check WordPress Version

How do you find out what WordPress Version, a site is running on, if you don’t have access to the CMS Backend? Of course, the most reliable way of finding a WordPress version is to login to the “wp-admin” area and look under the ‘Updates‘! But we don’t always have that access available. There are plenty of reasons (both legitimate and nefarious) why you would like to check the WordPress version of a site: Here are some of the reasons.

  • You’ve been contacted by a new potential client, and you want to get an idea for how well their site has been maintained by checking the WordPress version.
  • You’re trying to diagnose server errors and want to see if an old WP version might be the cause.
  • You’ve come across something that hasn’t been seen before and you want to see if it’s related to a new WordPress version.
  • Or, nefariously you ought to find sites with outdated WordPress versions that can be exploited.
  • At WPArena, we want to know the WordPress version to include in the free WordPress site scan reports we are soon going to provide.

WordPress Version Stats

Here on WordPress Statistics page, some charts showing what sorts of systems people are running WordPress on.
(You’ll need JavaScript enabled to see them.)

WordPress Version Stats
WordPress Version Stats

Different Ways To Check WordPress Version

We’ve found five neat ways to detect WordPress version of a site. They don’t work all the time, but it’s rare that none of them will work. Below they are numbered, in ascending order of difficulty:

  1. Readme file

    The quickest and easiest way to detect WordPress version is just to look at the readme.html file which is automatically installed at the root of a WordPress site, e.g. https://wparena.com/readme.html

  2. Feed generator tag

    If you can’t access the readme.html file (and it’s blocked by the more security-conscious hosting providers like WP Engine for that very reason), your next bet is to look at the source of the site’s RSS feed – this is always found at www.wparena.com/feed/. Often, the feed’s source XML will include a <generator> tag which will give you the version as a ?v=x.x variable – as depicted above.

  3. Generator tag in HTML source

    Sometimes, you can just look at the HTML source of the page to find a generator tag like: <meta name="generator" content="WordPress 4.8.1" /> – but this is very much theme-specific, so you’re safer looking in the feed first.

  4. Version of included files in HTML source

    This method is a good one to check the WordPress version as well. Look at the HTML source of a site’s homepage, and there will nearly always be some script includes, a common one is a comment-reply file, which will look like this: Note the ?ver=4.8.1 at the end of the script source. When added correctly by a theme, a version of the included file is always appended to the end of the file source URL. If no version is specified, the current WordPress version is used by default. You’ll often find other version numbers, but the “comment-reply.js” is usually just the WP version.

  5. MD5 hash of publically-accessible files

    MD5 Hash is by far the most complex tactic, but sometimes necessary. As web software, WordPress must make at least some of its files available to browsers (stylesheets, JavaScript files, etc.), for example, the comment-reply script above. As WordPress evolves, over time many of these files are updated. By performing an MD5 hash of the various publicly accessible files for different versions, it’s possible to deduce which version (or at least range of versions) a WP site is using. E.g. if one downloaded your site’s comment-reply.js file from then they can generate the MD5 hash of the file (which is a unique fingerprint of a particular file) and then compare that to a library of known hashes for various WP versions.

The easiest way to perform all of these checks is just to head over to the readme.html file and hopefully, you will get a result! WPArena connects WordPress sites, themes, users, professionals, and industry benchmarks to create a unique database and network that maps the real, live world of WordPress. Some crawlers scan hundreds of thousands of WordPress sites, analyze and report on each one and then use the data connections between them to provide brand new insights into the WordPress ecosystem. Several WordPress version detection tools are also available in the market. You can find them easily by searching the terms “WordPress version checker” or “Check WordPress Version” or “detect WordPress version” online. These WordPress version checker tools are equipped with a lot of features and offers:

  • a free WordPress site scanner
  • a dashboard to track and monitor your WordPress sites
  • a directory of WordPress professionals
  • a unique theme explorer
  • and many more…

If you know anything better to check the WordPress version, please let us know in the comments below.

Arslan Rashid

Arslan is an Electrical Engineering student who has a keen interest in the WordPress developments and upcoming technologies. He likes to share interesting knowledge with the readers.

Join the Conversation

12 Comments

  1. Thanks for pointing out method five.

    I wasn’t aware of that.

    I usually hide the version information, could you please share any ideas about to avoid recognition with md5 hash?

    1. Hi Maxi,

      Thanks for the comment. I know that Sucuri use this method too.

      I don’t think there’s an easy way to do prevent MD5 hashing – if you can download the file, you can hash it.

      If you were really concerned to prevent this, you would have to change the contents of the files – one extra character will do. You could either just do this manually to commonly-used files like comment-reply.js or you could use a compiling script to take your source dev files and put them into a distributable build which automatically inserts random numbers or comments into files.

      Hope that’s helpful.

      – David

      1. If you want to avoid md5 fingerprinting you need to alter the files, you could for example edit the files to add whitespace, or change their content. Even a minor change (eg add a blank comment line) will change the md5 hash completely.

        You could probably even use mod_ext_filter to automate that, but just cat-ing lines containing a whitespace character to the end of every static file, like .js .css, would probably do the trick.

    1. Hi @imagemaskinguk:disqus – it’s not on all WP sites – like anything else it depends on the theme – but we’ve found it on enough sites to make it worth checking for.

  2. It never occurred to me that you can hash files to detect the version number. But, that’s neat. Thanks for sharing.

  3. Do you know of a md5 hash test library? that has the hashes of the main files already calculated. I have a Magento version but nothing for WordPress.

Leave a comment

Your email address will not be published. Required fields are marked *