WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#32805 closed enhancement (duplicate)

Remove WP Version From HTML

Reported by: victorfreitas1 Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.3
Component: Security Keywords:
Focuses: Cc:

Description

Hello, I strongly believe in WordPress potêncial as security, but has a small flaw that leaves us a bit insecure, which is always bringing in FrameWork the HTML version of the system in feeds, and files between other parts of the site, this is something with that in other preoculpamos to remove our website and there are hooks to be removed and do not do it for all files. I bring this safety tip is to fail to show the version in html files, feeds among others, Example: "site.com/wp-includes/css/buttons.min.css?ver=4.2.2". Remove the a version of sitema on "ver=" and put a filemtime for example in place.

Examples:

<link rel='stylesheet' id='google-font-css' href='fonts.googleapis.com/css?family=Lora%3A400%2C700%2C400italic%2C700italic%7CMuli%3A400%2C400italic%7CMontserrat%3A400%2C700&#038;ver=4.2.2' type='text/css' media='all' />
<generator>wordpress.org/?v=4.2.2</generator>
<meta name="generator" content="WordPress 4.2.2" />

Change History (2)

#1 @chriscct7
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #23394.

The version of WordPress being presented is not a security issue whatsoever. Hiding it doesn't make your site any more secure, not does showing it make it less secure. There is zero security benefit whatsoever in hiding that a site is WordPress powered, or what version of WordPress it is. 99% of attackers or bot attackers will just try their attack without seeing if your site has an affected version, and the 1% who do care can just as easily (and they do) just compare the contents of the Javascript and CSS files, among many other things.

Removing version numbers has been brought up many times on trac. I'm going to close this as a duplicate of the most recent one I've found for it

Last edited 4 years ago by chriscct7 (previous) (diff)

#2 @afercia
4 years ago

Always useful as reference:

The WordPress Meta “generator” Tag Paranoia
http://codeseekah.com/2012/02/20/the-wordpress-meta-generator-tag-paranoia/

Don’t Hide the Fact That You’re Using WordPress
https://kovshenin.com/2013/dont-hide-the-fact-that-youre-using-wordpress/

:)

Note: See TracTickets for help on using tickets.