Ways-Detect-version-WordPress
Ways to Detect the version of WordPress

Ways to Detect the version of WordPress

davidlockie . Posted in WP Security 1349 Views

How do you find out what version of WordPress a site is running if you don’t have access to the CMS? Of course  the most reliable way of finding the version of a WordPress site is to log into the CMS and look under ‘Updates’! But we don’t always have that luxury. There are plenty of reasons (both legitimate and nefarious) why you would want to do this:

  • You’ve been contacted by a new potential client and you want to  get an idea for how well their site has been maintained
  • You’re trying to diagnose server errors and want to see if an old WP version might be the cause
  • You’ve come across something you haven’t seen before and want to see if it’s related to a new WP version
  • Or, nefariously you might want to find sites with out of date WP installations that can be exploited
  • At wp.io, we want to find out the version to include in the free WordPress site scan reports we provide (e.g. http://wp.io/site-report/www-pragmatic-web-co-uk-5-22/)

Here are on  WordPress Statistics page some charts showing what sorts of systems people are running WordPress on.
(You’ll need Javascript enabled to see them.)

WordPress-Version-Stats

We’ve found five neat ways of determining the version of a site. They don’t all work all the time but it’s rare that none will work. Here they are, in ascending order of difficulty:

  1. Readme file

    The quickest and easiest way is just to look at the readme.html file which is automatically installedat the root of a WordPress site, e.g. http://wp.io/readme.html

  2. Feed generator tag

    WordPress feed generator

    WordPress feed generator

    If you can’t access the readme file (and it’s blocked by the more security-conscious hosting providers like WP Engine for that very reason), your next bet is to look at the source of the site’s RSS feed – this is always found at www.yoursite.com/feed/ - e.g. www.pragmatic-web.co.uk/feed/. Often, the feed’s source XML will include a <generator> tag which will give you the version as a ?v=x.x variable – as depicted above.

  3. Generator tag in HTML source

    Sometimes, you can just look at the HTML source of the page to find a generator tag like: <meta name="generator" content="WordPress 3.5" /> - but this is very much theme-specific so you’re safer looking in the feed first.

  4. Version of included files in HTML source

    This is a good one too. Look in the HTML source of a site’s homepage and there will nearly always be some script includes, a common one is the comment-reply file, which will look like this: <script type='text/javascript' src='http://www.yoursite.com/wp-includes/js/comment-reply.min.js?ver=3.5'></script>. Note the ?ver=3.5 on the end of the script source. When included correctly by a theme, a version of the included file is always appended to the end of the file source URL. If no version is specified, the current WordPress version is used by default. You’ll often find other version numbers ARE included, but the comment-reply is usually just the WP version.

  5. MD5 hash of publically-accessible files

    This is by far the most complex tactic, but sometimes necessary. As web software, WordPress must make at least some of its files available to browsers (stylesheets, JavaScript files, etc), for example the comment-reply script above. As WordPress evolves, over time many of these files are updated. By performing a MD5 hash of the various publicly-accessible files for different versions, it’s possible to deduce which version (or at least range of versions) a WP site is using. E.g. if one downloaded your site’s comment-reply.js file from http://www.yoursite.com/wp-includes/js/comment-reply.min.jsthen they can generate the MD5 hash of the file (which is a unique fingerprint of a particular file) and then compare that to a library of known hashes for various WP versions.

The easiest way to perform all of these checks is just to head over to wp.io and run a free site report on any WordPress site you’re interested in! wp.io connects WordPress sites, themes, users, professionals and industry benchmarks to create a unique database and network that maps the real, live world of WordPress. wp.io’s crawlers scan hundreds of thousands of WordPress sites, analyse and report on each one and then use the data connections between them to provide brand new insights into the WordPress ecosystem. wp.io offers:

  • a free WordPress site scanner
  • a dashboard to track and monitor your WordPress sites
  • a directory of WordPress professionals
  • a unique theme explorer

How to remove WordPress version
WordPress sites hacked, again!
Slow adoption rate of new WordPress versions
How to increase visitors and convert to customers
Check Your WordPress Version Without Logging In To Your Admin Section
How to Detect Mobile Devices using CSS3?
How to detect iPhone browser natively in WordPress

davidlockie

Tree-hugging, technology-loving, WordPress-developing, music lover, husband, step dad, amateur photographer and tennis player.
  • Maxi

    Thanks for pointing out method five.

    I wasn’t aware of that.

    I usually hide the version information, could you please share any ideas about to avoid recognition with md5 hash?

  • http://wparena.com/ Wordpress Arena

    try to use firewall

  • http://www.clippingpathindia.com/image-masking.html Image Masking

    I was not aware of this one “Generator tag in HTML source”

  • wpio

    Hi @imagemaskinguk:disqus – it’s not on all WP sites – like anything else it depends on the theme – but we’ve found it on enough sites to make it worth checking for.

  • Maxi

    I think you’re right
    Thanks

  • http://www.outsourceexpertsbd.com Clipping Path

    Thanks for this!

Free & Professional WordPress Security Service Free & Professional WordPress Security Service

We Love WordPress. WordPress Arena is a place for WordPress Developers and Designers, providing Tips, tricks, tools and resources to build a website or blog on WordPress. We also present The WordPress Showcase for all kind of WordPress Powered Websites.

Recent Comments

Anderson

|

Dont work with post_type? ‘post_type=property&numberposts=1′