WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#4155 closed enhancement (wontfix)

Let's hide the version number from public display

Reported by: drmike Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:

Description

Greets:

I've got to admit that I'm troubled by how easy it is to find the version number of a wordpress blog. It's outputted in the meta tags and within the RSS feed. This is what bit phpBB and phpNuke in the butt when the Santy webworm against those platforms was going around.

http://www.geeklog.net/article.php/phpbb-worm

Thanks,
-drmike

Change History (8)

comment:1 @Otto428 years ago

-1

There's also a dozen other ways to determine version (it's included in nearly every theme, for example). If somebody is running a hackable version, they need to upgrade to a non-hackable one. Security by obscurity ain't going to work.

comment:2 follow-up: @drmike8 years ago

There's also a dozen other ways to determine version

You're right, there is. It's an issue with other softwares and has caused issues in the past. Let's go ahead and prevent it from happening to WP.

it's included in nearly every theme, for example

Yup, it's a template function call. Makes it easy to scan for that hackable version of wordpress that's out there.

they need to upgrade to a non-hackable one

Agreed but not everybody does so.

Security by obscurity ain't going to work.

Agreed but you don't hang up a sign on your front door stating that you've left the building when you go out, do you?

comment:3 in reply to: ↑ 2 @Otto428 years ago

Replying to drmike:

Agreed but you don't hang up a sign on your front door stating that you've left the building when you go out, do you?

Errr.. A lot of businesses do just that. ;)

Taking down the version number just means that they'll try lots of different ways to break in on every blog. It doesn't actually fix anything to not display a version number. It's not a bug or a vector of attack for the version number to be known.

In other words, I fail to see the point. You're wanting to hide information that doesn't actually hurt you in any way.

comment:4 @masquerade8 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

Also, please get your facts straight. Showing the version number did no such thing to the aforementioned scripts. The search to google was a string that would find _any_ version of phpBB.

Most automated worms won't even bother checking version numbers, you just try the exploit, hope it worked, and move on. A human who is trying to target your site specifically is going to go through the trouble to find a vulnerability whether you advertise it or not. Security by obscurity is not going to help in this case.

Closing this as wontfix.

comment:5 @Nazgul8 years ago

  • Milestone 2.4 deleted

comment:6 follow-up: @g30rg3x8 years ago

  • Cc drmike removed
  • Component changed from Administration to General
  • Milestone set to 2.3 (trunk)
  • Resolution wontfix deleted
  • Status changed from closed to reopened
  • Type changed from defect to enhancement

I hate reopening tickets :-/...

but i have to agree that pointing this is a "security feature" or "security related" matter its not totally right and also useless because if a hacker didn't find the version he will try all know exploits and also this is applicable to all bots or automated exploit tools.

But I propose to see this as a privacy feature (not security feature), some prefer to hide his version rather than just being output publicly, i know this could be done by just changing some of the version retriever code (most of them are in bloginfo functions in general-template.php and other related to feeds files) and obviously add and a option in Options >> Privacy (wp-admin/options-privacy.php) to turn off and on the version disclousure.

IMHO this is better, let the user choose if he wants to display his version rather than just cutting off in all publicly view places...

comment:7 @pishmishy8 years ago

Personally I think that if someone cares this much about the version number appearing in the header then they won't find it at all difficult to work out how to remove it from the theme they're using.

This isn't the only place where bloginfo('version') is used in WordPress and crippling that function to achieve one particular task seems unwise.

comment:8 in reply to: ↑ 6 @foolswisdom8 years ago

  • Milestone 2.3 (trunk) deleted
  • Resolution set to wontfix
  • Status changed from reopened to closed

g30rg3x, I like how you looked at this scenario from another direction, still most people will not understand or appreciate the privacy implications, and yet another option is usually a bad solution. Pishmishy's arguments seem sound as does the previous discussion.

I have flip flopped a little on this issue since I first started appreciating it a year ago. Although you don't want to advertise an open window to thieves, on the web it is trivial to brute force checking each window. I also like the version being there b/c friends don't let friends run old versions of WordPress ;-)

Note: See TracTickets for help on using tickets.