WordPress Version Exposure Checker

Last updated:

Find out whether your WordPress version is leaking. We check the generator tag, RSS feed, readme.html, and asset query strings, then tell you exactly where the version is exposed and how to hide it.

Enter a WordPress site URL:

How the Checker Works

  1. Detect WordPress, core paths and signatures confirm the platform.
  2. Read leak sources, the generator tag, feed, and readme are checked.
  3. Extract the version, any exposed version number is captured.
  4. Recommend a fix, you get clear steps to hide the version.

Why It Matters

  • Reduce targeting, hidden versions are harder for bots to match to exploits.
  • Slow down attackers, less information means more work for intruders.
  • Better hygiene, version hiding signals an actively maintained site.
  • Layered defence, it complements updates and a firewall.

Where WordPress Leaks Its Version (and How to Hide It)

WordPress prints its exact version in several places by default. Each one lets a scanner map your site to known vulnerabilities for that release. Here is every common leak source, what to look for, and how to remove it. Hiding the version is a small hardening step, not a substitute for keeping core, plugins, and themes updated.

Leak source What to look for How to remove
Generator meta tag A <meta name="generator" content="WordPress 6.x"> line in the page <head>. Add remove_action('wp_head', 'wp_generator'); in functions.php or use a hardening plugin.
RSS / Atom feed generator A <generator>https://wordpress.org/?v=6.x</generator> element in /feed/. Filter it out with add_filter('the_generator', '__return_empty_string');.
readme.html The exact version stated near the top of /readme.html in the site root. Delete it after updates or, more reliably, return 403/404 for /readme.html at the server.
?ver= asset query strings Core CSS/JS enqueued as wp-includes/...css?ver=6.x matching the version. Strip or mask the core version in filters on style_loader_src and script_loader_src.

Keeping every leak source closed and your core patched is ongoing work. Our WordPress website maintenance services harden the version footprint and apply security updates so an exposed release never maps to an unpatched hole.

Next steps

WordPress Version Checker related tools and articles

Continue with the closest follow-up checks and guides based on this tool's topic, crawl intent, and optimization workflow.

WordPress Version Checker: FAQ

Which sources does the version checker inspect?
It checks the homepage generator meta tag and WordPress asset query strings, then requests /feed/ for its generator element and /readme.html for public version text. These are public disclosure signals, not authenticated installation records.
How is the detected version selected?
A version in the homepage generator tag is preferred. If that is absent, the tool uses a version from the feed generator and then readme.html; asset query-string findings are listed separately and do not become the primary detected version.
Can an asset's ?ver value be mistaken for the WordPress core version?
Yes. A query value on a wp-content or wp-includes asset can describe a theme, plugin, build, or cached file rather than core. Confirm it through trusted administrative or command-line access before acting on it.
Does No version exposed mean the installation is current and secure?
No. It means the checked public sources did not reveal a recognizable version. The tool does not log in, inspect files, compare against the latest release, or audit plugins, themes, PHP, configuration, and vulnerabilities.
Is exposing the WordPress version itself a vulnerability?
Usually it is information disclosure rather than the underlying flaw. Removing version clues can reduce easy targeting, but installing security updates promptly is far more important than hiding an outdated release.
What should I change when a version is exposed?
After confirming the finding, update WordPress and backups first. You can then remove the generator tag, restrict readme.html, and review asset version strings, while making sure cache busting and update workflows still work.
Why can the checker miss a WordPress site or return no result?
The three public requests use limited response sizes and nine-second timeouts. Firewalls, redirects, authentication, custom feeds, removed markers, headless setups, and regional bot handling can hide the expected signals.
Is the site URL or downloaded content stored?
The URL is sent to WebAloha's server for the homepage, feed, and readme checks. This endpoint does not save the submitted URL, response samples, findings, or detected version to a database or result cache.

Free 48-Hour Website Audit

Not sure what to fix first on your own website? We'll review it and tell you, in plain English. Free & non-obligatory.

Want a Hardened, Fast WordPress Site?

We secure, speed up, and maintain WordPress sites so they stay safe and rank well.