WordPress SEO by Yoast
TO ALL: HIDDEN BACKLINK in class-frontend.php (5 posts)

  1. MAVERICK1
    Member
    Posted 2 years ago #

    Today I installed Yoast SEO. I looked at my source code and I found a link to the Yoast website.

    It is sitting in wordpress-seo/frontend/class-frontend.php.
    Pick up any code editor like PSPad and remove the link. You won't see it on your website unless you look into the source code.

    I managed to remove the link; however, I dislike this type of hiding links without letting us know. The author should warn users even if the plugin is free to use.

    http://wordpress.org/extend/plugins/wordpress-seo/

  2. lenineto
    Member
    Posted 2 years ago #

    Actually, that's not a backlink per se, nor is it hidden.
    This is nothing but credit to the author. He developed a great plugin and he is sharing it with everybody absolutely free. He owns and deserves the credit.
    If you take a closer look at the HTML code, you will see it's
    <!-- This site is optimized with the Yoast WordPress SEO plugin v1.1.5 - http://yoast.com/wordpress/seo/ -->

    That's an HTML COMMENT. It's not a backlink at all.

    Hope it clears up the misunderstanding for you and you give the author back the credit he deserves.

    Cheers.

  3. Domush
    Member
    Posted 2 years ago #

    And as long as there is never, ever a security flaw in his script, everything will be rainbows... until there is a flaw.

    The author has been informed as to how this is a security hole and has expressed how he doesn't care.

    Some day we'll all read news as to how someone hacked a host of sites running a specific version of this plugin, and nobody will be guessing how they figured it out.

    The plugin is great and feature packed, but the version number, especially, should never be displayed to the world.

  4. This is not a security hole, it's not a backlink, and it's not against the repo guidelines.

    HTML comments like that are not backlinks. HTML comments are completely ignored by search engines and these URLs are just plain text.

    To quote Viper007bond in a previous conversation:

    It's why hackers insert real links into footers and such but then hide them using CSS. They have to be real, "visible" (not commented out) links in order for them to do anything related to search engines.

    If there's a security hole that the author won't fix, please email that to plugins@wordpress.org.

    But you'd better prove it with good examples of how it's a hole.

  5. Domush
    Member
    Posted 2 years ago #

    Exploiting 101:

    Step 1: When hacking a site, pull up the HTML source code, look for indications of the server running scripts with vulnerabilities.

    Step 2: Search the web for reports of security flaws regarding the aforementioned server scripts.

    Step 3: Hack said site using exploits matching the version the webmaster so helpfully advertised to you.

    It only takes one vulnerability of one version to be very bad news, as when you advertise version numbers (let alone scripts), you are helping the world select the perfect exploit to use.

    Not all exploits are found by white hats and reported. There could be a flaw in any version of any plugin, and so long as they are advertised in the HTML, people are far more at risk.

    It is security through obscurity, which is not ideal, but is certainly preferable to advertising "I'll help you hack me!" in your HTML source. Even WordPress adds a version # in the HTML source, and they should absolutely know better.

    To all who wish to remove the WordPress version # from your HTML, seeing as the topic is here, add this to your theme's functions.php file:

    remove_action('wp_head', 'wp_generator');

    There may be a similar method to prevent SEO from adding the version # to the HTML source, but I'm no WordPress developer. I got that code from this security-conscious article, which warns of exactly what I just mentioned.

    Again, Yoast makes a wonderful plugin, but with anything this complex made by one guy, mistakes can happen, and advertising a script and version number does nothing but help hackers hack. The best websites out there are the ones where you can't tell what script they run or, better yet, that make you think it is a different script running in a different language.
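The thread's remediation is the `remove_action('wp_head', 'wp_generator')` line above; the natural follow-up for a site owner is to fetch their own rendered page and confirm what still discloses a component version. The following is an added self-audit example, not code from the thread or from Yoast: it scans one HTML document for the three disclosure channels the posts touch on (the generator meta tag, version strings inside HTML comments such as the Yoast one, and `?ver=` query strings on enqueued assets). The sample HTML is constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page fragment modelled on the markup described in the
# thread: a WordPress generator meta tag, a plugin HTML comment carrying its
# version, and two assets whose URLs carry a ?ver= query string.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.2.1" />
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.1.5 - http://yoast.com/wordpress/seo/ -->
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=3.2.1" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.6.1"></script>
</head><body></body></html>"""

# A dotted version number, optionally prefixed with "v" (e.g. "v1.1.5", "3.2.1").
_VERSION = re.compile(r"\bv?(\d+(?:\.\d+)+)\b")
# The ver= query parameter WordPress appends to enqueued scripts and styles.
_VER_QUERY = re.compile(r"[?&]ver=([^&#\s]+)")


class VersionLeakAuditor(HTMLParser):
    """Collects (channel, context, version) findings from one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "generator":
            content = (a.get("content") or "").strip()
            m = _VERSION.search(content)
            if m:
                self.findings.append(("meta generator", content, m.group(1)))
        url = a.get("src") or a.get("href")
        if tag in ("script", "link") and url:
            m = _VER_QUERY.search(url)
            if m:
                self.findings.append(("asset ?ver=", url.split("?")[0], m.group(1)))

    def handle_comment(self, data):
        m = _VERSION.search(data)
        if m:
            self.findings.append(("html comment", data.strip(), m.group(1)))


def audit_version_leaks(html):
    """Return every version disclosure found in the given HTML source."""
    auditor = VersionLeakAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Run it against the HTML your own site actually serves; an empty result after applying the thread's fix is the confirmation the poster was looking for.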

Topic Closed

This topic has been closed to new replies.
