
Version Cloak

Hide or decoy plugin, theme and core versions from scanners. Neutralize XML-RPC and lock down WP-Cron.
Version: 1.0.1
Last updated: Jun 25, 2026

Version Cloak is a hardening plugin that reduces the information opportunistic, automated scanners can read about your site. Version-matching bots fingerprint a site, look up known issues for the detected versions, and probe the easy targets first. This plugin shrinks that fingerprint.

Important: this plugin obscures version and endpoint information. It does not patch vulnerable code. Keep your plugins, themes, and WordPress core updated — obscurity is a complement to patching, not a replacement for it.

Two version modes (per dropdown)

For WordPress core and for plugins & themes, choose one of:

  • Off — leave the real version visible.
  • Obfuscate — remove or block the version so it can't be read.
  • Decoy — report a plausible current version (auto-detected latest, or a value you set) so the site reads as up to date.

What it covers

  • The WordPress <meta name="generator"> tag, feed generators and the WLW manifest.
  • Version query strings (?ver=) on enqueued CSS/JS, and the same inside inline CSS.
  • Version classes on the <body> tag (e.g. page-builder version classes).
  • Plugin-emitted <meta name="generator"> tags.
  • Plugin version strings in HTML comments (e.g. SEO plugins).
  • Static version files served directly by the web server — readme.txt, changelog.txt, release_log.html — and version banner comments in CSS/JS assets. In Obfuscate these are blocked (Apache/LiteSpeed .htaccess, or an Nginx rule you add); in Decoy their version strings are rewritten and automatically reverted when you switch back.
  • WordPress core readme.html / license.txt, and the install.php / upgrade.php setup pages (blocked for non-logged-in visitors so admins can still run updates).
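
A way to check the HTML-level items in the list above against your own site's output, as an added example (not part of the plugin or its listing): the script parses a saved page and reports each version string that is still readable in it. The `audit` function, the leak labels and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

VERSION = re.compile(r"\d+(?:\.\d+)+")          # dotted version, e.g. 3.1.0
VER_ARG = re.compile(r"[?&]ver=([^&\"')\s]+)")  # ?ver= argument on asset URLs

class LeakAudit(HTMLParser):  # collects (kind, value) per readable version string
    def __init__(self):
        super().__init__()
        self.leaks, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            if VERSION.search(a.get("content", "")):
                self.leaks.append(("generator", a["content"]))
        elif tag in ("link", "script"):
            for v in VER_ARG.findall(a.get("href") or a.get("src") or ""):
                self.leaks.append(("asset-ver", v))
        elif tag == "body":
            classes = a.get("class", "").split()
            self.leaks += [("body-class", c) for c in classes if VERSION.search(c)]
        self.in_style = tag == "style"  # true only between <style> and </style>

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # ?ver= inside inline CSS url(...) values
            self.leaks += [("inline-css-ver", v) for v in VER_ARG.findall(data)]

    def handle_comment(self, data):
        if VERSION.search(data):
            self.leaks.append(("comment", data.strip()))

def audit(html):
    parser = LeakAudit()
    parser.feed(html)
    parser.close()
    return parser.leaks

# Constructed sample page (names and version numbers are illustrative only).
BEFORE = """<meta name="generator" content="WordPress 6.5.2">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=2.4.1">
<style>.hero{background:url(/wp-content/plugins/demo/bg.png?ver=1.2.0)}</style>
<!-- Demo SEO plugin v22.3 -->
<body class="home demo-builder-ver-3.1.0"><p>Hello</p></body>"""

if __name__ == "__main__":
    print(*audit(BEFORE), sep="\n")
```

In Decoy mode the audit still lists values, because it reports what is readable rather than what is true; compare them with the versions actually installed.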

Other hardening

  • XML-RPC — disable and return 404, or keep it but remove pingback and system.multicall.
  • WP-Cron — disable the HTTP pseudo-cron and block external hits to wp-cron.php (with an optional secret token for your system cron).
  • REST user enumeration — block the anonymous /wp-json/wp/v2/users endpoint.
  • Author enumeration — block the ?author=N redirect that leaks usernames.

Reversible

Setting a mode to Off, or deactivating the plugin, restores the real version strings and removes the .htaccess rules — the site returns to its normal state.

Free on paid plans
Tested up to: WordPress 7.0