
CMS Version Exposure: Why Your WordPress Version Shouldn't Be Public

Many school websites broadcast their WordPress, Drupal, or Joomla version number in the page source. Attackers use this to target known vulnerabilities. Here's where it leaks and how to hide it.

What Is CMS Version Exposure?

Content management systems like WordPress, Drupal, and Joomla publish their version number in several places by default: an HTML `<meta name="generator">` tag, the RSS feed, the `?ver=` query string on script and stylesheet URLs, and (in Drupal's case) an `X-Generator` response header. This is called CMS version exposure.

```html
<!-- WordPress exposes the version in the HTML head by default -->
<meta name="generator" content="WordPress 6.4.1" />

<!-- Also in the RSS feed -->
<generator>https://wordpress.org/?v=6.4.1</generator>

<!-- And in script/style URLs with version query strings -->
<script src="/wp-includes/js/jquery.min.js?ver=6.4.1"></script>
```

When a school's site announces "we are running WordPress 6.4.1," any attacker — human or automated scanner — can immediately check: *"What CVEs affect WordPress 6.4.1?"*

Why This Matters More Than It Seems

Most school sites are not kept up to date

Cybersecurity incidents tracked on SchoolBreach.org consistently involve outdated CMS installations. A school may install WordPress in 2020 and leave it running for years without updates. In that time, dozens of vulnerabilities accumulate.

Version exposure tells an attacker exactly how far behind you are.

Automated scanners do this at scale

Attackers don't manually check school websites one by one. They run automated tools that scan thousands of sites, identify CMS versions, and flag all sites running versions with known exploits. Your school site gets added to a list and targeted automatically.

Plugins expose their versions too

WordPress plugins add their own version numbers to script and style URLs:

```html
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.7.5" />
```

Most published WordPress vulnerabilities are in plugins rather than in core, so a plugin version string is at least as useful to an attacker as the core version, and every fix below applies to plugins as much as to WordPress itself.

Where CMS Versions Leak

| Location | What It Shows |
|----------|--------------|
| HTML `<meta name="generator">` tag | CMS name and version |
| RSS/Atom feed `<generator>` element | WordPress version (the `?v=` value) |
| `?ver=` query string on script and stylesheet URLs | Core, theme and plugin versions |
| `/wp-login.php` (where `/wp-admin/` redirects) | WordPress branding, plus `?ver=` on its own stylesheets |
| `/readme.html` | WordPress version (unless deleted; core updates restore it) |
| `/CHANGELOG.txt` | Exact Drupal 7 version and full release history |
| `X-Generator` HTTP header | Drupal major version, e.g. `Drupal 10 (https://www.drupal.org)` |
| `/wp-json/` REST API index | Confirms WordPress and lists active plugins in `namespaces`; no core version |
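The script below is an added example for this article (it is not part of the original page, nor of WordPress or Drupal). It checks a saved page, a feed and the response headers for every location in the table above, classifies each `?ver=` string as core, theme or plugin, and reports what it found. The sample responses and the `school.example` hostname are constructed for illustration; pass a URL on the command line to run it against a live site.

```python
"""Offline checker for the CMS version leaks listed in the table above.

Added example for this article (not part of the original page or of
WordPress/Drupal). The sample responses below are constructed, not captured
from any real site, and school.example is a placeholder hostname.
"""
import html
import re
import sys
import urllib.request
from urllib.parse import parse_qs, urlsplit

TAG_RE = re.compile(r"<(?:meta|link|script)\b[^>]*>", re.I)
FEED_GENERATOR_RE = re.compile(r"<generator>([^<]+)</generator>", re.I)


def _attr(tag, name):
    """Return the value of one attribute inside an HTML tag, or None."""
    m = re.search(r"\b" + name + r"=[\"']([^\"']*)[\"']", tag, re.I)
    return m.group(1) if m else None


def classify_asset(path):
    """Map an asset path to what its ?ver= value reveals."""
    m = re.search(r"/wp-content/(plugins|themes)/([^/]+)/", path)
    if m:
        return f"{m.group(1)[:-1]} {m.group(2)}"   # "plugin <slug>" / "theme <slug>"
    if "/wp-includes/" in path or "/wp-admin/" in path:
        # ?ver= on core files is the WordPress version unless the script
        # registers its own (jQuery does).
        return "core asset"
    return "asset"


def find_version_leaks(body, headers=None):
    """Return [(location, value)] for every version fingerprint in a response."""
    leaks = []
    for tag in TAG_RE.findall(body):
        if (_attr(tag, "name") or "").lower() == "generator":
            leaks.append(("meta generator", _attr(tag, "content")))
        if (_attr(tag, "rel") or "").lower() == "https://api.w.org/":
            leaks.append(("REST API discovery link", _attr(tag, "href")))
        url = _attr(tag, "src") or _attr(tag, "href")
        if url:
            parts = urlsplit(html.unescape(url))   # WordPress writes &#038; in query strings
            ver = parse_qs(parts.query).get("ver", [None])[0]
            if ver:
                leaks.append((classify_asset(parts.path), ver))
    for value in FEED_GENERATOR_RE.findall(body):
        leaks.append(("feed generator", value))
    for name, value in (headers or {}).items():
        if name.lower() == "x-generator":
            leaks.append(("X-Generator header", value))
        elif name.lower() == "link" and "api.w.org" in value:
            leaks.append(("REST API discovery (Link header)", value))
    return leaks


# Constructed sample: an unhardened WordPress front page and its headers.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.1" />
<link rel="https://api.w.org/" href="https://school.example/wp-json/" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.7.5" />
<link rel="stylesheet" href="/wp-content/themes/twentytwentythree/style.css?ver=1.3" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="/wp-includes/js/dist/hooks.min.js?ver=6.4.1"></script>
</head><body></body></html>"""
SAMPLE_HEADERS = {"Server": "nginx", "Link": '<https://school.example/wp-json/>; rel="https://api.w.org/"'}

# Constructed sample: the same page after the fixes in the next section
# (no generator tag, no ?ver= strings, no discovery link).
HARDENED_HTML = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css" />
<script src="/wp-includes/js/dist/hooks.min.js"></script>
</head><body></body></html>"""

# Constructed sample: the start of the site's RSS feed.
SAMPLE_FEED = '<?xml version="1.0"?><rss><channel><generator>https://wordpress.org/?v=6.4.1</generator></channel></rss>'


def fetch(url):
    """Fetch a live page; only used when a URL is given on the command line."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace"), dict(resp.headers.items())


if __name__ == "__main__":
    body, headers = fetch(sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE_HTML, SAMPLE_HEADERS)
    for where, value in find_version_leaks(body, headers) or [("no leaks found", "")]:
        print(f"{where}: {value}")
```

Run it once before and once after applying the fixes; on the constructed sample it reports seven leaks, and on the hardened sample none. Note that it only sees what the page itself sends: `readme.html` and `/wp-json/` still have to be requested separately.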

How to Hide the CMS Version

WordPress: Remove the meta generator tag (and the feed generator)

Add to your theme's functions.php, or better to a small site-specific plugin so the change survives a theme switch:

```php
// Drop the <meta name="generator"> tag from the HTML head.
remove_action('wp_head', 'wp_generator');

// Empty the generator string everywhere else it is printed, including the
// <generator> element in RSS and Atom feeds.
add_filter('the_generator', '__return_empty_string');
```

WordPress: Remove version from script/style URLs

One caveat before you apply this: the `?ver=` string is also the cache-buster, so once it is gone, browsers and CDNs may keep serving stale CSS and JavaScript after an update unless you version the files some other way.

```php
// Strip the ?ver= query string WordPress appends to enqueued scripts and styles.
function remove_version_from_scripts($src) {
    // strpos() returns 0 for a match at the start, so compare against false explicitly.
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'remove_version_from_scripts');
add_filter('script_loader_src', 'remove_version_from_scripts');
```

WordPress: Delete readme.html and license.txt

readme.html in the WordPress root prints the version number near the top of the page; license.txt contains no version but confirms the site is WordPress. Every core update writes both files back, so delete them after every update (or automate the deletion in your deployment process, or deny access to them in the web server configuration).

```bash
# Re-run after every core update: the updater restores both files.
rm /var/www/yourschool/public_html/readme.html
rm /var/www/yourschool/public_html/license.txt
```

WordPress: Trim REST API discovery

The `/wp-json/` index does not contain the core version, but it confirms the site is WordPress and its `namespaces` list names every active plugin that registers REST routes. WordPress also advertises the endpoint in a `<link rel="https://api.w.org/">` tag in the head and in a `Link` response header. Do not disable the REST API outright (the block editor and many plugins depend on it); instead stop advertising it and trim the index. Add to functions.php:

```php
// Stop advertising the REST API endpoint in the HTML head and the Link header.
remove_action('wp_head', 'rest_output_link_wp_head');
remove_action('template_redirect', 'rest_output_link_header', 11);

// Hide the namespace and route listing from the index (the endpoints still work).
add_filter('rest_index', function ($response) {
    $data = $response->get_data();
    unset($data['namespaces'], $data['routes']);
    $response->set_data($data);
    return $response;
});
```

WordPress: Use a security plugin

Wordfence, iThemes Security (now Solid Security), and WP Hardening expose most of these settings in a single panel, so no custom code is needed. Whichever you use, scan the site afterwards to confirm that the leaks listed above are actually gone; each plugin covers a different subset.

Drupal

Drupal prints its major version in a generator meta tag and in the `X-Generator` header. There is no settings.php option to turn this off; remove it from a small custom module instead:

```php
// settings.php has no switch for this ($conf['drupal_http_request_fails'] only
// tracks outbound HTTP requests). Use a custom module; MYMODULE is a placeholder.
function MYMODULE_html_head_alter(&$head_elements) {
  // Drupal 7: the meta tag and the X-Generator header are attached together.
  unset($head_elements['system_meta_generator']);
}
function MYMODULE_page_attachments_alter(array &$attachments) {
  // Drupal 8+: removes the meta tag only; the X-Generator header is set at
  // response time, so strip it in the web server (Apache: Header unset X-Generator).
  foreach ($attachments['#attached']['html_head'] as $key => $item) {
    if ($item[1] === 'system_meta_generator') {
      unset($attachments['#attached']['html_head'][$key]);
    }
  }
}
// Also delete CHANGELOG.txt, INSTALL.txt and README.txt from the web root after every update.
```

The Most Important Fix: Keep Your CMS Updated

Hiding the version number makes your site a less obvious target, but it does not remove a single vulnerability, and scanners such as WPScan can still fingerprint the core version from the hashes of static files under /wp-includes/. The real fix is:

  1. Keep WordPress core updated: enable automatic background updates
  2. Keep plugins updated: enable auto-updates for plugins too
  3. Remove unused plugins: deactivated plugins still pose risks if their files exist
  4. Use a managed WordPress host: many handle updates and security automatically

A school running the latest WordPress with the version visible is far safer than one running an old version with the version hidden.

Check Your Site

The Site Scanner checks your school's site for CMS and plugin version exposure.
