A website is like a virtual castle; it may appear tranquil and serene, but countless eyes are watching it at every moment. The height of its walls and the sharpness of its weapons are all subjects of scrutiny for potential invaders. In the world of WordPress, version numbers serve as subtle cracks in that castle wall. Plugins and themes that display their version numbers seem to broadcast a message, saying, “Come and check me out; I might have vulnerabilities.” To prevent this castle from revealing its weaknesses, savvy guardians often choose to discreetly hide unnecessary details. However, as a guardian, you might wonder, “What if I’m an administrator and need to debug?” This guide is here to assist you. Whether fending off non-administrator intruders or maintaining the fortress as an administrator, you can easily manage the secrets of your domain.
A Hidden Passage Just for Administrators
Concealment is for safety, but why not leave a window for yourself to peek through? When we hide version numbers, let’s ensure that administrators can still oversee every change within the castle. With a simple logical adjustment, only non-administrators will be kept out, while administrators will have a clear view. If there’s no special handling required for administrators, simply remove the conditional check in the code and keep only what is inside it:
if (!current_user_can('administrator')) { /* Keep only the code in the condition */ }
Step 1: Silently Retire the WordPress Core Version Number
The WordPress core version number is like the plaque on the castle’s gate. While seemingly inconspicuous, it serves as a key for enemies seeking entry. However, we can make this plaque visible only to administrators, leaving outsiders in the dark.
// Hide WordPress core version number for non-administrators
function hide_wp_version_for_non_admin() {
    if (!current_user_can('administrator')) {
        remove_action('wp_head', 'wp_generator'); // Remove WordPress version number
    }
}
add_action('init', 'hide_wp_version_for_non_admin');
The code above adds an illusion to the gate, making the plaque visible only to administrators.
Step 2: Version Numbers of Plugins and Themes Remain Unseen
Whenever we load a stylesheet or script file, those trailing version numbers like ver=1.0.0 leave behind a trail. Enemies can follow these breadcrumbs to determine which versions of plugins or themes you are using, leading them to potential points of entry.
// Hide static resource version numbers for non-administrator users
function remove_version_from_assets_for_non_admin($src) {
    if (!current_user_can('administrator')) {
        if (strpos($src, 'ver=') !== false) {
            $src = remove_query_arg('ver', $src);
        }
    }
    return $src;
}
add_filter('style_loader_src', 'remove_version_from_assets_for_non_admin', 9999);
add_filter('script_loader_src', 'remove_version_from_assets_for_non_admin', 9999);
With these changes, non-administrators will no longer see those “breadcrumbs,” keeping the core information of the website secure.
Step 3: Silence the Login Error Messages
Whenever someone attempts to log in to your backend, WordPress kindly informs them of the reason for failure. It’s akin to telling someone who mistyped their password, “The username is correct, but the password is wrong!” This is an invisible leak.
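// Hide login error messages for non-administrator users
function hide_login_errors_for_non_admin($error) {
    if (!current_user_can('administrator')) {
        return 'Login error'; // Generic message that does not say which field was wrong
    }
    return $error; // Administrators keep the original message
}
add_filter('login_errors', 'hide_login_errors_for_non_admin');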
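This snippet places a lock on the login screen, ensuring no one learns from the error message whether a username exists, while administrators can unlock it when needed. Keep in mind that a visitor on the login screen is not yet authenticated, so the administrator check is false there and the generic message is what gets shown.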
Step 4: Hushing the Secrets of the REST API
The WordPress REST API flows like a river, carrying various information about the site. Some of this data may contain unnecessary versioning information. We can make this river silent to non-administrators.
// Disable REST API version information for non-administrator users
function disable_rest_version_for_non_admin() {
    if (!current_user_can('administrator')) {
        remove_action('wp_head', 'rest_output_link_wp_head'); // Remove the REST API discovery link
        remove_action('wp_head', 'wp_oembed_add_discovery_links'); // Remove the oEmbed discovery links
    }
}
add_action('init', 'disable_rest_version_for_non_admin');
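As a result, non-administrators will only see a calm river surface: the REST API and oEmbed discovery links no longer appear in the page head. The API itself still answers requests; only the signposts pointing to it are removed.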
Step 5: The Silent Smiles of Emojis
WordPress has enabled the Emoji feature by default; every time a page loads, additional scripts and styles quietly appear, which also contain traces of version numbers. We can make these smiling emojis keep their silence.
// Disable Emoji functionality for non-administrator users
function disable_emoji_for_non_admin() {
    if (!current_user_can('administrator')) {
        remove_action('wp_head', 'print_emoji_detection_script', 7);
        remove_action('wp_print_styles', 'print_emoji_styles');
    }
}
add_action('init', 'disable_emoji_for_non_admin');
This piece of code masks the emojis, rendering non-administrators unable to see the smiling version numbers.
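To confirm that the castle walls really are bare, you can scan the HTML your own site serves to a logged-out visitor. The checker below is an added example, not code from the original guide: it looks for the markup that Steps 1, 2, 4 and 5 are meant to remove. The sample pages, the example.test host and the "WordPress 6.0" value are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

OEMBED_TYPES = {"application/json+oembed", "text/xml+oembed"}

class LeakScanner(HTMLParser):
    """Collects the markup that Steps 1, 2, 4 and 5 are meant to suppress."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Step 1: <meta name="generator" content="WordPress x.y">
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator", a.get("content", "")))
        # Step 2: ?ver= on stylesheet and script URLs
        if tag in ("link", "script"):
            url = urlsplit(a.get("href") or a.get("src") or "")
            ver = parse_qs(url.query).get("ver")
            if ver:
                self.findings.append(("asset-version", f"{url.path}?ver={ver[0]}"))
        # Step 4: REST API and oEmbed discovery links
        if tag == "link" and a.get("rel") == "https://api.w.org/":
            self.findings.append(("rest-link", a.get("href", "")))
        if tag == "link" and a.get("type") in OEMBED_TYPES:
            self.findings.append(("oembed-link", a.get("href", "")))

    def handle_data(self, data):
        # Step 5: the inline emoji detection script defines window._wpemojiSettings
        if "_wpemojiSettings" in data:
            self.findings.append(("emoji-script", "_wpemojiSettings"))

def scan(html):
    """Return a list of (kind, detail) tuples for every leak found in html."""
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples: a default page head and the same head after the five steps.
DEFAULT_HEAD = """<head>
<meta name="generator" content="WordPress 6.0" />
<link rel="stylesheet" href="https://example.test/wp-content/plugins/demo/style.css?ver=1.0.0" />
<link rel="https://api.w.org/" href="https://example.test/wp-json/" />
<link rel="alternate" type="application/json+oembed" href="https://example.test/wp-json/oembed/1.0/embed?url=x" />
<script>window._wpemojiSettings = {};</script>
</head>"""
HARDENED_HEAD = """<head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/demo/style.css" />
</head>"""
```

Feed `scan()` the page source saved from a private browser window; an empty list means none of these traces are left in that page.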
Conclusion: Concealment is the Best Protection
These simple adjustments ensure that WordPress remains a secure fortress, with unnecessary information fading into oblivion. In the realm of non-administrators, there is only silence and safety, while as the guardian, you retain control over all secrets. This represents the cleverest form of concealment.
Never forget, security is never a single monumental victory; it’s the meticulous combination of countless small details. Are you ready to protect this castle?