• Resolved sporkme

    (@sporkme)


    Hi,

    Quick question – this plugin in the past has had security issues, as have many others. While security through obscurity is not a fix, it’s also generally good security practice not to advertise the versions of things on a system to make the job of crackers (human or bot) easier.

    On that note, might it be better to NOT disclose the version of jetpack in the CSS link?

    (e.g.: <link rel='stylesheet' id='jetpack_css-css' href='https://example.com/wp-content/plugins/jetpack/css/jetpack.css?ver=4.4.2' type='text/css' media='all' />)

    This would also serve as an example of “best practices” to other plugin authors that look to WP-created plugins for direction.

Viewing 1 replies (of 1 total)
  • Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    We most likely won’t change the way different stylesheets and scripts are enqueued by Jetpack. Using the plugin’s version number when enqueuing is common practice when developing plugins or themes. That’s also how it’s done in WordPress itself.

    As you mentioned, security through obscurity is not really a fix and won’t really help here. Bots often won’t care what version of Jetpack (or WordPress) you use on your site; they’ll try to attack and be on their way if it doesn’t. The best way to protect yourself against attackers is to make sure your site and its plugins are kept up to date.

    You can read more about this here:
    https://konstantin.blog/2013/dont-hide-the-fact-that-youre-using-wordpress/

    If you’d rather hide the version of WordPress and the Jetpack version on your site anyway, plugins like this one will help.


The topic ‘Version disclosure?’ is closed to new replies.
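
For site owners who still want the number out of the markup, as the reply allows, the sketch below is an added example (not Jetpack or WordPress core code, and not the plugin the reply links to). It replaces the `ver` value on enqueued plugin assets with a keyed hash, so the URL still changes on every update and caches are still invalidated. The function name `example_mask_asset_version` and the `/wp-content/plugins/` path check (the default layout, as in the question's sample link) are assumptions.

```php
<?php
/**
 * Added example: mask the ?ver= value on plugin stylesheets and scripts.
 * Place in a small site-specific plugin (hypothetical; not part of Jetpack).
 */

/**
 * Swap the plain version string for a short keyed hash.
 *
 * @param string $src    Asset URL, already carrying ?ver=... from the enqueue call.
 * @param string $handle Handle the asset was registered under.
 * @return string URL with the version replaced, or the original URL.
 */
function example_mask_asset_version( $src, $handle ) {
	// Assumption: plugins live under the default /wp-content/plugins/ path.
	if ( ! is_string( $src ) || false === strpos( $src, '/wp-content/plugins/' ) ) {
		return $src;
	}

	// Read the query string and leave URLs without a ver argument alone.
	$query = wp_parse_url( $src, PHP_URL_QUERY );
	if ( empty( $query ) ) {
		return $src;
	}
	parse_str( $query, $args );
	if ( empty( $args['ver'] ) || ! is_string( $args['ver'] ) ) {
		return $src;
	}

	// wp_hash() is keyed with the site's salts, so the value differs per site
	// and cannot be mapped back to a version with a precomputed table.
	// It still changes whenever the real version changes (cache busting).
	$masked = substr( wp_hash( $handle . '|' . $args['ver'] ), 0, 12 );

	// add_query_arg() overwrites the existing ver argument.
	return add_query_arg( 'ver', $masked, $src );
}

// Both filters pass the URL and the handle; run late so other filters go first.
add_filter( 'style_loader_src', 'example_mask_asset_version', 20, 2 );
add_filter( 'script_loader_src', 'example_mask_asset_version', 20, 2 );
```

This only removes the number from the page markup; the asset files themselves are unchanged, so keeping the site and its plugins up to date remains the actual protection, as the reply says.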