How to remove WordPress version parameter from JS and CSS files

How to remove WordPress version parameter from JS and CSS files

In my last post I mentioned how we can remove WordPress version number from the page source and RSS feeds. However, they are not the only places where we can identify the WordPress version number. Many CSS and JS files in the WordPress also have the WordPress version number appended to their source. In this post I will show how we can remove the version number from them too.

We can use one of the following 2 methods. Just added the code for one of the below methods in your theme’s functions.php file. The first method removes the “ver” parameter from all the enqueued CSS and JS files. The 2nd method removes the “ver” parameter only if its value matches the WordPress version number.

Method 1: Remove the “ver” parameter from all enqueued CSS and JS files

// remove wp version param from any enqueued scripts
function vc_remove_wp_ver_css_js( $src ) {
    if ( strpos( $src, 'ver=' ) )
        $src = remove_query_arg( 'ver', $src );
    return $src;
}
add_filter( 'style_loader_src', 'vc_remove_wp_ver_css_js', 9999 );
add_filter( 'script_loader_src', 'vc_remove_wp_ver_css_js', 9999 );

Method 2: Remove only the “ver” parameter which have WordPress version number from all enqueued CSS and JS files

// remove wp version param from any enqueued scripts
function vc_remove_wp_ver_css_js( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) )
        $src = remove_query_arg( 'ver', $src );
    return $src;
}
add_filter( 'style_loader_src', 'vc_remove_wp_ver_css_js', 9999 );
add_filter( 'script_loader_src', 'vc_remove_wp_ver_css_js', 9999 );

Using one of the above functions combined with one of the methods mentioned in my previous post (How to remove WordPress version number) will remove the WordPress version from most of the places on your site.

  1. There is one other place where the wordpress version can be found… in the readme.html that is found in the root of your wp installation, which by default is publicly accessible. The fix is to simply delete the file as it is not required.

  2. My blog and this site http://techtalk.virendrachandak.com/ display version WordPress when scan with sucuri check http://sitecheck.sucuri.net/ after use your methodes. Version WP refer to /wp-admin/js/common.js

    • Yes I saw that. However, its no accurate version number. Also, there might be some other places where the version number is available. I will try to find out if there are any other locations and find out how we can remove them. Let me know if you find from where its getting that info.

  3. Thanks for this useful snippet.

    Do you know how to do the same thing in the admin interface?
    Is there some filters available?

    • Hi Gilles,
      I don’t know how to do this in admin interface. Just curious, why do you need to do this in admin interface? Anyone with admin interface access can already know what version of WordPress you are using.

  4. Awesome. Was just looking how to do this as a WP+bootstrap setup has about 50 of these damn version numbers things appended to everything. Woo themes also have these littered about, very annoying. Thanks! 🙂

  5. I can’t seem to get it to work, I have no cache plugins active, I tried with the incognito mode on my browser to make sure I wasn’t loading anything from my local cache and yet the version numbers are still there.

    I’m using a custom theme I wrote if that makes any difference, any adivice?

    Thanks

    • You might be using the absolute URLs and not the default WordPress functions to load CSS and JS files. These functions would work only if you are using the default WordPress method to add the CSS and JS files.

      • I see, in fact the function works when using the default themes, however in my custom theme I’m not calling any particular javascript directly using absolute URLs I just let WordPress do it, same with plugins and css.

        I guess I should check again if there’s anything weird with my theme although the header is very simple.

        Thanks again for your time replying to my comment.

  6. A heads up, I received the following after trying this in my childtheme’s functions.php file. Even after I removed it, cleared cache, restarted browsers, etc., I’ve yet to figure out how to get rid of it. What I see at the top of the webpage:

    Warning: Cannot modify header information – headers already sent by (output started at /home/content/59/11641659/html/wp-content/themes/mytheme/functions.php:8) in /home/content/59/11641659/html/wp-content/plugins/woocommerce/classes/class-wc-session-handler.php on line 63

    • It seems there is some issue with another plugin as mentioned in the error. The plugin is “woocommerce”. I am not sure why you are getting this error, but a guess is some caching on the server side, or there might be some space somewhere. I cannot be 100% sure why you are getting this error without looking at your site and plugins.

  7. I think your guess on the server side was the issue. I started yanking things, first WC, then the child theme, etc., until it didn’t appear. Weird, it didn’t happen right away. Is there a proper way to dump the server side cache?

    Thanks

  8. HA! I had a closing php tag in my child’s theme function file 😉

    For some themes I’m pretty sure (or am I imagining things) I’ve had this and it worked, this is one that doesn’t like it.

    Sorry for any confusion.

  9. Just removing the version parameter is not a good idea. The parameter is part of the URL to make sure, that browsers will load the current version of the enqueued styles and scripts. Browsers will also cache this – because a http GET request has to deliver the same content with every request by definition. Removing the parameter means, that your visitors will probably see old (cached) versions of scripts and stylesheets when doing an update of themes or plugins – since their browsers already have a local cached version.

    Hiding a version number does not solve anything anyway. If an attacker wants to exploit known vulnerabilities, he will just try them all – regardless which version is reported by WordPress. If there are vulnerabilities they won’t go away just because the version number is not sent any longer.

    • As you said, the version number acts like a cache buster and is useful when doing updates. Removing the version parameter from the URL does not helps in security. I have been asked many times about how to do this and hence this post. This is not going to help make the site secure.

  10. Hi, your php code really usefull. Removing version make the files able to be put on CDN. My question, i often updating my main style.css, for this one, i want to add an exception so it will still showing its version. Is there’s a way to add an exception like this?

    Thanks

  11. I wonder why I would want to do this? Are there any disadvantages?

Leave a Reply