tag shows which version a site is running. So for WordPress users who do not upgrade their site regularly, this can present a real security risk.

The argument for it not being a security risk

It is common for hackers to run automated scripts that systematically go through all the known vulnerabilities and attempt to gain access. Some of the time they don’t even bother to check whether you are running WordPress. So you could argue that, in the grand scheme of things, revealing your WordPress version via the generator tag makes little difference.

Checking if your site displays the generator tag

To check whether your site has the meta tag, view the HTML source of your website. If the tag is present, it appears in the HEAD area as a meta tag. Here is an example of what might be output based on the latest version of WordPress:

<meta name="generator" content="WordPress 3.9.2" />
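To automate the view-source check, the following added example (not part of the original post) parses a saved copy of one of your own pages and reports the WordPress version a generator tag discloses. The function names and the two sample pages are constructed for illustration.

```python
from html.parser import HTMLParser


class GeneratorTagFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() == "generator":
            self.generators.append(attr.get("content", "").strip())


def find_generator_tags(html):
    """Return the content of each generator meta tag found in the page."""
    finder = GeneratorTagFinder()
    finder.feed(html)
    finder.close()
    return finder.generators


def wordpress_version(html):
    """Return the WordPress version the page discloses, or None if hidden."""
    for content in find_generator_tags(html):
        product, _, version = content.partition(" ")
        if product.lower() == "wordpress":
            return version or "unknown"
    return None


# Constructed sample pages: one with the tag, one after it has been removed.
PAGE_WITH_TAG = """<html><head><title>Example site</title>
<meta name="generator" content="WordPress 3.9.2" />
</head><body><p>Hello</p></body></html>"""

PAGE_WITHOUT_TAG = """<html><head><title>Example site</title>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for label, page in (("with tag", PAGE_WITH_TAG), ("without tag", PAGE_WITHOUT_TAG)):
        print(label, "->", wordpress_version(page) or "no WordPress version disclosed")
```
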

Removing the generator tag

As WordPress outputs this tag automatically, to remove the generator tag you can either install this plugin or, if you prefer, add the following line to your functions.php file …

remove_action('wp_head', 'wp_generator');
