How to remove the WordPress Generator Meta Tag

The WordPress generator meta tag displays your website’s WordPress version for anyone to see.

This can be a security risk for your website but it is easy to remove.

Where is the version number located?

You’ll need to view the page source (HTML code) of your website to find the tag.

Viewing options differ on each browser however, it is usually found in one of the drop-down or right-click menus.

eg in FireFox right-click on your page to bring up the context menu and select View Page Source, or select it from the View drop-down menu at the top, or by pressing <ctrl>+u.

The meta tags should be in the top section of the source code, before the </head> closing tag.  Perform a search looking for the keyword “generator” and you should see this line:

<meta name="generator" content="WordPress 3.1.3" />

If the above line doesn’t appear in your HTML source code then perhaps the WordPress theme that you are using has disabled it which is great.

Read on though and find out why it has been removed or just skip the and go straight to the fix.

Why remove the WordPress Generator meta tag?

For security – it is as simple as that.

We all know that there are bad people out there who like to break into websites and mess them up, hijack them or steal users identities to make money.

The generator meta tag advertises your website as running on the WordPress Content Management System (CMS) and this is similar to posting a sign outside your front door saying that your home is protected with “Security 3000’s Ultra Defender Model 8.3.9”.

Surely nobody in their right mind would do that?

If a burglar happened to know exactly which alarm unit was protecting your home, they could read up on it, find weaknesses, default settings, manufacturers codes etc.

The same holds true of your WordPress installation.

Just knowing a website is running WordPress means that an on-line burglar (intruder) knows how to get to your login screen by appending “/wp-admin” onto the end of the website URL.

They could have guessed and tried that anyway but the point here is that they already knew your site was running on WordPress, because you told them!

Older versions of WordPress, pre v3.x, used a default username of “Admin” during setup for the administration user account and most website owners don’t remove that account.

An intruder, looking at the WordPress version number in the generator meta tag could now attempt to guess the password to an “admin” user account.

If you have been running WordPress as your CMS of choice for a while then you’ll know that every so often they release security updates.  That usually implies that there’s a security hole that needs to be patched in a prior version.

It’s easy to look at the site and find a list of security vulnerabilities for each version and an intruder could use this to gain access to your website.

And all this because of a single line.

Removing the WordPress Generator meta tag

OK -on to the fix.  Let’s get rid of that pesky generator tag once and for all.

You’ll need to edit a file called “functions.php” in your current WordPress theme’s folder and add the following lines to it, before the closing ?> tag:

// Remove the WordPress Generator Meta Tag
function remove_generator_filter() { return ''; }

if (function_exists('add_filter')) {
 $types = array('html', 'xhtml', 'atom', 'rss2', /*'rdf',*/ 'comment', 'export');

 foreach ($types as $type)
 add_filter('get_the_generator_'.$type, 'remove_generator_filter');

Let’s explain what the above code does.

Line 1 is a simple comment for readability.

Line 2 creates a function that returns an empty string.

Lines 4-9 run through different methods that WordPress uses to display your Website content, looking for the generator tag and replacing it with an empty string using the function on line 2.

Some other fixes you find on the Internet only remove the generator tag from the pages and posts of a website using the following line of code in the functions.php file:

remove_action('wp_head', 'wp_generator');

This is great for a simple fix, but WordPress allows your website content to be displayed in many ways different ways such as RSS feeds, exports, comments etc and all these methods may also include the generator tag which the above line would not work on.

No functions.php file

If there isn’t such a file, which is unlikely but can happen, you’ll have to create one in your theme’s folder making sure that the format is correct and that you have the opening and ending PHP tags.

A complete new functions.php file for this fix is included below for those who need to create a new one:

// Remove the WordPress Generator Meta Tag
function remove_generator_filter() { return ''; }

if (function_exists('add_filter')) {
 $types = array('html', 'xhtml', 'atom', 'rss2', /*'rdf',*/ 'comment', 'export');

 foreach ($types as $type)
 add_filter('get_the_generator_'.$type, 'remove_generator_filter');

Please do not overwrite any existing functions.php file with the one above.

If you already have a functions.php file, edit it and add the code in the previous Removing the WordPress Generator Tag section.

Let’s make our WordPress websites safer.

Hop over to our Facebook page and like us for more of these types of tips.

Was this article helpful?

Keep In Touch


Wil is a dad, WordPress consultant, WordPress developer, business coach and mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.

1 thought on “How to remove the WordPress Generator Meta Tag”

Comments are closed.