WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 5 weeks ago

#23394 closed enhancement (invalid)

Remove version from readme.html / Upgrade core doesn't restore the file

Reported by: momo360modena Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:

Description

I think it is necessary to remove the version number of the WordPress readme.html and those for several reasons.

  1. The file shows the version number of WordPress easily ... Security (Version disclosure)
  2. Few people are aware of the file. The impact is limited.
  3. Wrong reason, but the other major CMS do not!

Moreover, if we adopt the approach of deliberately delete from FTP, the next automatic update will restore it. This is a task binding.

I think the automatic update of the WordPress core should detect the presence of the file and not restored if does not exist!
I'd like to have your opinions before proposing any patch!

Change History (11)

comment:1 @momo360modena2 years ago

  • Cc amaury@… added

comment:2 follow-up: @markoheijnen2 years ago

All those three reasons are not valid for me. Even the first one. Mainly because there are several other ways to retrieve the version number.

comment:3 @ocean902 years ago

  • Component changed from Security to General
  • Keywords close added

Not really a security issue.

comment:4 in reply to: ↑ 2 @momo360modena2 years ago

Replying to markoheijnen:

All those three reasons are not valid for me. Even the first one. Mainly because there are several other ways to retrieve the version number.

This is true, but there are plenty of plugins to hide it. This is not the case for the readme.html file.

Moreover, are what WordPress is necessarily display the version number in the metadata generator?
The drupal project shows only the major version, what is the good beginning!

Last edited 2 years ago by momo360modena (previous) (diff)

comment:5 @iandunn2 years ago

  • Cc ian_dunn@… added

Bulletproof Security will block access to the readme file. I think Better WP Security will to, and perhaps Wordfence.

I actually don't have a problem with security-through-obscurity, provided it's the first of many layers, but in this case I don't think the benefits of hiding the version number outweigh the benefits of the readme file, especially since it's easy to 403 the file with one of those plugins or a custom htaccess rule.

comment:6 @momo360modena2 years ago

I still find it surprising that users are required to install some security plugin, kludge for most, while some minor changes in the core would allow to mask some compromising information.

Theoretically, almost all the features of a plugin like "Secure WordPress" should be native in core...

comment:7 @markoheijnen2 years ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Serious, most of the security plugins do stuff that isn't needed at all. If you believe in fake security you should install the plugin.
The only feature I would say that should be in core is limiting the login amount.

Closing the ticket since this kind of conversation shouldn't happen on trac.

comment:8 @SergeyBiryukov2 years ago

  • Version trunk deleted

comment:9 @nacin2 years ago

Some of the security plugins out there do a few decent things that can improve the security of a site. Pretty much every example is things that we could not reliably do in core, for reasons such as wide server support. Most plugins — and most things done by even some of the good plugins — are overzealous, dangerous, ill-informed, or resort to scaring users with things that they don't need to be bothered with or take action on. All in the name of "security".

The file shows the version number of WordPress easily ... Security (Version disclosure)

With publicly accessible web application software, there is no way to prevent version detection. The readme and generator versions are just the fairly cheap ways to do it. My favorite is looking at publicly accessible CSS and JS files, but there are many others. Script kiddies blindly attack sites. They don't sniff version numbers first. Even if they did, this means they're looking for core vulnerabilities. (Of which there are few, and anything of note requires a user account these days, at a minimum.) So, you're either running an out of date version — don't hide the version number, *update* — or you're running the latest (at which point, that's on us, and no suppressing that version is going to help you).

There's one thing I could go for, as proposed here: on one-click upgrades, don't copy readme.html back over if it is gone. Same we do for bundled default themes. But I'm not agreeing to this for security reasons. Beyond license.txt, it's the only non-PHP file shipped in the root. Maybe someone wants to remove those because they have OCD. Now that we have about.php for in-dashboard upgrades (and most installs happen by hosts, not users), the very existence of a readme file isn't that helpful anymore.

comment:10 @momo360modena2 years ago

Thank you for this comprehensive feedback.

To come back to the readme.html file, given the low interest, it might be relevant to change a readme.txt classic.
http://en.wikipedia.org/wiki/README

And once again, the version number is not useful :)

comment:11 @chriscct75 weeks ago

#32805 was marked as a duplicate.

Note: See TracTickets for help on using tickets.