How to Remove DNS Prefetch from WordPress for Better Security
June 7, 2019
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Remove the WordPress DNS prefetch link (s.w.org) from your site’s HTML header to eliminate a fingerprint that identifies your site as WordPress. WP Ghost removes it automatically with one click, or you can do it manually with a functions.php filter.
What Is DNS Prefetch in WordPress
DNS prefetching is a browser optimization technique. It tells the browser to resolve a domain name in the background before the user actually clicks a link to that domain. This saves a few milliseconds of DNS lookup time when the browser eventually needs to load a resource from that domain.
WordPress adds a DNS prefetch hint to every page by default. It looks like this in your HTML source code:
<link rel='dns-prefetch' href='//s.w.org' />
The domain s.w.org is a WordPress.org asset server. This single line in your page source tells any bot, theme detector, or hacker scanning your site that you are running WordPress. It is one of the easiest fingerprints to detect and one of the simplest to remove.
Why Removing DNS Prefetch Matters for Security
The DNS prefetch link to s.w.org serves no critical function for your site’s visitors. It was designed to speed up the loading of WordPress.org emoji images, but most sites either disable emoji or serve them from their own domain. The link itself is a WordPress CMS fingerprint that bots use during the reconnaissance phase of an attack.
When you combine DNS prefetch removal with other WP Ghost features like path security, generator meta removal, and HTML comment stripping, you eliminate the signals that bots and theme detectors rely on to identify WordPress installations. For the full list of fingerprints to remove, see the Hide Your Site From Theme Detectors tutorial.
Method 1 – Remove DNS Prefetch with WP Ghost (Recommended)
WP Ghost removes the DNS prefetch link automatically as part of its path security configuration. No code editing required.
1. Go to WP Ghost > Change Paths.
2. Select Safe Mode or Ghost Mode (Premium) if you have not already.
3. Scroll to the WP Core Security section.
4. Make sure Hide DNS Prefetch is switched on.
5. Click Save.
WP Ghost also removes other WordPress fingerprints from the same section, including the generator meta tag, RSD header, WordPress version numbers, HTML comments, and emoji scripts. Together, these settings strip all common WordPress identifiers from your page source in one place.
Method 2 – Remove DNS Prefetch with Code
If you prefer a manual approach without using a plugin, you can remove the DNS prefetch link by adding a filter to your theme’s functions.php file or a custom plugin.
Add this code to your functions.php:
add_action( 'init', 'remove_dns_prefetch' );
function remove_dns_prefetch() {
remove_action( 'wp_head', 'wp_resource_hints', 2, 99 );
}This removes the wp_resource_hints action from the wp_head hook, which is where WordPress outputs the DNS prefetch link. Save the file and check your page source to confirm the s.w.org link is gone.
Keep in mind that this code only removes the DNS prefetch link. It does not remove other WordPress fingerprints like the generator meta, version numbers, or default paths. If you want comprehensive WordPress fingerprint removal, WP Ghost handles all of these from a single settings page.
How to Verify It Worked
1. Open your site in an incognito browser window (make sure you are logged out).
2. Right-click and select View Page Source.
3. Press Ctrl+F and search for s.w.org.
4. If no results appear, the DNS prefetch link has been successfully removed.
For a complete security verification including all WordPress fingerprints, run the built-in Security Check at WP Ghost > Security Check.
Frequently Asked Questions
Will removing DNS prefetch slow down my website?
No. The DNS prefetch link for s.w.org pre-resolves the WordPress.org emoji server. Unless you are loading emoji images from WordPress.org (most sites do not), removing this link has zero impact on page load performance. If you use a CDN or load emoji locally, there is no benefit to keeping it.
Is removing DNS prefetch enough to hide WordPress?
No. The DNS prefetch link is just one of many WordPress fingerprints. You also need to remove the generator meta tag, version numbers, default paths, HTML comments, and style IDs. WP Ghost handles all of these from a single settings page. For the complete checklist, follow the Hide From Theme Detectors guide.
What other WordPress fingerprints should I remove?
In addition to DNS prefetch, WP Ghost can remove the WordPress generator meta tag, WordPress version numbers from CSS and JS files, RSD (Really Simple Discovery) header, WLW Manifest link, emoji scripts, HTML comments, and style/meta IDs. All of these are available in the WP Core Security section of WP Ghost > Change Paths.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses server rewrite rules and WordPress hooks. No core files are moved, renamed, or modified. Deactivating the plugin restores all default paths and fingerprints instantly.