Strip WordPress, plugin, and theme version numbers from your site’s source code with WP Ghost. By default, WordPress adds version numbers to every CSS file, JavaScript file, and the meta generator tag in your HTML. So do your plugins and themes. That means your page source contains a detailed manifest of exactly which software versions you’re running. Attackers cross-reference these version numbers against vulnerability databases to find known exploits. Two toggles remove them all.
Where WordPress Exposes Version Numbers

WordPress reveals version information in multiple places throughout your page source. Not just the core WordPress version – plugins and themes advertise their versions too. Together, they create a detailed fingerprint of your entire software stack.
The meta generator tag. WordPress adds <meta name="generator" content="WordPress 6.7.1" /> to the <head> section of every page. This one tag tells anyone your exact WordPress version. Some plugins add their own generator tags too (e.g., WooCommerce, Yoast SEO).
Version parameters on CSS and JavaScript URLs. WordPress appends ?ver= parameters to every enqueued stylesheet and script: style.css?ver=6.7.1, jquery.min.js?ver=3.7.1, woocommerce.css?ver=9.5.1. Each one reveals the exact version of the software that loaded it. A single page can contain dozens of these version parameters – for WordPress core, every active plugin, and your theme.
Plugin and theme meta tags. Some plugins and themes inject their own meta tags or HTML comments into the page source with version numbers. These are separate from the WordPress generator tag and often overlooked when people try to hide versions manually.
Why You Need to Hide Version Numbers
Version numbers are the first thing an attacker looks for after identifying WordPress as your CMS. Here’s why removing them matters for your hack prevention strategy:
Attackers match version numbers to known exploits. The WPScan vulnerability database tracks over 64,000 WordPress vulnerabilities. Each entry specifies which versions are affected. If your source code shows ?ver=9.4.2 on a plugin stylesheet, an attacker checks the database for vulnerabilities in that version. If one exists, they have a ready-made exploit. No guessing, no scanning – just a version number and a database lookup.
Outdated versions are targeted automatically. Patchstack’s 2024 report found that 43% of WordPress vulnerabilities were exploitable without authentication. Bots scan thousands of sites per hour, reading version parameters to build a list of targets running vulnerable software. If your version number matches a known vulnerability, your site gets added to the attack queue – automatically, without any human involvement.
Version numbers confirm WordPress to scanners. Even without the /wp-admin/ path or other structural fingerprints, a ?ver=6.7.1 parameter on jQuery confirms WordPress. Version parameters follow a distinctive WordPress pattern that theme detectors recognize. Removing them eliminates another CMS identification signal.
Plugin versions reveal your entire stack. It’s not just the WordPress version that matters. If your source shows woocommerce.css?ver=9.5.1, elementor.min.js?ver=3.25.0, and yoast-seo.css?ver=24.1, an attacker now knows three of your plugins and their exact versions. That’s three separate products to look up in a vulnerability database. Hiding all version numbers removes this information completely.
How to Hide Version Numbers with WP Ghost
WP Ghost provides two features that work together: stripping version numbers from the frontend, and replacing them with a random cache-busting number to prevent browser caching issues.
Hide Version from Images, CSS, and JS
This strips the ?ver= parameter from all CSS, JavaScript, and image URLs in your frontend HTML output. It also removes the WordPress meta generator tag from the <head> section.
- Go to WP Ghost > Tweaks > Hide Options.
- Switch on Hide Version from Images, CSS, and JS.
- Click Save to apply.

After saving, style.css?ver=6.7.1 becomes simply style.css. No version parameter, no version information.
Enable Random Static Number
Removing version parameters entirely can cause a caching problem. Browsers use the ?ver= parameter to know when a file has changed. Without it, browsers may keep loading old cached versions of CSS and JavaScript files after you update a plugin or theme – resulting in broken layouts or outdated scripts.
The Random Static Number feature solves this by replacing the real version number with a random identifier (e.g., style.css?rnd=37342). The browser sees a unique parameter and fetches the latest file. But the number reveals nothing about which software version you’re running.
- Go to WP Ghost > Tweaks > Hide Options.
- Switch on Random Static Number.
- Click Save to apply.
Recommendation: Enable both features together. “Hide Version” removes the real version numbers. “Random Static Number” replaces them with a non-informative identifier that keeps browser caching working correctly. Together, they give you security without the caching side effects.
Troubleshooting
Version numbers still appear after enabling the feature
Clear all caches: your WordPress caching plugin, CDN, and server cache. Then test in a private browser window. If you use a caching plugin, make sure Change Paths in Cached Files is also enabled – cached files may still contain the old version parameters until they’re regenerated.
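To confirm what is still exposed, audit the rendered HTML for the disclosure points described earlier: generator meta tags, ?ver= parameters on asset URLs, and versioned HTML comments. The script below is an added example, not part of WP Ghost; the sample pages and the names `audit` and `VersionLeakAudit` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed samples (not from a real site): before and after hiding versions.
SAMPLE_BEFORE = """<html><head>
<meta name="generator" content="WordPress 6.7.1" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=6.7.1" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<!-- Example Plugin v9.5.1 -->
</head><body><img src="/wp-content/uploads/logo.png?ver=2" /></body></html>"""
SAMPLE_AFTER = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/example/style.css?rnd=37342" />
<script src="/wp-includes/js/jquery/jquery.min.js?rnd=37342"></script>
</head><body><img src="/wp-content/uploads/logo.png" /></body></html>"""

# Dotted version strings such as 9.5.1 or v3.25.0 inside HTML comments.
VERSION_RE = re.compile(r"\bv?\d+\.\d+(?:\.\d+)*\b")


class VersionLeakAudit(HTMLParser):
    """Collects (kind, detail) pairs for each version disclosure in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator", a.get("content", "")))
        for attr in ("href", "src"):  # stylesheets, scripts and images
            parts = urlsplit(a.get(attr, ""))
            for value in parse_qs(parts.query).get("ver", []):
                self.findings.append(("ver-param", f"{parts.path} -> {value}"))

    def handle_comment(self, data):
        if VERSION_RE.search(data):
            self.findings.append(("comment", data.strip()))


def audit(html):
    """Return every version disclosure found in the given page source."""
    parser = VersionLeakAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("before:", audit(SAMPLE_BEFORE))
    print("after: ", audit(SAMPLE_AFTER))
```

Run it against the saved source of your own pages, fetched in a private window after clearing caches; an empty result means none of these three signals remain in that page.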
CSS or layout breaks after hiding versions
This happens when browsers keep serving cached CSS files because there is no version parameter left to trigger a refresh. Enable the Random Static Number option to solve this. The random parameter forces browsers to fetch the latest file while keeping actual version numbers hidden.
If you’ve lost access or something broke, check the emergency disable guide, use the rollback settings, or add a constant in wp-config.php to disable WP Ghost temporarily.
Frequently Asked Questions
Does this remove the WordPress meta generator tag too?
Yes. The “Hide Version from Images, CSS, and JS” feature removes the <meta name="generator"> tag from your HTML head, along with version parameters on all enqueued stylesheets, scripts, and images. For a complete overview of all meta tags WP Ghost can remove, see the Hide IDs from META Tags tutorial.
Does this hide plugin and theme versions too?
Yes. WP Ghost strips the ?ver= parameter from all enqueued assets – not just WordPress core files. That includes every plugin stylesheet, every plugin script, and your theme’s CSS and JavaScript files. All version numbers are removed in one action.
Does hiding versions affect SEO?
No. Search engines don’t use version parameters or generator meta tags for ranking. Removing them has zero impact on indexing, crawling, or search visibility. Your content, sitemaps, and canonical URLs remain unchanged.
Does this work with WooCommerce?
Yes. WooCommerce’s CSS and JavaScript files have their version parameters stripped like all other assets. WP Ghost is fully compatible with WooCommerce.
Should I always enable Random Static Number?
Yes, unless you have a specific reason not to. Without it, browsers may cache old CSS and JavaScript files indefinitely since there’s no version parameter to signal that a file has changed. The random number replaces the version with a non-informative identifier, keeping cache-busting functional while hiding actual version information.
Does WP Ghost modify WordPress core files?
No. WP Ghost strips version parameters from the HTML output at runtime through WordPress filters. The actual CSS, JavaScript, and PHP files on disk are untouched. Disabling the features restores all original version parameters instantly.
Related Tutorials
Remove more WordPress fingerprints from your source code:
- Hide Source Map References – Remove debugging metadata that leaks file names.
- Change the Plugins Path – Hide plugin names alongside their version numbers.
- Change the Themes Path – Hide theme names alongside version parameters.
- Hide WordPress Common Paths and Files – Block access to readme, license, and other version-revealing files.
- Hide from WordPress Theme Detectors – Remove all CMS detection signals.
