Version Cloak is a hardening plugin that reduces the information opportunistic, automated scanners can read about your site. Version-matching bots fingerprint a site, look up known issues for the detected versions, and probe the easy targets first. This plugin shrinks that fingerprint.
Important: this plugin obscures version and endpoint information. It does not patch vulnerable code. Keep your plugins, themes, and WordPress core updated — obscurity is a complement to patching, not a replacement for it.
Two version modes (per dropdown)
For WordPress core and for plugins & themes, choose one of:
- Off — leave the real version visible.
- Obfuscate — remove or block the version so it can’t be read.
- Decoy — report a plausible current version (auto-detected latest, or a value you set) so the site reads as up to date.
What it covers
- The WordPress
<meta name="generator">tag, feed generators and the WLW manifest. - Version query strings (
?ver=) on enqueued CSS/JS, and the same inside inline CSS. - Version classes on the
<body>tag (e.g. page-builder version classes). - Plugin-emitted
<meta name="generator">tags. - Plugin version strings in HTML comments (e.g. SEO plugins).
- Static version files served directly by the web server —
readme.txt,changelog.txt,release_log.html— and version banner comments in CSS/JS assets. In Obfuscate these are blocked (Apache/LiteSpeed.htaccess, or an Nginx rule you add); in Decoy their version strings are rewritten and automatically reverted when you switch back. - WordPress core
readme.html/license.txt, and theinstall.php/upgrade.phpsetup pages (blocked for non-logged-in visitors so admins can still run updates).
Other hardening
- XML-RPC — disable and return 404, or keep it but remove pingback and
system.multicall. - WP-Cron — disable the HTTP pseudo-cron and block external hits to
wp-cron.php(with an optional secret token for your system cron). - REST user enumeration — block the anonymous
/wp-json/wp/v2/usersendpoint. - Author enumeration — block the
?author=Nredirect that leaks usernames.
Reversible
Setting a mode to Off, or deactivating the plugin, restores the real version strings and removes the .htaccess rules — the site returns to its normal state.