- 1
Remove the generator tag
Strip the version from the page head and feeds in functions.php:
remove_action( 'wp_head', 'wp_generator' ); add_filter( 'the_generator', '__return_empty_string' ); - 2
Block readme.html
readme.html shows the exact version. Deny it in .htaccess:
<Files readme.html> Require all denied </Files> - 3
Keep WordPress updated (the real fix)
Hiding the version slows automated scanners but won't stop a determined attacker. Enable automatic updates for minor releases and update core promptly.
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
How to Fix Cross-Site Scripting (XSS) in WordPress
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
How to Fix SQL Injection in WordPress
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
How to Disable XML-RPC in WordPress
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
How to Add Security Headers to WordPress
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.