Ways to Detect the version of WordPress

How do you find out what version of WordPress a site is running if you don’t have access to the CMS? Of course, the most reliable way of finding the version of a WordPress site is to log into the CMS and look under ‘Updates’! But we don’t always have that luxury. There are plenty of reasons (both legitimate and nefarious) why you would want to do this:

  • You’ve been contacted by a new potential client and you want to get an idea of how well their site has been maintained
  • You’re trying to diagnose server errors and want to see if an old WP version might be the cause
  • You’ve come across something you haven’t seen before and want to see if it’s related to a new WP version
  • Or, nefariously, you might want to find sites with out-of-date WP installations that can be exploited
  • At wp.io, we want to find out the version to include in the free WordPress site scan reports we provide (e.g. http://wp.io/site-report/www-pragmatic-web-co-uk-5-22/)

The WordPress Statistics page has some charts showing what sorts of systems people are running WordPress on.
(You’ll need JavaScript enabled to see them.)

[Figure: WordPress Version Stats]

We’ve found five neat ways of determining the version of a site. They don’t all work all the time but it’s rare that none will work. Here they are, in ascending order of difficulty:

  1. Readme file

    The quickest and easiest way is just to look at the readme.html file which is automatically installed at the root of a WordPress site, e.g. http://wp.io/readme.html

  2. Feed generator tag

    If you can’t access the readme file (and it’s blocked by the more security-conscious hosting providers like WP Engine for that very reason), your next bet is to look at the source of the site’s RSS feed – this is always found at www.yoursite.com/feed/ – e.g. www.pragmatic-web.co.uk/feed/. Often, the feed’s source XML will include a <generator> tag which will give you the version as a ?v=x.x variable – as depicted above.

  3. Generator tag in HTML source

    Sometimes, you can just look at the HTML source of the page to find a generator tag like: <meta name="generator" content="WordPress 4.3" /> – but this is very much theme-specific so you’re safer looking in the feed first.

  4. Version of included files in HTML source

    This is a good one too. Look in the HTML source of a site’s homepage and there will nearly always be some script includes, a common one is the comment-reply file, which will look like this: . Note the ?ver=3.5 on the end of the script source. When included correctly by a theme, a version of the included file is always appended to the end of the file source URL. If no version is specified, the current WordPress version is used by default. You’ll often find other version numbers ARE included, but the comment-reply is usually just the WP version.

  5. MD5 hash of publicly accessible files

    This is by far the most complex tactic, but sometimes necessary. As web software, WordPress must make at least some of its files available to browsers (stylesheets, JavaScript files, etc), for example the comment-reply script above. As WordPress evolves, many of these files are updated over time. By taking an MD5 hash of the various publicly accessible files for different versions, it’s possible to deduce which version (or at least range of versions) a WP site is using. E.g. if one downloaded your site’s comment-reply.js file from http://www.yoursite.com/wp-includes/js/comment-reply.min.js then they can generate the MD5 hash of the file (which is a unique fingerprint of a particular file) and then compare that to a library of known hashes for various WP versions.
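To audit which of these signals your own site gives away, the checks in methods 2 to 5 can be run over saved copies of the feed, the homepage HTML and a static file. The sketch below is an added example, not wp.io's code: the function names are hypothetical, and the sample feed, HTML, file bodies and hash table are all constructed for illustration.

```python
import hashlib
import re

# Patterns for the three passive signals the article lists (methods 2-4).
FEED_GEN = re.compile(r"<generator>[^<]*\?v=([\d.]+)</generator>")
META_GEN = re.compile(r'<meta\s+name="generator"\s+content="WordPress ([\d.]+)"', re.I)
SCRIPT_VER = re.compile(r"comment-reply(?:\.min)?\.js\?ver=([\d.]+)")


def version_signals(feed_xml, html):
    """Return {signal name: version string} for every signal that is exposed."""
    found = {}
    for name, pattern, text in (
        ("feed generator", FEED_GEN, feed_xml),
        ("meta generator", META_GEN, html),
        ("comment-reply ?ver=", SCRIPT_VER, html),
    ):
        match = pattern.search(text)
        if match:
            found[name] = match.group(1)
    return found


def versions_for_file(body, known_hashes):
    """Method 5: map a static file's MD5 to the versions known to ship it."""
    return known_hashes.get(hashlib.md5(body).hexdigest(), [])


# Constructed sample data, not taken from any real site or WordPress release.
SAMPLE_FEED = "<rss><channel><generator>https://wordpress.org/?v=4.3</generator></channel></rss>"
SAMPLE_HTML = (
    '<html><head><meta name="generator" content="WordPress 4.3" />'
    "<script src='/wp-includes/js/comment-reply.min.js?ver=4.3'></script></head></html>"
)
HARDENED_HTML = "<html><head><script src='/wp-includes/js/comment-reply.min.js'></script></head></html>"
FILE_A = b"/* constructed stand-in for comment-reply.min.js, build A */"
FILE_B = b"/* constructed stand-in for comment-reply.min.js, build B */"
KNOWN_HASHES = {
    hashlib.md5(FILE_A).hexdigest(): ["4.2", "4.3"],  # file unchanged across two releases
    hashlib.md5(FILE_B).hexdigest(): ["4.4"],
}

if __name__ == "__main__":
    print(version_signals(SAMPLE_FEED, SAMPLE_HTML))       # all three signals exposed
    print(version_signals("", HARDENED_HTML))              # tags and ?ver= stripped
    print(versions_for_file(FILE_A, KNOWN_HASHES))         # hash still gives a range
    print(versions_for_file(FILE_A + b" ", KNOWN_HASHES))  # one extra byte: no match
```

Stripping the generator tags and `?ver=` parameters empties the first result, but an unmodified static file still maps to a version range until its contents differ by at least one byte.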

The easiest way to perform all of these checks is just to head over to wp.io and run a free site report on any WordPress site you’re interested in! wp.io connects WordPress sites, themes, users, professionals and industry benchmarks to create a unique database and network that maps the real, live world of WordPress. wp.io’s crawlers scan hundreds of thousands of WordPress sites, analyse and report on each one and then use the data connections between them to provide brand new insights into the WordPress ecosystem. wp.io offers:

  • a free WordPress site scanner
  • a dashboard to track and monitor your WordPress sites
  • a directory of WordPress professionals
  • a unique theme explorer

  • Arslan Rashid

    ArslanH. is an Electrical Engineering student who has a keen interest in the latest gadgets and upcoming technologies. He likes to share interesting knowledge with the readers. He also blogs at technonymous.net

  • Maxi

    Thanks for pointing out method five.

    I wasn’t aware of that.

    I usually hide the version information, could you please share any ideas about how to avoid recognition with the MD5 hash?

    • http://freelancewp.com/ David Lockie

      Hi Maxi,

      Thanks for the comment. I know that http://sucuri.net/ use this method too.

      I don’t think there’s an easy way to prevent MD5 hashing – if you can download the file, you can hash it.

      If you were really concerned to prevent this, you would have to change the contents of the files – one extra character will do. You could either just do this manually to commonly-used files like comment-reply.js or you could use a compiling script to take your source dev files and put them into a distributable build which automatically inserts random numbers or comments into files.

      Hope that’s helpful.

      – David

      • Maxi

        I think you’re right
        Thanks

    • http://wparena.com/ Wordpress Arena

      Try to use a firewall, change the directory permissions

  • http://www.clippingpathindia.com/image-masking.html J.Shumi

    I was not aware of this one “Generator tag in HTML source”

    • http://freelancewp.com/ David Lockie

      Hi @imagemaskinguk – it’s not on all WP sites – like anything else it depends on the theme – but we’ve found it on enough sites to make it worth checking for.

      • http://www.outsourceexpertsbd.com/ Anila

        Thanks for this!