Having a particular version of the software easily discoverable makes hacker’s job easier and allows automated scrapers to gather a database of URLs with particular software versions that can be used at an event of security vulnerability discovery for attacks. Of course, hiding the Magento version won’t be enough to secure your store, but it is just a simple step to take, just like changing your admin URL that makes store a little bit more secure.

In Magento 2, the Magento_Version module allows to retrieve Magento version and edition by a GET request. It consists of one simple controller action that has the following route:

magento_version/index/index

This action gets required information and renders it:

# Magento\Version\Controller\Index\Index

public function execute()
    {
        $versionParts = explode('.', $this->productMetadata->getVersion());
        if (!isset($versionParts[0]) || !isset($versionParts[1])) {
            return ; // Major and minor version are not set - return empty response
        }
        $majorMinorVersion = $versionParts[0] . '.' . $versionParts[1];
        $this->getResponse()->setBody(
            $this->productMetadata->getName() . '/' .
            $majorMinorVersion . ' (' .
            $this->productMetadata->getEdition() . ')'
        );
    }

To check whether the module is active on your store or not, navigate to the mentioned route:

http://base-url-of-your-store.com/magento_version

If the module is active, you will see the version of your Magento 2 instance like in this example:

Magento/2.1 (Community)

Information like version and type of the platform can help hackers in an event of potential vulnerability discovery. This is why we recommend to deactivate this module on your store.

To do this, navigate to your Magento instance root via SSH and run the following command:

php bin/magento module:disable Magento_Version

You will get the following:

The following modules have been disabled:
- Magento_Version

Cache cleared successfully.
Generated classes cleared successfully. Please run the 'setup:di:compile' command to generate classes.
Info: Some modules might require static view files to be cleared. To do this, run 'module:disable' with the --clear-static-content option to clear them.

Now check the result. Go to the URL:

http://base-url-of-your-store.com/magento_version

If everything is correct, you will get a 404 page, which is good for us:

404 page

In this simple way, we are not disclosing too much information about the store for potential hackers and make the site more secure.