BulletProof Security
[resolved] Suggestion: Remove WP version number from URLs and hide HTML comments (47 posts)

  1. Daedalon
    Member
    Posted 1 year ago #

    One part of security is not giving out unnecessary information on the website. Here are two security measures towards that end that I would appreciate in BulletProof Security:

    1. Hide WordPress core version number in URLs, such as CSS and JS, where it is currently added in the end.

      <link rel='stylesheet' id='twentytwelve-style-css' href='http://siteurl/wp-content/themes/twentytwelve/style.css?ver=3.5.1' type='text/css' media='all' />

    2. Remove all HTML comments from the web pages before sending them to users. Some plugins think it's smart to tell the world in HTML comments which plugins and versions a site is running without even giving an option to disable these.

    Both of these pieces of information allow malicious hackers to automatically exploit sites running WP or plugin versions to which they have found exploits to. Not giving out this information would make the sites running BPS less likely to be exploited, especially via automated means.

    I've seen some other WP security plugins provide these features, but I'd be happiest to have BPS provide these as an all-in-one security plugin.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    You cannot hide the WordPress version - that is impossible. The feature in BPS that says it does this is very old and very stupid. There are literally dozens of different ways to find the WordPress version. Bottom line this is a silly thing, you cannot hide the WordPress version and you should not worry about it - it does not matter and is not really a website security measure at all.

    Neither of these things matter at all and are not legitimate website security measures so I would not bother wasting time pursuing either of these things since they do not make any difference at all.

  3. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    These are the top hacking targets by priority and order of attack for 2013:

    1. Crack FTP passwords
    2. Crack WordPress passwords - there is currently a worldwide attack going on right now and for the past week.
    3. Cross infect sites - 1 hosting account to another hosting account

  4. Daedalon
    Member
    Posted 1 year ago #

    Do you have more information to share on #2?

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    If you check your hosts help pages or system alerts pages then you will probably see some sort of post about this. HostGator, Go Daddy, InMotion and several other Hosts have created posts about this. I think you can probably do a general Google search and will find lots of info about this. This post in the BulletProof Security Forum has some general info from a few different web hosts.

    http://forum.ait-pro.com/forums/topic/global-brute-force-attack-on-wordpress-sites/

  6. Daedalon
    Member
    Posted 1 year ago #

    Thanks!

    I'm not yet convinced that it wouldn't be a security benefit to hide WP version number in any places where it's publicly shown. Why does WordPress show it in the URLs in the first place? Where else is it shown publicly besides the HTML generator tag?

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    First off, hiding is not the same as obscuring. "Security through obscurity" is the most misunderstood WordPress phrase. Hiding is not a security measure - it never was and it never will be. A very simple cURL script that you can find anywhere around the Internet will allow any kiddiescripter to find anything he/she wants to find.

    The only real legitimate security approach is an Action Approach - it has always been and will always be the best and most effective security approach/measure.

    hacker X does bad action Y and Z is the result = blocked/Forbidden/etc.

    WordPress is at a point where it is now so secure/solid/tight/locked down/contains awesome security coding that doing a Signature probe/scan for the WordPress version number would only matter if you were using a version of WordPress that was many, many years old.

    To sum everything up - it does not matter what current version of WordPress you are using - it does not matter to the hacker unless you have an ancient version of WordPress installed.

  8. Daedalon
    Member
    Posted 1 year ago #

    Thanks for the reply. However, isn't that summary based on the assumption that a new, severe security flaw will not be found in WordPress in the future, at any point?

    That's separate from the issue that in your experience hiding WordPress version from the public is really, really hard. Regarding that I'd be interested in reading a bit more on how WordPress reveals "anything a kiddiescripter wants to find", if you'd happen to have a link handy.

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I really do not want to debate this because I do not work for WP and it would be ludicrous of me to speak on behalf of WP or take logical guesses.

    I find it highly unlikely that a significant coding mistake would somehow get through the security specialists and everyone else at WP who are involved in releasing new versions.

    So without going any further in this discussion and explaining the layers of security that WP already incorporates/implements for just such an unlikely occurrence - I am going to say that even if a code flaw of any significance got into a final release then it would not be exploitable.

    There is no need to hide the WordPress version so there is no point in dwelling on that point.

    Go to php.net and look up cURL and what you can do with cURL. I will not say any more than that on this.

  10. Daedalon
    Member
    Posted 1 year ago #

    Thanks for the info so far.

    Marking the topic as resolved.

  11. tomdkat
    Member
    Posted 1 year ago #

    I can vouch for the attack on WordPress installations mentioned above. Right now, I've got two WordPress installations getting hammered by various systems around the world, trying to break in. So far, they haven't had any success and I hope they'll leave my WordPress installations alone. :)

    Peace...

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yeah, it's too bad that what is being repeated all over the Internet is the same thing that always happens - the wrong information, bad information, SEO writing style to get a high ranking post, copy catting bad information, repeating bad information, etc etc etc is all over the place.

    Happens every time without fail. sigh. You would think that top ranking websites would actually carefully choose their wording before posting totally incorrect or inaccurate information, but I assume that what happens is a person is designated to writing posts to get the highest possible post ranking - things like correct information or accurate information never seem to be that important vs getting a high ranking post. ugh.

  13. wordpress
    Member
    Posted 1 year ago #

    <?php
    /** how to hide your WP version - add to theme's functions.php **/

    // Stop WordPress printing <meta name="generator" content="WordPress x.y.z" />.
    function remove_wp_version_tag() {
        return '';
    }
    add_filter( 'the_generator', 'remove_wp_version_tag' );

    // Strip ?ver=<core version> from enqueued script/style URLs. Other ver values
    // (plugin/theme cache-busters) are left alone, so only the core version goes.
    function remove_wp_version_strings( $src ) {
        global $wp_version;
        $query        = array();
        $query_string = parse_url( $src, PHP_URL_QUERY );
        if ( $query_string ) {
            parse_str( $query_string, $query );
        }
        if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
        return $src;
    }
    add_filter( 'script_loader_src', 'remove_wp_version_strings' );
    add_filter( 'style_loader_src', 'remove_wp_version_strings' );

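    The two measures from the opening post (drop the core ?ver= from asset URLs, strip HTML comments) applied to a finished page rather than per-URL filters, as an added example that is not code from this thread or from BulletProof Security. It assumes the page would be captured with ob_start() on template_redirect in a real install; the sample HTML and plugin comment are constructed for the demo.

    ```php
    <?php
    // Added example, not from the thread: scrub the version-disclosing bits the
    // opening post names from a complete HTML document. In WordPress this would
    // run as an output-buffer callback (ob_start() on 'template_redirect');
    // that wiring is assumed and not shown here.

    /**
     * Remove the generator tag, ?ver=<core version> on script/style URLs and
     * ordinary HTML comments. Conditional comments (<!--[if ...]> ... <![endif]-->)
     * are kept because removing them changes rendering in old IE.
     */
    function scrub_version_disclosure(string $html, string $wp_version): string {
        // Generator meta tag (what the the_generator filter in the post above removes).
        $html = preg_replace('~<meta\s+name=["\']generator["\'][^>]*>\s*~i', '', $html);

        // ?ver= is dropped only when it equals the core version, as in the post
        // above, so plugin/theme cache-busting values stay intact.
        $v    = preg_quote($wp_version, '~');
        $html = preg_replace('~([?&])ver=' . $v . '&~', '$1', $html);          // middle of query
        $html = preg_replace('~[?&]ver=' . $v . '(?=["\'\s>])~', '', $html);   // last/only param

        // Plain HTML comments go; conditional comments are skipped by the lookahead.
        // Caveat: a comment inside a <script> block is treated like any other.
        $html = preg_replace('~<!--(?!\[if|<!\[endif).*?-->~s', '', $html);
        return $html;
    }

    // Constructed sample of what a 3.5.1 site might send (plugin name is made up).
    $sample = <<<'HTML'
    <meta name="generator" content="WordPress 3.5.1" />
    <!--[if lt IE 9]><script src="/html5.js"></script><![endif]-->
    <link rel='stylesheet' href='http://siteurl/wp-content/themes/twentytwelve/style.css?ver=3.5.1' />
    <script src='http://siteurl/wp-includes/js/jquery.js?ver=1.8.3'></script>
    <!-- Example Plugin v2.0.1 (hypothetical) -->
    HTML;

    echo scrub_version_disclosure($sample, '3.5.1');
    // Output keeps the conditional comment and jquery.js?ver=1.8.3, and drops the
    // generator tag, the ?ver=3.5.1 on style.css and the plugin comment.
    ```

    Note that a page served this way still contains /wp-includes/js/heartbeat.js and the rest of the core files, which is exactly what the cURL check later in the thread relies on: this removes the version string, not the fact that the site runs WordPress.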
  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok now test this. Go to Sucuri.net and scan your website and you will see that Sucuri.net detected that your site is a WordPress site.

  15. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I assume builtwith.com will also detect that your site is a WordPress site.

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    And using any basic cURL script will always detect that your site is a WordPress site because it is impossible to hide that you have a WordPress site and not important to even try it.

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Or of course hide the version.

  18. wordpress
    Member
    Posted 1 year ago #

    Sure. It's a WP site for sure but that's not the point.

    The point is that it hides the WP version.

  19. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Post your website URL and I will scan your site with a basic cURL script and post the WordPress version that your site is using.

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Or you can test with this very basic cURL script.

    <?php
    // Fetch one core file and dump it verbatim. RETURNTRANSFER is deliberately
    // left off so curl_exec() prints the response body straight into the <pre>.
    $CustomScan = 'http://example.com/wp-includes/js/heartbeat.js';

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $CustomScan);
    //curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    echo '<pre>';
    $file_contents = curl_exec($ch);
    echo '</pre>';
    curl_close($ch);

  21. Daedalon
    Member
    Posted 1 year ago #

    Thanks to Njardim for the code to hide the version number and to AITpro for providing links and code for finding out the system of a site.

    AITpro: If the version number is hidden in this way, is there a way for an outsider to find out the version of WP a site is running?

    For an attacker it'd be neat to attack only vulnerable sites instead of attempting to attack also the up-to-date WP sites in the world. Hiding the version number would remove the site from any attack lists of WP sites with a specific version number.

  22. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    It is impossible to hide that your site is using WordPress and also impossible to hide the WordPress version. Hackers don't bother with checking for the WordPress version anyway. Maybe they did 3 years ago, but they are no longer doing this sort of hacker recon. We monitor what hackers are scanning for/reconning for on a regular basis and they have not been scanning/reconning for the WordPress version in years.

    So basically the point I am trying to make is that there is no point in trying to hide the WordPress version at all because this is no longer an attack vector that hackers are checking anymore.

  23. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Correction: hackers do still have a basic scan parameter for WordPress versions that are 3 years out of date with current versions of WordPress. If the site is using a 3+ year old version of WordPress then the assumption can be made that this is an abandoned/dead website. Probably not a very desirable target for a hacker. ;)

  24. Daedalon
    Member
    Posted 1 year ago #

    Thanks for the info!

  25. emodendroket
    Member
    Posted 8 months ago #

    This has to be the most ludicrous discussion I've ever heard. You "find it highly unlikely that a significant coding mistake would somehow get through the security specialists and everyone else at WP who are involved in releasing new versions?" The WP devs must be geniuses, because seemingly no other entity, no matter how many resources they devote to the problem, is able to do this.

    It's also strange because there are several known security vulnerabilities in even very recent versions of WP: http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/

    The idea that hiding the WP version (or even that you're using WP at all) is "pointless" also doesn't make sense. It is not in and of itself an adequate security measure but it certainly does make you less likely to be the target of a mass automated attack.

    And the statement that reading about curl will show you why it's fruitless to try and hide the version is also nonsensical. Curl is ultimately used to make Web requests. That's totally separate from the issue that you can look at Javascript files to determine the version of WordPress that is being used.

  26. AITpro
    Member
    Plugin Author

    Posted 8 months ago #

    cURL is a common tool used by hackers and spammers.

  27. emodendroket
    Member
    Posted 8 months ago #

    So what? You could achieve the same results as your code by just typing the address into the address bar of a regular Web browser. I don't know what it proves that you can do it programmatically with PHP too.

  28. AITpro
    Member
    Plugin Author

    Posted 8 months ago #

    Of course. Doesn't prove anything. Merely a very basic example. I would not of course post advanced hacking scripts publicly. ;)

  29. AITpro
    Member
    Plugin Author

    Posted 8 months ago #

    This is a simple and pretty much harmless example of "other" uses for cURL.
    http://hakipedia.com/index.php/CURL#cURL_Brute_Force_Script

  30. emodendroket
    Member
    Posted 8 months ago #

    OK, that looks like a simple script to try and bruteforce basic HTTP auth. Can you explain what this has to do with determining the version of WordPress someone's running?

Topic Closed

This topic has been closed to new replies.
