How To Remove WordPress Generator Meta Tag & Does It Matter?

A common feature found in most security plugins is the ability to remove the WordPress Generator Meta Tag. This looks like the following:

<meta name=”generatorcontent=”WordPress 4.9.1” />

The above tag offers no value in terms of search engine optimization (SEO). The tag tells you what content management system (CMS) the website was built with. This is a very common practice with many platforms, including Drupal (another popular CMS). The tag is used to tell other developers what technology the website was built with. However, there are many other useful ways to determine if a website is using WordPress.

  • HTML Tags,
  • CSS Rules
  • File Structure
  • Style.CSS and much much more.

WordPress websites can usually be identified by looking at them. Due to this, the generator tag does not serve much purpose. This is because it is usually obvious that the website was built with WordPress.

Does Removing the WordPress Generator Meta Tag Provide Any Benefit?

This is an iffy question. Many security plugins seem to swear by it and it makes sense if you are looking to stop automated bots. For example, if a bot was scanning websites looking for an outdated version of WordPress, they can find this with an outdated form of the generator tag. This happens with older forms of the tags from let’s say WordPress 4.1. The bots can expose vulnerabilities in these outdated forms of WordPress and then potentially hack your website.

Other Ways to Find Out What WordPress Version A Website Is

However, there are other ways to tell the WordPress version of a website just by looking at it. For example, to find out what version of WordPress a website is using, look at the query strings. The query string is the bolded part in the following script.

CSS and JS files often change depending upon which version of WordPress a website is using. I have provided an example of a JS emoji script that changes when I update WordPress.

<script type=”text/javascript”> window._wpemojiSettings = {“baseUrl”:”https:\/\/\/images\/core\/emoji\/2.3\/72×72\/”,”ext”:”.png”,”svgUrl”:”https:\/\/\/images\/core\/emoji\/2.3\/svg\/”,”svgExt”:”.svg”,”source”:{“concatemoji”:”http:\/\/\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.1“}}; !function(a,b,c){function d(a,b){var c=String.fromCharCode;l.clearRect(0,0,k.width,k.height),l.fillText(c.apply(this,a),0,0);var d=k.toDataURL();l.clearRect(0,0,k.width,k.height),l.fillText(c.apply(this,b),0,0);var e=k.toDataURL();return d===e}function e(a){var b;if(!l||!l.fillText)return!1;switch(l.textBaseline=”top”,l.font=”600 32px Arial”,a){case”flag”:return!(b=d([55356,56826,55356,56819],[55356,56826,8203,55356,56819]))&&(b=d([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]),!b);case”emoji”:return b=d([55358,56794,8205,9794,65039],[55358,56794,8203,9794,65039]),!b}return!1}function f(a){var c=b.createElement(“script”);c.src=a,c.defer=c.type=”text/javascript”,b.getElementsByTagName(“head”)[0].appendChild(c)}var g,h,i,j,k=b.createElement(“canvas”),l=k.getContext&&k.getContext(“2d”);for(j=Array(“flag”,”emoji”),c.supports={everything:!0,everythingExceptFlag:!0},i=0;i<j.length;i++)c.supports[j[i]]=e(j[i]),c.supports.everything=c.supports.everything&&c.supports[j[i]],”flag”!==j[i]&&(c.supports.everythingExceptFlag=c.supports.everythingExceptFlag&&c.supports[j[i]]);c.supports.everythingExceptFlag=c.supports.everythingExceptFlag&&!c.supports.flag,c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.everything||(h=function(){c.readyCallback()},b.addEventListener?(b.addEventListener(“DOMContentLoaded”,h,!1),a.addEventListener(“load”,h,!1)):(a.attachEvent(“onload”,h),b.attachEvent(“onreadystatechange”,function(){“complete”===b.readyState&&c.readyCallback()})),g=c.source||{},g.concatemoji?f(g.concatemoji):g.wpemoji&&g.twemoji&&(f(g.twemoji),f(g.wpemoji)))}(window,document,window._wpemojiSettings); </script>

I went ahead and bolded the version number of the script.  This is a bad versioning method. This is because it implies those files are only updated with a WordPress update. (But for many WordPress plugins, that is not the case.)

Does Removing The WordPress Generator Meta Tag Make Your Site More Secure?

No, unless you are working against a very unsophisticated bot that is just crawling through the web. To keep your website secure, you should focus on keeping your website up to date and locked down through other techniques. Other techniques can be consulted on through the codex or by contacting a WordPress developer, such as myself.

How to Remove the Tag?

The process to remove the tag is simple. Simply add the following piece of code to your functions.php file (of a child theme) or a site-specific plugin and this will remove the tag completely.

remove_action(‘wp_head’, ‘wp_generator’);


scott hartley

About the author

Scott is a web performance geek, lover of all things coffee, and avid video game player. His WordPress work delves into web performance, web security, and SEO.

Leave a Comment