{"id":325155,"date":"2026-06-25T15:59:06","date_gmt":"2026-06-25T15:59:06","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/version-cloak\/"},"modified":"2026-06-26T12:00:54","modified_gmt":"2026-06-26T12:00:54","slug":"version-cloak","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/version-cloak\/","author":21097817,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.4","stable_tag":"1.0.4","tested":"7.0","requires":"5.0","requires_php":"7.0","requires_plugins":null,"header_name":"Version Cloak","header_author":"nextdoorentertainment","header_description":"Reduces fingerprinting by mass scanners: hides plugin\/core version leaks, neutralizes XML-RPC, and locks down WP-Cron. Hardening layer \u2014 NOT a substitute for keeping plugins updated.","assets_banners_color":"101e36","last_updated":"2026-06-26 12:00:54","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/spiri439\/wordpress_obfuscation","header_author_uri":"https:\/\/vladenterprises.ro","rating":5,"author_block_rating":0,"active_installs":0,"downloads":90,"num_ratings":1,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.1":{"tag":"1.0.1","author":"nextdoorentertainment","date":"2026-06-25 15:58:49"},"1.0.2":{"tag":"1.0.2","author":"nextdoorentertainment","date":"2026-06-26 11:43:17"},"1.0.3":{"tag":"1.0.3","author":"nextdoorentertainment","date":"2026-06-26 11:49:22"},"1.0.4":{"tag":"1.0.4","author":"nextdoorentertainment","date":"2026-06-26 12:00:54"}},"upgrade_notice":{"1.0.4":"<p>WP-Cron is left enabled by default now. Existing sites keep their current setting; change it under Settings -&gt; Version Cloak -&gt; WP-Cron if needed.<\/p>","1.0.3":"<p>Important fix: 1.0.2 could disable itself on a normal install. Update immediately.<\/p>","1.0.2":"<p>Stability and version-hiding improvements. Recommended update.<\/p>","1.0.1":"<p>Compatibility and packaging fixes for the WordPress.org review.<\/p>","1.0.0":"<p>Initial release.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":1},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3586364,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3586364,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3586364,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3586364,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.1","1.0.2","1.0.3","1.0.4"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[31093,600,9150,4568,6558],"plugin_category":[54],"plugin_contributors":[268888],"plugin_business_model":[],"class_list":["post-325155","plugin","type-plugin","status-publish","hentry","plugin_tags-hardening","plugin_tags-security","plugin_tags-version","plugin_tags-wp-cron","plugin_tags-xml-rpc","plugin_category-security-and-spam-protection","plugin_contributors-nextdoorentertainment","plugin_committers-nextdoorentertainment"],"banners":{"banner":"https:\/\/ps.w.org\/version-cloak\/assets\/banner-772x250.png?rev=3586364","banner_2x":"https:\/\/ps.w.org\/version-cloak\/assets\/banner-1544x500.png?rev=3586364","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/version-cloak\/assets\/icon-128x128.png?rev=3586364","icon_2x":"https:\/\/ps.w.org\/version-cloak\/assets\/icon-256x256.png?rev=3586364","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>Version Cloak is a hardening plugin that reduces the information opportunistic, automated scanners can read about your site. Version-matching bots fingerprint a site, look up known issues for the detected versions, and probe the easy targets first. This plugin shrinks that fingerprint.<\/p>\n\n<p><strong>Important:<\/strong> this plugin obscures version and endpoint information. It does <strong>not<\/strong> patch vulnerable code. Keep your plugins, themes, and WordPress core updated \u2014 obscurity is a complement to patching, not a replacement for it.<\/p>\n\n<h4>Two version modes (per dropdown)<\/h4>\n\n<p>For <strong>WordPress core<\/strong> and for <strong>plugins &amp; themes<\/strong>, choose one of:<\/p>\n\n<ul>\n<li><strong>Off<\/strong> \u2014 leave the real version visible.<\/li>\n<li><strong>Obfuscate<\/strong> \u2014 remove or block the version so it can't be read.<\/li>\n<li><strong>Decoy<\/strong> \u2014 report a plausible current version (auto-detected latest, or a value you set) so the site reads as up to date.<\/li>\n<\/ul>\n\n<h4>What it covers<\/h4>\n\n<ul>\n<li>The WordPress <code>&lt;meta name=\"generator\"&gt;<\/code> tag, feed generators and the WLW manifest.<\/li>\n<li>Version query strings (<code>?ver=<\/code>) on enqueued CSS\/JS, and the same inside inline CSS.<\/li>\n<li>Version classes on the <code>&lt;body&gt;<\/code> tag (e.g. page-builder version classes).<\/li>\n<li>Plugin-emitted <code>&lt;meta name=\"generator\"&gt;<\/code> tags.<\/li>\n<li>Plugin version strings in HTML comments (e.g. SEO plugins).<\/li>\n<li>Static version files served directly by the web server \u2014 <code>readme.txt<\/code>, <code>changelog.txt<\/code>, <code>release_log.html<\/code> \u2014 and version banner comments in CSS\/JS assets. In Obfuscate these are blocked (Apache\/LiteSpeed <code>.htaccess<\/code>, or an Nginx rule you add); in Decoy their version strings are rewritten and automatically reverted when you switch back.<\/li>\n<li>WordPress core <code>readme.html<\/code> \/ <code>license.txt<\/code>, and the <code>install.php<\/code> \/ <code>upgrade.php<\/code> setup pages (blocked for non-logged-in visitors so admins can still run updates).<\/li>\n<\/ul>\n\n<h4>Other hardening<\/h4>\n\n<ul>\n<li><strong>XML-RPC<\/strong> \u2014 disable and return 404, or keep it but remove pingback and <code>system.multicall<\/code>.<\/li>\n<li><strong>WP-Cron<\/strong> \u2014 disable the HTTP pseudo-cron and block external hits to <code>wp-cron.php<\/code> (with an optional secret token for your system cron).<\/li>\n<li><strong>REST user enumeration<\/strong> \u2014 block the anonymous <code>\/wp-json\/wp\/v2\/users<\/code> endpoint.<\/li>\n<li><strong>Author enumeration<\/strong> \u2014 block the <code>?author=N<\/code> redirect that leaks usernames.<\/li>\n<\/ul>\n\n<h4>Reversible<\/h4>\n\n<p>Setting a mode to <strong>Off<\/strong>, or deactivating the plugin, restores the real version strings and removes the <code>.htaccess<\/code> rules \u2014 the site returns to its normal state.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>version-cloak<\/code> folder to <code>\/wp-content\/plugins\/<\/code>, or install the ZIP via <strong>Plugins \u2192 Add New \u2192 Upload Plugin<\/strong>.<\/li>\n<li>Activate the plugin through the <strong>Plugins<\/strong> menu.<\/li>\n<li>Configure under <strong>Settings \u2192 Version Cloak<\/strong>.<\/li>\n<li>If you use a page cache (LiteSpeed, etc.) or a CDN, purge it after changing settings so the changes are served.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20patch%20vulnerabilities%3F\"><h3>Does this patch vulnerabilities?<\/h3><\/dt>\n<dd><p>No. It hides or decoys version information to reduce automated scanning. The actual fix for an outdated component is to update it. Use this as an additional layer.<\/p><\/dd>\n<dt id=\"what%20is%20the%20difference%20between%20obfuscate%20and%20decoy%3F\"><h3>What is the difference between Obfuscate and Decoy?<\/h3><\/dt>\n<dd><p>Obfuscate removes or blocks the version so a scanner reports \"could not determine the version\". Decoy reports a plausible current version so the site reads as fully up to date. Use a real, recent version for Decoy \u2014 an implausible value may be ignored by scanners.<\/p><\/dd>\n<dt id=\"will%20it%20break%20my%20plugin%20or%20theme%20updates%3F\"><h3>Will it break my plugin or theme updates?<\/h3><\/dt>\n<dd><p>WordPress detects updates from each component's real version (its main file header for plugins, <code>style.css<\/code> for themes), which is read independently. Core and plugin update notifications are unaffected. Masking a theme's <code>style.css<\/code> version does affect that theme's own update notice, so the plugin shows its own update notice in that case.<\/p><\/dd>\n<dt id=\"i%20changed%20a%20setting%20but%20nothing%20changed.\"><h3>I changed a setting but nothing changed.<\/h3><\/dt>\n<dd><p>Almost always page caching. Purge your cache (e.g. LiteSpeed \u2192 Purge All) and any CDN after saving.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.4<\/h4>\n\n<ul>\n<li>WP-Cron hardening is now OFF by default. Fresh installs keep WordPress's normal scheduled tasks (update checks, scheduled posts, backups) working out of the box. Enable \"Disable the HTTP pseudo-cron\" only alongside a real system cron.<\/li>\n<\/ul>\n\n<h4>1.0.3<\/h4>\n\n<ul>\n<li>Fix: the 1.0.2 duplicate-copy guard wrongly triggered on normal single-site installs (PHP hoists the function it tested), disabling the plugin and its settings. The guard now checks only the runtime version constant.<\/li>\n<\/ul>\n\n<h4>1.0.2<\/h4>\n\n<ul>\n<li>Guard against a fatal \"cannot redeclare\" error when a second copy of the plugin is active under a different folder name.<\/li>\n<li>Asset version hiding now catches the ver= query parameter in any position (e.g. ?cache=9&amp;ver=1.2.3), not only when it is first.<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Raised minimum PHP to 7.0 (header and readme).<\/li>\n<li>Explicitly close the front-end output buffer on shutdown.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<\/ul>","raw_excerpt":"Hide or decoy plugin, theme and core versions from scanners. Neutralize XML-RPC and lock down WP-Cron.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/325155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=325155"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/nextdoorentertainment"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=325155"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=325155"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=325155"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=325155"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=325155"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=325155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}