Hide WordPress Version in the Header Tag

Hide WordPress Version in the Header Tag

Although you have deleted the WordPress version meta data from your theme, you may still get WordPress version line in the page returned by the blog software. The culprit is, since version 2.5 WordPress has added the feature to generate this code.

Add the following line to the functions.php file in your theme directory: (Create a blank PHP file with this name if your theme doesn’t already have one)

1 <?php remove_action(‘wp_head’, ‘wp_generator’); ?>

It is important to note that even with all of those above implemented, there is no guarantee that your blog will be safe. Just that you decrease the chance tremendously and discourage those crackers from targeting your blog


Protect WordPress Administration Files

WordPress administration files reside in wp-admin directory of your WordPress installation, except wp-config.php. The latter contains basic WordPress configuration that can not be modified through the Dashboard.

You may use .htaccess to restrict access and allow only specific IP address to this directory and file. If you have static IP address and you always blog from your computer, this can be an option.

Note that you may also allow access from a range of IPs. Refer to Apache’s documentation on mod_access for complete instruction on how to set this up.


You need to put a .htaccess file in wp-admin.


1 2 3 Order Deny,Allow Allow from ww.xx.yy.zz Deny from all

Protecting wp-admin directory with user and password combination also adds another level of security. Apache has complete information on authentication, authorization and access control.


1 2 3 4 AuthType Basic AuthName “WordPress Dashboard” AuthUserFile /home/user/.htpasswds/blog/wp-admin/.htpasswd Require user adminuser

and then generate the encrypted password using the htpasswd command.

1 $ htpasswd -cm .htpasswd adminuser

cPanel has a feature called Web Protect which allows you to accomplish the same thing.

If you implement all of those above, you should be accessing the wp-admin directory from the allowed IP address, authenticate with adminuser and then login normally to your WordPress Dashboard with your WordPress admin account (myadm).

No Directories Should be Available for Browsing

By default in most hosting, index of directories are shown in web browsers. This has a purpose but it also means that you reveal the content of any directory that has no index.html or index.php.

Modifying this behavior is easy with Apache, just add the following line of code to the .htaccess file in the root directory (In the same place as the wp-config.php file).

Use Secure Login via Encrypted Channel

WordPress users who have SSL enabled for their domain (Talk to your host about this first. You won’t have this by default!) should use that encrypted channel to access WordPress Dashboard. You can force admin sessions over HTTPS by setting FORCE_SSL_ADMIN variable in wp-config.php to true.

Copy and paste the following into your wp-config.php file.

1 define(‘FORCE_SSL_ADMIN’, true);


Restrict File Access to wp-content Directory

The wp-content directory contains your theme files, uploaded images and plugins. WordPress doesn’t access the PHP files in the plugins and themes directories via HTTP. The only requests from web browsers are for image files, javascripts, and CSS.

For that reason you may restrict wp-content so that it only allows those file extensions but not PHP or any other file extensions. This prevents people from accessing any files directly.

Include the following lines in .htaccess within wp-content:

Order Allow,Deny

Deny from all

<files  ?\.(jpg|gif|png|js|css)$ ? ~>

Allow from all


For More Detail Hide WordPress Version in the Header Tag


No related content found.


There are no revisions for this post.

Tags: , , ,

No comments yet.

Leave a Reply