For anyone who has upgraded to WordPress 2.5 and above and likes to keep the WordPress version number out of the source code of your site when the source is viewed in a browser you could be in for a surprise. It might be back even though you eliminated the line of code in your theme’s “header.php” that generated the version number in the first place.
I know I was surprised to find “2.5.1” happily displayed when I viewed the source code for my main page in Firefox last night and for the life of me I couldn’t find anything in my theme’s “header.php” I might have missed. At first I thought I had forgotten to comment the line out when I upgraded the theme to the latest version but apparently not.
I finally decided to contact the author of my theme, Scott Wallick of PlainText.org (home of the famous “Sandbox” theme) about this. I have to admit that I was more than a bit surprised when he sent me the explanation especially when I had followed the development of 2.5 so closely:
If you’re using WordPress 2.5, then you’re in for a treat. Because as of this version, WordPress hooks the function wp_head() to insert (automatically) the generator meta link.
See the following announcement:
And to top this all off, Scott worked up a tiny plugin that disabled that very function, attached it to his message and it worked like a charm. I can’t say enough about this guy. I use another of his themes called Blog.txt and through 3 updates to the theme since I first installed it he’s answered all my questions, taken care of submitted bugs and even incorporated one of my suggestions about Gravatar resizing using the theme’s “Options” page in the Admin.
So I decided to host his plugin for those of you who wish to use it. Installation is simple. Extract, upload, activate and you’re done. Your version of WordPress shown in the source of your blog should now be gone unless your “header.php” has the hard coded “generator” still coded into it.
Note: This plugin is only for use with WordPress 2.5 and higher.
Edit 08-14-2010: It’s been rather a long time since WordPress 2.5 hit the streets and even though Scott’s plugin still works fine, securing your WordPress powered site these days requires a bit more than just removing the version number from your site’s generated source code. That being said, I would highly recommend Secure WordPress which offers quite a bit of security in an easy to configure plugin. I use it myself. And although no security measures are fool proof, Secure WordPress goes a long way towards keeping your WordPress powered site secure.
Make sure you remove the original “rgl” plugin before activating Secure WordPress and if you happen to use Windows Live Writer then make sure you do not check the box that removes that particular function (The check box is marked “Windows Live Writer“.).