WordPress.org


Version Number in HTML (4 posts)

  1. Zac Garrett
    Member
    Posted 7 years ago #

    While looking through the source of my site I noticed something quite disturbing from a security standpoint. The All in One SEO plugin puts the version number in the source of the site. From a security standpoint this is a big no-no; you don't want people to know the version of something you are running. If your version is outdated and there is a known security problem, it is much easier for a script kiddie to exploit.

    For my personal site I changed the following code:

    echo "\n<!-- all in one seo pack $this->version ";
    if ($this->ob_start_detected) {
    echo "ob_start_detected ";
    }
    echo "[$this->title_start,$this->title_end] ";
    echo "-->\n";

    to

    echo "\n<!-- all in one seo pack -->\n";
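A check for the leak described in the first post, as an added example that is not part of the original thread or the plugin's code: it parses a rendered page and reports HTML comments and generator meta tags that carry a dotted version number. The sample pages, the function names and the plugin version 1.2.3 are constructed for illustration; 2.3.3 is the WordPress version mentioned in the thread, and the generator meta tag is assumed to be present in the page.

```python
import re
from html.parser import HTMLParser

# Dotted version such as 1.2.3 or 2.3 (two or three numeric components).
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")

# Constructed sample pages: the banner before and after the edit in the post.
BEFORE = ('<html><head>\n<!-- all in one seo pack 1.2.3 [120,145] -->\n'
          '<meta name="generator" content="WordPress 2.3.3" />\n</head></html>')
AFTER = '<html><head>\n<!-- all in one seo pack -->\n</head></html>'


class VersionLeakAuditor(HTMLParser):
    """Collect places where rendered HTML states a software version."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, version, context) tuples

    def handle_comment(self, data):
        # Plugin banners like the one in the post are plain HTML comments.
        for match in VERSION_RE.finditer(data):
            self.findings.append(("comment", match.group(), data.strip()))

    def handle_starttag(self, tag, attrs):
        # <meta name="generator" content="..."> is another place a version shows up.
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            content = attrs.get("content") or ""
            for match in VERSION_RE.finditer(content):
                self.findings.append(("generator", match.group(), content))


def audit(html):
    """Return every version disclosure found in one rendered page."""
    auditor = VersionLeakAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(page))
```

Run it against the saved output of each template your own site serves, since a banner removed from one place can still appear in another.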

  2. whooami
    Member
    Posted 7 years ago #

    nice job on that upgrade to 2.3.3! good for you! :P

    you can check your logs to figure out what I just clued you into :>

    I'm the 199.x.x.x IP

    --

    I noticed you put your version in the drop down box, that's not where I got it from.

  3. Zac Garrett
    Member
    Posted 7 years ago #

    Ahh, forgot to redirect all of the various feed items to feedburner. Still trying to work out all of the oddities of WordPress after moving over from Serendipity.

    Command line is fun:
    tail access_log | grep -E '199\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

    Thanks for pointing that out.

  4. uberdose
    Member
    Posted 7 years ago #

    Hi Zac, I don't think I will leave the version out because it helps me tremendously in diagnosing problems (which I do every day). And there has never been any security problem I'm aware of. So the benefits outweigh the drawbacks IMHO.

    If there is a loophole in a web application, you don't care very much for the exact version anyway since it's so easy to just probe it automatically.

Topic Closed

This topic has been closed to new replies.
