Strip all HTML comments from your WordPress page source with one toggle in WP Ghost. WordPress core, themes, and plugins inject HTML comments throughout your page source – revealing plugin names, theme names, version numbers, and even configuration details. Visitors never see them, but anyone who views your page source or uses a scanner can read them all. These comments are pure information leakage. They serve no frontend purpose. Remove them entirely.
View the source of a typical WordPress page and you’ll find comments like these:
<!-- This site is optimized with the Yoast SEO plugin v24.1 -->
<!-- WooCommerce 9.5.1 -->
<!-- Theme: flavor-starter v2.3.0 -->
<!-- / flavor starter theme -->
<!-- end #main-content -->
<!-- Performance optimized by W3 Total Cache -->Each comment is a data point. The Yoast comment reveals the SEO plugin and its version. The WooCommerce comment confirms e-commerce. The theme comment gives the exact theme name and version. The W3 Total Cache comment identifies the caching plugin. An attacker doesn’t need to run a scanner – they just read the source.
HTML comments are one of the most overlooked information leaks in WordPress. Here’s why removing them matters for your hack prevention strategy:
They name your plugins with exact versions. Many popular plugins announce themselves in HTML comments: Yoast SEO, WooCommerce, W3 Total Cache, Elementor, and dozens more. The comment typically includes the plugin name and version number – everything an attacker needs to check the vulnerability database. You’ve changed your plugin paths, hidden element IDs, and stripped version parameters. But if Yoast still writes <!-- This site is optimized with the Yoast SEO plugin v24.1 -->, all that work is undermined by a single comment.
They reveal your theme name. Themes commonly inject comments to mark sections of the layout: <!-- / flavor starter theme -->, <!-- end header -->, <!-- theme footer -->. Even without the <link> tags pointing to the theme stylesheet, these comments give away the theme name. Theme detectors parse comments specifically for this reason.
They make your source code unnecessarily verbose. HTML comments add bytes to every page without any visitor-facing benefit. Removing them produces cleaner, more compact HTML – a minor performance improvement and a more professional-looking source code.
They confirm WordPress to scanners. WordPress core itself adds structural comments. Combined with plugin and theme comments, they create a distinctive pattern that automated tools recognize as WordPress-generated HTML. Strip them all, and the source looks like hand-coded or custom-CMS output.
After saving, open your site in a private browser window and view the page source. Search for <!-- – you should find far fewer (or zero) HTML comments. The plugin attributions, theme markers, and version announcements are gone.
It removes comments from the frontend HTML output generated by WordPress, plugins, and themes. Conditional comments used by older Internet Explorer versions (like <!--[if IE]>) are typically left intact since they serve a functional purpose. The goal is to strip identifying and decorative comments, not break compatibility.
In the vast majority of cases, no. HTML comments are ignored by browsers during rendering – removing them changes nothing visually. A rare exception is if a plugin or theme uses JavaScript that parses HTML comments for configuration (extremely uncommon). If you notice an issue after enabling, disable and test to confirm the cause.
Yes. If you use a caching plugin, clear the cache so WP Ghost can process the fresh HTML output. Also make sure Change Paths in Cached Files is enabled so cached pages also have comments removed.
No. Search engines ignore HTML comments during crawling and indexing. Removing them has zero impact on rankings. Your content, structured data, and meta tags are untouched.
No. WP Ghost strips HTML comments from the output at runtime through WordPress filters. The actual theme files, plugin files, and WordPress core remain unchanged. Disabling the feature restores all comments instantly.
Remove every identifying element from your page source:
Replace the default wp_ database prefix with a random one to protect against SQL injection…
Change the WordPress uploads directory path with WP Ghost (rewrite rules, no files moved) or…
Configure WP Ghost with WP Rocket cache. Enable file optimization, Change Paths in Cache Files.…
https://youtu.be/6ylhojSi-_E In this video, we’ll explore why website security matters and what can happen if…
The security of your WordPress site depends on multiple factors, such as the strength of…
Step-by-step guides to connect WP Ghost 2FA with Google Authenticator, Authy, Microsoft Authenticator, or LastPass.…