[WordPress] 外掛分享: Version Cloak

首頁外掛目錄 › Version Cloak
WordPress 外掛 Version Cloak 的封面圖片
全新外掛
安裝啟用
尚無評分
21 天前
最後更新
問題解決
WordPress 5.0+ PHP 7.0+ v1.0.4 上架:2026-06-24

外掛標籤

開發者團隊

⬇ 下載最新版 (v1.0.4) 或搜尋安裝

① 下載 ZIP → 後台「外掛 › 安裝外掛 › 上傳外掛」
② 後台搜尋「Version Cloak」→ 直接安裝(推薦)
📦 歷史版本下載

原文外掛簡介

Version Cloak is a hardening plugin that reduces the information opportunistic, automated scanners can read about your site. Version-matching bots fingerprint a site, look up known issues for the detected versions, and probe the easy targets first. This plugin shrinks that fingerprint.
Important: this plugin obscures version and endpoint information. It does not patch vulnerable code. Keep your plugins, themes, and WordPress core updated — obscurity is a complement to patching, not a replacement for it.
Two version modes (per dropdown)
For WordPress core and for plugins & themes, choose one of:

Off — leave the real version visible.
Obfuscate — remove or block the version so it can’t be read.
Decoy — report a plausible current version (auto-detected latest, or a value you set) so the site reads as up to date.

What it covers

The WordPress tag, feed generators and the WLW manifest.
Version query strings (?ver=) on enqueued CSS/JS, and the same inside inline CSS.
Version classes on the tag (e.g. page-builder version classes).
Plugin-emitted tags.
Plugin version strings in HTML comments (e.g. SEO plugins).
Static version files served directly by the web server — readme.txt, changelog.txt, release_log.html — and version banner comments in CSS/JS assets. In Obfuscate these are blocked (Apache/LiteSpeed .htaccess, or an Nginx rule you add); in Decoy their version strings are rewritten and automatically reverted when you switch back.
WordPress core readme.html / license.txt, and the install.php / upgrade.php setup pages (blocked for non-logged-in visitors so admins can still run updates).

Other hardening

XML-RPC — disable and return 404, or keep it but remove pingback and system.multicall.
WP-Cron — disable the HTTP pseudo-cron and block external hits to wp-cron.php (with an optional secret token for your system cron).
REST user enumeration — block the anonymous /wp-json/wp/v2/users endpoint.
Author enumeration — block the ?author=N redirect that leaks usernames.

Reversible
Setting a mode to Off, or deactivating the plugin, restores the real version strings and removes the .htaccess rules — the site returns to its normal state.

延伸相關外掛

文章
Filter
Apply Filters
Mastodon