Removing Proudly Powered by WordPress Text and Configuring Security Headers in WordPress

How to Remove the “Proudly Powered by WordPress” Text From Your Site

WordPress is free website-building software. However, some users want to remove the “proudly powered by WordPress” text from their sites. They can do this legally because WordPress is licensed under the GPL.

The X-Powered-By HTTP response header contains information about the technology stack used by the web server. This can help attackers identify vulnerabilities in the server software.

X-Powered-By

The X-Powered-By header is a common non-standard HTTP response header (most headers prefixed with X- are non-standard). It reveals the technologies used by an application. This information allows attackers to conduct reconnaissance on the server and find vulnerabilities that could be exploited.

In the most severe cases, the X-Powered-By header can reveal sensitive information about your server's configuration, such as the versions of the frameworks and components you use, and the vulnerabilities they might have. The X-Powered-By header can also be manipulated: some servers choose not to include it, or even provide misleading information to throw off attackers who target a particular technology or version.

To prevent your website from leaking this information, you can disable the X-Powered-By header in IIS. This will stop IIS from sending the header in its HTTP responses. It will not remove X-Powered-By from headers sent by other third-party websites. For example, some plugins, such as Helmet, will send the X-Powered-By header as part of their HTTP responses.

X-Frame-Options

X-Frame-Options is an HTTP response header that places restrictions on how your site can be displayed. This can help protect against clickjacking attacks.

The X-Frame-Options header can be configured to deny, allow, or limit frame/iframe use. The default value is DENY. This value will prevent your site from being loaded in an iframe on another site. This is commonly used to protect against clickjacking attacks, in which malicious sites hide authentic pages behind a fake one, causing users to perform actions on the false page they never intended.

You can also configure X-Frame-Options to only permit framing from the same domain. This is typically used to ensure your site is not loaded in an iframe from a different domain and can only be viewed by users on your institution’s network. This option is useful when using an external service such as a web-based sign-on system, which may require users to visit your institution’s website. To configure this feature, expand the Connections pane on the left side, select the site you want to protect, then double-click the HTTP Response Headers icon in the middle of the feature list.

X-Content-Type-Options

As a web application developer, it is important to ensure that your site’s server sends the correct Content-Type header in its responses. Browsers use MIME sniffing to determine the type of a resource from contextual clues, including magic bytes and other elements. This can lead to cross-site scripting attacks. To prevent this, web applications should add the X-Content-Type-Options header with the value nosniff.

This header was first introduced by Microsoft in Internet Explorer 8 as a way to block MIME sniffing that could transform non-executable MIME types into executable ones. Since then, many other browsers have adopted it, even if their MIME sniffing algorithms are less aggressive. Using this header in conjunction with the Content-Type representation header will prevent MIME sniffing and will ensure that your website’s assets are displayed correctly. These security headers work best when they are set at the web server level, which means they can be triggered early on in a request.
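The three IIS settings described above (removing X-Powered-By, restricting framing with X-Frame-Options, and sending X-Content-Type-Options: nosniff) can all be applied from one web.config at the site root instead of through the IIS Manager dialog. The file below is an added example written for this page, not configuration from the original post or from the WordPress project; it assumes an IIS site serving WordPress where the site-level web.config is not already overriding these headers.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Stop IIS from advertising the stack in X-Powered-By -->
        <remove name="X-Powered-By" />

        <!-- Only allow this site to be framed by pages from the same origin.
             Use DENY instead if the site never needs to be framed at all. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- Make browsers honour the declared Content-Type instead of sniffing it -->
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Two checks worth doing after deploying the file: request any page with curl -I and confirm that X-Powered-By is absent while the two added headers are present, and note that the `<remove>` only covers the header IIS itself adds. A WordPress site is PHP, and PHP emits its own X-Powered-By: PHP/x.y line unless expose_php is set to Off in php.ini, so that setting has to be changed separately.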

X-Cookie-Settings

Cookies are small snippets of data that get stored in a user’s browser when visiting a website. They play a crucial role in nearly all of the functions that websites perform, including remembering login information and saving shopping cart items. They are also used to gather and store information about a user’s online activity, which helps websites create more tailored content.

WordPress core uses some cookies, such as wp-settings-time-[UID] and wordpress_logged_in_time-[hash]. These cookies help the interface recognize a logged-in user. WordPress cookies are stored in a hashed format, ensuring security and privacy.

Other WordPress cookies are set by plugins, such as commenter cookies, which enable visitors to post comments without reentering their details each time. Another example is a newsletter plugin, which might use a cookie to remember whether a visitor has already subscribed. These types of cookies typically expire after about a year. The settings for these cookies can be configured through the X-Cookie-Settings header or footer.
