Suppress identity for increased security?

  • Resolved alanatfluffdesign

    (@alanatfluffdesign)


    Hi WordPressers,

    Am I plain wrong to be looking at the following?

    I am attempting to find out how I might elegantly suppress the line:
    <meta name="generator" content="WordPress 2.5.1" />
    from appearing in the source of my site.

    This is _not_ because I am mean or want to pretend I did not use WP, and I also love the fact that this line might help WP in some ratings or other good f/b. But. But I was wondering if its presence might represent a reasonable opportunity for a hacker to gain knowledge about my system and hence provide a degree of advantage to the baddie. Especially if the baddie was a wandering robot sniffing for this string.

    I am happy to be told this is a useless/wrong quest because … and I will gladly listen. Only in the absence of other influences, it seems like a good idea to me.

    Thanks in advance for any comments! Cheers -Alan

Viewing 12 replies - 1 through 12 (of 12 total)
  • hey Alan.

    throw this line into your theme’s functions.php:

    remove_action('wp_head', 'wp_generator');

    Used to be that this was in the themes, but since people removed it they decided to just add it again behind your back. If there’s a non-spammy reason for adding this into the core code, then where’s the in-your-face tickbox to turn it off?

    There are a lot of folks here who would tell you that security by obscurity is no security at all, but frankly I disagree – especially when you aren’t the coder, so you have to wait for an updated release to patch any security holes.

    Security by obscurity is perfectly valid in the world of poorly-scripted automated attacks, and so I thoroughly suggest you remove that line, as well as any number of other things you can do to obscure that you’re using wordpress (or any other software) at all.

    Of course security doesn’t begin or end here… but there’s really no reason not to use obscurity as an additional layer.

    The kind folks at automattic might prefer us all to keep the generator tag in place for statistical purposes, but I figure between the download counter and update checking they have enough stuff calling home now to be able to forego the generator tag.

    Ivovic, just to clarify, WordPress is not developed solely by Automattic. WordPress.org is not an Automattic property. Automattic contributes to the WordPress.org project like anyone else.

    alanatfluffdesign, removing the version makes your WP more obscure, but not more secure. It’s fine to do, we have nothing against it, but don’t let it give you a false sense of security. I wrote a bit about what to do to keep your blog truly secure here:

    http://ma.tt/2008/04/securityfocus-sql-injection-bogus/

    Well, someone’s signing off on a hefty number of unpopular choices lately. If it’s not anyone at automattic, then it probably should be.

    There’s no secret cabal, it’s all out there:

    http://wordpress.org/about/

    http://trac.wordpress.org/timeline

    Anyone is welcome to participate.

    Used to be that this was in the themes, but since people removed it they decided to just add it again behind your back. If there’s a non-spammy reason for adding this into the core code, then where’s the in-your-face tickbox to turn it off?

    Nope this was added in very much in the open – “Improving the WordPress generator”

    The whole point behind this change was actually to make it easier for people to hide/remove the generator from their site!

    Previously if you wanted to remove the generator you had to not only remove it from your theme but also from all the feed generating files as well. Now you can remove it easily from within a plugin or your themes functions.php file.

    Anyone is welcome to participate.

    Matt, I can’t believe you actually wrote that.

    [self-moderated]

    There’s no point discussing with people who think every user everywhere is bound to spend time reading dev lists, if they don’t want to advertise for wordpress.

    *cough* it’s -still- in themes no matter which way you slice it.

    hmm, I had no idea they had done that, Ivovic. That is kind of crappy isn’t it? :<

    It’s definitely kind of crappy… but more crappy is the assertion that it was done ‘in the open’.

    In the open is to shove it on people’s dashboards via the wordpress.org blog. Putting it on a post on Peter’s blog that has less than 10 replies on it is *not* in the open.

    Honestly, there’s an increasing expectation that users read dev lists or spend their day in trac, just because the devs do.

    You’d have to be more stupid than I am paranoid, to think that Joe Regular is going to ever discover that without first twigging that removing it from his theme had no effect, then coming here and asking about it.

    Thread Starter alanatfluffdesign

    (@alanatfluffdesign)

    My sincere thanks to Ivovic, Matt and everyone else for enlightening me.

    I agree that this step (hiding my WP ver or WP entirely) must not let me feel falsely secure and I also agree that doing so is not useless and has some value.

    I must admit that I did try fairly hard to find out how to suppress this version reporting and failed — that could be my lack of effort with Google or the search here, but I thought I had tried reasonably hard / intelligently. But then again, success is here, once more I have rapidly found out the answer via this thread, so thanks again to all.

    Now if _only_ I could as easily get my Zeus-powered hoster to support mod_rewrite, I would be laughing!

    Cheers all, -Alan

    Actually, if I am testing whether a blog is WordPress powered, the first thing I would do is search for “wp-” (wp-content) in the HTML source code and try to access /wp-login.php & /wp-admin, then /?s=QUERY, and so on.

    Haochi, exactly, which is why wordpress paths should be defined as constants in wp-config.php

    But at least with a path, you are not advertising your version number. Those who are behind in upgrades are targeted, but much less specifically.

  • The topic ‘Suppress identity for increased security?’ is closed to new replies.
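
The distinction drawn in the last replies, as an added example that is not part of the original thread: removing the generator tag hides the version, while the default paths still identify the platform. This Python sketch audits markup taken from your own site; the sample pages, the function name `audit` and the form of the feed `<generator>` element are constructed assumptions.

```python
import re

# Constructed sample: theme already runs remove_action('wp_head', 'wp_generator'),
# so the meta tag is gone but the default paths remain in the page.
SAMPLE_HEAD_CLEANED = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/example/style.css" />
</head><body><a href="/wp-login.php">Log in</a></body></html>"""

# Constructed sample: default output, including the tag quoted in the question.
SAMPLE_DEFAULT = """<html><head>
<meta name="generator" content="WordPress 2.5.1" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css" />
</head><body></body></html>"""

# Constructed sample: a feed that still carries a generator element (assumed form).
SAMPLE_FEED = """<rss version="2.0"><channel>
<generator>http://wordpress.org/?v=2.5.1</generator>
</channel></rss>"""

META_GEN = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)["\']',
    re.I)
FEED_GEN = re.compile(r'<generator[^>]*>[^<]*wordpress\.org/\?v=([\d.]+)', re.I)
WP_PATH = re.compile(r'/wp-(?:content|includes|admin|login\.php)', re.I)


def audit(markup):
    """Report what a page or feed still discloses about the platform."""
    versions = set(META_GEN.findall(markup)) | set(FEED_GEN.findall(markup))
    versions.discard("")  # generator tag present but without a version number
    paths = sorted({p.lower() for p in WP_PATH.findall(markup)})
    platform = bool(META_GEN.search(markup) or FEED_GEN.search(markup) or paths)
    return {
        "platform_disclosed": platform,   # WordPress is identifiable at all
        "versions": sorted(versions),     # exact release numbers exposed
        "paths": paths,                   # default paths that give it away
    }


if __name__ == "__main__":
    for name, doc in [("default", SAMPLE_DEFAULT),
                      ("head cleaned", SAMPLE_HEAD_CLEANED),
                      ("feed", SAMPLE_FEED)]:
        print(name, audit(doc))
```
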