Version Number in HTML

  • While looking through the source of my site I noticed something quite disturbing from a security standpoint. The All in One SEO plugin puts the version number in the source of the site. From a security standpoint this is a big no-no; you don’t want people to know the version of something you are running. If your version is outdated and there is a known security problem, it is much easier for a script kiddie to exploit.

    For my personal site I changed the following code:

    echo "\n<!-- all in one seo pack $this->version ";
    if ($this->ob_start_detected) {
        echo "ob_start_detected ";
    }
    echo "[$this->title_start,$this->title_end] ";
    echo "-->\n";

    to:

    echo "\n<!-- all in one seo pack -->\n";

Viewing 3 replies - 1 through 3 (of 3 total)
  • whooami



    nice job on that upgrade to 2.3.3! good for you! 😛

    you can check your logs to figure out what I just clued you into :>

    I'm the 199.x.x.x IP

    I noticed you put your version in the drop down box, that's not where I got it from.

    Ahh, forgot to redirect all of the various feed items to feedburner. Still trying to work out all of the oddities of WordPress after moving over from Serendipity.

    Command line is fun:
    tail access_log | grep -E '199\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

    Thanks for pointing that out.

    Hi Zac, I don’t think I will leave the version out because it helps me tremendously in diagnosing problems (which I do every day). And there has never been any security problem I’m aware of. So the benefits outweigh the drawbacks IMHO.

    If there is a loophole in a web application you don’t care very much for the exact version anyway since it’s so easy to just probe it automatically.

  • The topic ‘Version Number in HTML’ is closed to new replies.
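
An added example, not part of the thread or of the plugin's code: a Python audit that parses markup your own site serves and lists every HTML comment, meta generator tag and feed generator element that states a dotted version number, the three places discussed above. The sample page, the sample feed, the example.org URL and all version numbers are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# A dotted version number such as 1.2 or 1.2.3.4
VERSION = re.compile(r"\b\d+(?:\.\d+){1,3}\b")

class VersionLeakAuditor(HTMLParser):
    """Collect places where served markup states a software version."""
    def __init__(self):
        super().__init__()
        self.findings = []            # (location, text) tuples
        self._in_generator = False
    def _check(self, location, text):
        if VERSION.search(text):
            self.findings.append((location, " ".join(text.split())))
    def handle_comment(self, data):
        # e.g. a plugin banner comment that carries its version
        self._check("comment", data)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self._check("meta generator", attrs.get("content") or "")
        elif tag == "generator":      # feed element, version as attribute or text
            self._in_generator = True
            self._check("feed generator", attrs.get("version") or "")
    def handle_data(self, data):
        if self._in_generator:
            self._check("feed generator", data)
    def handle_endtag(self, tag):
        if tag == "generator":
            self._in_generator = False

def audit(markup):
    """Return every (location, text) in the markup that exposes a version."""
    auditor = VersionLeakAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings

# Constructed samples: a page with a versioned and an unversioned banner, and a feed
PAGE = """<html><head>
<meta name="generator" content="WordPress 0.0.1" />
<!-- all in one seo pack 0.0.2 [12,45] -->
<!-- all in one seo pack -->
</head><body>v1</body></html>"""
FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<generator>https://example.org/?v=0.0.1</generator>
</channel></rss>"""

if __name__ == "__main__":
    for location, text in audit(PAGE) + audit(FEED):
        print(f"{location}: {text}")
```

The unversioned banner from the modified code produces no finding, while the feed still reports the version even when the page itself does not.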