Changes between Initial Version and Version 1 of Ticket #28722, comment 25


Ignore:
Timestamp:
04/10/2016 12:04:31 PM (5 years ago)
Author:
RedSand
Comment:
Initial version:
The WordPress version should not be used in headers like this, as it's a security risk. Revealing software version in headers or code is not a good security practice.
Version 1:
The WordPress version should not be used in headers like this, as it's a security risk. Revealing software version in headers or code is not a good security practice in general.

Unmodified:
The IETF (Internet Engineering Task Force) has this to say in [http://www.ietf.org/rfc/rfc2068.txt RFC 2068]:

  "Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes."

Initial version:
If a security vulnerability is discovered, and a site owner hasn't upgraded their site yet, revealing this makes it easy for hackers to run automated scripts to scan their site and discover the version bumber. That's why most security hardening plugins remove the WordPress version number from the site's code.
Version 1:
If a security vulnerability is discovered, and a site owner hasn't upgraded their site yet, revealing this makes it easy for hackers to run automated scripts to scan their site and discover the version number. That's why most security hardening plugins remove the WordPress version number from the site's code.

Initial version:
Obviously a website owner should practice good security, but even so, this should be changed so that WordPress code leaks as little data as possible.
Version 1:
Obviously, a website owner should practice good security, but even so, this should be changed so that WordPress code leaks as little data as possible.

Added in Version 1:
Keep in mind that every version of WordPress released in the last couple years has had security vulnerabilities discovered after a while, so it's safe to assume that a vulnerability will be discovered in 4.5 sooner or later. If you look at the stats of what [https://wordpress.org/about/stats/ WordPress versions people are running] compared against a list of [https://wpvulndb.com/wordpresses vulnerable WordPress versions], you can see that only about 52% of users are running 4.4 or higher, and a good portion of the rest are using vulnerable versions. (Not everyone has upgraded to the security patched minor version in their branch.) If you look ahead 6 months or a year, there may still be users who haven't upgraded from 4.5 who will be in that same situation.
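The comment mentions that hardening plugins strip the WordPress version from a site's output; the must-use plugin below is an added example of how that is typically done (not code from WordPress core or from this ticket). It relies on the standard wp_head action and the the_generator, style_loader_src and script_loader_src filters; the hwv_strip_core_version function name and the hwv_ prefix are our own.

```php
<?php
/*
 * Plugin Name: Hide WordPress Version (example)
 * Description: Added example for this ticket comment; not WordPress core code.
 * Install by copying this file into wp-content/mu-plugins/.
 */

// Remove <meta name="generator" content="WordPress x.y"> from the HTML head.
remove_action( 'wp_head', 'wp_generator' );

// Blank the generator string wherever else core emits it (RSS/Atom feeds, etc.).
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Strip the ?ver= query argument from enqueued asset URLs, but only when it
 * equals the core version. Plugin and theme assets keep their own version
 * strings, which are needed for cache busting and do not reveal the core version.
 */
function hwv_strip_core_version( $src ) {
    global $wp_version;
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( ! empty( $query ) ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
// Late priority so this runs after other plugins have adjusted the URL.
add_filter( 'style_loader_src',  'hwv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_core_version', 9999 );
```

After enabling it, view the rendered page source and a feed URL to confirm no generator tag and no core-version ?ver= parameters remain; other leak channels (readme.html, HTTP headers) are out of scope for these hooks.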