How do you determine which WordPress version a site is running if you don’t have access to the CMS backend? Of course, the most reliable way of finding a WordPress version is to log in to the “wp-admin” area and look under ‘Updates’. But we don’t always have that access available. There are plenty of reasons (both legitimate and nefarious) why you would want to check the WordPress version of a site. Here are some:
- A new potential client has contacted you, and you want to know how well their site has been maintained by checking the WordPress version.
- You’re trying to diagnose server errors and want to see if an old WP version might be the cause.
- You’ve come across something you haven’t seen before and want to know if it’s related to a new WordPress version.
- Or, nefariously, you want to find sites with outdated WordPress versions that can be exploited.
- At WPArena, we want to know the WordPress version to include in the free WordPress site scan reports we will soon provide.
WordPress Version Stats
Some charts on the WordPress Statistics page show what systems people are running WordPress on.
Different Ways To Check WordPress Version
We’ve found five neat ways to detect the WordPress version of a site. None of them works all the time, but it is rare for all of them to fail. They are listed below in ascending order of difficulty:
- Readme file
The quickest and easiest way to detect the WordPress version is to look at the readme.html file, which is automatically installed at the root of a WordPress site, e.g., https://wparena.com/readme.html.
- Feed generator tag
If you can’t access the readme.html file (and it’s blocked by the more security-conscious hosting providers like WP Engine for that reason), your next bet is to look at the source of the site’s RSS feed – this is always found at www.wparena.com/feed/. Often, the feed’s source XML will include a <generator> tag, which will give you the version as a ?v=x.x variable.
- Generator tag in HTML source
Sometimes, you can look at the HTML source of the page to find a generator tag like: <meta name="generator" content="WordPress 4.8.1" /> – but this is very much theme-specific, so you’re safer looking in the feed first.
- The version of included files in the HTML source
This method is a good one to check the WordPress version as well. Look at the HTML source of a site’s homepage, and there will nearly always be some script includes; a common one is a comment-reply file, which will look like this:
Note the ?ver=4.8.1 at the end of the script source. When added correctly by a theme, a version of the included file is always appended to the end of the file source URL. The current WordPress version is used by default if no version is specified. You’ll often find other version numbers, but the “comment-reply.js” is usually just the WP version.
- An MD5 hash of publicly accessible files
The easiest way to perform all these checks is to head over to the readme.html file, and hopefully, you will get a result!
WPArena connects WordPress sites, themes, users, professionals, and industry benchmarks to create a unique database and network that maps the real, live world of WordPress. Some crawlers scan hundreds of thousands of WordPress sites, analyze and report on each one and then use the data connections between them to provide brand new insights into the WordPress ecosystem.
Several WordPress version detection tools are also available in the market. You can find them easily by searching the terms “WordPress version checker,” “Check WordPress Version,” or “detect WordPress version” online. These WordPress version checker tools are equipped with a lot of features and offer:
- a free WordPress site scanner
- a dashboard to track and monitor your WordPress sites
- a directory of WordPress professionals
- a unique theme explorer
- and many more.
Please let us know in the comments below if you know anything better to check the WordPress version.
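An added example, not part of the original article or of WPArena's tooling: a Python check for the feed generator, HTML generator tag and ?ver= methods described above, run against constructed markup so you can see what your own site discloses. The sample markup, the LeakParser and audit names, and the majority vote used to pick the likely core version are assumptions of this example.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

VERSION = re.compile(r"\d+(?:\.\d+){1,2}")

class LeakParser(HTMLParser):
    """Collects (source, version) disclosures from page or feed markup."""
    def __init__(self):
        super().__init__()
        self.leaks, self._in_generator = [], False

    def _query_version(self, url, key):
        value = parse_qs(urlsplit(url).query).get(key, [""])[0]
        return value if VERSION.fullmatch(value) else None

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = VERSION.search(a.get("content", ""))
            if m and "wordpress" in a["content"].lower():
                self.leaks.append(("meta generator", m.group()))
        elif tag in ("script", "link"):            # enqueued assets carry ?ver=
            url = a.get("src") or a.get("href") or ""
            if (ver := self._query_version(url, "ver")):
                self.leaks.append(("?ver= on " + urlsplit(url).path, ver))
        self._in_generator = (tag == "generator")  # feed <generator> element

    def handle_data(self, data):
        if self._in_generator and (ver := self._query_version(data.strip(), "v")):
            self.leaks.append(("feed generator", ver))

    def handle_endtag(self, tag):
        self._in_generator = False

def audit(documents):
    """documents: {label: markup} -> (leaks, most frequently seen version)."""
    leaks = []
    for label, markup in documents.items():
        parser = LeakParser()
        parser.feed(markup)
        parser.close()
        leaks += [(label, src, ver) for src, ver in parser.leaks]
    votes = Counter(ver for _, _, ver in leaks)  # theme asset versions get outvoted
    return leaks, (votes.most_common(1)[0][0] if votes else None)

# Constructed sample markup, not taken from any real site.
HOME = ('<meta name="generator" content="WordPress 4.8.1" />'
        '<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=2.3" />'
        '<script src="/wp-includes/js/comment-reply.min.js?ver=4.8.1"></script>')
FEED = '<rss><channel><generator>https://wordpress.org/?v=4.8.1</generator></channel></rss>'
```

Calling audit({"home": HOME, "feed": FEED}) returns four disclosures and picks 4.8.1; the theme stylesheet's 2.3 is reported but outvoted, matching the article's remark that other version numbers also appear in the source.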
Thanks for pointing out method five.
I wasn’t aware of that.
I usually hide the version information, could you please share any ideas about how to avoid recognition with md5 hash?
Thanks for the comment. I know that Sucuri use this method too.
I don’t think there’s an easy way to prevent MD5 hashing – if you can download the file, you can hash it.
If you were really concerned to prevent this, you would have to change the contents of the files – one extra character will do. You could either just do this manually to commonly-used files like comment-reply.js or you could use a compiling script to take your source dev files and put them into a distributable build which automatically inserts random numbers or comments into files.
Hope that’s helpful.
I think you’re right
If you want to avoid md5 fingerprinting you need to alter the files, you could for example edit the files to add whitespace, or change their content. Even a minor change (eg add a blank comment line) will change the md5 hash completely.
You could probably even use mod_ext_filter to automate that, but just cat-ing lines containing a whitespace character to the end of every static file, like .js .css, would probably do the trick.
try to use firewall, change the directory permission
I was not aware of this one “Generator tag in HTML source”
Hi @imagemaskinguk:disqus – it’s not on all WP sites – like anything else it depends on the theme – but we’ve found it on enough sites to make it worth checking for.
Thanks for this!
It never occurred to me that you can hash files to detect the version number. But, that’s neat. Thanks for sharing.
Thanks for this useful information
Thanks for this useful information
Do you know of an md5 hash test library that has the hashes of the main files already calculated? I have a Magento version but nothing for WordPress.
wp-includes/version.php is a pretty good and straight-forward way to find out the version.
$wp_version is defined there.
I was not able to extract the version from the readme.html page in the document root.