The Hardening WordPress “Codex” page currently recommends the following (emphasis original):
Do not advertise the WordPress version you are running: If you are running an old WordPress version with known vulnerabilities, it is unwise to display this information to the public. Why not simply hide the WordPress version entirely? Even if you update packages as quickly as you can, there will be lag between the version release and your deployment, potentially enough time for a malicious person to carry out an attack. However, editing out all the places where WordPress advertises its version string in your theme can be a pain. It is still best to make sure you are running the latest WordPress version.
Yet, WordPress’s default template says:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->
So, which one is it? Do I leave it, or do I remove it? How important are those stats? How much more secure is my WordPress installation if I don’t advertise the version in use? In case those stats aren’t as important as the security provided by hiding the version information, why are they there by default?
Either a bad tip or a bad decision for the default template (and RSS feeds, too). My money is on the former.
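For readers who side with the Codex tip, one way to silence the version in the head tag and in the feeds at once is a must-use plugin; this is an added example, not code from the Codex, the default theme or WordPress core, and it assumes the theme calls wp_head() (a hard-coded generator line like the one above still has to be deleted from the template by hand). It also goes beyond the page by stripping the ?ver= query string that core adds to its own scripts and styles.

```php
<?php
/**
 * Plugin Name: Stop advertising the WordPress version (illustrative mu-plugin)
 * Place in wp-content/mu-plugins/ so it loads regardless of the active theme.
 * Assumption: the theme does not hard-code <meta name="generator">; if it does,
 * remove that line from header.php as well, this code cannot reach it.
 */

// 1. wp_head() prints the <meta name="generator"> tag through wp_generator().
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds (RSS2, Atom, RDF) print a <generator> element through the_generator(),
//    which passes every output type through the 'the_generator' filter, so one
//    empty-string filter covers the head tag and all feed formats.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core enqueues its own assets with ?ver=<WordPress version>, which leaks the
//    version even with the meta tag gone. Strip 'ver' only when it equals the
//    core version, so plugin and theme assets keep their own cache-busting value.
function strip_core_version_query_arg( $src ) {
    $core_version = get_bloginfo( 'version' );
    $query        = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === $core_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'style_loader_src',  'strip_core_version_query_arg', 9999 );
add_filter( 'script_loader_src', 'strip_core_version_query_arg', 9999 );
```

Hiding the string only removes the advertisement the Codex objects to; the installed version, and any vulnerability in it, is unchanged, which is why the same Codex paragraph ends by saying to run the latest release.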