Plugin: BulletProof Security – Suggestion: Remove WP version number from URLs and hide HTML comments

  • Resolved Daedalon

    (@daedalon)


    One part of security is not giving out unnecessary information on the website. Here are two security measures towards that end that I would appreciate in BulletProof Security:

    1. Hide the WordPress core version number in URLs, such as CSS and JS, where it is currently appended at the end.

      <link rel='stylesheet' id='twentytwelve-style-css' href='http://siteurl/wp-content/themes/twentytwelve/style.css?ver=3.5.1' type='text/css' media='all' />

    2. Remove all HTML comments from the web pages before sending them to users. Some plugins think it’s smart to tell the world in HTML comments which plugins and versions a site is running without even giving an option to disable these.

    Both of these pieces of information allow malicious hackers to automatically exploit sites running WP or plugin versions for which they have found exploits. Not giving out this information would make the sites running BPS less likely to be exploited, especially via automated means.

    I’ve seen some other WP security plugins provide these features, but I’d be happiest to have BPS provide these as an all-in-one security plugin.

    http://wordpress.org/extend/plugins/bulletproof-security/
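One way to implement suggestion 2 above, as an added example (this is not code from the thread or from BulletProof Security): an output-buffer filter hooked on WordPress's `template_redirect` action. The `example_`-prefixed function names are assumptions, and the filter deliberately leaves IE conditional comments and the contents of script/style/pre/textarea blocks alone, since stripping those would break the page.

```php
<?php
// Added example, not part of the original post: strip HTML comments from the
// rendered front-end page. Drop into a theme's functions.php or a small plugin.

/**
 * Remove <!-- ... --> comments from a finished HTML document, except:
 *  - anything inside <script>, <style>, <pre> or <textarea> (a "<!--" there is
 *    JavaScript/CSS/text to the browser, not an HTML comment);
 *  - IE conditional comments (<!--[if IE]> ... <![endif]-->, and the
 *    downlevel-revealed <!--[if !IE]><!--> ... <!--<![endif]--> form),
 *    which some themes still rely on for layout.
 */
function example_strip_html_comments( $html ) {
    // Alternation order matters: a protected block is tried first at its
    // opening "<", so a comment-like sequence inside it is consumed with it.
    $pattern = '#<(script|style|pre|textarea)\b[^>]*>.*?</\1\s*>|<!--.*?-->#is';

    return preg_replace_callback( $pattern, function ( $m ) {
        $token = $m[0];

        // Protected block (starts with "<s", "<p", "<t"...): return untouched.
        if ( $token[1] !== '!' ) {
            return $token;
        }

        // Conditional comment: keep it.
        if ( preg_match( '#^<!--\s*(\[if\b|<!\[endif\])#i', $token ) ) {
            return $token;
        }

        // Ordinary comment (e.g. "<!-- Plugin X v1.2.3 -->"): drop it.
        return '';
    }, $html );
}

/** Start buffering front-end output so the whole page passes through the filter. */
function example_start_comment_stripping() {
    // Leave wp-admin and AJAX responses alone; only public pages are filtered.
    if ( is_admin() || ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }
    ob_start( 'example_strip_html_comments' );
}
add_action( 'template_redirect', 'example_start_comment_stripping' );
```

This removes version strings that plugins leave in HTML comments; as the plugin author notes later in the thread, it does not hide the fact that the site runs WordPress, and a full-page cache in front of WordPress will keep serving whatever it cached before the filter was active.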

Viewing 15 replies - 1 through 15 (of 46 total)
  • Plugin Author AITpro

    (@aitpro)

    You cannot hide the WordPress version – that is impossible. The feature in BPS that says it does this is very old and very stupid. There are literally dozens of different ways to find the WordPress version. Bottom line this is a silly thing, you cannot hide the WordPress version and you should not worry about it – it does not matter and is not really a website security measure at all.

    Neither of these things matter at all and are not legitimate website security measures, so I would not bother wasting time pursuing either of these things since they do not make any difference at all.

    Plugin Author AITpro

    (@aitpro)

    These are the top hacking targets by priority and order of attack for 2013:

    1. Crack FTP passwords
    2. Crack WordPress passwords – there is currently a worldwide attack going on right now and for the past week.
    3. Cross infect sites – 1 hosting account to another hosting account

    Do you have more information to share on #2?

    Plugin Author AITpro

    (@aitpro)

    If you check your hosts help pages or system alerts pages then you will probably see some sort of post about this. HostGator, Go Daddy, InMotion and several other Hosts have created posts about this. I think you can probably do a general Google search and will find lots of info about this. This post in the BulletProof Security Forum has some general info from a few different web hosts.

    Global brute force attack on WordPress sites

    Thanks!

    I’m not yet convinced that it wouldn’t be a security benefit to hide the WP version number in any places where it’s publicly shown. Why does WordPress show it in the URLs in the first place? Where else is it shown publicly besides the HTML generator tag?

    Plugin Author AITpro

    (@aitpro)

    First off, hiding is not the same as obscuring. “Security through obscurity” is the most misunderstood WordPress phrase. Hiding is not a security measure – it never was and it never will be. A very simple cURL script that you can find anywhere around the Internet will allow any kiddiescripter to find anything he/she wants to find.

    The only real legitimate security approach is an Action Approach – it has always been and will always be the best and most effective security approach/measure.

    hacker X does bad action Y and Z is the result = blocked/Forbidden/etc.

    WordPress is at a point where it is now so secure/solid/tight/locked down/contains awesome security coding that doing a Signature probe/scan for the WordPress version number would only matter if you were using a version of WordPress that was many, many years old.

    To sum everything up – it does not matter what current version of WordPress you are using – it does not matter to the hacker unless you have an ancient version of WordPress installed.

    Thanks for the reply. However, isn’t that summary based on the assumption that a new, severe security flaw will not be found in WordPress in the future, at any point?

    That’s separate from the issue that in your experience hiding WordPress version from the public is really, really hard. Regarding that I’d be interested in reading a bit more on how WordPress reveals “anything a kiddiescripter wants to find”, if you’d happen to have a link handy.

    Plugin Author AITpro

    (@aitpro)

    I really do not want to debate this because I do not work for WP and it would be ludicrous of me to speak on behalf of WP or take logical guesses.

    I find it highly unlikely that a significant coding mistake would somehow get through the security specialists and everyone else at WP who are involved in releasing new versions.

    So without going any further in this discussion and explaining the layers of security that WP already incorporates/implements for just such an unlikely occurrence – I am going to say that even if a code flaw of any significance got into a final release then it would not be exploitable.

    There is no need to hide the WordPress version so there is no point in dwelling on that point.

    Go to php.net and look up cURL and what you can do with cURL. I will not say any more than that on this.

    Thanks for the info so far.

    Marking the topic as resolved.

    I can vouch for the attack on WordPress installations mentioned above. Right now, I’ve got two WordPress installations getting hammered by various systems around the world, trying to break in. So far, they haven’t had any success and I hope they’ll leave my WordPress installations alone. 🙂

    Peace…

    Plugin Author AITpro

    (@aitpro)

    Yeah, it’s too bad that what is being repeated all over the Internet is the same thing that always happens – the wrong information, bad information, SEO writing style to get a high ranking post, copy-catting bad information, repeating bad information, etc. etc. etc. is all over the place.

    Happens every time without fail. sigh. You would think that top ranking websites would actually carefully choose their wording before posting totally incorrect or inaccurate information, but I assume that what happens is a person is designated to writing posts to get the highest possible post ranking – things like correct information or accurate information never seem to be that important vs getting a high ranking post. ugh.

    /** how to hide your WP version – add to theme’s functions.php **/

    // Blank out the <meta name="generator"> tag that carries the core version.
    function remove_wp_version_tag() {
    	return null;
    }
    add_filter( 'the_generator', 'remove_wp_version_tag' );

    // Strip ?ver=<core version> from enqueued script and style URLs.
    function remove_wp_version_strings( $src ) {
    	global $wp_version;
    	// parse_url() returns null when the URL has no query string; return early
    	// so parse_str() is never handed a null.
    	$query_string = parse_url( $src, PHP_URL_QUERY );
    	if ( empty( $query_string ) ) {
    		return $src;
    	}
    	parse_str( $query_string, $query );
    	// Only remove the parameter when it is the core version, so plugins and
    	// themes that version their own assets keep their cache-busting.
    	if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
    		$src = remove_query_arg( 'ver', $src );
    	}
    	return $src;
    }
    add_filter( 'script_loader_src', 'remove_wp_version_strings' );
    add_filter( 'style_loader_src', 'remove_wp_version_strings' );

    Plugin Author AITpro

    (@aitpro)

    Ok now test this. Go to Sucuri.net and scan your website and you will see that Sucuri.net detected that your site is a WordPress site.

    Plugin Author AITpro

    (@aitpro)

    I assume builtwith.com will also detect that your site is a WordPress site.

    Plugin Author AITpro

    (@aitpro)

    And using any basic cURL script will always detect that your site is a WordPress site because it is impossible to hide that you have a WordPress site and not important to even try it.

  • The topic ‘Suggestion: Remove WP version number from URLs and hide HTML comments’ is closed to new replies.